repomaa/nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

use agenix

Browse Source
This commit is contained in:
Joakim Repomaa
2025-02-11 22:15:44 +02:00
parent 8a1f2c4968
commit 0bc01cd2b1
20 changed files with 182 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
flake.lock generated
View File

@@ -1,5 +1,28 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1736955230,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"auto-cpufreq": { "auto-cpufreq": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -51,6 +74,28 @@
"type": "github" "type": "github"
} }
}, },
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -144,7 +189,7 @@
}, },
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1710146030,
@@ -162,7 +207,7 @@
}, },
"flake-utils_2": { "flake-utils_2": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1701680307, "lastModified": 1701680307,
@@ -180,7 +225,7 @@
}, },
"flake-utils_3": { "flake-utils_3": {
"inputs": { "inputs": {
"systems": "systems_3" "systems": "systems_4"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1710146030,
@@ -298,6 +343,27 @@
} }
}, },
"home-manager": { "home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@@ -645,13 +711,14 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix",
"auto-cpufreq": "auto-cpufreq", "auto-cpufreq": "auto-cpufreq",
"commander-nvim": "commander-nvim", "commander-nvim": "commander-nvim",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"gen-nvim": "gen-nvim", "gen-nvim": "gen-nvim",
"gtrackmap": "gtrackmap", "gtrackmap": "gtrackmap",
"hastebin": "hastebin", "hastebin": "hastebin",
"home-manager": "home-manager", "home-manager": "home-manager_2",
"ketchup": "ketchup", "ketchup": "ketchup",
"ksoloti-pr": "ksoloti-pr", "ksoloti-pr": "ksoloti-pr",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
@@ -730,6 +797,21 @@
"type": "github" "type": "github"
} }
}, },
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"vimpeccable": { "vimpeccable": {
"flake": false, "flake": false,
"locked": { "locked": {

7
flake.nix
View File

@@ -52,8 +52,12 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
ksoloti-pr.url = "github:repomaa/nixpkgs/pkg/ksoloti"; ksoloti-pr.url = "github:repomaa/nixpkgs/pkg/ksoloti";
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = { flake-parts, nixpkgs, ... }@inputs: };
outputs = { flake-parts, agenix, nixpkgs, ... }@inputs:
flake-parts.lib.mkFlake { inherit inputs; } ( flake-parts.lib.mkFlake { inherit inputs; } (
let let
ssh.publicKeys.yubikey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLIUkESu5NnBi1M0+ZjYrkp6/rIFuwc3aguspf98jmOydNce6l65cnS3GRzc9oWx4lu11ahi87ZuE+pYV+gaHm4="; ssh.publicKeys.yubikey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLIUkESu5NnBi1M0+ZjYrkp6/rIFuwc3aguspf98jmOydNce6l65cnS3GRzc9oWx4lu11ahi87ZuE+pYV+gaHm4=";
@@ -74,6 +78,7 @@
(writeShellScriptBin "evaluate" '' (writeShellScriptBin "evaluate" ''
${nix}/bin/nix build --dry-run ".#nixosConfigurations.$1.config.system.build.toplevel" | ${nix-output-monitor}/bin/nom ${nix}/bin/nix build --dry-run ".#nixosConfigurations.$1.config.system.build.toplevel" | ${nix-output-monitor}/bin/nom
'') '')
agenix.packages.${pkgs.system}.default
]; ];
}; };
}; };

1
hosts/freun.dev/default.nix
View File

@@ -4,5 +4,6 @@
./hardware-configuration.nix ./hardware-configuration.nix
./configuration.nix ./configuration.nix
./services.nix ./services.nix
./secrets.nix
]; ];
} }

22
hosts/freun.dev/secrets.nix Normal file
View File

@@ -0,0 +1,22 @@
{ lib, config, ... }:
{
age.secrets = lib.listToAttrs
(
map (secret: { name = secret; value = { file = ../../secrets/${secret}.age; }; }) [
"gotosocial"
"hastebin-tokens"
"immich"
"storage-box-credentials"
"vaultwarden"
]
) // {
smtp-password = {
file = ../../secrets/smtp-password.age;
owner =
if (config.services.grafana.enable) then
config.systemd.services.grafana.serviceConfig.User
else
"root";
};
};
}

5
hosts/radish/packages.nix
View File

@@ -24,6 +24,11 @@
}; };
services = { services = {
openssh = {
enable = true;
openFirewall = false;
};
tailscale = { tailscale = {
enable = true; enable = true;
useRoutingFeatures = "client"; useRoutingFeatures = "client";

3
modules/default.nix
View File

@@ -1,9 +1,10 @@
{ ... }: { inputs, ... }:
{ {
imports = [ imports = [
./vlans.nix ./vlans.nix
./firewall.nix ./firewall.nix
./storage-box-mounts.nix ./storage-box-mounts.nix
./services ./services
inputs.agenix.nixosModules.default
]; ];
} }

