This commit is contained in:
2025-08-12 18:36:19 +00:00
parent ed7fc605b1
commit fd7ad5cf86
9 changed files with 132 additions and 131 deletions

9
.sops.yaml Normal file

@@ -0,0 +1,9 @@
keys:
- &admin_cschmatzler age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek
- &host_tahani age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *admin_cschmatzler
- *host_tahani
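Review bot: The creation rule's `path_regex` is not anchored at the start, so `secrets/[^/]+\.(yaml|json|env|ini)$` also matches any nested directory named secrets/ anywhere in the tree and would encrypt those files to the same two recipients; anchoring it as `path_regex: ^secrets/[^/]+\.(yaml|json|env|ini)$` keeps the rule to the repository's own secrets/ directory. Both recipients sit in a single `age:` group, so either key alone decrypts every matching file; that is the usual sops-nix layout, but a comment on each anchor naming where the key lives (`# admin workstation age identity` / `# tahani host key — confirm how it is provisioned`) would document the trust boundary. Editing this list later does not re-key files that already exist until `sops updatekeys` is run on them, which is worth a comment too.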

174
flake.lock generated

@@ -1,26 +1,5 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1754433428,
"narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
"owner": "ryantm",
"repo": "agenix",
"rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"brew-src": { "brew-src": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -39,28 +18,6 @@
} }
}, },
"darwin": { "darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"darwin_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@@ -122,7 +79,7 @@
}, },
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1731533236,
@@ -140,28 +97,7 @@
}, },
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": "nixpkgs"
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1754974548, "lastModified": 1754974548,
@@ -273,16 +209,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1754028485, "lastModified": 1754725699,
"narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "59e69648d345d6e8fef86158c555730fa12af9de", "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-25.05", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@@ -303,22 +239,6 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1754725699,
"narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1755005871, "lastModified": 1755005871,
"narHash": "sha256-qqhLstgA5OFjSUkY0DeQJDyU8Yd0b3PAmSbHz9/bE+M=", "narHash": "sha256-qqhLstgA5OFjSUkY0DeQJDyU8Yd0b3PAmSbHz9/bE+M=",
@@ -334,7 +254,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1754393734, "lastModified": 1754393734,
"narHash": "sha256-fbnmAwTQkuXHKBlcL5Nq1sMAzd3GFqCOQgEQw6Hy0Ak=", "narHash": "sha256-fbnmAwTQkuXHKBlcL5Nq1sMAzd3GFqCOQgEQw6Hy0Ak=",
@@ -350,12 +270,28 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": {
"locked": {
"lastModified": 1744868846,
"narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixvim": { "nixvim": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_2",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_3",
"nuschtosSearch": "nuschtosSearch", "nuschtosSearch": "nuschtosSearch",
"systems": "systems_3" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1754921951, "lastModified": 1754921951,
@@ -396,16 +332,51 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "darwin": "darwin",
"darwin": "darwin_2",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"home-manager": "home-manager_2", "home-manager": "home-manager",
"homebrew-axe": "homebrew-axe", "homebrew-axe": "homebrew-axe",
"homebrew-cask": "homebrew-cask", "homebrew-cask": "homebrew-cask",
"homebrew-core": "homebrew-core", "homebrew-core": "homebrew-core",
"nix-homebrew": "nix-homebrew", "nix-homebrew": "nix-homebrew",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_2",
"nixvim": "nixvim" "nixvim": "nixvim",
"secrets": "secrets",
"sops-nix": "sops-nix"
}
},
"secrets": {
"flake": false,
"locked": {
"lastModified": 1755022209,
"narHash": "sha256-FZwzbsIz1iNqQjL85VH6rPfQzmWT1Twz21/XOF3as1E=",
"ref": "refs/heads/main",
"rev": "f2e263737af6b96108ba90c68406e0811043bcc1",
"revCount": 2,
"type": "git",
"url": "ssh://git@github.com/cschmatzler/nixos-config-secrets.git"
},
"original": {
"type": "git",
"url": "ssh://git@github.com/cschmatzler/nixos-config-secrets.git"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1754988908,
"narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
}, },
"systems": { "systems": {
@@ -437,21 +408,6 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",


@@ -4,7 +4,7 @@
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/master"; nixpkgs.url = "github:nixos/nixpkgs/master";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
agenix.url = "github:ryantm/agenix"; sops-nix.url = "github:Mic92/sops-nix";
home-manager.url = "github:nix-community/home-manager"; home-manager.url = "github:nix-community/home-manager";
darwin = { darwin = {
url = "github:LnL7/nix-darwin/master"; url = "github:LnL7/nix-darwin/master";
@@ -24,6 +24,10 @@
flake = false; flake = false;
}; };
nixvim.url = "github:nix-community/nixvim"; nixvim.url = "github:nix-community/nixvim";
secrets = {
url = "git+ssh://git@github.com/cschmatzler/nixos-config-secrets.git";
flake = false;
};
}; };
outputs = inputs @ {flake-parts, ...}: outputs = inputs @ {flake-parts, ...}:
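Review bot: `sops-nix.url` on the new side is added without a nixpkgs follows, so the lock in this commit gains a separate nixpkgs pin (`nixpkgs_4`, referenced from the `sops-nix` node) that is fetched and evaluated on its own; `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` keeps it on the root nixpkgs, as the lock shows `darwin` already doing. Other inputs that carry their own nixpkgs predate this commit, so this is consistency rather than a regression. The new `secrets` input is a private non-flake repository fetched over `git+ssh`, while encrypted secrets are also committed here under secrets/; a one-line comment on the `secrets` block saying what it still holds would help, since the only `secrets,` module argument visible on this page is removed in the same commit and its real consumer may be outside the hunks.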


@@ -1,6 +1,7 @@
{ {
pkgs, pkgs,
hostname, hostname,
sops,
user, user,
... ...
}: { }: {
@@ -51,6 +52,8 @@
nameservers = ["1.1.1.1"]; nameservers = ["1.1.1.1"];
}; };
sops.defaultSopsFile = "./secrets/tahani.yaml";
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_17; package = pkgs.postgresql_17;
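Review bot: `sops.defaultSopsFile = "./secrets/tahani.yaml";` is a string rather than a Nix path; the sops-nix option is path-typed, and a relative string is neither an absolute nor a store path, so evaluation is likely to reject it, and even if it were accepted nothing would copy the encrypted file into the closure. A path literal, `sops.defaultSopsFile = ./secrets/tahani.yaml;` (relative to this module file, so adjust with `..` if secrets/ sits higher up), makes the file part of the build. The new `sops,` argument at the top of the module is unused in both hunks and does not match the flake input name `sops-nix`; unless specialArgs supplies an attribute called `sops`, module evaluation fails on the missing argument, so it should be dropped. The enclosing module continues outside both hunks.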


@@ -1,11 +1,10 @@
{ {
agenix, sops-nix,
pkgs, pkgs,
user, user,
... ...
}: { }: {
imports = [ imports = [
agenix.darwinModules.default
]; ];
nixpkgs = { nixpkgs = {
@@ -42,13 +41,27 @@
''; '';
}; };
environment.systemPackages = with pkgs; [
agenix.packages."${pkgs.system}".default
];
programs.fish.enable = true; programs.fish.enable = true;
services.tailscale = { services = {
tailscale = {
enable = true; enable = true;
}; };
syncthing = {
enable = true;
openDefaultPorts = true;
dataDir = "/home/${user}/.local/share/syncthing";
configDir = "/home/${user}/.config/syncthing";
user = "${user}";
group = "users";
guiAddress = "0.0.0.0:8384";
overrideFolders = true;
overrideDevices = true;
settings = {
devices = {};
options.globalAnnounceEnabled = false;
};
};
};
} }
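Review bot: `guiAddress = "0.0.0.0:8384"` binds the Syncthing web UI on every interface while `settings` configures no GUI credentials, so anyone who can reach the host on 8384 can change the sync configuration; bind it to loopback (`guiAddress = "127.0.0.1:8384";`) or the Tailscale address, or supply `settings.gui.user` and a password from the sops secret. `openDefaultPorts = true` only opens the sync and discovery ports, not 8384, so it does not affect that exposure either way and deserves a comment saying so. The `sops-nix,` argument that replaces `agenix,` is unused on the new side now that `imports` is empty, and if this is the nix-darwin host (the removed import is `agenix.darwinModules.default`) the `services.syncthing` options used here look like the NixOS module's, so confirm nix-darwin provides them before relying on the `/home/${user}` paths.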


@@ -1,8 +1,7 @@
{pkgs}: {pkgs}:
with pkgs; [ with pkgs; [
age
age-plugin-yubikey
alejandra alejandra
sops
claude-code claude-code
delta delta
docker docker
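Review bot: `sops` on the new side is inserted between `alejandra` and `claude-code`, breaking the alphabetical order the rest of this list follows (`age`, `age-plugin-yubikey`, `alejandra`, `claude-code`, `delta`, `docker`); move it to its sorted position further down. The list continues outside the hunk.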


@@ -1,8 +1,4 @@
{ {
config,
pkgs,
agenix,
secrets,
user, user,
... ...
}: { }: {


@@ -1,15 +1,14 @@
{ {
pkgs, pkgs,
nixvim, nixvim,
config,
user, user,
agenix, sops-nix,
... ...
}: let }: let
sshKeys = import ../../shared/ssh-keys.nix; sshKeys = import ../../shared/ssh-keys.nix;
in { in {
imports = [ imports = [
agenix.nixosModules.default sops-nix.nixosModules.sops
]; ];
system.stateVersion = "25.11"; system.stateVersion = "25.11";
@@ -88,10 +87,6 @@ in {
enable = true; enable = true;
}; };
environment.systemPackages = [
agenix.packages."${pkgs.system}".default
];
home-manager = { home-manager = {
users.${user} = { users.${user} = {
pkgs, pkgs,
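Review bot: `sops-nix.nixosModules.sops` is imported, but nothing in either hunk records where tahani's age identity comes from; sops-nix by default derives it from the host's SSH ed25519 key, which has to correspond to the `host_tahani` recipient in `.sops.yaml`, so a comment beside the import such as `# decrypts secrets/tahani.yaml with the age key sops-nix derives from this host's SSH host key — confirm` captures that dependency. Dropping `config` from the argument set is only safe if nothing else in the file reads it; the module runs past both hunks, so that cannot be checked here.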

26
secrets/tahani.yaml Normal file

@@ -0,0 +1,26 @@
syncthing_cert: ENC[AES256_GCM,data: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,iv:DSQ2uHBlhFaMklqbItA6Crt09EOydiCD7DzQcSPJdlM=,tag:nWT/ZiJVGKojw/QzhVJiqg==,type:str]
syncthing_key: ENC[AES256_GCM,data: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,iv:RnSiWtdgQfDiEooqm5ecjubN5uR11+qa28d79v+6GK8=,tag:LJwBUw3BBvcUWPGBKOSSsA==,type:str]
sops:
age:
- recipient: age1smjjh7l5gchlp4zgfqcxaam506mudacsr37nqj690t0gktzlksvqskd2ek
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VlRCZHlaRVVjbTAweEMv
RXc5eDZMdjk3MFEyZFY2NmFYZGg0WFVuK1d3CmpheFB0SzlTWTA2MXg4eDVSeG9a
ZGlkK3BJbzM5RkNOazV5TGNJWVI1bDAKLS0tIExBM1JQNk9IL1FHeXFabWJ2ckxW
U1BsSnRNWTdUMlR5YVlGaW1PWDdBNzQKSZVNl4AWkEzn6cTxOrl+OVpWel1JQHmy
w8kWDihMnFfB4LwuDePYtUIFdOxxWeTZjObP/UP6ZxumhxNEAOR6tQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZFhkSGVjSTNJVUdIbnFj
WEJNMGhheHVUUUdQM01vb0tNamg2ekExc244ClJsT21uZ2ZJZlNoQ0Vld01JWFAx
bDBwNEEvZ0dFalVVb2kxaUZ3Q0x4eTAKLS0tIHhWRmh2N3NEekN0bnJSSHBVTzBk
cEE5bVpUSE9TY2t3ZjZTSUZ3Z1ZreGsKqZH2+N5cTl5a5MIDO/x33RQ44ZZWM8HN
eb0lI8kOc+e4plDQF6Qe2RXJCKcD/4MPkB70sUiPb6SemqBfrREsew==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-12T18:34:32Z"
mac: ENC[AES256_GCM,data:XBKlvlDejMuOK5LXFTtmIV0TcnzAPctQrmhV28ZqPcdpiBYINGiWM4r4Zo3fNjpjBhKx+Vd3sIIGiBBi40Lhm1uK6FBAZ7eqhIDU0LOsJJ+jBo26m7kXCWYddzoPzTHBfYRx0DyecLml2bhW8JuRv5v5/IHSq6ibF5XUtbZT9GA=,iv:oOUCUd2BlodibsUoe1eLWWtJvempPZBckfgAwU4rqKA=,tag:gYmsLVaOopKJsO7k52vZKw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2