feat: migrate all containers and hosts to sops

nix/os/devices/sj-vps-htz0: bump versions
nix/os/devices/elias-e525: bump versions
nix/os/devices/steveej-t14: bump versions
nix/os/devices/justyna-p300: bump versions
steveej 2023-07-09 20:15:06 +02:00
parent 4e0d0c3abd
commit ea7caae226
25 changed files with 241 additions and 180 deletions


@ -1,11 +1,13 @@
{repoFlake, ...}: let
nodeName = "elias-e525";
{
nodeName,
repoFlake,
nodeFlake,
...
}: let
system = "x86_64-linux";
nodeFlake = repoFlake.inputs.get-flake ./.;
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit nodeName nodeFlake;
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
};
@ -13,17 +15,15 @@ in {
inherit system;
};
# TODO: build a module with "meta" and "freeformtype" for all the others
${nodeName} = {
deployment.targetHost = nodeName;
deployment.targetHost = "192.168.15.198";
deployment.replaceUnknownProfiles = false;
# deployment.allowLocalDeployment = true;
imports = [
(repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
nodeFlake.inputs.home-manager.nixosModules.home-manager
./configuration.nix
];
};
}
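Review bot: `deployment.targetHost = "192.168.15.198";` swaps the hostname for a bare private address, and nothing in the hunk records why or how that address is kept stable. If it is a DHCP lease (not visible here), a reassigned lease would point the deployment at a different machine, and SSH host-key checking would be the only thing stopping the closure from being pushed there. I would keep the literal but document it, e.g. `# static lease for elias-e525; pin its SSH host key before deploying`, or pass the address in as a per-node argument next to `nodeName`. The justyna-p300 counterpart further down still uses `targetHost = nodeName`, so the two device files now differ on this point.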


@ -4,36 +4,35 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
]
},
"locked": {
"lastModified": 1681092193,
"narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
"lastModified": 1687871164,
"narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
"rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-22.11",
"ref": "release-23.05",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1681696129,
"narHash": "sha256-Ba2y1lmsWmmAOAoTD5G9UnTS/UqV0ZFyzysgdfu7qag=",
"lastModified": 1688868408,
"narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "de66115c552acc4e0c0f92c5a5efb32e37dfa216",
"rev": "510d721ce097150ae3b80f84b04b13b039186571",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.11",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
@ -43,21 +42,6 @@
"home-manager": "home-manager",
"nixpkgs": "nixpkgs"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",


@ -1,8 +1,8 @@
{
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
inputs.home-manager = {
url = "github:nix-community/home-manager/release-22.11";
url = "github:nix-community/home-manager/release-23.05";
inputs.nixpkgs.follows = "nixpkgs";
};


@ -17,15 +17,9 @@
home.keyboard = keyboard;
home.packages = with pkgs; [
rhythmbox
lollypop
dia
rustdesk
kotatogram-desktop
jitsi-meet-electron
signal-desktop
];
};
in {


@ -43,4 +43,6 @@ in {
services.xserver.videoDrivers = ["modesetting"];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
nix.gc = {automatic = true;};
}


@ -4,19 +4,30 @@
lib,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
in {
sops.secrets.sharedUsers-elias = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;
format = "yaml";
};
sops.secrets.sharedUsers-justyna = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;
format = "yaml";
};
users.extraUsers.elias = mkUser {
uid = 1001;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
hashedPassword = passwords.users.elias;
passwordFile = config.sops.secrets.sharedUsers-elias.path;
};
users.extraUsers.justyna = mkUser {
uid = 1002;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
hashedPassword = passwords.users.justyna;
passwordFile = config.sops.secrets.sharedUsers-justyna.path;
};
}
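Review bot: `passwordFile = config.sops.secrets.sharedUsers-elias.path;` and the matching justyna line carry no comment about what the sops value must contain; `passwordFile` expects a crypt(3) hash as produced by `mkpasswd`, so a plaintext entry in `secrets/shared-users.yaml` would leave the account with an unusable password. I would add `# value in shared-users.yaml must be a mkpasswd hash, not the plaintext password` above each `sops.secrets.sharedUsers-*` entry. Whether `users.mutableUsers` is false on these hosts is not visible in the hunk; if it is true, the file is only applied when an account is first created, so existing accounts would keep their old hash. The same change appears in the justyna-p300 users hunk further down and the same comment applies there.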


@ -1,12 +1,13 @@
{repoFlake, ...}: let
nodeName = "justyna-p300";
# system = "i686-linux";
{
nodeName,
repoFlake,
nodeFlake,
...
}: let
system = "x86_64-linux";
nodeFlake = repoFlake.inputs.get-flake ./.;
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit nodeName nodeFlake;
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
};
@ -14,17 +15,15 @@ in {
inherit system;
};
# TODO: build a module with "meta" and "freeformtype" for all the others
${nodeName} = {
deployment.targetHost = nodeName;
deployment.replaceUnknownProfiles = false;
# deployment.allowLocalDeployment = true;
imports = [
(repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
nodeFlake.inputs.home-manager.nixosModules.home-manager
./configuration.nix
];
};
}


@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1682299489,
"narHash": "sha256-bqHo0/82KB+IyBMyjBd6QdyZWJl/YZeGggjBsAgRFlY=",
"lastModified": 1688544596,
"narHash": "sha256-/rbDM71Qpj4gMp54r9mQ2AdD10jEMtnrQ3b2Xf+HYTU=",
"owner": "nix-community",
"repo": "disko",
"rev": "8ab9e5609929379ab15f03fd3bdc1f85419e5a3a",
"rev": "fc3c3817c9f1fcd405463c6a7f0f98baab97c692",
"type": "github"
},
"original": {
@ -24,36 +24,35 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
]
},
"locked": {
"lastModified": 1681092193,
"narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
"lastModified": 1687871164,
"narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
"rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-22.11",
"ref": "release-23.05",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1682303062,
"narHash": "sha256-x+KAADp27lbxeoPXLUMxKcRsUUHDlg+qVjt5PjgBw9A=",
"lastModified": 1688939073,
"narHash": "sha256-jYhYjeK5s6k8QS3i+ovq9VZqBJaWbxm7awTKNhHL9d0=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "f5364316e314436f6b9c8fd50592b18920ab18f9",
"rev": "8df7a67abaf8aefc8a2839e0b48f92fdcf69a38b",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.11",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
@ -64,21 +63,6 @@
"home-manager": "home-manager",
"nixpkgs": "nixpkgs"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",


@ -1,8 +1,8 @@
{
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
inputs.home-manager = {
url = "github:nix-community/home-manager/release-22.11";
url = "github:nix-community/home-manager/release-23.05";
inputs.nixpkgs.follows = "nixpkgs";
};


@ -18,15 +18,9 @@
home.keyboard = keyboard;
home.packages = with pkgs; [
rhythmbox
lollypop
dia
rustdesk
kotatogram-desktop
jitsi-meet-electron
signal-desktop
];
};
in {
@ -55,11 +49,15 @@ in {
variant = "";
};
home-manager.users.justyna = homeEnv {
layout = "de";
options = [];
variant = "";
};
home-manager.users.justyna =
lib.attrsets.recursiveUpdate (homeEnv {
layout = "de";
options = [];
variant = "";
}) {
services.syncthing.enable = true;
services.syncthing.tray = true;
};
system.stateVersion = "21.11";
}
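Review bot: The new `home-manager.users.justyna` assignment merges the syncthing settings with `lib.attrsets.recursiveUpdate`, which operates on plain attribute sets outside the module system: a list or leaf value that `homeEnv` already sets at the same path would be replaced rather than merged, and option priorities are ignored. That is harmless for the two `services.syncthing.*` keys added here, but the module-system form is safer as the override grows: `home-manager.users.justyna = lib.mkMerge [(homeEnv {layout = "de"; options = []; variant = "";}) {services.syncthing.enable = true; services.syncthing.tray = true;}];`. This assumes `homeEnv` returns an attribute set, which its use with `recursiveUpdate` suggests.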


@ -41,4 +41,6 @@ in {
services.xserver.videoDrivers = ["modesetting"];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
nix.gc = {automatic = true;};
}


@ -3,19 +3,30 @@
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
in {
sops.secrets.sharedUsers-elias = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;
format = "yaml";
};
sops.secrets.sharedUsers-justyna = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;
format = "yaml";
};
users.extraUsers.elias = mkUser {
uid = 1001;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
hashedPassword = passwords.users.elias;
passwordFile = config.sops.secrets.sharedUsers-elias.path;
};
users.extraUsers.justyna = mkUser {
uid = 1002;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
hashedPassword = passwords.users.justyna;
passwordFile = config.sops.secrets.sharedUsers-justyna.path;
};
}


@ -23,11 +23,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1688109178,
"narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=",
"lastModified": 1688868408,
"narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b72aa95f7f096382bff3aea5f8fde645bca07422",
"rev": "510d721ce097150ae3b80f84b04b13b039186571",
"type": "github"
},
"original": {
@ -39,11 +39,11 @@
},
"nixpkgs-master": {
"locked": {
"lastModified": 1688246754,
"narHash": "sha256-OuUvCCMrJgN9K/L1j2ADMxu/nuJhplFjIZFFtelnymc=",
"lastModified": 1688925019,
"narHash": "sha256-281HjmJycKt8rZ0/vpYTtJuZrQl6mpGNlUFf8cebmeA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b9b176f8b8155c122e01a336b439ce57b2485b40",
"rev": "2b356dae6208d422236c4cdc48f3bed749f9daea",
"type": "github"
},
"original": {
@ -55,11 +55,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1688180391,
"narHash": "sha256-oTUSZepWQ7AYQKvNPkf8QyxkfoVpEhGioVji0hd3p8U=",
"lastModified": 1688891216,
"narHash": "sha256-ZUQs8C5N6aw/QeBhUFGcX89OoYoP9jbdmbR6aSbvaHg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "1353de5923daba8462cfc3624d8c2d70cbafafcd",
"rev": "e4a12fdac2a313b18e7f66a097108412b07c5f00",
"type": "github"
},
"original": {


@ -73,6 +73,8 @@
webserver =
import ../../containers/webserver.nix
{
inherit repoFlake;
autoStart = true;
hostAddress = "192.168.100.12";


@ -39,11 +39,11 @@
},
"nixpkgs-2305": {
"locked": {
"lastModified": 1688594934,
"narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=",
"lastModified": 1688868408,
"narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "e11142026e2cef35ea52c9205703823df225c947",
"rev": "510d721ce097150ae3b80f84b04b13b039186571",
"type": "github"
},
"original": {
@ -55,11 +55,11 @@
},
"nixpkgs-master": {
"locked": {
"lastModified": 1688722718,
"narHash": "sha256-Uralooke0g1EgrNDjboSiqc0BHOCgiugL43JAA1ncDA=",
"lastModified": 1688969282,
"narHash": "sha256-Ti0dejGXXvhEDATY5nJB0GdKM6AdVwJNTp6LWx8pHyw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5cbff28ae66e5a98386bcbea29f5a7252c33c808",
"rev": "9d6e454b857fb472fa35fc8b098fa5ac307a0d7d",
"type": "github"
},
"original": {
@ -71,11 +71,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1688590700,
"narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=",
"lastModified": 1688918189,
"narHash": "sha256-f8ZlJ67LgEUDnN7ZsAyd1/Fyby1VdOXWg4XY/irSGrQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b",
"rev": "408c0e8c15a1c9cf5c3226931b6f283c9867c484",
"type": "github"
},
"original": {
@ -87,11 +87,11 @@
},
"nixpkgs-unstable-small": {
"locked": {
"lastModified": 1688640665,
"narHash": "sha256-bpNl3nTFDZqrLiRU0bO6vdIT5Ww13nNCVsOLLKEqGuE=",
"lastModified": 1688951312,
"narHash": "sha256-0oG4uv60m5+oOMqgYYQ3ao3OK3YP3n3t7nWFtuyR/uQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "88faf206ce0d5cfda760539a367daf6cde5b3712",
"rev": "2a5f6cac357616d2596167d0631b4ca729e9a3ea",
"type": "github"
},
"original": {


@ -269,6 +269,7 @@ in {
users.mutableUsers = false;
users.extraUsers.root = {
# FIXME: this is deprecated but so is this device probably
hashedPassword = passwords.users.root;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"
@ -279,6 +280,7 @@ in {
isNormalUser = true;
home = "/home/steveej";
extraGroups = ["wheel" "libvirtd"];
# FIXME: this is deprecated but so is this device probably
hashedPassword = passwords.users.steveej;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"
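Review bot: The two added `# FIXME: this is deprecated but so is this device probably` comments do not say what is deprecated or what replaces it, and this host still reads `passwords.users.root` and `passwords.users.steveej` from the old `passwords` set although the commit title says all hosts were migrated to sops. With `users.mutableUsers = false` visible above, these hashes are the only password source for both accounts, and a value passed through `hashedPassword` is, as far as I know, written into the system closure in the Nix store. I would make the comment actionable, e.g. `# FIXME: not migrated to sops; hashedPassword still comes from the old passwords import — move to sops.secrets + passwordFile or retire this device`. Both user blocks continue outside the hunks shown.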