3
modules/services/gotosocial.nix
View File

@@ -1,6 +1,7 @@
{ config, lib, ... }: { config, lib, ... }:
let let
cfg = config.modules.services.gotosocial; cfg = config.modules.services.gotosocial;
secrets = config.age.secrets;
domain = config.networking.domain; domain = config.networking.domain;
fqdn = "${cfg.subdomain}.${domain}"; fqdn = "${cfg.subdomain}.${domain}";
port = cfg.port; port = cfg.port;
@@ -24,7 +25,7 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.gotosocial = { services.gotosocial = {
enable = true; enable = true;
environmentFile = "/var/secrets/gotosocial.env"; environmentFile = secrets.gotosocial.path;
settings = { settings = {
host = fqdn; host = fqdn;
account-domain = domain; account-domain = domain;

3
modules/services/grafana.nix
View File

@@ -1,6 +1,7 @@
{ lib, config, ... }: { lib, config, ... }:
let let
cfg = config.modules.services.grafana; cfg = config.modules.services.grafana;
secrets = config.age.secrets;
fqdn = "${cfg.subdomain}.${config.networking.domain}"; fqdn = "${cfg.subdomain}.${config.networking.domain}";
in in
{ {
@@ -40,7 +41,7 @@ in
from_address = "noreply@freun.dev"; from_address = "noreply@freun.dev";
from_name = "Vaultwarden"; from_name = "Vaultwarden";
user = "noreply@freun.dev"; user = "noreply@freun.dev";
password = "$__file{/var/secrets/smtp-password}"; password = "$__file{${secrets.smtp-password.path}}";
}; };
}; };
}; };

3
modules/services/hastebin.nix
View File

@@ -1,6 +1,7 @@
{ lib, config, inputs, ... }: { lib, config, inputs, ... }:
let let
cfg = config.services.hastebin; cfg = config.services.hastebin;
secrets = config.age.secrets;
fqdn = "${cfg.subdomain}.${config.networking.domain}"; fqdn = "${cfg.subdomain}.${config.networking.domain}";
in in
{ {
@@ -33,7 +34,7 @@ in
"jsx" "jsx"
]; ];
}; };
auth_tokens_file = "/var/secrets/hastebin-tokens"; auth_tokens_file = secrets.hastebin-tokens.path;
}; };
modules.services.webserver = { modules.services.webserver = {

25
modules/services/immich.nix
View File

@@ -1,6 +1,7 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
let let
cfg = config.modules.services.immich; cfg = config.modules.services.immich;
secrets = config.age.secrets;
fqdn = "${cfg.subdomain}.${config.networking.domain}"; fqdn = "${cfg.subdomain}.${config.networking.domain}";
volumeServices = names: ( volumeServices = names: (
@@ -52,6 +53,13 @@ let
{ } { }
services services
); );
environment = {
TZ = cfg.timezone;
DB_USERNAME = "postgres";
POSTGRES_USER = environment.DB_USERNAME;
DB_DATABASE_NAME = "immich";
};
in in
{ {
options.modules.services.immich = { options.modules.services.immich = {
@@ -59,6 +67,10 @@ in
subdomain = lib.mkOption { subdomain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
}; };
timezone = lib.mkOption {
type = lib.types.str;
default = "Europe/Helsinki";
};
version = lib.mkOption { version = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "latest"; default = "latest";
@@ -97,8 +109,9 @@ in
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
"immich_machine_learning" = { "immich_machine_learning" = {
image = "ghcr.io/immich-app/immich-machine-learning:${cfg.version}"; image = "ghcr.io/immich-app/immich-machine-learning:${cfg.version}";
inherit environment;
environmentFiles = [ environmentFiles = [
"/var/secrets/immich.env" secrets.immich.path
]; ];
volumes = [ volumes = [
"immich_model_cache:/cache:rw" "immich_model_cache:/cache:rw"
@@ -113,9 +126,9 @@ in
"immich_postgres" = { "immich_postgres" = {
image = "registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0"; image = "registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0";
environmentFiles = [ environmentFiles = [
"/var/secrets/immich.env" secrets.immich.path
]; ];
environment = { environment = environment // {
POSTGRES_INITDB_ARGS = "--data-checksums"; POSTGRES_INITDB_ARGS = "--data-checksums";
}; };
volumes = [ volumes = [
@@ -131,8 +144,9 @@ in
"immich_redis" = { "immich_redis" = {
image = "registry.hub.docker.com/library/redis:6.2-alpine"; image = "registry.hub.docker.com/library/redis:6.2-alpine";
inherit environment;
environmentFiles = [ environmentFiles = [
"/var/secrets/immich.env" secrets.immich.path
]; ];
log-driver = "journald"; log-driver = "journald";
extraOptions = [ extraOptions = [
@@ -143,8 +157,9 @@ in
"immich_server" = { "immich_server" = {
image = "ghcr.io/immich-app/immich-server:${cfg.version}"; image = "ghcr.io/immich-app/immich-server:${cfg.version}";
inherit environment;
environmentFiles = [ environmentFiles = [
"/var/secrets/immich.env" secrets.immich.path
]; ];
volumes = [ volumes = [
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"

