wip

2023-05-05 01:54:16 +03:00 · 2023-05-05 01:54:16 +03:00 · 93cd9620dd
commit 93cd9620dd
parent 9e3e04422a
16 changed files with 91 additions and 9 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,26 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1682101079,
+        "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "all-cabal-json": {
      "flake": false,
      "locked": {
@ -189,6 +210,28 @@
        "type": "github"
      }
    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "devshell": {
      "flake": false,
      "locked": {
@ -925,6 +968,7 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "bernbot": "bernbot",
        "blender-bin": "blender-bin",
        "blog": "blog",
--- a/flake.nix
+++ b/flake.nix
@ -41,6 +41,9 @@
    vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
    vscode-extensions.inputs.nixpkgs.follows = "nixpkgs";

+    agenix.url = "github:ryantm/agenix";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+
    # needed for hyprland setup
    # hyprland.url = "github:hyprwm/Hyprland";
    # hyprland.inputs.nixpkgs.follows = "nixpkgs";
--- a/hosts/tkaronto/default.nix
+++ b/hosts/tkaronto/default.nix
@ -9,6 +9,7 @@
  imports = with inputs;
  with nixos-hardware.nixosModules;
    [
+      inputs.agenix.nixosModules.default
      nixpkgs.nixosModules.notDetected
      nixos-persistence.nixosModule
      common-pc-ssd
--- a/hosts/tkaronto/modules/nix.nix
+++ b/hosts/tkaronto/modules/nix.nix
@ -0,0 +1,5 @@
+{config, ...}: {
+  nix.extraOptions = ''
+    !include ${config.age.secrets.nixGithubAccessToken.path}
+  '';
+}
--- a/hosts/tkaronto/modules/secrets.nix
+++ b/hosts/tkaronto/modules/secrets.nix
@ -0,0 +1,4 @@
+{
+  age.secrets.nixGithubAccessToken.file = ../../../secrets/nixGithubAccessToken.age;
+  age.secrets.wgServerPrivateKey.file = ../../../secrets/wgServerPrivateKey.age;
+}
--- a/hosts/tkaronto/modules/wireguard.nix
+++ b/hosts/tkaronto/modules/wireguard.nix
@ -0,0 +1,11 @@
+{config, ...}: {
+  networking.wireguard.enable = true;
+  networking.wireguard.interfaces."wg0" = {
+    privateKeyFile = config.age.secrets.wgServerPrivateKey.path;
+    peers = [{
+      publicKey = import ./wgProxyPublicKey.key.pub;
+      allowedIPs = ["10.99.0.1/32"];
+      endpoint = "${import ./wgProxyPublicIp}:51820";
+    }];
+  };
+}
--- a/hosts/wolumonde/default.nix
+++ b/hosts/wolumonde/default.nix
@ -1,12 +1,11 @@
 {
  inputs,
-  pkgs,
-  config,
-  lib,
  tlib,
  ...
-}: {
-  imports = tlib.importFolder (toString ./modules);
+}: { 
+  imports = [
+    inputs.agenix.nixosModules.default
+  ] ++ (tlib.importFolder (toString ./modules));

