diff --git a/.sops.yaml b/.sops.yaml
index 982a625..c59fe8c 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,7 +2,7 @@ keys:
 - &admin_cschmatzler age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek
 - &host_tahani age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm
 creation_rules:
- - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ - path_regex: secrets/[^/]+$
 key_groups:
 - age:
 - *admin_cschmatzler
diff --git a/apps/aarch64-darwin/build-switch b/apps/aarch64-darwin/build-switch
index 387904d..ac7daec 100755
--- a/apps/aarch64-darwin/build-switch
+++ b/apps/aarch64-darwin/build-switch
@@ -26,10 +26,10 @@ FLAKE_SYSTEM="darwinConfigurations.${MACHINE_NAME}.system"
 echo "${YELLOW}Building configuration for machine: ${MACHINE_NAME}${NC}"
-NIXPKGS_ALLOW_UNFREE=1 nix --extra-experimental-features 'nix-command flakes' build --impure .#$FLAKE_SYSTEM "$@"
+nix --extra-experimental-features 'nix-command flakes' build .#$FLAKE_SYSTEM "$@"
 echo "${YELLOW}Switching to new generation...${NC}"
-sudo NIXPKGS_ALLOW_UNFREE=1 ./result/sw/bin/darwin-rebuild switch --impure --flake .#${MACHINE_NAME}
+sudo ./result/sw/bin/darwin-rebuild switch --flake .#${MACHINE_NAME}
 echo "${YELLOW}Cleaning up...${NC}"
 unlink ./result
diff --git a/apps/x86_64-linux/build-switch b/apps/x86_64-linux/build-switch
index 3a18de1..ed87bb1 100755
--- a/apps/x86_64-linux/build-switch
+++ b/apps/x86_64-linux/build-switch
@@ -12,6 +12,6 @@ HOSTNAME="tahani"
 echo -e "${YELLOW}Starting...${NC}"
 # We pass SSH from user to root so root can download secrets from our private Github
-sudo SSH_AUTH_SOCK=$SSH_AUTH_SOCK NIXPKGS_ALLOW_UNFREE=1 /run/current-system/sw/bin/nixos-rebuild switch --impure --flake .#$HOSTNAME $@
+sudo SSH_AUTH_SOCK=$SSH_AUTH_SOCK /run/current-system/sw/bin/nixos-rebuild switch --flake .#$HOSTNAME $@
 echo -e "${GREEN}Switch to new generation complete!${NC}"
diff --git a/flake.lock b/flake.lock
index 9772856..63a54b0 100644
--- a/flake.lock
+++ b/flake.lock
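Review bot: The new `path_regex` is still unanchored at the start, so it also matches any path that merely contains a `secrets/` component (for example `foo/secrets/x`), not only files directly under the repository's `secrets/` directory; as far as I recall sops applies creation rules with an unanchored regex search. Anchoring it, `path_regex: ^secrets/[^/]+$`, keeps the widening to extension-less files (needed for the new binary syncthing secrets added in this commit) while pinning the directory. Creation rules only apply when a file is first encrypted or re-keyed, so the two files already added here are unaffected either way.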
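Review bot: Dropping `NIXPKGS_ALLOW_UNFREE=1` and `--impure` from both commands makes the build depend on `nixpkgs.config.allowUnfree = true` being set inside the configuration; that setting is added to `modules/base/default.nix` in this commit, so the darwin configurations must import that module or evaluation of any unfree package will now fail. Worth confirming, since the darwin host's module list is not part of this diff. The enclosing script continues outside the hunk.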
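Review bot: `$@` at the end of the `sudo … nixos-rebuild` line is unquoted, so any argument containing whitespace is word-split before it reaches nixos-rebuild; the aarch64-darwin script in this same commit already uses `"$@"`, so `… --flake .#$HOSTNAME "$@"` would make the two scripts consistent. The comment above the line also looks stale: it justifies forwarding `SSH_AUTH_SOCK` to root by the private secrets repository, but this commit removes the `secrets` flake input (flake.nix, flake.lock), so if nothing else under root still needs the agent, dropping `SSH_AUTH_SOCK=$SSH_AUTH_SOCK` narrows what a root-level rebuild can do with the user's SSH keys. The script continues outside the hunk.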
@@ -341,26 +341,9 @@
 "nix-homebrew": "nix-homebrew",
 "nixpkgs": "nixpkgs_2",
 "nixvim": "nixvim",
- "secrets": "secrets",
 "sops-nix": "sops-nix"
 }
 },
- "secrets": {
- "flake": false,
- "locked": {
- "lastModified": 1755022209,
- "narHash": "sha256-FZwzbsIz1iNqQjL85VH6rPfQzmWT1Twz21/XOF3as1E=",
- "ref": "refs/heads/main",
- "rev": "f2e263737af6b96108ba90c68406e0811043bcc1",
- "revCount": 2,
- "type": "git",
- "url": "ssh://git@github.com/cschmatzler/nixos-config-secrets.git"
- },
- "original": {
- "type": "git",
- "url": "ssh://git@github.com/cschmatzler/nixos-config-secrets.git"
- }
- },
 "sops-nix": {
 "inputs": {
 "nixpkgs": "nixpkgs_4"
diff --git a/flake.nix b/flake.nix
index fa4719c..3f94ed3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -24,10 +24,6 @@
 flake = false;
 };
 nixvim.url = "github:nix-community/nixvim";
- secrets = {
- url = "git+ssh://git@github.com/cschmatzler/nixos-config-secrets.git";
- flake = false;
- };
 };
 outputs = inputs @ {flake-parts, ...}:
diff --git a/hosts/nixos/tahani/default.nix b/hosts/nixos/tahani/default.nix
index 3f365c2..dbdad36 100644
--- a/hosts/nixos/tahani/default.nix
+++ b/hosts/nixos/tahani/default.nix
@@ -1,7 +1,6 @@
 {
 pkgs,
 hostname,
-sops,
 user,
 ...
 }: {
@@ -52,7 +51,30 @@ sops,
 nameservers = ["1.1.1.1"];
 };
- sops.defaultSopsFile = "./secrets/tahani.yaml";
+ sops.secrets = {
+ syncthing-cert = {
+ sopsFile = "secrets/tahani-syncthing-cert";
+ format = "binary";
+ path = "/home/${user}/.config/syncthing/cert.pem";
+ };
+ };
+ services.syncthing = {
+ enable = true;
+ openDefaultPorts = true;
+ dataDir = "/home/${user}/.local/share/syncthing";
+ configDir = "/home/${user}/.config/syncthing";
+ user = "${user}";
+ group = "users";
+ guiAddress = "0.0.0.0:8384";
+ overrideFolders = true;
+ overrideDevices = true;
+ settings = {
+ devices = {};
+ options.globalAnnounceEnabled = false;
+ };
+ };
 services.postgresql = {
 enable = true;
diff --git a/modules/base/default.nix b/modules/base/default.nix
index cb64277..2b5bb0a 100644
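Review bot: Only `syncthing-cert` is declared under `sops.secrets`, while the commit also adds `secrets/tahani-syncthing-key`; with no entry for the key nothing deploys `key.pem`, so syncthing will generate a fresh key that does not match the deployed certificate. A second entry mirroring the first is needed, e.g. `syncthing-key = { sopsFile = "secrets/tahani-syncthing-key"; format = "binary"; path = "/home/${user}/.config/syncthing/key.pem"; };`. The `syncthing-cert` entry also sets no `owner`/`group`, and if sops-nix's defaults apply (root-owned, mode 0400, as I recall) the syncthing service running as `${user}` cannot read the file, so `owner = user;` on both entries is what the service needs. `guiAddress = "0.0.0.0:8384"` is carried over from modules/base, but now that this is a host-specific block it may be worth binding the GUI to localhost or the tailscale address, since `openDefaultPorts` does not cover 8384 and `settings` configures no GUI authentication. The enclosing attribute set continues outside the hunk.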
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@@ -8,6 +8,9 @@
 ];
 nixpkgs = {
+ config = {
+ allowUnfree = true;
+ };
 overlays = let
 path = ../../overlays;
 in
@@ -47,21 +50,5 @@
 tailscale = {
 enable = true;
 };
- syncthing = {
- enable = true;
- openDefaultPorts = true;
- dataDir = "/home/${user}/.local/share/syncthing";
- configDir = "/home/${user}/.config/syncthing";
- user = "${user}";
- group = "users";
- guiAddress = "0.0.0.0:8384";
- overrideFolders = true;
- overrideDevices = true;
-
- settings = {
- devices = {};
- options.globalAnnounceEnabled = false;
- };
- };
 };
 }
diff --git a/modules/base/packages.nix b/modules/base/packages.nix
index f8b30d5..e53f31f 100644
--- a/modules/base/packages.nix
+++ b/modules/base/packages.nix
@@ -2,7 +2,6 @@ with pkgs; [
 alejandra
 sops
- claude-code
 delta
 docker
 docker-compose
@@ -26,7 +25,6 @@ with pkgs; [
 sqlite
 tree
 tree-sitter
- unrar
 unzip
 vivid
 wget
diff --git a/secrets/tahani-syncthing-cert b/secrets/tahani-syncthing-cert
new file mode 100644
index 0000000..e1ea8e0
--- /dev/null
+++ b/secrets/tahani-syncthing-cert
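Review bot: `allowUnfree = true` in the shared base module turns what used to be a per-invocation opt-in (`NIXPKGS_ALLOW_UNFREE=1` in the build-switch scripts) into a blanket policy for every host importing this module, so any unfree package pulled in transitively is now accepted without notice. If the intent is only to keep the few unfree packages already in use, `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ … ];` with an explicit list keeps the license check meaningful; this needs `lib` among the module's arguments, which the hunk does not show. The `nixpkgs` attribute set continues outside the hunk.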
@@ -0,0 +1,19 @@
+{
+ "data": "ENC[AES256_GCM,data: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,iv:xXiyY0eT/6MwMc9BRGaT/vMSGNN6C++pwQGEMc01z8U=,tag:fMBzOz+hKuSfCM3FRgCamA==,type:str]",
+ "sops": {
+ "age": [
+ {
+ "recipient": "age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdUQ3bmdjZGVMRDVZd1hu\nUWw4OStzdGNONVFGdVdjbk9VUGM3MzhWYjB3Ck1SRXp3YXVvRUlmVG1uS285eG8y\nWWtXTXBUY0FNaDVzTjgzMWl0b1RGaHMKLS0tIFlvVXJQTGY1MWhzNkZud2pYNGlO\nWG5acnhSV2g4cXpjMUl0MEpXN2lYUUUKwxENZ+NSS8gxlvWT3QVS/734mcK6AhYM\nMtO9KU+sNUuYX341xx2+oXyz980X2OhCwe6nzsX5D28UTmiROKBbXw==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidGtKVFliajRWbndlVjFD\nWUVrZGhMYlJSNTFBbUExYXBSUGFwelVsUzNVClY2WXNnR1dMcHFsTHNvcjBnL1Vi\nVzBoR3hxc0xCT3FNZ1JrMU1FSzFCWEUKLS0tIHg1cVRScXEwRHdld0RSRUt0bWR1\nUUh4eVdScFg4U29pSmRDT0xoNmVkQmMKBHgwk+OlI8+PcKTornjGBrUR/PEl1Qaj\nYXWctTVFOXwiuk3Lp2M+KJX6YtvPAUuI3BWJoE+esL7NGGKX5Swt3g==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2025-08-12T18:39:30Z",
+ "mac": "ENC[AES256_GCM,data:FAmt5iGVsLmKdKX/PXCIF7ysl5ijTiEI0S7nl9NjuW8et/ksJKdNHDeyeWbfFN/bMRR12N/3TcV+lVHyoDagX6Yfj1ynjhi3xHRyOp472pTPZbJX2gEt1kJ4ZkQkNPEnMIc9WoZ6duaq4py22VWtpzODc0NDSBZXeuPyHoVTP9c=,iv:JQ00ax4F6u7kDGtjYG3KY5oOP8M4ZlNkBhfxBt+84H8=,tag:xEMZDeuulGIueB75REkW2g==,type:str]",
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.10.2"
+ }
+}
diff --git a/secrets/tahani-syncthing-key b/secrets/tahani-syncthing-key
new file mode 100644
index 0000000..0181ec7
--- /dev/null
+++ b/secrets/tahani-syncthing-key
@@ -0,0 +1,19 @@
+{
+ "data": "ENC[AES256_GCM,data:EvYPgzUceBP/KlMG3tvWu7+Bw2Opnj9qoIDWQxGGgpvwQBIDxH4V6iGB3o1sZ2AuvsLBflPlZJLiAYk9Ffqm3wM52nXjWlGlgJcEvIlojQNnx/H09xuEbQk+ULpsMG33RdjDFNwngqKWRs9PAz09nJz9bMhFNCPikikynQun4/It54h4TddHQtey9hT+JovJBEVboUda7Wt4BGIyaENC0i0FfNhPzoaSXFhjhcujSPl2u9xvFQjBb9tleoznqxeVq8d3OB2O3IA/lCTGEj1PJsj/cATXLBC7eQdPiX5zDZ9gpI3ae+PvLt7+/c+g4p0FfR89yiLKF+oxjYEdEXSkBHV7JaO6IOX4pR5eOCjMLe8u1EyVG/e7beflloK5hUGV,iv:iF7eIyJn+FaGoM/OzuPgmPk1HW+aKvIuqDXKLTkc074=,tag:X4lkvzFwDpHGlXPUOZg/1g==,type:str]",
+ "sops": {
+ "age": [
+ {
+ "recipient": "age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWlFqdFJkbWJiaCtQVXd0\nNU9rRVpremxsSVRTK1gxTi9GSEU1a3luREJzCnErbXVoNUUyei84MllxN3F6TE12\nSWk5b0lDYXBUcWhURnhvdGVEUFRnUE0KLS0tIENBa1JmTXVKVUYwREU3Z0RoWGtU\naG9JY1VvajFGdGFpUDcvbDZ4UURkVk0K1Pot9qq+kHSoKXvVDgXShUJOyq1LjY3d\nMX5rqvHbcZ0Ksp2aTrMK6xmbzucbrv0/CIqMoCLNr6DkyVa1ZGCgeA==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeXVUSi9FeUtwcjI5NzFt\nWkV6VUF3bVBLZmMzSVBlY2czb3RIZU10VW1nCmRLTTVramRHSTl2Wi9uYVNFaUxt\nclpSVHNMeUFqV25UcjdyY3l6U2RKYnMKLS0tIDBDRlAvYUJ4SFU5OGFsbkZ6NXRr\nektCZlJMSkRhU2toVFJrZDRWeHpsZUUKDnak2CrvnwXmPewkHI4JEcZokDhZxIvn\n3U/e03i7iW4pKDjtzl8pFCdORwPJ3ttj+6hfBIl4s6MHicCVeTAetA==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2025-08-12T18:39:37Z",
+ "mac": "ENC[AES256_GCM,data:KpPsY88w0y5bJ0+l/0KaqAD5Rd9F6n5M7tZLfKCk9PP+/I2HcQ8GB5oa23TjdXpM0ubYhAnAwGt9EPeC55jT9KFS9EGZkRhmRk6ppI4dTD6ZdXyfjyZMIL6oGCfwTuzyNRhibVzKu8xgKXr6HI7/WXgaTSRihw/o7Ih69vCbNa4=,iv:h0HrGEIRbOaYbFL/lGc3Qwu7znUSIos/JhfkFIFqem0=,tag:W6IEPW6pvhDdZLcCqJKlEw==,type:str]",
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.10.2"
+ }
+}