3
modules/services/vaultwarden.nix
View File

@@ -1,6 +1,7 @@
{ lib, config, ... }: { lib, config, ... }:
let let
cfg = config.modules.services.vaultwarden; cfg = config.modules.services.vaultwarden;
secrets = config.age.secrets;
fqdn = "${cfg.subdomain}.${config.networking.domain}"; fqdn = "${cfg.subdomain}.${config.networking.domain}";
port = config.services.vaultwarden.config.ROCKET_PORT; port = config.services.vaultwarden.config.ROCKET_PORT;
in in
@@ -23,7 +24,7 @@ in
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
dbBackend = "postgresql"; dbBackend = "postgresql";
environmentFile = "/var/secrets/vaultwarden.env"; environmentFile = secrets.vaultwarden.path;
config = { config = {
DOMAIN = "https://${fqdn}"; DOMAIN = "https://${fqdn}";
DATABASE_URL = "postgres://%2Fvar%2Frun%2Fpostgresql/vaultwarden"; DATABASE_URL = "postgres://%2Fvar%2Frun%2Fpostgresql/vaultwarden";

4
modules/services/webserver.nix
View File

@@ -38,10 +38,6 @@ in
type = lib.types.str; type = lib.types.str;
default = "hetzner"; default = "hetzner";
}; };
environmentFile = lib.mkOption {
type = lib.types.str;
default = "/var/secrets/lego";
};
}; };
vHosts = lib.mkOption { vHosts = lib.mkOption {
type = lib.types.attrsOf types.vhost; type = lib.types.attrsOf types.vhost;

4
modules/storage-box-mounts.nix
View File

@@ -23,12 +23,14 @@ let
}; };
cfg = config.modules.storageBoxMounts; cfg = config.modules.storageBoxMounts;
secrets = config.age.secrets;
mountOptions = { uid, gid, ... }: [ mountOptions = { uid, gid, ... }: [
"x-systemd.automount" "x-systemd.automount"
"auto" "auto"
"x-systemd.device-timeout=5s" "x-systemd.device-timeout=5s"
"x-systemd.mount-timeout=5s" "x-systemd.mount-timeout=5s"
"credentials=/var/secrets/storage-box-credentials" "credentials=${secrets.storage-box-credentials.path}"
] ++ ( ] ++ (
if (uid != null) then [ "uid=${toString uid}" ] else [ ] if (uid != null) then [ "uid=${toString uid}" ] else [ ]
) ++ ( ) ++ (

10
secrets/gotosocial.age Normal file
View File

@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 osOCZA j4E5QbHMQm/p5X87ADaDs3UXoYvK6kNOZN548Giiuxg
SGiUy4u4wZEPV5HyREfyGnmi1pZUxxTLNvpvWbvLw6A
-> ssh-ed25519 Zmk+Rw CKL/dmRt1uK8rXcL5/jvKVt8kbOMwbtD6QEszgkXjmU
t64DTcIze3o+KTYm5xtAW7l7B7EntcCN1DsOgmJLLno
-> ssh-ed25519 PT7ffg 0X40j5NfqTW0zDuJZTzJt0A96lzOMUqwiT8ePYHYRjM
22724DDGthA6cyJhB/oquTRy1VEEw6/0YBdDov61m2k
--- Somq6fnDd8OEprRrsbpy53fxyay1XL5TIgVa6KV2MJY
L¾Ê¿'ûÿ¡Hj­²
#MìôbuÂ%dKƒ<12>ˆªø¹íõ0†ãûL/‡ü*I /±<E28099>½š}¦{õ§ç·IÔÍVˆA

BIN
secrets/hastebin-tokens.age Normal file
View File

Binary file not shown.

BIN
secrets/immich.age Normal file
View File

Binary file not shown.

19
secrets/secrets.nix Normal file
View File

@@ -0,0 +1,19 @@
let
moco = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDRXRJUwX98l2Vl4bUZdyHGhLjlf1RGAA5VCa4dmEJdU";
jokke = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP0IGUXVtUChrWHMaHoGq4USQwviHR1v1CLeDztWshZ4";
users = [ moco jokke ];
apu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAZkIuXtpP9a9bHkBl+MJI//q3ClMqzx03Rd/Xe4rjc";
freun-dev = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvCSjIjipog1Xf9mPc683r5VSGSjVc8v1UZg5VrbbxM";
radish = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQ0fy4n3yyD64+g55eZazeI5g9FurJnlC6fRiOXbbks";
hosts = [ apu freun-dev radish ];
in
{
"gotosocial.age".publicKeys = users ++ [ freun-dev ];
"hastebin-tokens.age".publicKeys = users ++ [ freun-dev ];
"immich.age".publicKeys = users ++ [ freun-dev ];
"storage-box-credentials.age".publicKeys = users ++ [ freun-dev ];
"vaultwarden.age".publicKeys = users ++ [ freun-dev ];
"smtp-password.age".publicKeys = users ++ [ freun-dev ];
}

BIN
secrets/smtp-password.age Normal file
View File

Binary file not shown.

BIN
secrets/storage-box-credentials.age Normal file
View File

Binary file not shown.

BIN
secrets/vaultwarden.age Normal file
View File

Binary file not shown.