diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..b238f43 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "secrets"] + path = secrets + url = https://git.karaolidis.com/karaolidis/nix-secrets.git diff --git a/README.md b/README.md index e89786f..325e168 100644 --- a/README.md +++ b/README.md @@ -19,8 +19,6 @@ NixOS dotfiles and configuration for various hosts and users. - [`packages/`](./packages/): Custom packages. -- `secrets//`: Global secrets for individual namespaces that apply across all hosts. - - [`lib/`](./lib): Nix library function definitions and utilities. - [`scripts/`](./lib/scripts): Utility scripts for managing the repository. diff --git a/flake.lock b/flake.lock index 0e0bf6c..061eb21 100644 --- a/flake.lock +++ b/flake.lock @@ -252,12 +252,29 @@ "nur": "nur", "nvidia-patch": "nvidia-patch", "quadlet-nix": "quadlet-nix", + "secrets": "secrets", "sops-nix": "sops-nix", "spicetify-nix": "spicetify-nix", "systems": "systems", "treefmt-nix": "treefmt-nix" } }, + "secrets": { + "flake": false, + "locked": { + "lastModified": 1753348217, + "narHash": "sha256-0WC1OduTSV52LHWvOBH5jJ/CjSnQG+k1c0xWP9jAMJM=", + "ref": "refs/heads/main", + "rev": "63c7032ad90dbafa555b02450e146dbb8be4b89c", + "revCount": 11, + "type": "git", + "url": "https://git.karaolidis.com/karaolidis/nix-secrets.git" + }, + "original": { + "type": "git", + "url": "https://git.karaolidis.com/karaolidis/nix-secrets.git" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 193bdb0..cbb1553 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + secrets = { + url = "git+https://git.karaolidis.com/karaolidis/nix-secrets.git"; + flake = false; + }; + systems.url = "github:nix-systems/default"; nur = { diff --git a/hosts/common/configs/system/nix-install/install.sh b/hosts/common/configs/system/nix-install/install.sh index 3b60da8..a4f8ee8 100644 
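Review bot: Declaring `secrets` as a non-flake input copies the whole nix-secrets checkout into /nix/store, which is world-readable on every host that evaluates this flake, so anything in that repository that is not itself sops-encrypted becomes readable by every local user; install.sh later copies `hosts/$host/ssh_host_ed25519_key` straight into /etc/ssh, which suggests the private host keys sit there in plaintext (unless the repo uses git-crypt or similar — worth confirming, and if they are plaintext they should be moved under sops or out of the input). The same repository is also added as a submodule at `secrets` in .gitmodules, so two revisions are now in play: install.sh reads the submodule checkout while the modules read the rev pinned in flake.lock, and nothing keeps them aligned; a comment on the input such as `# Also checked out as the 'secrets' submodule for install.sh; keep both on the same rev` would make that coupling visible. The README hunk drops the `secrets//` bullet without describing the new input/submodule, so a replacement bullet pointing at the `secrets` submodule would close the documentation gap.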
--- a/hosts/common/configs/system/nix-install/install.sh +++ b/hosts/common/configs/system/nix-install/install.sh @@ -51,7 +51,7 @@ check_key() { set_password_file() { SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt" export SOPS_AGE_KEY_FILE - sops --decrypt --extract "['luks']" "$flake/hosts/$host/secrets/secrets.yaml" > /tmp/keyfile + sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile unset SOPS_AGE_KEY_FILE } @@ -64,7 +64,7 @@ prepare_disk() { copy_keys() { mkdir -p "$root/persist/state/etc/ssh" - cp -f "$flake/hosts/$host/secrets/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key" + cp -f "$flake/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key" for path in "$flake/hosts/$host/users"/*; do if [[ -z "$key" ]]; then diff --git a/hosts/common/configs/system/nix/default.nix b/hosts/common/configs/system/nix/default.nix index 2ed3143..9b81042 100644 --- a/hosts/common/configs/system/nix/default.nix +++ b/hosts/common/configs/system/nix/default.nix @@ -2,10 +2,8 @@ { sops = { secrets = { - "git/credentials/github.com/public/username".sopsFile = - ../../../../../secrets/personal/secrets.yaml; - "git/credentials/github.com/public/password".sopsFile = - ../../../../../secrets/personal/secrets.yaml; + "git/credentials/github.com/public/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; + "git/credentials/github.com/public/password".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; }; templates.nix-access-tokens = { diff --git a/hosts/common/configs/system/sops/default.nix b/hosts/common/configs/system/sops/default.nix index 120ed6b..35dd9c7 100644 --- a/hosts/common/configs/system/sops/default.nix +++ b/hosts/common/configs/system/sops/default.nix 
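Review bot: The decrypted LUKS key still lands in `/tmp/keyfile`, a fixed name in a shared directory created with the caller's umask, so it may be created world-readable and is exposed to a pre-existing file or symlink at that name; the changed line only moved the sops input path. With the destination fixed by callers outside the hunk, the smallest improvement is `rm -f -- /tmp/keyfile` followed by `( umask 077; sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile )`, plus a `trap 'rm -f -- /tmp/keyfile' EXIT` registered once at script level. Because `$flake/secrets` is now a submodule, a clone made without `--recurse-submodules` leaves that directory empty and sops fails with a bare file-not-found; a guard such as `[[ -f "$flake/secrets/hosts/$host/secrets.yaml" ]] || { echo "secrets submodule not initialised" >&2; exit 1; }` gives a clearer failure. set_password_file's callers are outside the hunk.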
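Review bot: `cp -f` creates the private host key with the mode of the checked-out source file, and git tracks only the executable bit, so under a normal umask the key arrives in `$root/persist/state/etc/ssh/` as 0644 unless something outside the hunk tightens it; the changed line only moved the source into the submodule. Creating the destination with its mode set in one step closes that window: `install -m 0600 -- "$flake/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"`. The rest of copy_keys, including the users loop, continues outside the hunk.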
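Review bot: The new `"${inputs.secrets}/personal/secrets.yaml"` values reference `inputs`, but this hunk starts at line 2 and does not show the module's argument set; if `inputs` is not already declared there (or supplied through specialArgs / `_module.args`), evaluation fails with an undefined-variable error. The same question applies to the hunks in sops/default.nix, darktable, obsidian, spicetify, elara's git config, himalia's and installer's git configs, jupiter's tv config, and the authelia, gitea, grafana, jellyfin, jellyseerr, prowlarr, radarr and sonarr podman configs, none of which show their header, while the files that did add `inputs` explicitly (ssh, gpg, podman, sas, the users' default.nix files) suggest it is not in scope by default. A header check per file, confirming a `{ inputs, ... }:` argument set, settles it.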
@@ -18,7 +18,7 @@ }; sops = { - defaultSopsFile = ../../../../. + "/${config.networking.hostName}/secrets/secrets.yaml"; + defaultSopsFile = "${inputs.secrets}/hosts/${config.networking.hostName}/secrets.yaml"; age = { generateKey = true; diff --git a/hosts/common/configs/system/ssh/default.nix b/hosts/common/configs/system/ssh/default.nix index 73d29c0..55b04ff 100644 --- a/hosts/common/configs/system/ssh/default.nix +++ b/hosts/common/configs/system/ssh/default.nix @@ -1,22 +1,22 @@ -{ ... }: +{ inputs, ... }: { programs.ssh.knownHosts = { - installer.publicKeyFile = ../../../../installer/secrets/ssh_host_ed25519_key.pub; - elara.publicKeyFile = ../../../../elara/secrets/ssh_host_ed25519_key.pub; - himalia.publicKeyFile = ../../../../himalia/secrets/ssh_host_ed25519_key.pub; + installer.publicKeyFile = "${inputs.secrets}/hosts/installer/ssh_host_ed25519_key.pub"; + elara.publicKeyFile = "${inputs.secrets}/hosts/elara/ssh_host_ed25519_key.pub"; + himalia.publicKeyFile = "${inputs.secrets}/hosts/himalia/ssh_host_ed25519_key.pub"; jupiter = { - publicKeyFile = ../../../../jupiter/secrets/ssh_host_ed25519_key.pub; + publicKeyFile = "${inputs.secrets}/hosts/jupiter/ssh_host_ed25519_key.pub"; extraHostNames = [ "karaolidis.com" ]; }; jupiter-sish = { - publicKeyFile = ../../../../jupiter/users/storm/configs/console/podman/sish/ssh_host_ed25519_key.pub; + publicKeyFile = "${inputs.secrets}/hosts/jupiter/ssh_sish_ed25519_key.pub"; extraHostNames = [ "karaolidis.com" ]; }; jupiter-vps = { - publicKeyFile = ../../../../jupiter-vps/secrets/ssh_host_ed25519_key.pub; + publicKeyFile = "${inputs.secrets}/hosts/jupiter-vps/ssh_host_ed25519_key.pub"; extraHostNames = [ "vps.karaolidis.com" ]; }; }; diff --git a/hosts/common/configs/user/gui/darktable/default.nix b/hosts/common/configs/user/gui/darktable/default.nix index aab2c89..bba1a7e 100644 --- a/hosts/common/configs/user/gui/darktable/default.nix +++ b/hosts/common/configs/user/gui/darktable/default.nix 
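Review bot: `jupiter-sish.publicKeyFile` is the only non-mechanical change in this hunk: the source moves from the sish podman directory into `hosts/jupiter/` and is renamed to `ssh_sish_ed25519_key.pub`, so it is worth confirming the new file carries the same key as the old one, because a wrong known_hosts entry for `karaolidis.com` makes every client reject the connection as a host-key mismatch. A comment on the entry such as `# sish's own host key, distinct from jupiter's sshd key; both answer on karaolidis.com` would also record why two entries share the same extra host name.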
@@ -82,6 +82,6 @@ in }; sops.secrets."jupiter/photos.karaolidis.com/admin".sopsFile = - ../../../../../../secrets/personal/secrets.yaml; + "${inputs.secrets}/personal/secrets.yaml"; }; } diff --git a/hosts/common/configs/user/gui/obsidian/default.nix b/hosts/common/configs/user/gui/obsidian/default.nix index 3f62861..5fcea37 100644 --- a/hosts/common/configs/user/gui/obsidian/default.nix +++ b/hosts/common/configs/user/gui/obsidian/default.nix @@ -380,7 +380,7 @@ in ]; searchProvider = "google"; geocodingApiMethod = "path"; - geocodingApiPath = hmConfig.sops.secrets."google/geocoding".path; + geocodingApiPath = hmConfig.sops.secrets."google/cloud/obsidian/geocoding".path; useGooglePlaces = true; letZoomBeyondMax = true; showGeolinkPreview = true; @@ -608,6 +608,6 @@ in } ) hmConfig.programs.obsidian.vaults; - sops.secrets."google/geocoding".sopsFile = ../../../../../../secrets/personal/secrets.yaml; + sops.secrets."google/cloud/obsidian/geocoding".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; }; } diff --git a/hosts/common/configs/user/gui/spicetify/default.nix b/hosts/common/configs/user/gui/spicetify/default.nix index a3c6873..043aabc 100644 --- a/hosts/common/configs/user/gui/spicetify/default.nix +++ b/hosts/common/configs/user/gui/spicetify/default.nix @@ -64,7 +64,7 @@ in ]; }; - sops.secrets."spotify/username".sopsFile = ../../../../../../secrets/personal/secrets.yaml; + sops.secrets."spotify/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; xdg.configFile = { "spotify/prefs.init" = { diff --git a/hosts/elara/configs/git/default.nix b/hosts/elara/configs/git/default.nix index 0095134..a25387c 100644 --- a/hosts/elara/configs/git/default.nix +++ b/hosts/elara/configs/git/default.nix @@ -10,7 +10,7 @@ let in { sops.secrets."ssh/sas/ed25519/key" = { - sopsFile = ../../../../secrets/sas/secrets.yaml; + sopsFile = "${inputs.secrets}/sas/secrets.yaml"; key = "ssh/ed25519/key"; path = "/root/.ssh/ssh_sas_ed25519_key"; }; 
diff --git a/hosts/elara/secrets/ssh_host_ed25519_key.pub b/hosts/elara/secrets/ssh_host_ed25519_key.pub deleted file mode 100644 index cfbcf9f..0000000 --- a/hosts/elara/secrets/ssh_host_ed25519_key.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2sVagJ2CqpitBK4izlfKWIe2n2xkfV95F0VNkAc3FD root@elara diff --git a/hosts/elara/users/nikara/configs/console/git/default.nix b/hosts/elara/users/nikara/configs/console/git/default.nix index 70ac866..c451ec0 100644 --- a/hosts/elara/users/nikara/configs/console/git/default.nix +++ b/hosts/elara/users/nikara/configs/console/git/default.nix @@ -16,22 +16,22 @@ in sops = { secrets = { "git/credentials/personal/git.karaolidis.com/admin/username" = { - sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + sopsFile = "${inputs.secrets}/personal/secrets.yaml"; key = "git/credentials/git.karaolidis.com/admin/username"; }; "git/credentials/personal/git.karaolidis.com/admin/password" = { - sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + sopsFile = "${inputs.secrets}/personal/secrets.yaml"; key = "git/credentials/git.karaolidis.com/admin/password"; }; "git/credentials/sas/github.com/admin/username" = { - sopsFile = ../../../../../../../secrets/sas/secrets.yaml; + sopsFile = "${inputs.secrets}/sas/secrets.yaml"; key = "git/credentials/github.com/admin/username"; }; "git/credentials/sas/github.com/admin/password" = { - sopsFile = ../../../../../../../secrets/sas/secrets.yaml; + sopsFile = "${inputs.secrets}/sas/secrets.yaml"; key = "git/credentials/github.com/admin/password"; }; }; diff --git a/hosts/elara/users/nikara/configs/console/gpg/default.nix b/hosts/elara/users/nikara/configs/console/gpg/default.nix index 0253b67..5c2012a 100644 --- a/hosts/elara/users/nikara/configs/console/gpg/default.nix +++ b/hosts/elara/users/nikara/configs/console/gpg/default.nix 
@@ -1,5 +1,5 @@ { user, home }: -{ config, ... }: +{ config, inputs, ... }: let hmConfig = config.home-manager.users.${user}; in @@ -7,22 +7,22 @@ in home-manager.users.${user} = { sops.secrets = { "gpg/personal/key" = { - sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + sopsFile = "${inputs.secrets}/personal/secrets.yaml"; key = "gpg/key"; }; "gpg/personal/pass" = { - sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + sopsFile = "${inputs.secrets}/personal/secrets.yaml"; key = "gpg/pass"; }; "gpg/sas/key" = { - sopsFile = ../../../../../../../secrets/sas/secrets.yaml; + sopsFile = "${inputs.secrets}/sas/secrets.yaml"; key = "gpg/key"; }; "gpg/sas/pass" = { - sopsFile = ../../../../../../../secrets/sas/secrets.yaml; + sopsFile = "${inputs.secrets}/sas/secrets.yaml"; key = "gpg/pass"; }; }; diff --git a/hosts/elara/users/nikara/configs/console/podman/default.nix b/hosts/elara/users/nikara/configs/console/podman/default.nix index 7cf34cf..4db9c7a 100644 --- a/hosts/elara/users/nikara/configs/console/podman/default.nix +++ b/hosts/elara/users/nikara/configs/console/podman/default.nix @@ -3,6 +3,7 @@ config, lib, pkgs, + inputs, ... }: let @@ -12,17 +13,17 @@ in home-manager.users.${user}.sops = { secrets = { "registry/personal/docker.io" = { - sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + sopsFile = "${inputs.secrets}/personal/secrets.yaml"; key = "registry/docker.io"; }; "registry/personal/registry.karaolidis.com" = { - sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + sopsFile = "${inputs.secrets}/personal/secrets.yaml"; key = "registry/registry.karaolidis.com"; }; "registry/sas/cr.sas.com" = { - sopsFile = ../../../../../../../secrets/sas/secrets.yaml; + sopsFile = "${inputs.secrets}/sas/secrets.yaml"; key = "registry/cr.sas.com"; }; }; diff --git a/hosts/elara/users/nikara/configs/console/sas/default.nix b/hosts/elara/users/nikara/configs/console/sas/default.nix index dc04833..13a3ffe 100644 
--- a/hosts/elara/users/nikara/configs/console/sas/default.nix +++ b/hosts/elara/users/nikara/configs/console/sas/default.nix @@ -1,8 +1,8 @@ { user, home }: -{ ... }: +{ inputs, ... }: { home-manager.users.${user}.sops.secrets = { - "artifactory/cdp/user".sopsFile = ../../../../../../../secrets/sas/secrets.yaml; - "artifactory/cdp/password".sopsFile = ../../../../../../../secrets/sas/secrets.yaml; + "artifactory/cdp/user".sopsFile = "${inputs.secrets}/sas/secrets.yaml"; + "artifactory/cdp/password".sopsFile = "${inputs.secrets}/sas/secrets.yaml"; }; } diff --git a/hosts/elara/users/nikara/configs/console/ssh/default.nix b/hosts/elara/users/nikara/configs/console/ssh/default.nix index f8a21bd..fe5b5fa 100644 --- a/hosts/elara/users/nikara/configs/console/ssh/default.nix +++ b/hosts/elara/users/nikara/configs/console/ssh/default.nix 
@@ -14,35 +14,35 @@ in home-manager.users.${user} = { sops.secrets = { "ssh/personal/key" = { - sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + sopsFile = "${inputs.secrets}/personal/secrets.yaml"; key = "ssh/key"; path = "${home}/.ssh/ssh_personal_ed25519_key"; }; "ssh/personal/pass" = { - sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + sopsFile = "${inputs.secrets}/personal/secrets.yaml"; key = "ssh/pass"; }; "ssh/sas/ed25519/key" = { - sopsFile = ../../../../../../../secrets/sas/secrets.yaml; + sopsFile = "${inputs.secrets}/sas/secrets.yaml"; key = "ssh/ed25519/key"; path = "${home}/.ssh/ssh_sas_ed25519_key"; }; "ssh/sas/ed25519/pass" = { - sopsFile = ../../../../../../../secrets/sas/secrets.yaml; + sopsFile = "${inputs.secrets}/sas/secrets.yaml"; key = "ssh/ed25519/pass"; }; "ssh/sas/rsa/key" = { - sopsFile = ../../../../../../../secrets/sas/secrets.yaml; + sopsFile = "${inputs.secrets}/sas/secrets.yaml"; key = "ssh/rsa/key"; path = "${home}/.ssh/ssh_sas_rsa_key"; }; "ssh/sas/rsa/pass" = { - sopsFile = ../../../../../../../secrets/sas/secrets.yaml; + sopsFile = "${inputs.secrets}/sas/secrets.yaml"; key = "ssh/rsa/pass"; }; }; diff --git a/hosts/elara/users/nikara/configs/console/viya4-orders-cli/default.nix b/hosts/elara/users/nikara/configs/console/viya4-orders-cli/default.nix index 1ec3f84..a1c042f 100644 --- a/hosts/elara/users/nikara/configs/console/viya4-orders-cli/default.nix +++ b/hosts/elara/users/nikara/configs/console/viya4-orders-cli/default.nix @@ -13,8 +13,8 @@ in { home-manager.users.${user} = { sops.secrets = { - "viya/orders-api/key".sopsFile = ../../../../../../../secrets/sas/secrets.yaml; - "viya/orders-api/secret".sopsFile = ../../../../../../../secrets/sas/secrets.yaml; + "viya/orders-api/key".sopsFile = "${inputs.secrets}/sas/secrets.yaml"; + "viya/orders-api/secret".sopsFile = "${inputs.secrets}/sas/secrets.yaml"; }; home.packages = [ selfPkgs.viya4-orders-cli ]; 
diff --git a/hosts/elara/users/nikara/default.nix b/hosts/elara/users/nikara/default.nix index 49ff2d1..64933b6 100644 --- a/hosts/elara/users/nikara/default.nix +++ b/hosts/elara/users/nikara/default.nix @@ -1,4 +1,9 @@ -{ config, lib, ... }: +{ + config, + lib, + inputs, + ... +}: let # FIXME: https://github.com/NixOS/nixpkgs/issues/24570 # FIXME: https://github.com/NixOS/nixpkgs/issues/305643 @@ -97,7 +102,7 @@ in # mkpasswd -s sops.secrets."${user}-password" = { - sopsFile = ../../../../secrets/sas/secrets.yaml; + sopsFile = "${inputs.secrets}/sas/secrets.yaml"; key = "password"; neededForUsers = true; }; diff --git a/hosts/himalia/secrets/ssh_host_ed25519_key.pub b/hosts/himalia/secrets/ssh_host_ed25519_key.pub deleted file mode 100644 index aff7b9a..0000000 --- a/hosts/himalia/secrets/ssh_host_ed25519_key.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgGmzh23q/ucuZRRkS4LdPfBdTDWJk0UrlUYVnC7j2b root@himalia diff --git a/hosts/himalia/users/nick/configs/console/git/default.nix b/hosts/himalia/users/nick/configs/console/git/default.nix index d870c6d..330a2c0 100644 --- a/hosts/himalia/users/nick/configs/console/git/default.nix +++ b/hosts/himalia/users/nick/configs/console/git/default.nix @@ -15,9 +15,9 @@ in sops = { secrets = { "git/credentials/git.karaolidis.com/admin/username".sopsFile = - ../../../../../../../secrets/personal/secrets.yaml; + "${inputs.secrets}/personal/secrets.yaml"; "git/credentials/git.karaolidis.com/admin/password".sopsFile = - ../../../../../../../secrets/personal/secrets.yaml; + "${inputs.secrets}/personal/secrets.yaml"; }; templates."git/credentials" = { diff --git a/hosts/himalia/users/nick/configs/console/gpg/default.nix b/hosts/himalia/users/nick/configs/console/gpg/default.nix index 6100b10..9e8d630 100644 --- a/hosts/himalia/users/nick/configs/console/gpg/default.nix +++ b/hosts/himalia/users/nick/configs/console/gpg/default.nix 
@@ -1,13 +1,13 @@ { user, home }: -{ config, ... }: +{ config, inputs, ... }: let hmConfig = config.home-manager.users.${user}; in { home-manager.users.${user} = { sops.secrets = { - "gpg/key".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; - "gpg/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + "gpg/key".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; + "gpg/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; }; programs.clipbook.bookmarks."GPG Passphrase".source = hmConfig.sops.secrets."gpg/pass".path; diff --git a/hosts/himalia/users/nick/configs/console/podman/default.nix b/hosts/himalia/users/nick/configs/console/podman/default.nix index eae10c3..6ece150 100644 --- a/hosts/himalia/users/nick/configs/console/podman/default.nix +++ b/hosts/himalia/users/nick/configs/console/podman/default.nix @@ -1,13 +1,18 @@ { user, home }: -{ config, pkgs, ... }: +{ + config, + pkgs, + inputs, + ... +}: let hmConfig = config.home-manager.users.${user}; in { home-manager.users.${user}.sops = { secrets = { - "registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; - "registry/registry.karaolidis.com".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + "registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; + "registry/registry.karaolidis.com".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; }; templates."containers-auth.json" = { diff --git a/hosts/himalia/users/nick/configs/console/ssh/default.nix b/hosts/himalia/users/nick/configs/console/ssh/default.nix index 84f8335..cfeb008 100644 --- a/hosts/himalia/users/nick/configs/console/ssh/default.nix +++ b/hosts/himalia/users/nick/configs/console/ssh/default.nix @@ -1,5 +1,5 @@ { user, home }: -{ config, ... }: +{ config, inputs, ... }: let hmConfig = config.home-manager.users.${user}; in 
@@ -7,11 +7,11 @@ in home-manager.users.${user} = { sops.secrets = { "ssh/key" = { - sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + sopsFile = "${inputs.secrets}/personal/secrets.yaml"; path = "${home}/.ssh/ssh_personal_ed25519_key"; }; - "ssh/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + "ssh/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; }; programs.clipbook.bookmarks."SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/pass".path; diff --git a/hosts/himalia/users/nick/default.nix b/hosts/himalia/users/nick/default.nix index 53a761b..40248ef 100644 --- a/hosts/himalia/users/nick/default.nix +++ b/hosts/himalia/users/nick/default.nix @@ -1,4 +1,9 @@ -{ config, lib, ... }: +{ + config, + lib, + inputs, + ... +}: let # FIXME: https://github.com/NixOS/nixpkgs/issues/24570 # FIXME: https://github.com/NixOS/nixpkgs/issues/305643 @@ -94,7 +99,7 @@ in # mkpasswd -s sops.secrets."${user}-password" = { - sopsFile = ../../../../secrets/personal/secrets.yaml; + sopsFile = "${inputs.secrets}/personal/secrets.yaml"; key = "password"; neededForUsers = true; }; diff --git a/hosts/installer/secrets/ssh_host_ed25519_key.pub b/hosts/installer/secrets/ssh_host_ed25519_key.pub deleted file mode 100644 index 0f70235..0000000 --- a/hosts/installer/secrets/ssh_host_ed25519_key.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEIK+JkxkC0E8w0IF59gtpG55JBS/osqs1B7VhsI0eI root@installer diff --git a/hosts/installer/users/nick/configs/console/git/default.nix b/hosts/installer/users/nick/configs/console/git/default.nix index d870c6d..330a2c0 100644 --- a/hosts/installer/users/nick/configs/console/git/default.nix +++ b/hosts/installer/users/nick/configs/console/git/default.nix 
@@ -15,9 +15,9 @@ in sops = { secrets = { "git/credentials/git.karaolidis.com/admin/username".sopsFile = - ../../../../../../../secrets/personal/secrets.yaml; + "${inputs.secrets}/personal/secrets.yaml"; "git/credentials/git.karaolidis.com/admin/password".sopsFile = - ../../../../../../../secrets/personal/secrets.yaml; + "${inputs.secrets}/personal/secrets.yaml"; }; templates."git/credentials" = { diff --git a/hosts/installer/users/nick/configs/console/gpg/default.nix b/hosts/installer/users/nick/configs/console/gpg/default.nix index fef15f0..594c6af 100644 --- a/hosts/installer/users/nick/configs/console/gpg/default.nix +++ b/hosts/installer/users/nick/configs/console/gpg/default.nix @@ -1,8 +1,8 @@ { user, home }: -{ ... }: +{ inputs, ... }: { home-manager.users.${user}.sops.secrets = { - "gpg/key".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; - "gpg/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + "gpg/key".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; + "gpg/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; }; } diff --git a/hosts/installer/users/nick/configs/console/ssh/default.nix b/hosts/installer/users/nick/configs/console/ssh/default.nix index ab586dd..e4e14aa 100644 --- a/hosts/installer/users/nick/configs/console/ssh/default.nix +++ b/hosts/installer/users/nick/configs/console/ssh/default.nix @@ -1,14 +1,14 @@ { user, home }: -{ ... }: +{ inputs, ... }: { home-manager.users.${user} = { sops.secrets = { "ssh/key" = { - sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + sopsFile = "${inputs.secrets}/personal/secrets.yaml"; path = "${home}/.ssh/ssh_personal_ed25519_key"; }; - "ssh/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + "ssh/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; }; programs.ssh.matchBlocks = { diff --git a/hosts/installer/users/nick/default.nix b/hosts/installer/users/nick/default.nix index cb69723..98fb008 100644 
--- a/hosts/installer/users/nick/default.nix +++ b/hosts/installer/users/nick/default.nix @@ -1,4 +1,9 @@ -{ config, lib, ... }: +{ + config, + lib, + inputs, + ... +}: let # FIXME: https://github.com/NixOS/nixpkgs/issues/24570 # FIXME: https://github.com/NixOS/nixpkgs/issues/305643 @@ -41,7 +46,7 @@ in # mkpasswd -s sops.secrets."${user}-password" = { - sopsFile = ../../../../secrets/personal/secrets.yaml; + sopsFile = "${inputs.secrets}/personal/secrets.yaml"; key = "password"; neededForUsers = true; }; diff --git a/hosts/jupiter-vps/secrets/ssh_host_ed25519_key.pub b/hosts/jupiter-vps/secrets/ssh_host_ed25519_key.pub deleted file mode 100644 index 7953cff..0000000 --- a/hosts/jupiter-vps/secrets/ssh_host_ed25519_key.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIEQGAjeS+Q5aB8uTmy//XyFRFihtUBeWJbFhIi8YEa3 root@jupiter-vps diff --git a/hosts/jupiter/configs/tv/default.nix b/hosts/jupiter/configs/tv/default.nix index f539065..9edb31d 100644 --- a/hosts/jupiter/configs/tv/default.nix +++ b/hosts/jupiter/configs/tv/default.nix @@ -62,8 +62,8 @@ in sops = { secrets = { - "tv/network/password".sopsFile = ../../secrets/secrets.yaml; - "tv/adguard/admin".sopsFile = ../../secrets/secrets.yaml; + "tv/network/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "tv/adguard/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; }; templates.adguard-env.content = '' diff --git a/hosts/jupiter/secrets/ssh_host_ed25519_key.pub b/hosts/jupiter/secrets/ssh_host_ed25519_key.pub deleted file mode 100644 index 952a80a..0000000 --- a/hosts/jupiter/secrets/ssh_host_ed25519_key.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEoe+/nXBPhLKVZ2Fo4iif8F9WgrriBE+/oXPdANR+7G root@jupiter diff --git a/hosts/jupiter/users/nick/configs/console/podman/default.nix b/hosts/jupiter/users/nick/configs/console/podman/default.nix index 8805a48..be839b3 100644 --- a/hosts/jupiter/users/nick/configs/console/podman/default.nix 
+++ b/hosts/jupiter/users/nick/configs/console/podman/default.nix @@ -1,11 +1,16 @@ { user, home }: -{ config, pkgs, ... }: +{ + config, + pkgs, + inputs, + ... +}: let hmConfig = config.home-manager.users.${user}; in { home-manager.users.${user}.sops = { - secrets."registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + secrets."registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; templates.containers-auth = { content = builtins.readFile ( diff --git a/hosts/jupiter/users/nick/default.nix b/hosts/jupiter/users/nick/default.nix index 6a6b319..c248464 100644 --- a/hosts/jupiter/users/nick/default.nix +++ b/hosts/jupiter/users/nick/default.nix @@ -1,4 +1,9 @@ -{ config, lib, ... }: +{ + config, + lib, + inputs, + ... +}: let # FIXME: https://github.com/NixOS/nixpkgs/issues/24570 # FIXME: https://github.com/NixOS/nixpkgs/issues/305643 @@ -38,7 +43,7 @@ in # mkpasswd -s sops.secrets."${user}-password" = { - sopsFile = ../../../../secrets/personal/secrets.yaml; + sopsFile = "${inputs.secrets}/personal/secrets.yaml"; key = "password"; neededForUsers = true; }; diff --git a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix index 9e29238..d72e562 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix 
@@ -16,14 +16,14 @@ in home-manager.users.${user} = { sops = { secrets = { - "authelia/session".sopsFile = ../../../../../../secrets/secrets.yaml; - "authelia/resetPasswordJwt".sopsFile = ../../../../../../secrets/secrets.yaml; - "authelia/oidcHmac".sopsFile = ../../../../../../secrets/secrets.yaml; - "authelia/oidcKey".sopsFile = ../../../../../../secrets/secrets.yaml; - "authelia/storage".sopsFile = ../../../../../../secrets/secrets.yaml; - "authelia/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml; - "authelia/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; - "authelia/users/karaolidis".sopsFile = ../../../../../../secrets/secrets.yaml; + "authelia/session".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "authelia/resetPasswordJwt".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "authelia/oidcHmac".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "authelia/oidcKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "authelia/storage".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "authelia/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "authelia/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "authelia/users/karaolidis".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; }; templates = { diff --git a/hosts/jupiter/users/storm/configs/console/podman/default.nix b/hosts/jupiter/users/storm/configs/console/podman/default.nix index fc7d3b8..1e631eb 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/default.nix @@ -1,5 +1,10 @@ { user, home }: -{ config, pkgs, ... }: +{ + config, + pkgs, + inputs, + ... +}: let hmConfig = config.home-manager.users.${user}; in 
@@ -35,7 +40,7 @@ in ]; sops = { - secrets."registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml; + secrets."registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml"; templates.containers-auth = { content = builtins.readFile ( diff --git a/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix b/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix index 9b9b6d8..3bdb6cd 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix @@ -68,14 +68,14 @@ in { sops = { secrets = { - "gitea/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/internalToken".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/jwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/lfsJwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml; - "gitea/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml; + "gitea/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "gitea/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "gitea/secretKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "gitea/internalToken".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "gitea/jwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "gitea/lfsJwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "gitea/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "gitea/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; }; templates = { 
diff --git a/hosts/jupiter/users/storm/configs/console/podman/grafana/default.nix b/hosts/jupiter/users/storm/configs/console/podman/grafana/default.nix index 7e73dd7..711562a 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/grafana/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/grafana/default.nix @@ -17,9 +17,9 @@ in home-manager.users.${user} = { sops = { secrets = { - "grafana/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml; - "grafana/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml; - "grafana/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; + "grafana/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "grafana/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; + "grafana/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml"; }; templates = { diff --git a/hosts/jupiter/users/storm/configs/console/podman/media/jellyfin/default.nix b/hosts/jupiter/users/storm/configs/console/podman/media/jellyfin/default.nix index 707df2b..e935426 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/media/jellyfin/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/media/jellyfin/default.nix 
@@ -17,11 +17,11 @@ in
 home-manager.users.${user} = {
 sops = {
 secrets = {
- "jellyfin/admin".sopsFile = ../../../../../../../secrets/secrets.yaml;
- "jellyfin/authelia/password".sopsFile = ../../../../../../../secrets/secrets.yaml;
- "jellyfin/authelia/digest".sopsFile = ../../../../../../../secrets/secrets.yaml;
- "opensubtitles/username".sopsFile = ../../../../../../../../../secrets/personal/secrets.yaml;
- "opensubtitles/password".sopsFile = ../../../../../../../../../secrets/personal/secrets.yaml;
+ "jellyfin/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "jellyfin/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "jellyfin/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "opensubtitles/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+ "opensubtitles/password".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
 };
 templates = {
diff --git a/hosts/jupiter/users/storm/configs/console/podman/media/jellyseerr/default.nix b/hosts/jupiter/users/storm/configs/console/podman/media/jellyseerr/default.nix
index a07e0e6..cd77c9c 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/media/jellyseerr/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/media/jellyseerr/default.nix
@@ -24,9 +24,9 @@ in
 home-manager.users.${user} = {
 sops = {
 secrets = {
- "jellyseerr/smtp".sopsFile = ../../../../../../../secrets/secrets.yaml;
- "jellyseerr/authelia/password".sopsFile = ../../../../../../../secrets/secrets.yaml;
- "jellyseerr/authelia/digest".sopsFile = ../../../../../../../secrets/secrets.yaml;
+ "jellyseerr/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "jellyseerr/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "jellyseerr/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 };
 templates = {
diff --git a/hosts/jupiter/users/storm/configs/console/podman/media/prowlarr/default.nix b/hosts/jupiter/users/storm/configs/console/podman/media/prowlarr/default.nix
index ba578d6..12b21a8 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/media/prowlarr/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/media/prowlarr/default.nix
@@ -20,7 +20,7 @@ in
 {
 home-manager.users.${user} = {
 sops = {
- secrets."prowlarr/apiKey".sopsFile = ../../../../../../../secrets/secrets.yaml;
+ secrets."prowlarr/apiKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 templates = {
 prowlarr-env.content = ''
diff --git a/hosts/jupiter/users/storm/configs/console/podman/media/radarr/default.nix b/hosts/jupiter/users/storm/configs/console/podman/media/radarr/default.nix
index 04b9755..9712e8b 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/media/radarr/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/media/radarr/default.nix
@@ -21,7 +21,7 @@ in
 secrets = builtins.listToAttrs (
 builtins.map (radarr: {
 name = "${radarr.hostName}/apiKey";
- value.sopsFile = ../../../../../../../secrets/secrets.yaml;
+ value.sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 }) radarrs
 );
diff --git a/hosts/jupiter/users/storm/configs/console/podman/media/sonarr/default.nix b/hosts/jupiter/users/storm/configs/console/podman/media/sonarr/default.nix
index 34995f8..68c38c3 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/media/sonarr/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/media/sonarr/default.nix
@@ -21,7 +21,7 @@ in
 secrets = builtins.listToAttrs (
 builtins.map (sonarr: {
 name = "${sonarr.hostName}/apiKey";
- value.sopsFile = ../../../../../../../secrets/secrets.yaml;
+ value.sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 }) sonarrs
 );
diff --git a/hosts/jupiter/users/storm/configs/console/podman/media/transmission/default.nix b/hosts/jupiter/users/storm/configs/console/podman/media/transmission/default.nix
index 57c1ac6..acbebfb 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/media/transmission/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/media/transmission/default.nix
@@ -13,7 +13,7 @@ let
 in
 {
 home-manager.users.${user} = {
- sops.secrets."transmission/protonvpn".sopsFile = ../../../../../../../secrets/secrets.yaml;
+ sops.secrets."transmission/protonvpn".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 systemd.user.tmpfiles.rules = [
 "d /mnt/storage/private/storm/containers/storage/volumes/media/_data/downloads/transmission 755 storm storm"
diff --git a/hosts/jupiter/users/storm/configs/console/podman/nextcloud/default.nix b/hosts/jupiter/users/storm/configs/console/podman/nextcloud/default.nix
index cea3d65..4bf7205 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/nextcloud/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/nextcloud/default.nix
@@ -16,12 +16,12 @@ in
 home-manager.users.${user} = {
 sops = {
 secrets = {
- "nextcloud/salt".sopsFile = ../../../../../../secrets/secrets.yaml;
- "nextcloud/secret".sopsFile = ../../../../../../secrets/secrets.yaml;
- "nextcloud/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
- "nextcloud/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
- "nextcloud/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
- "nextcloud/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "nextcloud/salt".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "nextcloud/secret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "nextcloud/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "nextcloud/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "nextcloud/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "nextcloud/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 };
 templates = {
diff --git a/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix b/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix
index 9795d3b..fc80898 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix
@@ -15,10 +15,10 @@ in
 home-manager.users.${user} = {
 sops = {
 secrets = {
- "ntfy/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
- "ntfy/webPush/publicKey".sopsFile = ../../../../../../secrets/secrets.yaml;
- "ntfy/webPush/privateKey".sopsFile = ../../../../../../secrets/secrets.yaml;
- "ntfy/users/karaolidis".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "ntfy/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "ntfy/webPush/publicKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "ntfy/webPush/privateKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "ntfy/users/karaolidis".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 };
 templates = {
diff --git a/hosts/jupiter/users/storm/configs/console/podman/outline/default.nix b/hosts/jupiter/users/storm/configs/console/podman/outline/default.nix
index 5b4e5dd..cb9c924 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/outline/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/outline/default.nix
@@ -16,12 +16,12 @@ in
 home-manager.users.${user} = {
 sops = {
 secrets = {
- "outline/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
- "outline/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml;
- "outline/utilsSecret".sopsFile = ../../../../../../secrets/secrets.yaml;
- "outline/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
- "outline/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
- "outline/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "outline/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "outline/secretKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "outline/utilsSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "outline/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "outline/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "outline/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 };
 templates = {
diff --git a/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix b/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix
index 0caccfb..766828d 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix
@@ -15,9 +15,9 @@ in
 home-manager.users.${user} = {
 sops = {
 secrets = {
- "shlink/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
- "shlink/apiKey".sopsFile = ../../../../../../secrets/secrets.yaml;
- "maxmind/licenseKey".sopsFile = ../../../../../../../../secrets/personal/secrets.yaml;
+ "shlink/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "shlink/apiKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "maxmind/licenseKey".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
 };
 templates = {
diff --git a/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix b/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix
index 3068e0b..680fc01 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix
@@ -15,7 +15,7 @@ in
 networking.firewall.allowedTCPPorts = [ 2222 ];
 home-manager.users.${user} = {
- sops.secrets."sish/ssh/key".sopsFile = ../../../../../../secrets/secrets.yaml;
+ sops.secrets."sish/ssh/key".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 virtualisation.quadlet = {
 networks.sish = { };
diff --git a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
index 94e60a2..c4ba504 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
@@ -25,7 +25,7 @@ in
 home-manager.users.${user} = {
 sops = {
- secrets."cloudflare/letsencrypt".sopsFile = ../../../../../../../../secrets/personal/secrets.yaml;
+ secrets."cloudflare/letsencrypt".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
 templates.traefik-env.content = ''
 CF_DNS_API_TOKEN=${hmConfig.sops.placeholder."cloudflare/letsencrypt"}
 '';
diff --git a/hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix b/hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix
index 6dd12a7..435ccd5 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix
@@ -17,13 +17,13 @@ in
 home-manager.users.${user} = {
 sops = {
 secrets = {
- "vaultwarden/adminToken".sopsFile = ../../../../../../secrets/secrets.yaml;
- "vaultwarden/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
- "vaultwarden/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
- "vaultwarden/push/installationId".sopsFile = ../../../../../../secrets/secrets.yaml;
- "vaultwarden/push/installationKey".sopsFile = ../../../../../../secrets/secrets.yaml;
- "vaultwarden/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
- "vaultwarden/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "vaultwarden/adminToken".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "vaultwarden/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "vaultwarden/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "vaultwarden/push/installationId".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "vaultwarden/push/installationKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "vaultwarden/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+ "vaultwarden/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
 };
 templates = {
diff --git a/hosts/jupiter/users/storm/default.nix b/hosts/jupiter/users/storm/default.nix
index fcef55f..38b1091 100644
--- a/hosts/jupiter/users/storm/default.nix
+++ b/hosts/jupiter/users/storm/default.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{ config, lib, inputs, ... }:
 let
 # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
 # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -26,7 +31,7 @@ in
 # mkpasswd -s
 sops.secrets."${user}-password" = {
- sopsFile = ../../../../secrets/personal/secrets.yaml;
+ sopsFile = "${inputs.secrets}/personal/secrets.yaml";
 key = "password";
 neededForUsers = true;
 };
diff --git a/lib/scripts/add-host.sh b/lib/scripts/add-host.sh
index 0ebbe82..cbfbfdd 100755
--- a/lib/scripts/add-host.sh
+++ b/lib/scripts/add-host.sh
@@ -11,11 +11,11 @@ fi
 host="$1"
-mkdir -p "./hosts/$host/secrets"
-ssh-keygen -t ed25519 -f "./hosts/$host/secrets/ssh_host_ed25519_key" -C "root@$host" -N ""
-age_key=$(ssh-to-age < "./hosts/$host/secrets/ssh_host_ed25519_key.pub")
+mkdir -p "./secrets/hosts/$host"
+ssh-keygen -t ed25519 -f "./secrets/hosts/$host/ssh_host_ed25519_key" -C "root@$host" -N ""
+age_key=$(ssh-to-age < "./secrets/hosts/$host/ssh_host_ed25519_key.pub")
-cat < "./hosts/$host/secrets/sops.yaml"
+cat < "./secrets/hosts/$host/sops.yaml"
 keys: - hosts: - &$host $age_key
@@ -46,7 +46,7 @@ done
 machine_id=$(uuidgen -r | tr -d -)
-cat < "./hosts/$host/secrets/.decrypted~secrets.yaml"
+cat < "./secrets/hosts/$host/.decrypted~secrets.yaml"
 luks: '$luks'
 machineId: $machine_id
 EOF
@@ -55,11 +55,11 @@ tmp_age_key="$(mktemp)"
 echo "$age_key" > "$tmp_age_key"
 export SOPS_AGE_KEY_FILE="$tmp_age_key"
-sops --config "./hosts/$host/secrets/sops.yaml" --encrypt "./hosts/$host/secrets/.decrypted~secrets.yaml" > "./hosts/$host/secrets/secrets.yaml"
+sops --config "./secrets/hosts/$host/sops.yaml" --encrypt "./secrets/hosts/$host/.decrypted~secrets.yaml" > "./secrets/hosts/$host/secrets.yaml"
 unset SOPS_AGE_KEY_FILE
 rm -f "$tmp_age_key"
-rm -f "./hosts/$host/secrets/.decrypted~secrets.yaml"
+rm -f "./secrets/hosts/$host/.decrypted~secrets.yaml"
 mkdir -p "./hosts/$host/hardware"
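Review bot: In the `@@ -11` hunk, `ssh-keygen … -N ""` now writes the passphrase-less host private key into `./secrets/hosts/$host/`, the checkout of the `secrets` submodule, and nothing in this script encrypts it — only `.decrypted~secrets.yaml` is passed through `sops --encrypt`. Because `sops.yaml` lists the age key derived from that ssh key as a recipient, anyone who can read the secrets repository can also decrypt the `luks` value in `secrets.yaml`; whether that repository is private is not visible here, so a comment above the `ssh-keygen` line stating the assumption would help, e.g. `# The host private key is committed unencrypted; the nix-secrets repository must stay private.`. Separately, this script writes into the submodule checkout while the Nix modules read the `secrets` flake input pinned in flake.lock, so a new host's `secrets.yaml` and key are not seen by evaluation until the submodule commit is pushed and the `secrets` input re-locked; printing that reminder to stderr at the end of the script would avoid a confusing first build.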
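Review bot: In the `@@ -55` hunk the plaintext `.decrypted~secrets.yaml` (written by the `cat` in the previous hunk and holding the LUKS passphrase and machine id) is only removed by the final `rm -f`, so if `sops --encrypt` fails the decrypted file stays on disk inside the `secrets` checkout; the `*/.decrypted~*` rule in `secrets/.gitignore` is deleted by the last hunk of this commit and would not have matched the new two-level `hosts/$host/` path anyway, and whether the submodule carries its own ignore rule is not visible here. Installing a trap before the file is created, e.g. `trap 'rm -f -- "$tmp_age_key" "./secrets/hosts/$host/.decrypted~secrets.yaml"' EXIT`, removes both temporaries on every exit path. The script's `set` options are outside the hunk, so it cannot be confirmed from here whether a failed `sops` even aborts the script.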
@@ -194,7 +194,7 @@ EOF
 sed -i "/nixosConfigurations = {/a\\ $host = mkNixosConfiguration inputs system [ ./hosts/$host ];\n" flake.nix
-sed -i "/knownHosts = {/a\\ $host.publicKeyFile = ../../../../$host/secrets/ssh_host_ed25519_key.pub;" ./hosts/common/configs/system/ssh/default.nix
+sed -i "/knownHosts = {/a\\ $host.publicKeyFile = \"${inputs.secrets}/$host/ssh_host_ed25519_key.pub\";" ./hosts/common/configs/system/ssh/default.nix
 new_entry="| \`$host\` | [hosts/$host/README.md](./hosts/$host/README.md) |"
 last_table_line=$(grep -n "^| " README.md | tail -n 1 | cut -d: -f1)
diff --git a/lib/scripts/remove-host.sh b/lib/scripts/remove-host.sh
index 3126d0e..0bf102a 100755
--- a/lib/scripts/remove-host.sh
+++ b/lib/scripts/remove-host.sh
@@ -11,7 +11,7 @@ fi
 host="$1"
-age_key=$(ssh-to-age < "./hosts/$host/secrets/ssh_host_ed25519_key.pub")
+age_key=$(ssh-to-age < "./secrets/hosts/$host/ssh_host_ed25519_key.pub")
 find . -type f -name "sops.yaml" | while IFS= read -r sops_file; do
 sed -i "/ - &$host $age_key/d" "$sops_file"
diff --git a/packages/docker/mariadb/entrypoint.sh b/packages/docker/mariadb/entrypoint.sh
index 5e1505d..cf4ef79 100644
--- a/packages/docker/mariadb/entrypoint.sh
+++ b/packages/docker/mariadb/entrypoint.sh
@@ -6,7 +6,7 @@ set -o nounset
 MYSQL_USER="${MYSQL_USER:-mariadb}"
 MYSQL_PASSWORD="${MYSQL_PASSWORD:-mariadb}"
 MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD:-$MYSQL_PASSWORD}"
-MYSQL_DB="${MYSQL_DB}"
+MYSQL_DB="${MYSQL_DB:-main}"
 DATADIR="${DATADIR:-/var/lib/mysql}"
 if [ ! -f "$DATADIR/mysql_upgrade_info" ]; then
diff --git a/packages/docker/mysql/entrypoint.sh b/packages/docker/mysql/entrypoint.sh
index 9ee411b..1b62a2b 100644
--- a/packages/docker/mysql/entrypoint.sh
+++ b/packages/docker/mysql/entrypoint.sh
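Review bot: The new `sed` line in the `@@ -194` hunk of add-host.sh puts `${inputs.secrets}` inside bash double quotes, so bash tries to expand it instead of writing it into the Nix file, and since `inputs.secrets` is not a valid parameter name the script aborts with a bad-substitution error before `ssh/default.nix` is touched. The inserted path also lacks the `hosts/` component that every other new path in this commit uses (`./secrets/hosts/$host/…` in the earlier add-host.sh hunks, `$flake/secrets/hosts/$host/…` in install.sh). Escaping the dollar and adding the component fixes both: `sed -i "/knownHosts = {/a\\ $host.publicKeyFile = \"\${inputs.secrets}/hosts/$host/ssh_host_ed25519_key.pub\";" ./hosts/common/configs/system/ssh/default.nix` — this assumes ssh/default.nix receives `inputs` as a module argument, which is not visible here.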
@@ -6,7 +6,7 @@ set -o nounset
 MYSQL_USER="${MYSQL_USER:-mysql}"
 MYSQL_PASSWORD="${MYSQL_PASSWORD:-mysql}"
 MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD:-$MYSQL_PASSWORD}"
-MYSQL_DB="${MYSQL_DB}"
+MYSQL_DB="${MYSQL_D:-main}"
 DATADIR="${DATADIR:-/var/lib/mysql}"
 if [ ! -f "$DATADIR/mysql_upgrade_history" ]; then
diff --git a/packages/docker/nextcloud/entrypoint.sh b/packages/docker/nextcloud/entrypoint.sh
index b1ea2f3..a57eea4 100644
--- a/packages/docker/nextcloud/entrypoint.sh
+++ b/packages/docker/nextcloud/entrypoint.sh
@@ -8,7 +8,7 @@ if [ ! -f "/var/www/nextcloud/config/config.php" ]; then
 POSTGRES_PORT="${POSTGRES_PORT:-5432}"
 POSTGRES_USER="${POSTGRES_USER:-nextcloud}"
 POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-nextcloud}"
- POSTGRES_DB="${POSTGRES_DB}"
+ POSTGRES_DB="${POSTGRES_DB:-nextcloud}"
 ADMIN_USER="admin"
 ADMIN_PASS="$(head -c 128 /dev/urandom | tr -dc 'A-Za-z0-9' | head -c 64)"
diff --git a/packages/docker/postgresql/entrypoint.sh b/packages/docker/postgresql/entrypoint.sh
index f011650..8db37e9 100644
--- a/packages/docker/postgresql/entrypoint.sh
+++ b/packages/docker/postgresql/entrypoint.sh
@@ -5,7 +5,7 @@ set -o nounset
 POSTGRES_USER="${POSTGRES_USER:-postgres}"
 POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-postgres}"
-POSTGRES_DB="${POSTGRES_DB}"
+POSTGRES_DB="${POSTGRES_DB:-main}"
 export PGDATA="${PGDATA:-/var/lib/postgresql/data}"
 LOG_PIPE="$(mktemp -u)"
diff --git a/secrets b/secrets
new file mode 160000
index 0000000..63c7032
--- /dev/null
+++ b/secrets
@@ -0,0 +1 @@
+Subproject commit 63c7032ad90dbafa555b02450e146dbb8be4b89c
diff --git a/secrets/.gitignore b/secrets/.gitignore
deleted file mode 100644
index 428ef63..0000000
--- a/secrets/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-*/key.txt
-*/.decrypted~*
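Review bot: `MYSQL_DB="${MYSQL_D:-main}"` in the mysql entrypoint hunk reads the variable `MYSQL_D`, so an operator-supplied `MYSQL_DB` is silently ignored and the database name is always `main`; because the `:-` default satisfies `set -o nounset`, nothing reports the typo at startup. The line should read `MYSQL_DB="${MYSQL_DB:-main}"`, matching the mariadb hunk just before it.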