  boot.cleanTmpDir = true;
  zramSwap.enable = true;
--- a/hosts/wolumonde/modules/secrets.nix
+++ b/hosts/wolumonde/modules/secrets.nix
@ -0,0 +1,4 @@
+{
+  age.secrets.bernbotToken.file = ../../../secrets/bernbotToken.age;
+  age.secrets.wgProxyPrivateKey.file = ../../../secrets/wgProxyPrivateKey.age;
+}
--- a/hosts/wolumonde/modules/wireguard.nix
+++ b/hosts/wolumonde/modules/wireguard.nix
@ -0,0 +1,11 @@
+{config, ...}: {
+  networking.wireguard.enable = true;
+  networking.wireguard.interfaces."wg0" = {
+    listenPort = 51820;
+    privateKeyFile = config.age.secrets.wgProxyPrivateKey.path;
+    peers = [{
+      publicKey = import ./wgServerPublicKey.key.pub;
+      allowedIPs = ["10.99.0.2/32"];
+    }];
+  };
+}
--- a/modules/base/nix.nix
+++ b/modules/base/nix.nix
@ -2,7 +2,6 @@
  pkgs,
  lib,
  inputs,
-  config,
  ...
 }: {
  nix = {
@ -20,7 +19,6 @@
      fallback = true
      extra-experimental-features = nix-command flakes
      builders-use-substitutes = true
-      netrc-file = /etc/nix/netrc
    '';
    nixPath = ["nixpkgs=${inputs.nixpkgs}" "home-manager=${inputs.home}"];
  };
--- a/pkgs-set/overlays/agenix.nix
+++ b/pkgs-set/overlays/agenix.nix
@ -0,0 +1,3 @@
+{inputs}: final: prev: {
+  agenix = inputs.agenix.packages."${final.system}".agenix;
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
--- a/secrets/ssh-key.pub
+++ b/secrets/ssh-key.pub
@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDUeDBW4hnHgnT0SjVFeGDztht9owObSmiyWXmmIEGQp2IMPqFpCxkOU61osvfCf4ZT92Ok9iJTohLwFBvHJRD/+CH8/b54sgFAx1lLObkJOMLz4iWZ5y4fNtBYuIA2McQSQoMDpDz6TDym7v7HF7zoUyBmfHMT/9WiX/z6Ft9hY63eh9DcF7WVURzeUvXLApt9wUYUxxdC2KZ/VrDPrIOxCcOgj3le+1zTiD8zwfAGhkzRD3IEx0yCYK6oztrh6WTwA5ZW+cLziH2sVEvSHFa2O398gIvZpzsdYTcQt06d/oyZIvftcpxD8IvjpGgHEsN/mAg0ovexyqAVk+TV/1XySKaoPPVCekap0R50CVD9kEk+GlD78XBYi++aAMIq0/D+NOXkgksfODt3yJPPzQx4KH8gcn0dQJM5zeyTwDfclzMRqCwL1eVHY00EbtG9IcLmMsWk/lM6vpHfyHqHlqNJ3CnUuDBccz9p5ORC1cuj4r9CmXPPmh7OYk7gGiQb4oxuqsYClzp93qmU7qMvGwmxBJaVagNIJgBqb5fsne0OMlcer5CH4L31ozszkSkzCXtFWNoTdgQHU1J3DxxL9WQJCfKku4EPJadYOh80USnauOke5CqfsGtf6uMq4l5Ylcc1QcNhRqxpeTLAIZx0EYDhmQ4eGjAZbiv6ddUp9dAdiQ== openpgp:0xDE3C8FCD
--- a/secrets/wolumonde.key.pub
+++ b/secrets/wolumonde.key.pub
--- a/secrets/yusdacra.key.pub
+++ b/secrets/yusdacra.key.pub
--- a/shells/default.nix
+++ b/shells/default.nix
@ -3,7 +3,7 @@ tlib.genPkgs (pkgs: {
  default = with pkgs;
    mkShell {
      name = "prts";
-      buildInputs = [git git-crypt alejandra helix];
+      buildInputs = [git git-crypt alejandra helix agenix];
      shellHook = "echo \"$(tput bold)welcome to PRTS, $USER$(tput sgr0)\"";
    };
 })
				`@ -1 +0,0 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDUeDBW4hnHgnT0SjVFeGDztht9owObSmiyWXmmIEGQp2IMPqFpCxkOU61osvfCf4ZT92Ok9iJTohLwFBvHJRD/+CH8/b54sgFAx1lLObkJOMLz4iWZ5y4fNtBYuIA2McQSQoMDpDz6TDym7v7HF7zoUyBmfHMT/9WiX/z6Ft9hY63eh9DcF7WVURzeUvXLApt9wUYUxxdC2KZ/VrDPrIOxCcOgj3le+1zTiD8zwfAGhkzRD3IEx0yCYK6oztrh6WTwA5ZW+cLziH2sVEvSHFa2O398gIvZpzsdYTcQt06d/oyZIvftcpxD8IvjpGgHEsN/mAg0ovexyqAVk+TV/1XySKaoPPVCekap0R50CVD9kEk+GlD78XBYi++aAMIq0/D+NOXkgksfODt3yJPPzQx4KH8gcn0dQJM5zeyTwDfclzMRqCwL1eVHY00EbtG9IcLmMsWk/lM6vpHfyHqHlqNJ3CnUuDBccz9p5ORC1cuj4r9CmXPPmh7OYk7gGiQb4oxuqsYClzp93qmU7qMvGwmxBJaVagNIJgBqb5fsne0OMlcer5CH4L31ozszkSkzCXtFWNoTdgQHU1J3DxxL9WQJCfKku4EPJadYOh80USnauOke5CqfsGtf6uMq4l5Ylcc1QcNhRqxpeTLAIZx0EYDhmQ4eGjAZbiv6ddUp9dAdiQ== openpgp:0xDE3C8FCD