cschmatzler/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

up

Browse Source
This commit is contained in:
Christoph Schmatzler
2025-08-12 18:46:45 +00:00
parent fd7ad5cf86
commit 874d79f456
10 changed files with 69 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.sops.yaml
View File

@@ -2,7 +2,7 @@ keys:
- &admin_cschmatzler age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek - &admin_cschmatzler age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek
- &host_tahani age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm - &host_tahani age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm
creation_rules: creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ - path_regex: secrets/[^/]+$
key_groups: key_groups:
- age: - age:
- *admin_cschmatzler - *admin_cschmatzler

4
apps/aarch64-darwin/build-switch
View File

@@ -26,10 +26,10 @@ FLAKE_SYSTEM="darwinConfigurations.${MACHINE_NAME}.system"
echo "${YELLOW}Building configuration for machine: ${MACHINE_NAME}${NC}" echo "${YELLOW}Building configuration for machine: ${MACHINE_NAME}${NC}"
NIXPKGS_ALLOW_UNFREE=1 nix --extra-experimental-features 'nix-command flakes' build --impure .#$FLAKE_SYSTEM "$@" nix --extra-experimental-features 'nix-command flakes' build .#$FLAKE_SYSTEM "$@"
echo "${YELLOW}Switching to new generation...${NC}" echo "${YELLOW}Switching to new generation...${NC}"
sudo NIXPKGS_ALLOW_UNFREE=1 ./result/sw/bin/darwin-rebuild switch --impure --flake .#${MACHINE_NAME} sudo ./result/sw/bin/darwin-rebuild switch --flake .#${MACHINE_NAME}
echo "${YELLOW}Cleaning up...${NC}" echo "${YELLOW}Cleaning up...${NC}"
unlink ./result unlink ./result

2
apps/x86_64-linux/build-switch
View File

@@ -12,6 +12,6 @@ HOSTNAME="tahani"
echo -e "${YELLOW}Starting...${NC}" echo -e "${YELLOW}Starting...${NC}"
# We pass SSH from user to root so root can download secrets from our private Github # We pass SSH from user to root so root can download secrets from our private Github
sudo SSH_AUTH_SOCK=$SSH_AUTH_SOCK NIXPKGS_ALLOW_UNFREE=1 /run/current-system/sw/bin/nixos-rebuild switch --impure --flake .#$HOSTNAME $@ sudo SSH_AUTH_SOCK=$SSH_AUTH_SOCK /run/current-system/sw/bin/nixos-rebuild switch --flake .#$HOSTNAME $@
echo -e "${GREEN}Switch to new generation complete!${NC}" echo -e "${GREEN}Switch to new generation complete!${NC}"

17
flake.lock generated
View File

@@ -341,26 +341,9 @@
"nix-homebrew": "nix-homebrew", "nix-homebrew": "nix-homebrew",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nixvim": "nixvim", "nixvim": "nixvim",
"secrets": "secrets",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
}, },
"secrets": {
"flake": false,
"locked": {
"lastModified": 1755022209,
"narHash": "sha256-FZwzbsIz1iNqQjL85VH6rPfQzmWT1Twz21/XOF3as1E=",
"ref": "refs/heads/main",
"rev": "f2e263737af6b96108ba90c68406e0811043bcc1",
"revCount": 2,
"type": "git",
"url": "ssh://git@github.com/cschmatzler/nixos-config-secrets.git"
},
"original": {
"type": "git",
"url": "ssh://git@github.com/cschmatzler/nixos-config-secrets.git"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_4"

4
flake.nix
View File

@@ -24,10 +24,6 @@
flake = false; flake = false;
}; };
nixvim.url = "github:nix-community/nixvim"; nixvim.url = "github:nix-community/nixvim";
secrets = {
url = "git+ssh://git@github.com/cschmatzler/nixos-config-secrets.git";
flake = false;
};
}; };
outputs = inputs @ {flake-parts, ...}: outputs = inputs @ {flake-parts, ...}:

26
hosts/nixos/tahani/default.nix
View File

@@ -1,7 +1,6 @@
{ {
pkgs, pkgs,
hostname, hostname,
sops,
user, user,
... ...
}: { }: {
@@ -52,7 +51,30 @@ sops,
nameservers = ["1.1.1.1"]; nameservers = ["1.1.1.1"];
}; };
sops.defaultSopsFile = "./secrets/tahani.yaml"; sops.secrets = {
syncthing-cert = {
sopsFile = "secrets/tahani-syncthing-cert";
format = "binary";
path = "/home/${user}/.config/syncthing/cert.pem";
};
};
services.syncthing = {
enable = true;
openDefaultPorts = true;
dataDir = "/home/${user}/.local/share/syncthing";
configDir = "/home/${user}/.config/syncthing";
user = "${user}";
group = "users";
guiAddress = "0.0.0.0:8384";
overrideFolders = true;
overrideDevices = true;
settings = {
devices = {};
options.globalAnnounceEnabled = false;
};
};
services.postgresql = { services.postgresql = {
enable = true; enable = true;

