From 93cd9620ddc80712930afc37a8c88f300091ea60 Mon Sep 17 00:00:00 2001
From: Yusuf Bera Ertan
Date: Fri, 5 May 2023 01:54:16 +0300
Subject: [PATCH] wip
---
flake.lock | 44 ++++++++++++++++++++++++++
flake.nix | 3 ++
hosts/tkaronto/default.nix | 1 +
hosts/tkaronto/modules/nix.nix | 5 +++
hosts/tkaronto/modules/secrets.nix | 4 +++
hosts/tkaronto/modules/wireguard.nix | 11 +++++++
hosts/wolumonde/default.nix | 9 +++---
hosts/wolumonde/modules/secrets.nix | 4 +++
hosts/wolumonde/modules/wireguard.nix | 11 +++++++
modules/base/nix.nix | 2 --
pkgs-set/overlays/agenix.nix | 3 ++
secrets/secrets.nix | Bin 0 -> 338 bytes
secrets/ssh-key.pub | 1 -
secrets/wolumonde.key.pub | Bin 0 -> 102 bytes
secrets/yusdacra.key.pub | Bin 0 -> 746 bytes
shells/default.nix | 2 +-
16 files changed, 91 insertions(+), 9 deletions(-)
create mode 100644 hosts/tkaronto/modules/nix.nix
create mode 100644 hosts/tkaronto/modules/secrets.nix
create mode 100644 hosts/tkaronto/modules/wireguard.nix
create mode 100644 hosts/wolumonde/modules/secrets.nix
create mode 100644 hosts/wolumonde/modules/wireguard.nix
create mode 100644 pkgs-set/overlays/agenix.nix
create mode 100644 secrets/secrets.nix
delete mode 100644 secrets/ssh-key.pub
create mode 100644 secrets/wolumonde.key.pub
create mode 100644 secrets/yusdacra.key.pub
diff --git a/flake.lock b/flake.lock
index 3d00d97..45978b3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,26 @@
{ "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682101079, + "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=", + "owner": "ryantm", + "repo": "agenix", + "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "all-cabal-json": { "flake": false, "locked": {
@@ -189,6 +210,28 @@
"type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "devshell": { "flake": false, "locked": {
@@ -925,6 +968,7 @@
}, "root": { "inputs": { + "agenix": "agenix", "bernbot": "bernbot", "blender-bin": "blender-bin", "blog": "blog",
diff --git a/flake.nix b/flake.nix
index fc03e5c..e392703 100644
--- a/flake.nix
+++ b/flake.nix
@@ -41,6 +41,9 @@
vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; vscode-extensions.inputs.nixpkgs.follows = "nixpkgs"; + agenix.url = "github:ryantm/agenix"; + agenix.inputs.nixpkgs.follows = "nixpkgs"; + # needed for hyprland setup # hyprland.url = "github:hyprwm/Hyprland"; # hyprland.inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/tkaronto/default.nix b/hosts/tkaronto/default.nix
index 9cfb4d7..05dcf0f 100644
--- a/hosts/tkaronto/default.nix
+++ b/hosts/tkaronto/default.nix
@@ -9,6 +9,7 @@
imports = with inputs; with nixos-hardware.nixosModules; [ + inputs.agenix.nixosModules.default nixpkgs.nixosModules.notDetected nixos-persistence.nixosModule common-pc-ssd
diff --git a/hosts/tkaronto/modules/nix.nix b/hosts/tkaronto/modules/nix.nix
new file mode 100644
index 0000000..cc820b9
--- /dev/null
+++ b/hosts/tkaronto/modules/nix.nix
@@ -0,0 +1,5 @@
+{config, ...}: {
+ nix.extraOptions = ''
+ !include ${config.age.secrets.nixGithubAccessToken.path}
+ '';
+}
diff --git a/hosts/tkaronto/modules/secrets.nix b/hosts/tkaronto/modules/secrets.nix
new file mode 100644
index 0000000..37b5c33
--- /dev/null
+++ b/hosts/tkaronto/modules/secrets.nix
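Review bot: None of the three files added under hosts/tkaronto/modules/ (nix.nix, secrets.nix, wireguard.nix) appears in this import list, and the visible part of hosts/tkaronto/default.nix has no `tlib.importFolder (toString ./modules)` like the one in hosts/wolumonde/default.nix; unless the folder is imported further down, the agenix secrets, the `!include` token and the WireGuard interface are never configured on tkaronto. The imports list continues outside the hunk, so this may simply be out of view, but it is worth confirming before anything relies on those secrets.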
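Review bot: `!include ${config.age.secrets.nixGithubAccessToken.path}` only helps processes that can read that file, and agenix installs secrets root-owned with mode 0400 unless `owner`/`mode` are set; Nix applies `access-tokens` in the client that performs the fetch, so for flake inputs pulled by an unprivileged user the include appears to be skipped silently and the token never takes effect (worth confirming on the host). If the token is meant for the daemon only this is fine; otherwise set `age.secrets.nixGithubAccessToken.owner = "<nix-invoking user>";` (or a group plus `mode = "0440"`) in secrets.nix so the invoking account can read it. The decrypted file presumably holds a complete `access-tokens = github.com=...` line in nix.conf syntax, which deserves a comment above `nix.extraOptions` since the module gives no hint about the expected contents.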
@@ -0,0 +1,4 @@
+{
+ age.secrets.nixGithubAccessToken.file = ../../../secrets/nixGithubAccessToken.age;
+ age.secrets.wgServerPrivateKey.file = ../../../secrets/wgServerPrivateKey.age;
+}
diff --git a/hosts/tkaronto/modules/wireguard.nix b/hosts/tkaronto/modules/wireguard.nix
new file mode 100644
index 0000000..c9f4ce4
--- /dev/null
+++ b/hosts/tkaronto/modules/wireguard.nix
@@ -0,0 +1,11 @@
+{config, ...}: {
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces."wg0" = {
+ privateKeyFile = config.age.secrets.wgServerPrivateKey.path;
+ peers = [{
+ publicKey = import ./wgProxyPublicKey.key.pub;
+ allowedIPs = ["10.99.0.1/32"];
+ endpoint = "${import ./wgProxyPublicIp}:51820";
+ }];
+ };
+}
\ No newline at end of file
diff --git a/hosts/wolumonde/default.nix b/hosts/wolumonde/default.nix
index 71ebe53..8a41124 100644
--- a/hosts/wolumonde/default.nix
+++ b/hosts/wolumonde/default.nix
@@ -1,12 +1,11 @@
{
inputs,
- pkgs,
- config,
- lib,
tlib,
...
-}: {
- imports = tlib.importFolder (toString ./modules);
+}: {
+ imports = [
+ inputs.agenix.nixosModules.default
+ ] ++ (tlib.importFolder (toString ./modules));
boot.cleanTmpDir = true;
zramSwap.enable = true;
diff --git a/hosts/wolumonde/modules/secrets.nix b/hosts/wolumonde/modules/secrets.nix
new file mode 100644
index 0000000..a16ddc2
--- /dev/null
+++ b/hosts/wolumonde/modules/secrets.nix
@@ -0,0 +1,4 @@
+{
+ age.secrets.bernbotToken.file = ../../../secrets/bernbotToken.age;
+ age.secrets.wgProxyPrivateKey.file = ../../../secrets/wgProxyPrivateKey.age;
+}
diff --git a/hosts/wolumonde/modules/wireguard.nix b/hosts/wolumonde/modules/wireguard.nix
new file mode 100644
index 0000000..264e684
--- /dev/null
+++ b/hosts/wolumonde/modules/wireguard.nix
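Review bot: The four `.age` files referenced here and in hosts/wolumonde/modules/secrets.nix (nixGithubAccessToken, wgServerPrivateKey, bernbotToken, wgProxyPrivateKey) are not part of this patch, whose diffstat only adds secrets/secrets.nix and two `.key.pub` files; unless they were committed earlier, each `age.secrets.<name>.file` points at a missing path and the flake fails to evaluate. secrets/secrets.nix itself arrives as a binary patch, so the secret-to-recipient mapping cannot be reviewed here; if that file is meant to be plain Nix, check what makes git treat it as binary, because a readable rules file is what lets recipient changes be audited later. A one-line comment per secret naming its consumer, e.g. `# read by nix.nix via !include` above nixGithubAccessToken, would help, since the `.age` names alone do not say where each is used.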
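Review bot: Neither wg0 interface gets an address: this file and hosts/wolumonde/modules/wireguard.nix set keys and peers but never `ips`, whose NixOS default is an empty list, so the tunnel carries no routable address even once the handshake succeeds; judging from the peers' allowedIPs the intent is something like `ips = ["10.99.0.2/24"];` here and `ips = ["10.99.0.1/24"];` on wolumonde. The files pulled in by `import ./wgProxyPublicKey.key.pub` and `import ./wgProxyPublicIp` (and `./wgServerPublicKey.key.pub` on wolumonde) are not in this patch's diffstat, and `import` evaluates a Nix expression, so each must hold a quoted string rather than a bare key or address; if they are not already committed, evaluation fails. If these hosts load ./modules through tlib.importFolder as wolumonde's default.nix does, check whether that helper also picks up such non-module files placed next to wireguard.nix. Since tkaronto dials out with an endpoint and no listenPort, `persistentKeepalive = 25;` on its peer keeps the mapping alive if it sits behind NAT.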
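Review bot: Dropping `pkgs`, `config` and `lib` from the module arguments is only safe if nothing below the hunk uses them; the remainder of hosts/wolumonde/default.nix is outside the hunk, so confirm before merging. The parentheses in `] ++ (tlib.importFolder (toString ./modules));` are redundant because function application binds tighter than `++`, so `] ++ tlib.importFolder (toString ./modules);` reads the same.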
@@ -0,0 +1,11 @@
+{config, ...}: {
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces."wg0" = {
+ listenPort = 51820;
+ privateKeyFile = config.age.secrets.wgProxyPrivateKey.path;
+ peers = [{
+ publicKey = import ./wgServerPublicKey.key.pub;
+ allowedIPs = ["10.99.0.2/32"];
+ }];
+ };
+}
\ No newline at end of file
diff --git a/modules/base/nix.nix b/modules/base/nix.nix
index 7abe5c9..910604f 100644
--- a/modules/base/nix.nix
+++ b/modules/base/nix.nix
@@ -2,7 +2,6 @@
pkgs,
lib,
inputs,
- config,
...
}: {
nix = {
@@ -20,7 +19,6 @@
fallback = true
extra-experimental-features = nix-command flakes
builders-use-substitutes = true
- netrc-file = /etc/nix/netrc
'';
nixPath = ["nixpkgs=${inputs.nixpkgs}" "home-manager=${inputs.home}"];
};
diff --git a/pkgs-set/overlays/agenix.nix b/pkgs-set/overlays/agenix.nix
new file mode 100644
index 0000000..5d35278
--- /dev/null
+++ b/pkgs-set/overlays/agenix.nix
@@ -0,0 +1,3 @@
+{inputs}: final: prev: {
+ agenix = inputs.agenix.packages."${final.system}".agenix;
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000000000000000000000000000000000000..c97fb0e0717fc74a290fcafcf56d68af208bc398
GIT binary patch literal 338 zcmV-Y0j>T3M@dveQdv+`00V@<^%0(JiL^2yRo0xhENI7L2!&2C04+(_kN2h7CZJA^ z{l7 zR^?dR1= z_rA_XA(p6j#A!UaIJuCdJ-IZ)<(!fGBdk|_fBYC I_3sk!GG!<+r2qf` literal 0 HcmV?d00001
diff --git a/secrets/yusdacra.key.pub b/secrets/yusdacra.key.pub
new file mode 100644
index 0000000000000000000000000000000000000000..87fb0c768597ea92ac22c20c68c0404c169f6b15
GIT binary patch literal 746 zcmVcUnC7gf4jVV#u;=xx;a9d(aynm`P#wpP9K`uQTCL@C&WuBoG5#UPjim2?3}ID~-00{9^$Z*) zRoTF)$aeIaEJ><$YRUXltQg>eA2dD@{`F{ zZbr&L9OaFwLPCk4_Cxmc)~!nF-eR_?FP732ayIxVo^Q*B#I~QPLra>o+Pk#LYKN>@ z7kAp;x}vC@w$o#RK>|#tB)_tih+i7~WM_+oCh(qw3#x%4h5tqtGQ{g*!P)kn9Bd;~ z&+6V*LqsiO9c7-u(|Cd*ynA_86lsN{YByJ&D~VDG(=}sZU{j`>Obx|(4y2BnfpmSb zztZb(Umj&GhvHlb`*Z#*%y$m)4|dA?C7G~TY*<|dpM$}=4JCxzMJzI$bU9KiF;v9QZ
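Review bot: `listenPort = 51820;` opens a listener, but nothing in this patch adds `networking.firewall.allowedUDPPorts = [51820];`, so with the NixOS firewall at its default (enabled) tkaronto's handshake is dropped before WireGuard sees it; unless the firewall is disabled or opened elsewhere, add that line next to the interface. The interface also sets no `ips`, the same omission as on tkaronto's side, so the peer's 10.99.0.2/32 route has no local address to pair with.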
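Review bot: Removing `netrc-file = /etc/nix/netrc` from the shared base module takes fetch credentials away from every host, while the agenix-backed `!include` replacement is added only under hosts/tkaronto/; if wolumonde or any other host built from this module fetches private inputs, it now does so unauthenticated. If that is intended, a short comment at the removal site, e.g. `# credentials for private fetches now come from per-host agenix secrets`, would spare the next reader the archaeology. Dropping `config` from the argument set in the first hunk is fine only if the rest of the file, outside both hunks, does not use it.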