Add aspi system, use sops

2024-06-12 19:29:50 +02:00 · 2024-06-12 19:29:50 +02:00 · ff40093b83
commit ff40093b83
parent 061f196afc
9 changed files with 373 additions and 43 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
 keys:
  - &primary age12x3jgpq5j83rhvxmuu90z99rwnpf8ntu3m87strf856syr6alv2q379k9w
 creation_rules:
  - path_regex: secrets/secrets.yaml$
    key_groups:
    - age:
      - *primary
--- a/flake.lock
+++ b/flake.lock
@ -143,6 +143,22 @@
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1717880976,
        "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1717196966,
@ -166,7 +182,8 @@
        "nix-matlab": "nix-matlab",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
-        "snowfall-lib": "snowfall-lib"
+        "snowfall-lib": "snowfall-lib",
        "sops-nix": "sops-nix"
      }
    },
    "snowfall-lib": {
@ -191,6 +208,27 @@
        "type": "github"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
        "lastModified": 1718137936,
        "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -22,9 +22,13 @@
    nix-matlab.url = "gitlab:doronbehar/nix-matlab";
    nix-matlab.inputs.nixpkgs.follows = "nixpkgs";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
  };
-  outputs = inputs:
+  outputs =
    inputs:
    inputs.snowfall-lib.mkFlake {
      inherit inputs;
      # Must always be ./.
--- a/homes/x86_64-linux/julian@aspi/default.nix
+++ b/homes/x86_64-linux/julian@aspi/default.nix
@ -23,9 +23,6 @@
  home.username = "julian";
  home.homeDirectory = "/home/julian";
  # DO NOT CHANGE!!!
  home.stateVersion = "23.11";
  modules = {
    non-nixos.is-nixos = false;
    shell = {
@ -77,4 +74,8 @@
  # Let Home Manager install and manage itself.
  programs.home-manager.enable = true;
  # ======================== DO NOT CHANGE THIS ========================
  home.stateVersion = "23.11";
  # ======================== DO NOT CHANGE THIS ========================
 }
--- a/modules/nixos/sops/default.nix
+++ b/modules/nixos/sops/default.nix
@ -0,0 +1,46 @@
 {
  # Snowfall Lib provides a customized `lib` instance with access to your flake's library
  # as well as the libraries available from your flake's inputs.
  lib,
  # An instance of `pkgs` with your overlays and packages applied is also available.
  pkgs,
  # You also have access to your flake's inputs.
  inputs,
  # Additional metadata is provided by Snowfall Lib.
  namespace, # The namespace used for your flake, defaulting to "internal" if not set.
  system, # The system architecture for this host (eg. `x86_64-linux`).
  target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
  format, # A normalized name for the system target (eg. `iso`).
  virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
  systems, # An attribute map of your defined hosts.
  # All other arguments come from the module system.
  config,
  ...
 }:
 let
  cfg = config.modules.sops;
 in
 {
  imports = [ inputs.sops-nix.nixosModules.sops ];
  options.modules.sops = { };
  config = {
    sops.defaultSopsFile = ../../../secrets/secrets.yaml;