19
modules/base/default.nix
View File

@@ -8,6 +8,9 @@
]; ];
nixpkgs = { nixpkgs = {
config = {
allowUnfree = true;
};
overlays = let overlays = let
path = ../../overlays; path = ../../overlays;
in in
@@ -47,21 +50,5 @@
tailscale = { tailscale = {
enable = true; enable = true;
}; };
syncthing = {
enable = true;
openDefaultPorts = true;
dataDir = "/home/${user}/.local/share/syncthing";
configDir = "/home/${user}/.config/syncthing";
user = "${user}";
group = "users";
guiAddress = "0.0.0.0:8384";
overrideFolders = true;
overrideDevices = true;
settings = {
devices = {};
options.globalAnnounceEnabled = false;
};
};
}; };
} }

2
modules/base/packages.nix
View File

@@ -2,7 +2,6 @@
with pkgs; [ with pkgs; [
alejandra alejandra
sops sops
claude-code
delta delta
docker docker
docker-compose docker-compose
@@ -26,7 +25,6 @@ with pkgs; [
sqlite sqlite
tree tree
tree-sitter tree-sitter
unrar
unzip unzip
vivid vivid
wget wget

19
secrets/tahani-syncthing-cert Normal file
View File

@@ -0,0 +1,19 @@
{
"data": "ENC[AES256_GCM,data:GQmaXRUykTZzEFvS3mdFqfNZW8MQavGNJMUqP+vbeXvmihqva16QGmneI9vaXa8HSGi3iFCoMLp6RqazbzL4gW3c6vgmdKkNuU5PogBqsR+wOqkI+SgUm8uS/wXJw0+Q2yUpD0Br/VJhsxcRKi6oVn4qhhWmebo2XOuVshUrlSXo2MtNfZTev0OF/JMkpfZjDi90iRRMPpzjN5oTxSO/rzoFnYkOb4cvMNFrS1h/Fz5zVR+WiPxNMuKLPEnwcNAHE77q5bJ1SVV6YdMTLNeiwze7jxpjY9vDD77l1mIkPgNiZzkhWJ6hP/Otp37sUU3pQCT2Ch0RLWXY9qOAwsl/LC889G8WH5+DsienV08vaMV4YBagb8NzvOBb3jKuxBRwIVkBIrc5Kjkok4iihAzrbWdM/Yb5ga5XOcKB4z6xavrhgLrCVDDiLiTcDG49GKWda3LivaJkqQNyUnc1xJFj1TojwyDEvwDUrseKwH9UFzBKm+bKXBqgW0ehjeAKzuroTMAWgGK+X2WJIAK9C0r0+B9YReEra+hTEcPcOoo81BXY7CiesjHBXa8JpdSjjdiG1WRKOg0w8JEWMQL5XZLrCJ/oniuaqMjmSFB4eYEJeBbCRB7rZ3luHPijnSTAqPEbnCWH7XvNn5Y/rzul/QTtSgh1FrdDPPBLz57gRshRR5gbb/Dcjt4nL9bUbf+ZgP57g09BgLHphkR4pj6IwfepaZig+1H0DDfB4l1AhP6Tt4HtdJ3Ks5UOYTQ2htF6Dt/gb1xmaJ5//H51TcAX5ithEviRGxoX+znm7SQ6BQluKI5kvwuj8QQ7lkD7845u3tDTkWlfyioNmRubUD7PSXwQFWWqbuqrMry+ZpwZ1Dj9rJ7YqvRxoehKGW8lGsRIKzMoD8bnP+GtDW1IKkSMqXnDLQZobKDAVsrf6dmaZiTGvMZt+cEBs+C9Lw6tLEsepQVLlKzTttnhUqnRtcwWJJHJA5A1uBmv4qvbikm+T5+he7Di3Fx1wBYJizqRD3nCt6fGNHwKYjRVPXmjEcjAm5riBSM5fbs4SL+1vmo=,iv:xXiyY0eT/6MwMc9BRGaT/vMSGNN6C++pwQGEMc01z8U=,tag:fMBzOz+hKuSfCM3FRgCamA==,type:str]",
"sops": {
"age": [
{
"recipient": "age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdUQ3bmdjZGVMRDVZd1hu\nUWw4OStzdGNONVFGdVdjbk9VUGM3MzhWYjB3Ck1SRXp3YXVvRUlmVG1uS285eG8y\nWWtXTXBUY0FNaDVzTjgzMWl0b1RGaHMKLS0tIFlvVXJQTGY1MWhzNkZud2pYNGlO\nWG5acnhSV2g4cXpjMUl0MEpXN2lYUUUKwxENZ+NSS8gxlvWT3QVS/734mcK6AhYM\nMtO9KU+sNUuYX341xx2+oXyz980X2OhCwe6nzsX5D28UTmiROKBbXw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidGtKVFliajRWbndlVjFD\nWUVrZGhMYlJSNTFBbUExYXBSUGFwelVsUzNVClY2WXNnR1dMcHFsTHNvcjBnL1Vi\nVzBoR3hxc0xCT3FNZ1JrMU1FSzFCWEUKLS0tIHg1cVRScXEwRHdld0RSRUt0bWR1\nUUh4eVdScFg4U29pSmRDT0xoNmVkQmMKBHgwk+OlI8+PcKTornjGBrUR/PEl1Qaj\nYXWctTVFOXwiuk3Lp2M+KJX6YtvPAUuI3BWJoE+esL7NGGKX5Swt3g==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-08-12T18:39:30Z",
"mac": "ENC[AES256_GCM,data:FAmt5iGVsLmKdKX/PXCIF7ysl5ijTiEI0S7nl9NjuW8et/ksJKdNHDeyeWbfFN/bMRR12N/3TcV+lVHyoDagX6Yfj1ynjhi3xHRyOp472pTPZbJX2gEt1kJ4ZkQkNPEnMIc9WoZ6duaq4py22VWtpzODc0NDSBZXeuPyHoVTP9c=,iv:JQ00ax4F6u7kDGtjYG3KY5oOP8M4ZlNkBhfxBt+84H8=,tag:xEMZDeuulGIueB75REkW2g==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

