up
@@ -2,7 +2,7 @@ keys:
|
||||
- &admin_cschmatzler age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek
|
||||
- &host_tahani age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm
|
||||
creation_rules:
|
||||
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
|
||||
- path_regex: secrets/[^/]+$
|
||||
key_groups:
|
||||
- age:
|
||||
- *admin_cschmatzler
|
||||
|
||||
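Review bot: `path_regex: secrets/[^/]+$` is anchored only at the end, so it also matches a `secrets/` directory nested anywhere deeper in the tree, and without the extension list it now selects every file placed directly under `secrets/`, including anything dropped there by mistake that was never meant to go through sops; `path_regex: ^secrets/[^/]+$` states the intended scope exactly (recent sops versions match this against the path relative to this file, so the anchor is safe). Which of the two `path_regex` lines is the new one cannot be recovered from this rendering, but the extension-less `secrets/tahani-syncthing-cert` and `secrets/tahani-syncthing-key` files added elsewhere in the commit suggest the broader one. The `key_groups` list is cut off after `*admin_cschmatzler`; `&host_tahani` is declared above and both new files are encrypted to that recipient, so presumably it follows outside the hunk.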
@@ -26,10 +26,10 @@ FLAKE_SYSTEM="darwinConfigurations.${MACHINE_NAME}.system"
|
||||
|
||||
|
||||
echo "${YELLOW}Building configuration for machine: ${MACHINE_NAME}${NC}"
|
||||
NIXPKGS_ALLOW_UNFREE=1 nix --extra-experimental-features 'nix-command flakes' build --impure .#$FLAKE_SYSTEM "$@"
|
||||
nix --extra-experimental-features 'nix-command flakes' build .#$FLAKE_SYSTEM "$@"
|
||||
|
||||
echo "${YELLOW}Switching to new generation...${NC}"
|
||||
sudo NIXPKGS_ALLOW_UNFREE=1 ./result/sw/bin/darwin-rebuild switch --impure --flake .#${MACHINE_NAME}
|
||||
sudo ./result/sw/bin/darwin-rebuild switch --flake .#${MACHINE_NAME}
|
||||
|
||||
echo "${YELLOW}Cleaning up...${NC}"
|
||||
unlink ./result
|
||||
|
||||
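Review bot: `nix ... build .#$FLAKE_SYSTEM "$@"` and `darwin-rebuild switch --flake .#${MACHINE_NAME}` leave the flake reference unquoted, so a `MACHINE_NAME` containing whitespace or glob characters is split or expanded before nix sees it; write them as `".#${FLAKE_SYSTEM}"` and `".#${MACHINE_NAME}"` (assuming, as the 10/10 hunk counts suggest, the lines without `--impure` are the new side). The tahani script in the next hunk has the same unquoted `.#$HOSTNAME`. Dropping `--impure` means these invocations no longer read `NIXPKGS_ALLOW_UNFREE` from the environment, which the `nixpkgs.config.allowUnfree = true` hunk later in this commit appears to replace; a one-line comment above the build call such as `# unfree packages are allowed via nixpkgs.config in the flake; no --impure needed` would keep the next reader from re-adding the variable. The script continues outside the hunk.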
@@ -12,6 +12,6 @@ HOSTNAME="tahani"
|
||||
echo -e "${YELLOW}Starting...${NC}"
|
||||
|
||||
# We pass SSH from user to root so root can download secrets from our private Github
|
||||
sudo SSH_AUTH_SOCK=$SSH_AUTH_SOCK NIXPKGS_ALLOW_UNFREE=1 /run/current-system/sw/bin/nixos-rebuild switch --impure --flake .#$HOSTNAME $@
|
||||
sudo SSH_AUTH_SOCK=$SSH_AUTH_SOCK /run/current-system/sw/bin/nixos-rebuild switch --flake .#$HOSTNAME $@
|
||||
|
||||
echo -e "${GREEN}Switch to new generation complete!${NC}"
|
||||
|
||||
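Review bot: `sudo SSH_AUTH_SOCK=$SSH_AUTH_SOCK ... nixos-rebuild switch --flake .#$HOSTNAME $@` still hands the caller's entire SSH agent to root for the whole evaluation, build and activation, and the comment above ties that to fetching the private secrets repository, yet this commit appears to drop the `secrets` git input from flake.nix (`@@ -24,10 +24,6 @@`) in favour of sops-encrypted files in-tree. If nothing in the flake is fetched over SSH any more, the pass-through and its comment can go; if something still is, a read-only deploy key for that repository, loaded with `ssh-add -c` so each use is confirmed, bounds what root can sign with during the switch. Independently, `$@` should be `"$@"` so arguments containing spaces survive the re-split. The script continues outside the hunk.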
17
flake.lock
generated
17
flake.lock
generated
@@ -341,26 +341,9 @@
|
||||
"nix-homebrew": "nix-homebrew",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixvim": "nixvim",
|
||||
"secrets": "secrets",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"secrets": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1755022209,
|
||||
"narHash": "sha256-FZwzbsIz1iNqQjL85VH6rPfQzmWT1Twz21/XOF3as1E=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "f2e263737af6b96108ba90c68406e0811043bcc1",
|
||||
"revCount": 2,
|
||||
"type": "git",
|
||||
"url": "ssh://git@github.com/cschmatzler/nixos-config-secrets.git"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "ssh://git@github.com/cschmatzler/nixos-config-secrets.git"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_4"
|
||||
|
||||
@@ -24,10 +24,6 @@
|
||||
flake = false;
|
||||
};
|
||||
nixvim.url = "github:nix-community/nixvim";
|
||||
secrets = {
|
||||
url = "git+ssh://git@github.com/cschmatzler/nixos-config-secrets.git";
|
||||
flake = false;
|
||||
};
|
||||
};
|
||||
|
||||
outputs = inputs @ {flake-parts, ...}:
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
{
|
||||
pkgs,
|
||||
hostname,
|
||||
sops,
|
||||
user,
|
||||
...
|
||||
}: {
|
||||
@@ -52,7 +51,30 @@ sops,
|
||||
nameservers = ["1.1.1.1"];
|
||||
};
|
||||
|
||||
sops.defaultSopsFile = "./secrets/tahani.yaml";
|
||||
sops.secrets = {
|
||||
syncthing-cert = {
|
||||
sopsFile = "secrets/tahani-syncthing-cert";
|
||||
format = "binary";
|
||||
path = "/home/${user}/.config/syncthing/cert.pem";
|
||||
};
|
||||
};
|
||||
|
||||
services.syncthing = {
|
||||
enable = true;
|
||||
openDefaultPorts = true;
|
||||
dataDir = "/home/${user}/.local/share/syncthing";
|
||||
configDir = "/home/${user}/.config/syncthing";
|
||||
user = "${user}";
|
||||
group = "users";
|
||||
guiAddress = "0.0.0.0:8384";
|
||||
overrideFolders = true;
|
||||
overrideDevices = true;
|
||||
|
||||
settings = {
|
||||
devices = {};
|
||||
options.globalAnnounceEnabled = false;
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
|
||||
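Review bot: `sops.defaultSopsFile = "./secrets/tahani.yaml";` and `sopsFile = "secrets/tahani-syncthing-cert";` are relative strings, but sops-nix declares both options as paths, so the module type check should reject them and a string would not be copied into the store the way a path literal is; use `sops.defaultSopsFile = ./secrets/tahani.yaml;` and `sopsFile = ./secrets/tahani-syncthing-cert;`. The `syncthing-cert` secret sets no `owner`, so sops-nix's default of root with mode 0400 applies while `services.syncthing` runs as `${user}`, which then cannot read `cert.pem`; add `owner = user;` next to `format`. The commit also adds `secrets/tahani-syncthing-key`, yet only the certificate gets a `sops.secrets` entry in this hunk — if the key is declared elsewhere it is outside this view, otherwise the certificate alone is unusable. Separately, `guiAddress = "0.0.0.0:8384"` binds the web UI on every interface and `openDefaultPorts` does not open 8384 in the firewall, so reachability depends entirely on `networking.firewall`; a comment stating that, or binding to the tailscale address if that is the intended access path, would make the exposure explicit. Both hunks of this file start and end inside the enclosing attrset.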
@@ -8,6 +8,9 @@
|
||||
];
|
||||
|
||||
nixpkgs = {
|
||||
config = {
|
||||
allowUnfree = true;
|
||||
};
|
||||
overlays = let
|
||||
path = ../../overlays;
|
||||
in
|
||||
@@ -47,21 +50,5 @@
|
||||
tailscale = {
|
||||
enable = true;
|
||||
};
|
||||
syncthing = {
|
||||
enable = true;
|
||||
openDefaultPorts = true;
|
||||
dataDir = "/home/${user}/.local/share/syncthing";
|
||||
configDir = "/home/${user}/.config/syncthing";
|
||||
user = "${user}";
|
||||
group = "users";
|
||||
guiAddress = "0.0.0.0:8384";
|
||||
overrideFolders = true;
|
||||
overrideDevices = true;
|
||||
|
||||
settings = {
|
||||
devices = {};
|
||||
options.globalAnnounceEnabled = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
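Review bot: `allowUnfree = true;` in the new `nixpkgs.config` block waives the licence check for every package on this host, which is broader than the per-invocation `NIXPKGS_ALLOW_UNFREE=1` it appears to replace in the build scripts; `allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "claude-code" ];` (listing the actual unfree packages, with `lib` taken from the module arguments — `claude-code` is only an example drawn from the package list in this commit) keeps each exception explicit and reviewable. The second hunk of this file only removes the `syncthing` block that reappears in the host module, so there is no separate point there. Both hunks start and end inside the enclosing attrset.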
@@ -2,7 +2,6 @@
|
||||
with pkgs; [
|
||||
alejandra
|
||||
sops
|
||||
claude-code
|
||||
delta
|
||||
docker
|
||||
docker-compose
|
||||
@@ -26,7 +25,6 @@ with pkgs; [
|
||||
sqlite
|
||||
tree
|
||||
tree-sitter
|
||||
unrar
|
||||
unzip
|
||||
vivid
|
||||
wget
|
||||
|
||||
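--- a/secrets/tahani-syncthing-cert
+++ b/secrets/tahani-syncthing-cert
@@ -0,0 +1,19 @@
+{
+"data": "ENC[AES256_GCM,data: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,iv:xXiyY0eT/6MwMc9BRGaT/vMSGNN6C++pwQGEMc01z8U=,tag:fMBzOz+hKuSfCM3FRgCamA==,type:str]",
+"sops": {
+"age": [
+{
+"recipient": "age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdUQ3bmdjZGVMRDVZd1hu\nUWw4OStzdGNONVFGdVdjbk9VUGM3MzhWYjB3Ck1SRXp3YXVvRUlmVG1uS285eG8y\nWWtXTXBUY0FNaDVzTjgzMWl0b1RGaHMKLS0tIFlvVXJQTGY1MWhzNkZud2pYNGlO\nWG5acnhSV2g4cXpjMUl0MEpXN2lYUUUKwxENZ+NSS8gxlvWT3QVS/734mcK6AhYM\nMtO9KU+sNUuYX341xx2+oXyz980X2OhCwe6nzsX5D28UTmiROKBbXw==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidGtKVFliajRWbndlVjFD\nWUVrZGhMYlJSNTFBbUExYXBSUGFwelVsUzNVClY2WXNnR1dMcHFsTHNvcjBnL1Vi\nVzBoR3hxc0xCT3FNZ1JrMU1FSzFCWEUKLS0tIHg1cVRScXEwRHdld0RSRUt0bWR1\nUUh4eVdScFg4U29pSmRDT0xoNmVkQmMKBHgwk+OlI8+PcKTornjGBrUR/PEl1Qaj\nYXWctTVFOXwiuk3Lp2M+KJX6YtvPAUuI3BWJoE+esL7NGGKX5Swt3g==\n-----END AGE ENCRYPTED FILE-----\n"
+}
+],
+"lastmodified": "2025-08-12T18:39:30Z",
+"mac": "ENC[AES256_GCM,data:FAmt5iGVsLmKdKX/PXCIF7ysl5ijTiEI0S7nl9NjuW8et/ksJKdNHDeyeWbfFN/bMRR12N/3TcV+lVHyoDagX6Yfj1ynjhi3xHRyOp472pTPZbJX2gEt1kJ4ZkQkNPEnMIc9WoZ6duaq4py22VWtpzODc0NDSBZXeuPyHoVTP9c=,iv:JQ00ax4F6u7kDGtjYG3KY5oOP8M4ZlNkBhfxBt+84H8=,tag:xEMZDeuulGIueB75REkW2g==,type:str]",
+"unencrypted_suffix": "_unencrypted",
+"version": "3.10.2"
+}
+}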
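--- a/secrets/tahani-syncthing-key
+++ b/secrets/tahani-syncthing-key
@@ -0,0 +1,19 @@
+{
+"data": "ENC[AES256_GCM,data:EvYPgzUceBP/KlMG3tvWu7+Bw2Opnj9qoIDWQxGGgpvwQBIDxH4V6iGB3o1sZ2AuvsLBflPlZJLiAYk9Ffqm3wM52nXjWlGlgJcEvIlojQNnx/H09xuEbQk+ULpsMG33RdjDFNwngqKWRs9PAz09nJz9bMhFNCPikikynQun4/It54h4TddHQtey9hT+JovJBEVboUda7Wt4BGIyaENC0i0FfNhPzoaSXFhjhcujSPl2u9xvFQjBb9tleoznqxeVq8d3OB2O3IA/lCTGEj1PJsj/cATXLBC7eQdPiX5zDZ9gpI3ae+PvLt7+/c+g4p0FfR89yiLKF+oxjYEdEXSkBHV7JaO6IOX4pR5eOCjMLe8u1EyVG/e7beflloK5hUGV,iv:iF7eIyJn+FaGoM/OzuPgmPk1HW+aKvIuqDXKLTkc074=,tag:X4lkvzFwDpHGlXPUOZg/1g==,type:str]",
+"sops": {
+"age": [
+{
+"recipient": "age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWlFqdFJkbWJiaCtQVXd0\nNU9rRVpremxsSVRTK1gxTi9GSEU1a3luREJzCnErbXVoNUUyei84MllxN3F6TE12\nSWk5b0lDYXBUcWhURnhvdGVEUFRnUE0KLS0tIENBa1JmTXVKVUYwREU3Z0RoWGtU\naG9JY1VvajFGdGFpUDcvbDZ4UURkVk0K1Pot9qq+kHSoKXvVDgXShUJOyq1LjY3d\nMX5rqvHbcZ0Ksp2aTrMK6xmbzucbrv0/CIqMoCLNr6DkyVa1ZGCgeA==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeXVUSi9FeUtwcjI5NzFt\nWkV6VUF3bVBLZmMzSVBlY2czb3RIZU10VW1nCmRLTTVramRHSTl2Wi9uYVNFaUxt\nclpSVHNMeUFqV25UcjdyY3l6U2RKYnMKLS0tIDBDRlAvYUJ4SFU5OGFsbkZ6NXRr\nektCZlJMSkRhU2toVFJrZDRWeHpsZUUKDnak2CrvnwXmPewkHI4JEcZokDhZxIvn\n3U/e03i7iW4pKDjtzl8pFCdORwPJ3ttj+6hfBIl4s6MHicCVeTAetA==\n-----END AGE ENCRYPTED FILE-----\n"
+}
+],
+"lastmodified": "2025-08-12T18:39:37Z",
+"mac": "ENC[AES256_GCM,data:KpPsY88w0y5bJ0+l/0KaqAD5Rd9F6n5M7tZLfKCk9PP+/I2HcQ8GB5oa23TjdXpM0ubYhAnAwGt9EPeC55jT9KFS9EGZkRhmRk6ppI4dTD6ZdXyfjyZMIL6oGCfwTuzyNRhibVzKu8xgKXr6HI7/WXgaTSRihw/o7Ih69vCbNa4=,iv:h0HrGEIRbOaYbFL/lGc3Qwu7znUSIos/JhfkFIFqem0=,tag:W6IEPW6pvhDdZLcCqJKlEw==,type:str]",
+"unencrypted_suffix": "_unencrypted",
+"version": "3.10.2"
+}
+}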