    sops.defaultSopsFormat = "yaml";
    sops.age.keyFile = "/home/julian/.config/sops/age/keys.txt";
    # List of defined secrets
    sops.secrets."aspi/password" = {
      neededForUsers = true;
    };
    # sops.secrets."aspi/syncthing/key" = {
    #   neededForUsers = true;
    # };
    # sops.secrets."ngrok/terraria" = { };
  };
 }
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -0,0 +1,24 @@
 aspi:
    syncthing:
        cert: ENC[AES256_GCM,data:AByFKHdW0/kW5LdMdAlvB8O0OBtTSolnIs1o8V94b5H/Mqyy52HwaxTLu4I5BttlK4dd43dCRploUs7LwBiilmI5SlO1RFU2MupzBlGMiun4UbXC9dFW7iDY+lfX3fwlR6uUfmkm+iW8tSAii+G8KS7eBjyq2EqJ2KzXuEBS74pDJKQ5+hlKWa3dBSCfz3o+on1lfQYqjD9Sgf5x/irEhdCsGFTRM7pnEqdwHhJ87mrv//qrGU9ZWgvOEAQc3mJClGZniF1ePAGnCa9fMu3JKXbsKzLKC2QgIa576k0pgnIK5dEyLUaUemnS2fidbRGz6rAp0tPK8Nm/pbROjkReCfPZ2IjKHX8CAG7VcZokJX8pry+NWCq2/vRnkz6tgAIZu1nykVcRTM0TGDNlXNolK1tCycx3BDRzKFQunp0FdvcN3QTrVsA1sRInZve5x3Y1XVukQjgMk/uyfvQ4ktt3io5PcVmeTWBugJaNC6WlCUwee2o7b2kJGsshk2N+FgfAWZS9bGIxi/ijC87IGZu0bSvqlg4D1bsTCfODte/l+bTW+CZ96eu/8fbcQ+S4ClDeqzzjvIjFiGxSq/KXB3RLGP8aORbdI6y6AkLdwzhb2icFGzVHo/pU3VqHGYhFHbxbpRBs8iJ+EBMoL9AZJi/wh9Hg/gWHtpfWr06nySIEjQkqzEgTzC5O3A1mltkBaHP0XXp1WxyHq2id2dehB+xFpwA8h+Yg25HXMgJowNPpU0Z9a4BNmjdQl9cMWBytGP/20wwQEc9gwweFw5/kFRV0BVtfKUHYerwNoR+yWWURhPl0eUgn3tt77vVhwsuJcKlzbu8XRe0fj/1CFV8mmR8T3zBss4K7sZiDGAWgknRUAdhBV3HincmXdwkT4HWfgT4OSKk156BJof40xJNMpkk+CXFd2M0Trb9UcQQEneldnnvvDe1rML2FFrURRwTCKekCr7Wfsij6cvfz90Qs8NqkfWiAhwsZLwlfHcQrZn1gYHepW6OY/5knB5QWUuexGgRKUQmPQsiaVOgcz8zmSBWtYhLQEXenTg==,iv:n/8CkSiZu666RcOtMXB+Fg5rU2Un77OhxD0wtwfRNYc=,tag:Gy5i2UbBpckO6beyn8gv6Q==,type:str]
        key: ENC[AES256_GCM,data:81YkG2zWuYIrpC9BMm/+79Ad7gXLHqHqtxnNbUox7E/oii9nNlbR4YqQJfegkDijrV/PK+UjgeiySHfxUzH0MFnVQ4XTDVFiuQ31s1ft/TZlZmOs7JmElc2i8AbdJM31+NCLoH8nDxGOcoqfErFmf4hbRFprnamItYrDqjq/vIbtPbpjm2cTZw3qwKT1HTPpZfvM6b2xDBd9BqjaoOqwhRUVg45Z0gjKXyKqMv0d9JfpoY5lGp6x6SoSlIzM+a5CpKM3v5I1lxN6DtAlh8hO/dCJZCkXCjuIgWWhl3DVol3h6XzDeNsUvgmjhMSjMmEg4utpIMAYzDCTF5GzHyogPdrhqSejnHG1Y6GQnYqniwobabU/6tcY/6nTkLjMpSbM,iv:Nn5LpyxvsvHnxY39Bg205chZ4nhNsHbBstGcJ2Nf2mc=,tag:fslhHkp3gspRnNZNlA7fbg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age12x3jgpq5j83rhvxmuu90z99rwnpf8ntu3m87strf856syr6alv2q379k9w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByL0l4a0ZHcjFEQk5ETXk0
            dlZJWktVS2pQVjBoZkxyNlo0R3pMM2JkdTNJCk11VEs0U0xleFI3dGkrZEVwWWtz
            S1dOV1NYcEtOMFFkMWVhM3poNXhTdVkKLS0tIEp2Zk4wanp2M0pIT1Y1eDBYbW1y
            NUNKTTA1VGhOVFRiV0RDSDJGREgzWFUKvW4A3/CPoTGb6gdrbEQN9NgXSQ+L4wXp
            NOxR56TemX6fmSZhQU7wyxMmD1rZ64b9cIedauEWr91iYbKjhNpw2A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-06-12T17:14:51Z"
    mac: ENC[AES256_GCM,data:XiTeyln5B9lpxUr903mSNBlCw9EsJwQEDVV18NMdHJ3e6Ryq+VkSVYOB60rl2E4C9KiFnh+ibU6KnSmi+bpWBKZ2KjkqxK7jhLnD3FdWFvruJKwf+SZxhd1UAKYjT7yssvQLc971ExVk18zFHRLJwPoPE8ukU9cixlA5PjDUbbY=,iv:w1t+4noBUhirZCcp4FgNQw6Ip+P58OW7HgR39vcOjoY=,tag:bZWznsdm3edevNyZSeQLgQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/systems/x86_64-linux/aspi/default.nix