19
secrets/tahani-syncthing-key Normal file
View File

@@ -0,0 +1,19 @@
{
"data": "ENC[AES256_GCM,data:EvYPgzUceBP/KlMG3tvWu7+Bw2Opnj9qoIDWQxGGgpvwQBIDxH4V6iGB3o1sZ2AuvsLBflPlZJLiAYk9Ffqm3wM52nXjWlGlgJcEvIlojQNnx/H09xuEbQk+ULpsMG33RdjDFNwngqKWRs9PAz09nJz9bMhFNCPikikynQun4/It54h4TddHQtey9hT+JovJBEVboUda7Wt4BGIyaENC0i0FfNhPzoaSXFhjhcujSPl2u9xvFQjBb9tleoznqxeVq8d3OB2O3IA/lCTGEj1PJsj/cATXLBC7eQdPiX5zDZ9gpI3ae+PvLt7+/c+g4p0FfR89yiLKF+oxjYEdEXSkBHV7JaO6IOX4pR5eOCjMLe8u1EyVG/e7beflloK5hUGV,iv:iF7eIyJn+FaGoM/OzuPgmPk1HW+aKvIuqDXKLTkc074=,tag:X4lkvzFwDpHGlXPUOZg/1g==,type:str]",
"sops": {
"age": [
{
"recipient": "age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWlFqdFJkbWJiaCtQVXd0\nNU9rRVpremxsSVRTK1gxTi9GSEU1a3luREJzCnErbXVoNUUyei84MllxN3F6TE12\nSWk5b0lDYXBUcWhURnhvdGVEUFRnUE0KLS0tIENBa1JmTXVKVUYwREU3Z0RoWGtU\naG9JY1VvajFGdGFpUDcvbDZ4UURkVk0K1Pot9qq+kHSoKXvVDgXShUJOyq1LjY3d\nMX5rqvHbcZ0Ksp2aTrMK6xmbzucbrv0/CIqMoCLNr6DkyVa1ZGCgeA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeXVUSi9FeUtwcjI5NzFt\nWkV6VUF3bVBLZmMzSVBlY2czb3RIZU10VW1nCmRLTTVramRHSTl2Wi9uYVNFaUxt\nclpSVHNMeUFqV25UcjdyY3l6U2RKYnMKLS0tIDBDRlAvYUJ4SFU5OGFsbkZ6NXRr\nektCZlJMSkRhU2toVFJrZDRWeHpsZUUKDnak2CrvnwXmPewkHI4JEcZokDhZxIvn\n3U/e03i7iW4pKDjtzl8pFCdORwPJ3ttj+6hfBIl4s6MHicCVeTAetA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-08-12T18:39:37Z",
"mac": "ENC[AES256_GCM,data:KpPsY88w0y5bJ0+l/0KaqAD5Rd9F6n5M7tZLfKCk9PP+/I2HcQ8GB5oa23TjdXpM0ubYhAnAwGt9EPeC55jT9KFS9EGZkRhmRk6ppI4dTD6ZdXyfjyZMIL6oGCfwTuzyNRhibVzKu8xgKXr6HI7/WXgaTSRihw/o7Ih69vCbNa4=,iv:h0HrGEIRbOaYbFL/lGc3Qwu7znUSIos/JhfkFIFqem0=,tag:W6IEPW6pvhDdZLcCqJKlEw==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}