From 3138fd23ef855a5925eb370bf0c976316c6c96b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kier=C3=A1n=20Meinhardt?= Date: Tue, 27 Jun 2023 17:57:42 +0200 Subject: [PATCH] chore: get secrets via input, mock for CI this fixes CI, yay! --- .github/workflows/niveum.yml | 19 +++++-- configs/aerc.nix | 15 +++--- configs/cloud.nix | 3 +- configs/default.nix | 6 +-- configs/hu-berlin.nix | 10 +--- configs/i3.nix | 5 +- configs/khal.nix | 6 +-- configs/packages.nix | 4 +- configs/telegram-bots/autorenkalender.nix | 4 +- configs/telegram-bots/default.nix | 7 ++- configs/telegram-bots/nachtischsatan.nix | 4 +- configs/traadfri.nix | 4 +- flake.lock | 14 +++++ flake.nix | 32 ++++++++---- secrets.txt | 62 +++++++++++++++++++++++ systems/ful/configuration.nix | 10 ++-- systems/kabsa/configuration.nix | 13 +++-- systems/makanek/configuration.nix | 8 +-- systems/makanek/menstruation.nix | 3 +- systems/makanek/monitoring/default.nix | 7 +-- systems/makanek/nextcloud.nix | 5 +- systems/makanek/onlyoffice.nix | 4 +- systems/makanek/retiolum-map.nix | 2 +- systems/makanek/tt-rss.nix | 5 +- systems/makanek/weechat.nix | 4 +- systems/manakish/configuration.nix | 14 ++--- systems/tabula/configuration.nix | 6 +-- systems/tahina/configuration.nix | 6 +-- systems/zaatar/configuration.nix | 8 +-- systems/zaatar/moodle-dl-meinhark.nix | 5 +- systems/zaatar/mpd.nix | 9 ++-- systems/zaatar/spotifyd.nix | 10 ++-- 32 files changed, 203 insertions(+), 111 deletions(-) create mode 100644 secrets.txt diff --git a/.github/workflows/niveum.yml b/.github/workflows/niveum.yml index f1622b9..893df0d 100644 --- a/.github/workflows/niveum.yml +++ b/.github/workflows/niveum.yml 
@@ -10,10 +10,21 @@ jobs: system: [makanek,manakish,kabsa,zaatar,ful] steps: - uses: actions/checkout@v2 - - uses: cachix/install-nix-action@v16 - - name: Install nixos-rebuild - run: GC_DONT_GC=1 nix-env -i nixos-rebuild -f '' + - name: Install QEMU (ARM) + run: sudo apt-get install -y qemu-user-static + if: ${{ matrix.system == 'ful' }} + - name: Install Nix (ARM) + uses: cachix/install-nix-action@v16 + if: ${{ matrix.system == 'ful' }} + with: + extra_nix_config: | + system = aarch64-linux + - name: Install Nix (x86_64) + uses: cachix/install-nix-action@v16 + if: ${{ matrix.system != 'ful' }} - run: | rm -rf secrets mkdir secrets - - run: GC_DONT_GC=1 nixos-rebuild dry-build --flake .#{{matrix.system}} + cat secrets.txt | while read -r path; do echo dummy > $path; done + find + - run: nix run nixpkgs#nixos-rebuild -- dry-build --override-input secrets ./secrets --flake .#${{matrix.system}} diff --git a/configs/aerc.nix b/configs/aerc.nix index 7cb4083..6d8da28 100644 --- a/configs/aerc.nix +++ b/configs/aerc.nix @@ -2,6 +2,7 @@ pkgs, config, lib, + inputs, ... }: let defaults = { 
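Review bot: The final added `run:` step invokes `nix run nixpkgs#nixos-rebuild`, which resolves `nixpkgs` through the runner's global flake registry rather than this repository's `flake.lock`, so the tool performing the dry-build is unpinned and can drift or be substituted independently of the locked inputs; `nix run --inputs-from . nixpkgs#nixos-rebuild -- dry-build --override-input secrets ./secrets --flake .#${{matrix.system}}` keeps it on the locked revision. The mock loop leaves the target unquoted and only recreates the top-level directory, so `echo dummy > "$path"` preceded by `mkdir -p "$(dirname "$path")"` would make it both safe against odd filenames and robust if `secrets.txt` ever lists a nested path. The bare `find` after the loop appears to be leftover debugging and dumps the whole checkout into the job log. Both actions (`actions/checkout@v2`, `cachix/install-nix-action@v16`) are referenced by mutable tag; pinning them to a commit SHA would close the remaining supply-chain gap in this workflow.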
@@ -19,43 +20,43 @@ in { age.secrets = { email-password-cock = { - file = ../secrets/email-password-cock.age; + file = inputs.secrets + "/email-password-cock.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; }; email-password-fysi = { - file = ../secrets/email-password-fysi.age; + file = inputs.secrets + "/secrets/email-password-fysi.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; }; email-password-posteo = { - file = ../secrets/email-password-posteo.age; + file = inputs.secrets + "/email-password-posteo.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; }; email-password-meinhark = { - file = ../secrets/email-password-meinhark.age; + file = inputs.secrets + "/email-password-meinhark.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; }; email-password-meinhaki = { - file = ../secrets/email-password-meinhaki.age; + file = inputs.secrets + "/email-password-meinhaki.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; }; email-password-dslalewa = { - file = ../secrets/email-password-dslalewa.age; + file = inputs.secrets + "/email-password-dslalewa.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; }; email-password-fsklassp = { - file = ../secrets/email-password-fsklassp.age; + file = inputs.secrets + "/email-password-fsklassp.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; diff --git a/configs/cloud.nix b/configs/cloud.nix index e18cb5c..e637f86 100644 --- a/configs/cloud.nix +++ b/configs/cloud.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + inputs, ... }: let inherit (import ../lib) tmpfilesConfig; 
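Review bot: The `email-password-fysi` entry in this hunk now points at `inputs.secrets + "/secrets/email-password-fysi.age"`, an extra `/secrets` segment that none of the sibling entries have and that `secrets.txt` (which lists `secrets/email-password-fysi.age`, i.e. directly under the input root) does not contain, so evaluating any host that imports `configs/aerc.nix` should fail on a missing path and the CI mock will not create it either. It should read `file = inputs.secrets + "/email-password-fysi.age";`. The enclosing `age.secrets` attrset opens before this hunk.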
@@ -97,7 +98,7 @@ in { ]; age.secrets.mega-password = { - file = ../secrets/mega-password.age; + file = inputs.secrets + "/mega-password.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; diff --git a/configs/default.nix b/configs/default.nix index 3600f5b..672e19c 100644 --- a/configs/default.nix +++ b/configs/default.nix @@ -37,13 +37,13 @@ in { { age.secrets = { di-fm-key = { - file = ../secrets/di-fm-key.age; + file = inputs.secrets + "/di-fm-key.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; }; restic = { - file = ../secrets/restic.age; + file = inputs.secrets + "/restic.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; @@ -76,7 +76,7 @@ in { }; age.secrets = { - kfm-password.file = ../secrets/kfm-password.age; + kfm-password.file = inputs.secrets + "/kfm-password.age"; }; home-manager.users.me.xdg.enable = true; diff --git a/configs/hu-berlin.nix b/configs/hu-berlin.nix index 9998e1a..6bbd9b1 100644 --- a/configs/hu-berlin.nix +++ b/configs/hu-berlin.nix @@ -1,15 +1,9 @@ { config, pkgs, - lib, + inputs, ... }: let - inherit (lib.strings) fileContents; - inherit (import ../lib) sshPort; - eduroam = { - identity = fileContents ; - password = fileContents ; - }; hu-berlin-cifs-options = [ "uid=${toString config.users.users.me.uid}" "gid=${toString config.users.groups.users.gid}" @@ -35,7 +29,7 @@ in { options = hu-berlin-cifs-options; }; - age.secrets.cifs-credentials-hu-berlin.file = ../secrets/cifs-credentials-hu-berlin.age; + age.secrets.cifs-credentials-hu-berlin.file = inputs.secrets + "/cifs-credentials-hu-berlin.age"; home-manager.users.me.programs.ssh = { matchBlocks = { diff --git a/configs/i3.nix b/configs/i3.nix index abf2549..52298f4 100644 --- a/configs/i3.nix +++ b/configs/i3.nix @@ -3,6 +3,7 @@ pkgs, lib, niveumPackages, + inputs, ... }: let inherit (import ../lib) defaultApplications colours; 
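Review bot: Both `configs/default.nix` hunks reference `inputs.secrets`, but unlike the other modules in this commit no hunk here adds `inputs` to that module's argument set, so it must already be bound there — worth a quick check, since the module header is outside these hunks and an unbound `inputs` would surface as an evaluation error on every host importing it. In `configs/hu-berlin.nix` the removed `eduroam` block read credentials with `lib.strings.fileContents`, which embeds plaintext in the world-readable store; now that it is gone, the plaintext files it pointed at should also be deleted from the working tree rather than left around.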
@@ -65,13 +66,13 @@ in { age.secrets = { github-token-i3status-rust = { - file = ../secrets/github-token-i3status-rust.age; + file = inputs.secrets + "/github-token-i3status-rust.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; }; openweathermap-api-key = { - file = ../secrets/openweathermap-api-key.age; + file = inputs.secrets + "/openweathermap-api-key.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; diff --git a/configs/khal.nix b/configs/khal.nix index 184a849..05983a4 100644 --- a/configs/khal.nix +++ b/configs/khal.nix @@ -1,7 +1,7 @@ { config, pkgs, - lib, + inputs, ... }: let davHome = "~/.local/share/dav"; @@ -18,13 +18,13 @@ in { age.secrets = { nextcloud-password-kieran = { - file = ../secrets/nextcloud-password-kieran.age; + file = inputs.secrets + "/nextcloud-password-kieran.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; }; nextcloud-password-fysi = { - file = ../secrets/nextcloud-password-fysi.age; + file = inputs.secrets + "/nextcloud-password-fysi.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; diff --git a/configs/packages.nix b/configs/packages.nix index 6cfdda6..69ab7a8 100644 --- a/configs/packages.nix +++ b/configs/packages.nix @@ -1,10 +1,8 @@ { config, pkgs, - lib, inputs, niveumPackages, - unstablePackages, ... }: let worldradio = pkgs.callPackage ../packages/worldradio.nix {}; @@ -291,7 +289,7 @@ in { ]; age.secrets.home-assistant-token = { - file = ../secrets/home-assistant-token.age; + file = inputs.secrets + "/home-assistant-token.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; diff --git a/configs/telegram-bots/autorenkalender.nix b/configs/telegram-bots/autorenkalender.nix index 4e9eeb5..b4bd683 100644 --- a/configs/telegram-bots/autorenkalender.nix +++ b/configs/telegram-bots/autorenkalender.nix 
@@ -1,6 +1,6 @@ { pkgs, - lib, + inputs, config, ... }: let @@ -22,7 +22,7 @@ in { command = "${autorenkalender}/bin/autorenkalender"; }; - age.secrets.telegram-token-kmein.file = ../../secrets/telegram-token-kmein.age; + age.secrets.telegram-token-kmein.file = inputs.secrets + "/telegram-token-kmein.age"; niveum.passport.services = [ { diff --git a/configs/telegram-bots/default.nix b/configs/telegram-bots/default.nix index 3521eb4..e2551ae 100644 --- a/configs/telegram-bots/default.nix +++ b/configs/telegram-bots/default.nix @@ -1,7 +1,6 @@ { config, pkgs, - lib, inputs, ... }: let @@ -48,9 +47,9 @@ in { ]; age.secrets = { - telegram-token-reverse.file = ../../secrets/telegram-token-reverse.age; - telegram-token-betacode.file = ../../secrets/telegram-token-betacode.age; - telegram-token-proverb.file = ../../secrets/telegram-token-proverb.age; + telegram-token-reverse.file = inputs.secrets + "/telegram-token-reverse.age"; + telegram-token-betacode.file = inputs.secrets + "/telegram-token-betacode.age"; + telegram-token-proverb.file = inputs.secrets + "/telegram-token-proverb.age"; }; systemd.services.telegram-reverse = { diff --git a/configs/telegram-bots/nachtischsatan.nix b/configs/telegram-bots/nachtischsatan.nix index 86dc987..732242b 100644 --- a/configs/telegram-bots/nachtischsatan.nix +++ b/configs/telegram-bots/nachtischsatan.nix @@ -1,7 +1,7 @@ { pkgs, config, - lib, + inputs, ... }: let nachtischsatan-bot = {tokenFile}: @@ -36,7 +36,7 @@ in { serviceConfig.Restart = "always"; }; - age.secrets.telegram-token-nachtischsatan.file = ../../secrets/telegram-token-nachtischsatan.age; + age.secrets.telegram-token-nachtischsatan.file = inputs.secrets + "/telegram-token-nachtischsatan.age"; niveum.passport.services = [ { diff --git a/configs/traadfri.nix b/configs/traadfri.nix index 6d283f6..de437ca 100644 --- a/configs/traadfri.nix +++ b/configs/traadfri.nix @@ -1,7 +1,7 @@ { config, pkgs, - lib, + inputs, ... }: let inherit (import ../lib) localAddresses; 
@@ -20,7 +20,7 @@ in { ]; age.secrets.traadfri-key = { - file = ../secrets/traadfri-key.age; + file = inputs.secrets + "/traadfri-key.age"; owner = config.users.users.me.name; group = config.users.users.me.group; mode = "400"; diff --git a/flake.lock b/flake.lock index b0716aa..8ddcd54 100644 --- a/flake.lock +++ b/flake.lock @@ -322,6 +322,7 @@ "retiolum": "retiolum", "rust-overlay": "rust-overlay", "scripts": "scripts", + "secrets": "secrets", "telebots": "telebots", "tinc-graph": "tinc-graph", "traadfri": "traadfri", @@ -377,6 +378,19 @@ "type": "github" } }, + "secrets": { + "flake": false, + "locked": { + "lastModified": 1, + "narHash": "sha256-D9ZMDdN7FOG+x8Ds2FuBUz/ujRLjJ07rxiV8AFuEqbQ=", + "path": "./secrets", + "type": "path" + }, + "original": { + "path": "./secrets", + "type": "path" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 70101a7..ef99c28 100644 --- a/flake.nix +++ b/flake.nix @@ -13,6 +13,7 @@ nixpkgs-unstable.url = "github:NixOS/nixpkgs/master"; nur.url = "github:nix-community/NUR"; recht.url = "github:kmein/recht"; + secrets.url = "path:./secrets"; scripts.url = "github:kmein/scripts"; retiolum.url = "git+https://git.thalheim.io/Mic92/retiolum"; rust-overlay.url = "github:oxalica/rust-overlay"; @@ -38,6 +39,7 @@ scripts.inputs.flake-utils.follows = "flake-utils"; scripts.inputs.nixpkgs.follows = "nixpkgs"; scripts.inputs.rust-overlay.follows = "rust-overlay"; + secrets.flake = false; tinc-graph.inputs.flake-utils.follows = "flake-utils"; tinc-graph.inputs.nixpkgs.follows = "nixpkgs"; tinc-graph.inputs.rust-overlay.follows = "rust-overlay"; 
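Review bot: `secrets.url = "path:./secrets"` with `secrets.flake = false` makes the lock entry pin a `narHash` of the whole secrets directory, so every re-encryption or newly added `.age` file changes that hash; if Nix enforces the locked hash for path inputs on the version in use (worth confirming), deploys will fail until `nix flake lock --update-input secrets` is run, and that step belongs in a comment next to the input. The deploy app already passes `?submodules=1`, which suggests `secrets` is a private submodule; a comment such as `# private submodule of .age ciphertexts, not a flake; CI replaces it via --override-input` on the `secrets.url` line would tell the next reader why the workflow mocks it. The entire directory, including `secrets.nix` with the recipient public keys, is copied into the world-readable Nix store on each evaluation — fine for ciphertext, but it means nothing unencrypted may ever be placed there.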
@@ -62,19 +64,27 @@ apps = nixinate.nixinate.x86_64-linux self // { - x86_64-linux.deploy = let + x86_64-linux = let pkgs = nixpkgs.legacyPackages.x86_64-linux; in { - type = "app"; - program = toString (pkgs.writers.writeDash "deploy" '' - if [ $# -eq 0 ] - then - systems='${toString (builtins.attrNames self.nixosConfigurations)}' - else - systems=$* - fi - ${pkgs.parallel}/bin/parallel --line-buffer --tagstring '{}' 'nix run .\?submodules=1\#apps.nixinate.{}' ::: $systems - ''); + mock-secrets = { + type = "app"; + program = toString (pkgs.writers.writeDash "mock-secrets" '' + ${pkgs.findutils}/bin/find secrets -not -path '*/.*' -type f > secrets.txt + ''); + }; + deploy = { + type = "app"; + program = toString (pkgs.writers.writeDash "deploy" '' + if [ $# -eq 0 ] + then + systems='${toString (builtins.attrNames self.nixosConfigurations)}' + else + systems=$* + fi + ${pkgs.parallel}/bin/parallel --line-buffer --tagstring '{}' 'nix run .\?submodules=1\#apps.nixinate.{}' ::: $systems + ''); + }; }; }; diff --git a/secrets.txt b/secrets.txt new file mode 100644 index 0000000..a414a55 --- /dev/null +++ b/secrets.txt 
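Review bot: The new `mock-secrets` app writes raw `find` output into `secrets.txt`, and `find` order is filesystem-dependent, so regenerating the list produces spurious diffs (the committed file is visibly unsorted); `${pkgs.findutils}/bin/find secrets -not -path '*/.*' -type f | ${pkgs.coreutils}/bin/sort > secrets.txt` makes the artifact deterministic and reviewable. It also assumes the current directory is the repository root: run anywhere else, `find secrets` fails but the redirect has already truncated `secrets.txt` to an empty file, which CI would then accept silently — a `cd` to the flake root or an explicit existence check before the redirect would avoid that. The list also includes `secrets/secrets.nix`, which the workflow overwrites with `dummy`; that is harmless for `nixos-rebuild dry-build` but deserves a comment so nobody later imports that file at evaluation time.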
@@ -0,0 +1,62 @@ +secrets/di-fm-key.age +secrets/email-password-meinhark.age +secrets/kabsa-retiolum-privateKey-ed25519.age +secrets/makanek-specus-privateKey.age +secrets/manakish-retiolum-privateKey-rsa.age +secrets/kfm-password.age +secrets/email-password-fysi.age +secrets/github-token-i3status-rust.age +secrets/nextcloud-password-admin.age +secrets/zaatar-retiolum-privateKey-ed25519.age +secrets/manakish-syncthing-cert.age +secrets/telegram-token-betacode.age +secrets/tabula-retiolum-privateKey-rsa.age +secrets/zaatar-ympd-basicAuth.age +secrets/zaatar-moodle-dl-basicAuth.age +secrets/mega-password.age +secrets/telegram-token-reverse.age +secrets/email-password-meinhaki.age +secrets/spotify-password.age +secrets/telegram-token-kmein.age +secrets/maxmind-license-key.age +secrets/makanek-retiolum-privateKey-rsa.age +secrets/spotify-username.age +secrets/onlyoffice-jwt-key.age +secrets/miniflux-credentials.age +secrets/email-password-fsklassp.age +secrets/kabsa-retiolum-privateKey-rsa.age +secrets/traadfri-key.age +secrets/tahina-retiolum-privateKey-rsa.age +secrets/makanek-retiolum-privateKey-ed25519.age +secrets/zaatar-retiolum-privateKey-rsa.age +secrets/kabsa-specus-privateKey.age +secrets/nextcloud-password-kieran.age +secrets/ful-root.age +secrets/manakish-syncthing-key.age +secrets/email-password-dslalewa.age +secrets/zaatar-moodle-dl-tokens.json.age +secrets/tabula-retiolum-privateKey-ed25519.age +secrets/tahina-retiolum-privateKey-ed25519.age +secrets/cifs-credentials-hu-berlin.age +secrets/kabsa-syncthing-key.age +secrets/ful-retiolum-privateKey-rsa.age +secrets/ful-retiolum-privateKey-ed25519.age +secrets/zaatar-syncthing-key.age +secrets/openweathermap-api-key.age +secrets/secrets.nix +secrets/email-password-cock.age +secrets/telegram-token-nachtischsatan.age +secrets/kabsa-syncthing-cert.age +secrets/grafana-password-admin.age +secrets/email-password-posteo.age +secrets/manakish-retiolum-privateKey-ed25519.age +secrets/restic.age 
+secrets/home-assistant-token.age +secrets/zaatar-syncthing-cert.age +secrets/nextcloud-password-database.age +secrets/telegram-token-menstruation.age +secrets/alertmanager-token-reporters.age +secrets/ful-specus-privateKey.age +secrets/nextcloud-password-fysi.age +secrets/weechat-sec.conf.age +secrets/telegram-token-proverb.age diff --git a/systems/ful/configuration.nix b/systems/ful/configuration.nix index 297563e..fd0ff8d 100644 --- a/systems/ful/configuration.nix +++ b/systems/ful/configuration.nix @@ -1,5 +1,5 @@ { - lib, + inputs, config, pkgs, ... @@ -36,19 +36,19 @@ in { age.secrets = { retiolum-rsa = { - file = ../../secrets/ful-retiolum-privateKey-rsa.age; + file = inputs.secrets + "/ful-retiolum-privateKey-rsa.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; }; retiolum-ed25519 = { - file = ../../secrets/ful-retiolum-privateKey-ed25519.age; + file = inputs.secrets + "/ful-retiolum-privateKey-ed25519.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; }; - root.file = ../../secrets/ful-root.age; - restic.file = ../../secrets/restic.age; + root.file = inputs.secrets + "/ful-root.age"; + restic.file = inputs.secrets + "/restic.age"; }; services.restic.backups.niveum = { diff --git a/systems/kabsa/configuration.nix b/systems/kabsa/configuration.nix index dfd582f..95bd939 100644 --- a/systems/kabsa/configuration.nix +++ b/systems/kabsa/configuration.nix @@ -1,7 +1,6 @@ { - config, + inputs, pkgs, - lib, ... }: let inherit (import ../../lib) retiolumAddresses; 
@@ -26,20 +25,20 @@ in { age.secrets = { retiolum-rsa = { - file = ../../secrets/kabsa-retiolum-privateKey-rsa.age; + file = inputs.secrets + "/kabsa-retiolum-privateKey-rsa.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; }; retiolum-ed25519 = { - file = ../../secrets/kabsa-retiolum-privateKey-ed25519.age; + file = inputs.secrets + "/kabsa-retiolum-privateKey-ed25519.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; }; - restic.file = ../../secrets/restic.age; - syncthing-cert.file = ../../secrets/kabsa-syncthing-cert.age; - syncthing-key.file = ../../secrets/kabsa-syncthing-key.age; + restic.file = inputs.secrets + "/restic.age"; + syncthing-cert.file = inputs.secrets + "/kabsa-syncthing-cert.age"; + syncthing-key.file = inputs.secrets + "/kabsa-syncthing-key.age"; }; environment.systemPackages = [pkgs.minecraft pkgs.zeroad]; diff --git a/systems/makanek/configuration.nix b/systems/makanek/configuration.nix index 1233802..cadff2e 100644 --- a/systems/makanek/configuration.nix +++ b/systems/makanek/configuration.nix @@ -1,5 +1,5 @@ { - lib, + inputs, config, pkgs, ... @@ -84,18 +84,18 @@ in { age.secrets = { retiolum-rsa = { - file = ../../secrets/makanek-retiolum-privateKey-rsa.age; + file = inputs.secrets + "/makanek-retiolum-privateKey-rsa.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; }; retiolum-ed25519 = { - file = ../../secrets/makanek-retiolum-privateKey-ed25519.age; + file = inputs.secrets + "/makanek-retiolum-privateKey-ed25519.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; }; - restic.file = ../../secrets/restic.age; + restic.file = inputs.secrets + "/restic.age"; }; system.stateVersion = "20.03"; diff --git a/systems/makanek/menstruation.nix b/systems/makanek/menstruation.nix index 0b45260..296489f 100644 --- a/systems/makanek/menstruation.nix +++ b/systems/makanek/menstruation.nix @@ -1,7 +1,6 @@ { config, pkgs, - lib, inputs, ... }: let 
@@ -47,7 +46,7 @@ in { }; }; - age.secrets.telegram-token-menstruation.file = ../../secrets/telegram-token-menstruation.age; + age.secrets.telegram-token-menstruation.file = inputs.secrets + "/telegram-token-menstruation.age"; systemd.services.menstruation-backend = { wants = ["network-online.target"]; diff --git a/systems/makanek/monitoring/default.nix b/systems/makanek/monitoring/default.nix index 2e3347b..d76a140 100644 --- a/systems/makanek/monitoring/default.nix +++ b/systems/makanek/monitoring/default.nix @@ -2,6 +2,7 @@ lib, config, pkgs, + inputs, ... }: let lokiConfig = import ./loki.nix; @@ -241,19 +242,19 @@ in { age.secrets = { email-password-cock = { - file = ../../../secrets/email-password-cock.age; + file = inputs.secrets + "/email-password-cock.age"; owner = "grafana"; group = "grafana"; mode = "440"; }; grafana-password-admin = { - file = ../../../secrets/grafana-password-admin.age; + file = inputs.secrets + "/grafana-password-admin.age"; owner = "grafana"; group = "grafana"; mode = "440"; }; alertmanager-token-reporters = { - file = ../../../secrets/alertmanager-token-reporters.age; + file = inputs.secrets + "/alertmanager-token-reporters.age"; owner = "prometheus"; group = "prometheus"; mode = "440"; diff --git a/systems/makanek/nextcloud.nix b/systems/makanek/nextcloud.nix index b581419..048a04f 100644 --- a/systems/makanek/nextcloud.nix +++ b/systems/makanek/nextcloud.nix @@ -1,6 +1,7 @@ { pkgs, config, + inputs, lib, ... }: let @@ -8,13 +9,13 @@ in { age.secrets = { nextcloud-password-database = { - file = ../../secrets/nextcloud-password-database.age; + file = inputs.secrets + "/nextcloud-password-database.age"; owner = "nextcloud"; group = "nextcloud"; mode = "440"; }; nextcloud-password-admin = { - file = ../../secrets/nextcloud-password-admin.age; + file = inputs.secrets + "/nextcloud-password-admin.age"; owner = "nextcloud"; group = "nextcloud"; mode = "440"; 
diff --git a/systems/makanek/onlyoffice.nix b/systems/makanek/onlyoffice.nix index c74d24a..56138cf 100644 --- a/systems/makanek/onlyoffice.nix +++ b/systems/makanek/onlyoffice.nix @@ -1,5 +1,5 @@ { - pkgs, + inputs, config, ... }: { @@ -11,7 +11,7 @@ }; age.secrets.onlyoffice-key = { - file = ../../secrets/onlyoffice-jwt-key.age; + file = inputs.secrets + "/onlyoffice-jwt-key.age"; owner = "onlyoffice"; }; diff --git a/systems/makanek/retiolum-map.nix b/systems/makanek/retiolum-map.nix index bd5a2ed..aae26da 100644 --- a/systems/makanek/retiolum-map.nix +++ b/systems/makanek/retiolum-map.nix @@ -45,7 +45,7 @@ in { }; }; - age.secrets.maxmind-license-key.file = ../../secrets/maxmind-license-key.age; + age.secrets.maxmind-license-key.file = inputs.secrets + "/maxmind-license-key.age"; niveum.passport.services = [ { diff --git a/systems/makanek/tt-rss.nix b/systems/makanek/tt-rss.nix index 6ea2aa3..19f21bf 100644 --- a/systems/makanek/tt-rss.nix +++ b/systems/makanek/tt-rss.nix @@ -1,6 +1,5 @@ { - pkgs, - lib, + inputs, config, ... }: let @@ -19,7 +18,7 @@ in { }; }; - age.secrets.miniflux-credentials.file = ../../secrets/miniflux-credentials.age; + age.secrets.miniflux-credentials.file = inputs.secrets + "/miniflux-credentials.age"; services.postgresqlBackup = { enable = true; diff --git a/systems/makanek/weechat.nix b/systems/makanek/weechat.nix index e111fa7..530fd4e 100644 --- a/systems/makanek/weechat.nix +++ b/systems/makanek/weechat.nix @@ -1,7 +1,7 @@ { lib, pkgs, - config, + inputs, ... }: let inherit (import ../../lib) kieran; @@ -205,7 +205,7 @@ in { }; age.secrets.weechat-sec = { - file = ../../secrets/weechat-sec.conf.age; + file = inputs.secrets + "/weechat-sec.conf.age"; path = "/var/lib/weechat/sec.conf"; owner = "weechat"; group = "weechat"; diff --git a/systems/manakish/configuration.nix b/systems/manakish/configuration.nix index 1cc3d88..2dc3afa 100644 --- a/systems/manakish/configuration.nix +++ b/systems/manakish/configuration.nix 
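Review bot: In `systems/makanek/retiolum-map.nix` the new line references `inputs.secrets`, but no hunk here adds `inputs` to the module's argument set; if it was not already bound (plausible, since the file presumably consumes the `tinc-graph` input, but unverifiable from this diff), makanek fails to evaluate with an undefined variable. `systems/makanek/weechat.nix` swaps `config` for `inputs` in its header; any remaining `config.` reference elsewhere in that file would now be unbound, and since the `age.secrets.weechat-sec` block sets `path` explicitly it is unclear whether anything still needs `config`. Both files' bodies extend outside these hunks, so a quick grep before merging is worthwhile.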
@@ -1,8 +1,4 @@ -{ - config, - pkgs, - ... -}: let +{inputs, ...}: let inherit (import ../../lib) retiolumAddresses; in { imports = [ @@ -16,19 +12,19 @@ in { age.secrets = { retiolum-rsa = { - file = ../../secrets/manakish-retiolum-privateKey-rsa.age; + file = inputs.secrets + "/manakish-retiolum-privateKey-rsa.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; }; retiolum-ed25519 = { - file = ../../secrets/manakish-retiolum-privateKey-ed25519.age; + file = inputs.secrets + "/manakish-retiolum-privateKey-ed25519.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; }; - syncthing-cert.file = ../../secrets/manakish-syncthing-cert.age; - syncthing-key.file = ../../secrets/manakish-syncthing-key.age; + syncthing-cert.file = inputs.secrets + "/manakish-syncthing-cert.age"; + syncthing-key.file = inputs.secrets + "/manakish-syncthing-key.age"; }; niveum = { diff --git a/systems/tabula/configuration.nix b/systems/tabula/configuration.nix index f3d5614..4d0793e 100644 --- a/systems/tabula/configuration.nix +++ b/systems/tabula/configuration.nix @@ -1,5 +1,5 @@ { - config, + inputs, pkgs, ... }: let @@ -15,13 +15,13 @@ in { age.secrets = { retiolum-rsa = { - file = ../../secrets/tabula-retiolum-privateKey-rsa.age; + file = inputs.secrets + "/tabula-retiolum-privateKey-rsa.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; }; retiolum-ed25519 = { - file = ../../secrets/tabula-retiolum-privateKey-ed25519.age; + file = inputs.secrets + "/tabula-retiolum-privateKey-ed25519.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; diff --git a/systems/tahina/configuration.nix b/systems/tahina/configuration.nix index fde04b7..5a2a960 100644 --- a/systems/tahina/configuration.nix +++ b/systems/tahina/configuration.nix @@ -1,5 +1,5 @@ { - config, + inputs, pkgs, ... }: let 
@@ -15,13 +15,13 @@ in { age.secrets = { retiolum-rsa = { - file = ../../secrets/tahina-retiolum-privateKey-rsa.age; + file = inputs.secrets + "/tahina-retiolum-privateKey-rsa.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; }; retiolum-ed25519 = { - file = ../../secrets/tahina-retiolum-privateKey-ed25519.age; + file = inputs.secrets + "/tahina-retiolum-privateKey-ed25519.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; diff --git a/systems/zaatar/configuration.nix b/systems/zaatar/configuration.nix index 18d34cf..31be235 100644 --- a/systems/zaatar/configuration.nix +++ b/systems/zaatar/configuration.nix @@ -1,7 +1,7 @@ { config, pkgs, - lib, + inputs, ... }: let inherit (import ../../lib) retiolumAddresses restic; @@ -31,18 +31,18 @@ in { age.secrets = { retiolum-rsa = { - file = ../../secrets/zaatar-retiolum-privateKey-rsa.age; + file = inputs.secrets + "/zaatar-retiolum-privateKey-rsa.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; }; retiolum-ed25519 = { - file = ../../secrets/zaatar-retiolum-privateKey-ed25519.age; + file = inputs.secrets + "/zaatar-retiolum-privateKey-ed25519.age"; mode = "400"; owner = "tinc.retiolum"; group = "tinc.retiolum"; }; - restic.file = ../../secrets/restic.age; + restic.file = inputs.secrets + "/restic.age"; }; services.restic.backups.moodle-dl = { diff --git a/systems/zaatar/moodle-dl-meinhark.nix b/systems/zaatar/moodle-dl-meinhark.nix index 3726b5a..82b6665 100644 --- a/systems/zaatar/moodle-dl-meinhark.nix +++ b/systems/zaatar/moodle-dl-meinhark.nix @@ -2,6 +2,7 @@ config, pkgs, lib, + inputs, ... }: let moodle-dl-package = pkgs.moodle-dl.overrideAttrs (old: 
@@ -13,14 +14,14 @@ in { age.secrets = { /* moodle-dl-tokens = { - file = ../../secrets/zaatar-moodle-dl-tokens.json.age; + file = inputs.secrets + "/zaatar-moodle-dl-tokens.json.age"; owner = "moodle-dl"; group = "moodle-dl"; mode = "400"; }; */ moodle-dl-basicAuth = { - file = ../../secrets/zaatar-moodle-dl-basicAuth.age; + file = inputs.secrets + "/zaatar-moodle-dl-basicAuth.age"; owner = "nginx"; group = "nginx"; mode = "400"; diff --git a/systems/zaatar/mpd.nix b/systems/zaatar/mpd.nix index 78076c5..101e6a2 100644 --- a/systems/zaatar/mpd.nix +++ b/systems/zaatar/mpd.nix @@ -2,6 +2,7 @@ config, pkgs, lib, + inputs, ... }: let firewall = (import ../../lib).firewall lib; @@ -102,14 +103,14 @@ in { age.secrets = { ympd-basicAuth = { - file = ../../secrets/zaatar-ympd-basicAuth.age; + file = inputs.secrets + "/zaatar-ympd-basicAuth.age"; owner = "nginx"; group = "nginx"; mode = "400"; }; - syncthing-cert.file = ../../secrets/zaatar-syncthing-cert.age; - syncthing-key.file = ../../secrets/zaatar-syncthing-key.age; - di-fm-key.file = ../../secrets/di-fm-key.age; + syncthing-cert.file = inputs.secrets + "/zaatar-syncthing-cert.age"; + syncthing-key.file = inputs.secrets + "/zaatar-syncthing-key.age"; + di-fm-key.file = inputs.secrets + "/di-fm-key.age"; }; services.nginx = { diff --git a/systems/zaatar/spotifyd.nix b/systems/zaatar/spotifyd.nix index 353ae72..ef7d81f 100644 --- a/systems/zaatar/spotifyd.nix +++ b/systems/zaatar/spotifyd.nix @@ -1,4 +1,8 @@ -{config, ...}: { +{ + config, + inputs, + ... +}: { services.spotifyd = { enable = true; settings = { @@ -21,8 +25,8 @@ }; age.secrets = { - spotify-username.file = ../../secrets/spotify-username.age; - spotify-password.file = ../../secrets/spotify-password.age; + spotify-username.file = inputs.secrets + "/spotify-username.age"; + spotify-password.file = inputs.secrets + "/spotify-password.age"; }; # ref https://github.com/NixOS/nixpkgs/issues/71362#issuecomment-753461502