+++ b/systems/x86_64-linux/aspi/default.nix
@ -0,0 +1,247 @@
 {
  # Snowfall Lib provides a customized `lib` instance with access to your flake's library
  # as well as the libraries available from your flake's inputs.
  lib,
  # An instance of `pkgs` with your overlays and packages applied is also available.
  pkgs,
  # You also have access to your flake's inputs.
  inputs,
  # Additional metadata is provided by Snowfall Lib.
  namespace, # The namespace used for your flake, defaulting to "internal" if not set.
  system, # The system architecture for this host (eg. `x86_64-linux`).
  target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
  format, # A normalized name for the system target (eg. `iso`).
  virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
  systems, # An attribute map of your defined hosts.
  # All other arguments come from the system system.
  config,
  ...
 }:
 {
  imports = [ ./hardware-configuration.nix ];
  nix.buildMachines = [
    {
      hostName = "192.168.3.118";
      system = "x86_64-linux";
      protocol = "ssh";
      # if the builder supports building for multiple architectures,
      # replace the previous line by, e.g.
      # systems = ["x86_64-linux" "aarch64-linux"];
      maxJobs = 4;
      speedFactor = 3;
      supportedFeatures = [
        "nixos-test"
        "benchmark"
        "big-parallel"
        "kvm"
      ];
      mandatoryFeatures = [ ];
    }
  ];
  nix.distributedBuilds = true;
  # optional, useful when the builder has a faster internet connection than yours
  nix.extraOptions = "  builders-use-substitutes = true\n";
  # Bootloader
  # Use this for simple nix boot menu, if no dual boot required
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.efi.efiSysMountPoint = "/boot/efi";
  boot.supportedFilesystems = [
    "btrfs"
    "ntfs"
    "nfs"
    "cifs"
  ];
  networking.hostName = "aspi";
  networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
  networking.networkmanager.enable = true;
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  # Set location used by redshift
  location.provider = "manual";
  location.latitude = 47.92;
  location.longitude = 10.12;
  modules = {
    locales.enable = true;
  };
  nix.settings.auto-optimise-store = true;
  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];
  # Setup binary caches
  nix.settings = {
    substituters = [
      "https://nix-community.cachix.org"
      "https://cache.nixos.org/"
    ];
    trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
  };
  # Enable the X11 windowing system.
  services.xserver.enable = true;
  hardware.opengl.enable = true;
  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 30d";
  };
  # Enable the XFCE Desktop Environment.
  services.xserver.displayManager.lightdm.enable = true;
  services.xserver.desktopManager = {
    xterm.enable = false;
    xfce = {
      enable = true;
      noDesktop = true;
      enableXfwm = false;
    };
  };
  services.displayManager.defaultSession = "none+i3";
  services.xserver.windowManager.i3.enable = true;
  services.xserver.windowManager.i3.package = pkgs.i3-gaps;
  # Configure keymap in X11
  services.xserver = {
    xkb.layout = "de";
    xkb.variant = "";
  };
  # Configure console keymap
  console.keyMap = "de";
  # Enable sound with pipewire.
  sound.enable = true;
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
  };
  # Enable touchpad support (enabled default in most desktopManager).
  services.xserver.libinput.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.julian = {
    isNormalUser = true;
    description = "Julian";
    uid = 1000;
    group = "julian";
    shell = pkgs.fish;
    extraGroups = [
      "networkmanager"
      "wheel"
      "docker"
    ];
  };
  # home-manager.useGlobalPkgs = true; # make overlays for nixpkgs work for home-manager, not only the system
  # home-manager.useUserPackages = true;
  programs.fish.enable = true;
  programs.nix-ld.enable = true;
  users.groups.julian = {
    gid = 1000;
  };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  services.openssh.enable = false;
  services.syncthing.enable = true;
  services.syncthing.user = "julian";
  services.syncthing.group = "julian";
  services.syncthing.key = config.sops.secrets."aspi/syncthing/key".path;
  services.syncthing.cert = config.sops.secrets."aspi/syncthing/cert".path;
  # overrideDevices = true; # overrides any devices added or deleted through the WebUI
  # overrideFolders = true; # overrides any folders added or deleted through the WebUI
  # settings = {
  #   devices = {
  #     "device1" = {
  #       id = "DEVICE-ID-GOES-HERE";
  #     };
  #     "device2" = {
  #       id = "DEVICE-ID-GOES-HERE";
  #     };
  #   };
  #   folders = {
  #     "Documents" = {
  #       # Name of folder in Syncthing, also the folder ID
  #       path = "/home/myusername/Documents"; # Which folder to add to Syncthing
  #       devices = [
  #         "device1"
  #         "device2"
  #       ]; # Which devices to share the folder with
  #     };
  #     "Example" = {
  #       path = "/home/myusername/Example";
  #       devices = [ "device1" ];
  #       ignorePerms = false; # By default, Syncthing doesn't sync file permissions. This line enables it for this folder.
  #     };
  #   };
  # };
  services.redshift.enable = true;
  services.flatpak.enable = true;
  xdg.portal.enable = true;
  xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
  # services.emacs.enable = true;
  # services.gnome.gnome-keyring.enable = true;
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  # Packages needed as root
  environment.systemPackages = with pkgs; [
    vim
    htop
    mc
  ];
  virtualisation.docker.enable = true;
  virtualisation.virtualbox.host.enable = true;
  # virtualisation.virtualbox.host.enableExtensionPack = true;
  # virtualisation.virtualbox.guest.enable = true;
  # virtualisation.virtualbox.guest.x11 = true;
  users.extraGroups.vboxusers.members = [ "julian" ];
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # ======================== DO NOT CHANGE THIS ========================
  system.stateVersion = "24.05";
  # ======================== DO NOT CHANGE THIS ========================
 }
--- a/systems/x86_64-linux/kardorf/default.nix
+++ b/systems/x86_64-linux/kardorf/default.nix
@ -7,6 +7,7 @@
  inputs,
  config,
  pkgs,
  systems,
  ...
 }:
 {
@ -161,7 +162,6 @@
      "wheel"
      "docker"
    ];
    packages = with pkgs; [ ]; # Using home-manager instead
  };
  # home-manager.useGlobalPkgs = true; # make overlays for nixpkgs work for home-manager, not only the system
--- a/systems/x86_64-linux/kardorf/home.nix
+++ b/systems/x86_64-linux/kardorf/home.nix
@ -1,37 +0,0 @@
 { config, pkgs, ... }:
 {
  # Home Manager needs a bit of information about you and the
  # paths it should manage.
  home.username = "julian";
  home.homeDirectory = "/home/julian";
  # This value determines the Home Manager release that your
  # configuration is compatible with. This helps avoid breakage
  # when a new Home Manager release introduces backwards
  # incompatible changes.
  #
  # You can update Home Manager without changing this value. See
  # the Home Manager release notes for a list of state version
  # changes in each release.
  home.stateVersion = "23.05";
  # Let Home Manager install and manage itself.
  programs.home-manager.enable = true;
  home.packages = [
    # pkgs.cowsay
  ];
  # home.file
  # home.sessionVariables
  gtk = {
    enable = true;
    theme.name = "Adwaita-dark";
    # theme.package = pkgs.materia-theme;
    # cursorTheme.name = "Bibata-Modern-Ice";
    # iconTheme.name = "GruvboxPlus";
  };
 }