
chore: get secrets via input, mock for CI

this fixes CI, yay!
This commit is contained in:
2023-06-27 17:57:42 +02:00
parent d0edb9c915
commit 3138fd23ef
32 changed files with 203 additions and 111 deletions


@@ -10,10 +10,21 @@ jobs:
system: [makanek,manakish,kabsa,zaatar,ful] system: [makanek,manakish,kabsa,zaatar,ful]
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- uses: cachix/install-nix-action@v16 - name: Install QEMU (ARM)
- name: Install nixos-rebuild run: sudo apt-get install -y qemu-user-static
run: GC_DONT_GC=1 nix-env -i nixos-rebuild -f '<nixpkgs>' if: ${{ matrix.system == 'ful' }}
- name: Install Nix (ARM)
uses: cachix/install-nix-action@v16
if: ${{ matrix.system == 'ful' }}
with:
extra_nix_config: |
system = aarch64-linux
- name: Install Nix (x86_64)
uses: cachix/install-nix-action@v16
if: ${{ matrix.system != 'ful' }}
- run: | - run: |
rm -rf secrets rm -rf secrets
mkdir secrets mkdir secrets
- run: GC_DONT_GC=1 nixos-rebuild dry-build --flake .#{{matrix.system}} cat secrets.txt | while read -r path; do echo dummy > $path; done
find
- run: nix run nixpkgs#nixos-rebuild -- dry-build --override-input secrets ./secrets --flake .#${{matrix.system}}
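Review bot: The dummy-secret loop writes to `$path` unquoted and without checking that each entry read from secrets.txt stays under `secrets/`, so a malformed line could write outside the directory the step just created; `while read -r path; do case "$path" in secrets/*) echo dummy > "$path";; *) echo "bad entry: $path" >&2; exit 1;; esac; done < secrets.txt` keeps it contained and drops the useless `cat`. The bare `find` on the following line looks like a debugging leftover that dumps the whole checkout tree into the job log. `actions/checkout@v2` and `cachix/install-nix-action@v16` are pinned to mutable tags; pinning to a commit SHA is the usual supply-chain hardening for a workflow that goes on to run `nix run nixpkgs#nixos-rebuild` over repository content. The dummy files only get the dry-build past path resolution — agenix does not decrypt at build time — which appears to be the intent here and is worth stating in a comment above the step.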


@@ -2,6 +2,7 @@
pkgs, pkgs,
config, config,
lib, lib,
inputs,
... ...
}: let }: let
defaults = { defaults = {
@@ -19,43 +20,43 @@
in { in {
age.secrets = { age.secrets = {
email-password-cock = { email-password-cock = {
file = ../secrets/email-password-cock.age; file = inputs.secrets + "/email-password-cock.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
email-password-fysi = { email-password-fysi = {
file = ../secrets/email-password-fysi.age; file = inputs.secrets + "/secrets/email-password-fysi.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
email-password-posteo = { email-password-posteo = {
file = ../secrets/email-password-posteo.age; file = inputs.secrets + "/email-password-posteo.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
email-password-meinhark = { email-password-meinhark = {
file = ../secrets/email-password-meinhark.age; file = inputs.secrets + "/email-password-meinhark.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
email-password-meinhaki = { email-password-meinhaki = {
file = ../secrets/email-password-meinhaki.age; file = inputs.secrets + "/email-password-meinhaki.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
email-password-dslalewa = { email-password-dslalewa = {
file = ../secrets/email-password-dslalewa.age; file = inputs.secrets + "/email-password-dslalewa.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
email-password-fsklassp = { email-password-fsklassp = {
file = ../secrets/email-password-fsklassp.age; file = inputs.secrets + "/email-password-fsklassp.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
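Review bot: `file = inputs.secrets + "/secrets/email-password-fysi.age";` carries an extra `/secrets` segment that none of the sibling entries have, and secrets.txt lists the file as `secrets/email-password-fysi.age`, i.e. directly under the input root; the corrected line is `file = inputs.secrets + "/email-password-fysi.age";`. With the path wrong, evaluation fails with a missing-file error on whichever host pulls this module in, and the CI dry-build only catches it if that host is one of the five matrix systems, which the hunk does not show. The enclosing `age.secrets` attribute set continues past the end of the hunk.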


@@ -2,6 +2,7 @@
config, config,
lib, lib,
pkgs, pkgs,
inputs,
... ...
}: let }: let
inherit (import ../lib) tmpfilesConfig; inherit (import ../lib) tmpfilesConfig;
@@ -97,7 +98,7 @@ in {
]; ];
age.secrets.mega-password = { age.secrets.mega-password = {
file = ../secrets/mega-password.age; file = inputs.secrets + "/mega-password.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";


@@ -37,13 +37,13 @@ in {
{ {
age.secrets = { age.secrets = {
di-fm-key = { di-fm-key = {
file = ../secrets/di-fm-key.age; file = inputs.secrets + "/di-fm-key.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
restic = { restic = {
file = ../secrets/restic.age; file = inputs.secrets + "/restic.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
@@ -76,7 +76,7 @@ in {
}; };
age.secrets = { age.secrets = {
kfm-password.file = ../secrets/kfm-password.age; kfm-password.file = inputs.secrets + "/kfm-password.age";
}; };
home-manager.users.me.xdg.enable = true; home-manager.users.me.xdg.enable = true;


@@ -1,15 +1,9 @@
{ {
config, config,
pkgs, pkgs,
lib, inputs,
... ...
}: let }: let
inherit (lib.strings) fileContents;
inherit (import ../lib) sshPort;
eduroam = {
identity = fileContents <secrets/eduroam/identity>;
password = fileContents <secrets/eduroam/password>;
};
hu-berlin-cifs-options = [ hu-berlin-cifs-options = [
"uid=${toString config.users.users.me.uid}" "uid=${toString config.users.users.me.uid}"
"gid=${toString config.users.groups.users.gid}" "gid=${toString config.users.groups.users.gid}"
@@ -35,7 +29,7 @@ in {
options = hu-berlin-cifs-options; options = hu-berlin-cifs-options;
}; };
age.secrets.cifs-credentials-hu-berlin.file = ../secrets/cifs-credentials-hu-berlin.age; age.secrets.cifs-credentials-hu-berlin.file = inputs.secrets + "/cifs-credentials-hu-berlin.age";
home-manager.users.me.programs.ssh = { home-manager.users.me.programs.ssh = {
matchBlocks = { matchBlocks = {


@@ -3,6 +3,7 @@
pkgs, pkgs,
lib, lib,
niveumPackages, niveumPackages,
inputs,
... ...
}: let }: let
inherit (import ../lib) defaultApplications colours; inherit (import ../lib) defaultApplications colours;
@@ -65,13 +66,13 @@
in { in {
age.secrets = { age.secrets = {
github-token-i3status-rust = { github-token-i3status-rust = {
file = ../secrets/github-token-i3status-rust.age; file = inputs.secrets + "/github-token-i3status-rust.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
openweathermap-api-key = { openweathermap-api-key = {
file = ../secrets/openweathermap-api-key.age; file = inputs.secrets + "/openweathermap-api-key.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";


@@ -1,7 +1,7 @@
{ {
config, config,
pkgs, pkgs,
lib, inputs,
... ...
}: let }: let
davHome = "~/.local/share/dav"; davHome = "~/.local/share/dav";
@@ -18,13 +18,13 @@
in { in {
age.secrets = { age.secrets = {
nextcloud-password-kieran = { nextcloud-password-kieran = {
file = ../secrets/nextcloud-password-kieran.age; file = inputs.secrets + "/nextcloud-password-kieran.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
nextcloud-password-fysi = { nextcloud-password-fysi = {
file = ../secrets/nextcloud-password-fysi.age; file = inputs.secrets + "/nextcloud-password-fysi.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";


@@ -1,10 +1,8 @@
{ {
config, config,
pkgs, pkgs,
lib,
inputs, inputs,
niveumPackages, niveumPackages,
unstablePackages,
... ...
}: let }: let
worldradio = pkgs.callPackage ../packages/worldradio.nix {}; worldradio = pkgs.callPackage ../packages/worldradio.nix {};
@@ -291,7 +289,7 @@ in {
]; ];
age.secrets.home-assistant-token = { age.secrets.home-assistant-token = {
file = ../secrets/home-assistant-token.age; file = inputs.secrets + "/home-assistant-token.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";


@@ -1,6 +1,6 @@
{ {
pkgs, pkgs,
lib, inputs,
config, config,
... ...
}: let }: let
@@ -22,7 +22,7 @@ in {
command = "${autorenkalender}/bin/autorenkalender"; command = "${autorenkalender}/bin/autorenkalender";
}; };
age.secrets.telegram-token-kmein.file = ../../secrets/telegram-token-kmein.age; age.secrets.telegram-token-kmein.file = inputs.secrets + "/telegram-token-kmein.age";
niveum.passport.services = [ niveum.passport.services = [
{ {


@@ -1,7 +1,6 @@
{ {
config, config,
pkgs, pkgs,
lib,
inputs, inputs,
... ...
}: let }: let
@@ -48,9 +47,9 @@ in {
]; ];
age.secrets = { age.secrets = {
telegram-token-reverse.file = ../../secrets/telegram-token-reverse.age; telegram-token-reverse.file = inputs.secrets + "/telegram-token-reverse.age";
telegram-token-betacode.file = ../../secrets/telegram-token-betacode.age; telegram-token-betacode.file = inputs.secrets + "/telegram-token-betacode.age";
telegram-token-proverb.file = ../../secrets/telegram-token-proverb.age; telegram-token-proverb.file = inputs.secrets + "/telegram-token-proverb.age";
}; };
systemd.services.telegram-reverse = { systemd.services.telegram-reverse = {


@@ -1,7 +1,7 @@
{ {
pkgs, pkgs,
config, config,
lib, inputs,
... ...
}: let }: let
nachtischsatan-bot = {tokenFile}: nachtischsatan-bot = {tokenFile}:
@@ -36,7 +36,7 @@ in {
serviceConfig.Restart = "always"; serviceConfig.Restart = "always";
}; };
age.secrets.telegram-token-nachtischsatan.file = ../../secrets/telegram-token-nachtischsatan.age; age.secrets.telegram-token-nachtischsatan.file = inputs.secrets + "/telegram-token-nachtischsatan.age";
niveum.passport.services = [ niveum.passport.services = [
{ {


@@ -1,7 +1,7 @@
{ {
config, config,
pkgs, pkgs,
lib, inputs,
... ...
}: let }: let
inherit (import ../lib) localAddresses; inherit (import ../lib) localAddresses;
@@ -20,7 +20,7 @@ in {
]; ];
age.secrets.traadfri-key = { age.secrets.traadfri-key = {
file = ../secrets/traadfri-key.age; file = inputs.secrets + "/traadfri-key.age";
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";

flake.lock generated

@@ -322,6 +322,7 @@
"retiolum": "retiolum", "retiolum": "retiolum",
"rust-overlay": "rust-overlay", "rust-overlay": "rust-overlay",
"scripts": "scripts", "scripts": "scripts",
"secrets": "secrets",
"telebots": "telebots", "telebots": "telebots",
"tinc-graph": "tinc-graph", "tinc-graph": "tinc-graph",
"traadfri": "traadfri", "traadfri": "traadfri",
@@ -377,6 +378,19 @@
"type": "github" "type": "github"
} }
}, },
"secrets": {
"flake": false,
"locked": {
"lastModified": 1,
"narHash": "sha256-D9ZMDdN7FOG+x8Ds2FuBUz/ujRLjJ07rxiV8AFuEqbQ=",
"path": "./secrets",
"type": "path"
},
"original": {
"path": "./secrets",
"type": "path"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,


@@ -13,6 +13,7 @@
nixpkgs-unstable.url = "github:NixOS/nixpkgs/master"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
nur.url = "github:nix-community/NUR"; nur.url = "github:nix-community/NUR";
recht.url = "github:kmein/recht"; recht.url = "github:kmein/recht";
secrets.url = "path:./secrets";
scripts.url = "github:kmein/scripts"; scripts.url = "github:kmein/scripts";
retiolum.url = "git+https://git.thalheim.io/Mic92/retiolum"; retiolum.url = "git+https://git.thalheim.io/Mic92/retiolum";
rust-overlay.url = "github:oxalica/rust-overlay"; rust-overlay.url = "github:oxalica/rust-overlay";
@@ -38,6 +39,7 @@
scripts.inputs.flake-utils.follows = "flake-utils"; scripts.inputs.flake-utils.follows = "flake-utils";
scripts.inputs.nixpkgs.follows = "nixpkgs"; scripts.inputs.nixpkgs.follows = "nixpkgs";
scripts.inputs.rust-overlay.follows = "rust-overlay"; scripts.inputs.rust-overlay.follows = "rust-overlay";
secrets.flake = false;
tinc-graph.inputs.flake-utils.follows = "flake-utils"; tinc-graph.inputs.flake-utils.follows = "flake-utils";
tinc-graph.inputs.nixpkgs.follows = "nixpkgs"; tinc-graph.inputs.nixpkgs.follows = "nixpkgs";
tinc-graph.inputs.rust-overlay.follows = "rust-overlay"; tinc-graph.inputs.rust-overlay.follows = "rust-overlay";
@@ -62,19 +64,27 @@
apps = apps =
nixinate.nixinate.x86_64-linux self nixinate.nixinate.x86_64-linux self
// { // {
x86_64-linux.deploy = let x86_64-linux = let
pkgs = nixpkgs.legacyPackages.x86_64-linux; pkgs = nixpkgs.legacyPackages.x86_64-linux;
in { in {
type = "app"; mock-secrets = {
program = toString (pkgs.writers.writeDash "deploy" '' type = "app";
if [ $# -eq 0 ] program = toString (pkgs.writers.writeDash "mock-secrets" ''
then ${pkgs.findutils}/bin/find secrets -not -path '*/.*' -type f > secrets.txt
systems='${toString (builtins.attrNames self.nixosConfigurations)}' '');
else };
systems=$* deploy = {
fi type = "app";
${pkgs.parallel}/bin/parallel --line-buffer --tagstring '{}' 'nix run .\?submodules=1\#apps.nixinate.{}' ::: $systems program = toString (pkgs.writers.writeDash "deploy" ''
''); if [ $# -eq 0 ]
then
systems='${toString (builtins.attrNames self.nixosConfigurations)}'
else
systems=$*
fi
${pkgs.parallel}/bin/parallel --line-buffer --tagstring '{}' 'nix run .\?submodules=1\#apps.nixinate.{}' ::: $systems
'');
};
}; };
}; };
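Review bot: The new `secrets.url = "path:./secrets";` input is locked by content hash in flake.lock (the `narHash` entry with `lastModified` 1), so, as far as I can tell, every change to the secrets checkout — a rotated key, a newly added `.age` file — changes that hash and needs a lock refresh before the `deploy` app's `nix run .?submodules=1#...` invocations pick it up; a comment such as `# content-hashed in flake.lock; re-lock after editing secrets/` next to the url line would spare the next person a confusing mismatch. The `mock-secrets` app regenerates secrets.txt from the real checkout, so it has to be rerun and the result committed whenever a secret is added, otherwise the CI dry-build fails on a path that no dummy file covers; that rule is not written down anywhere in the diff. `find secrets ...` in `mock-secrets` also assumes the current directory is the repository root, which matches the existing `deploy` app but is worth a one-line comment.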

secrets.txt Normal file

@@ -0,0 +1,62 @@
secrets/di-fm-key.age
secrets/email-password-meinhark.age
secrets/kabsa-retiolum-privateKey-ed25519.age
secrets/makanek-specus-privateKey.age
secrets/manakish-retiolum-privateKey-rsa.age
secrets/kfm-password.age
secrets/email-password-fysi.age
secrets/github-token-i3status-rust.age
secrets/nextcloud-password-admin.age
secrets/zaatar-retiolum-privateKey-ed25519.age
secrets/manakish-syncthing-cert.age
secrets/telegram-token-betacode.age
secrets/tabula-retiolum-privateKey-rsa.age
secrets/zaatar-ympd-basicAuth.age
secrets/zaatar-moodle-dl-basicAuth.age
secrets/mega-password.age
secrets/telegram-token-reverse.age
secrets/email-password-meinhaki.age
secrets/spotify-password.age
secrets/telegram-token-kmein.age
secrets/maxmind-license-key.age
secrets/makanek-retiolum-privateKey-rsa.age
secrets/spotify-username.age
secrets/onlyoffice-jwt-key.age
secrets/miniflux-credentials.age
secrets/email-password-fsklassp.age
secrets/kabsa-retiolum-privateKey-rsa.age
secrets/traadfri-key.age
secrets/tahina-retiolum-privateKey-rsa.age
secrets/makanek-retiolum-privateKey-ed25519.age
secrets/zaatar-retiolum-privateKey-rsa.age
secrets/kabsa-specus-privateKey.age
secrets/nextcloud-password-kieran.age
secrets/ful-root.age
secrets/manakish-syncthing-key.age
secrets/email-password-dslalewa.age
secrets/zaatar-moodle-dl-tokens.json.age
secrets/tabula-retiolum-privateKey-ed25519.age
secrets/tahina-retiolum-privateKey-ed25519.age
secrets/cifs-credentials-hu-berlin.age
secrets/kabsa-syncthing-key.age
secrets/ful-retiolum-privateKey-rsa.age
secrets/ful-retiolum-privateKey-ed25519.age
secrets/zaatar-syncthing-key.age
secrets/openweathermap-api-key.age
secrets/secrets.nix
secrets/email-password-cock.age
secrets/telegram-token-nachtischsatan.age
secrets/kabsa-syncthing-cert.age
secrets/grafana-password-admin.age
secrets/email-password-posteo.age
secrets/manakish-retiolum-privateKey-ed25519.age
secrets/restic.age
secrets/home-assistant-token.age
secrets/zaatar-syncthing-cert.age
secrets/nextcloud-password-database.age
secrets/telegram-token-menstruation.age
secrets/alertmanager-token-reporters.age
secrets/ful-specus-privateKey.age
secrets/nextcloud-password-fysi.age
secrets/weechat-sec.conf.age
secrets/telegram-token-proverb.age
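Review bot: The list includes `secrets/secrets.nix`, so the CI step replaces the agenix recipient file with the literal string `dummy`; that is harmless only as long as nothing in the evaluated NixOS configuration imports it, which the diff does not show either way. Because the CI loop treats every line as a path, no header comment can be put in this file, so the note that it is generated by `nix run .#mock-secrets` and must be regenerated when secrets change belongs in the workflow or in flake.nix rather than here.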


@@ -1,5 +1,5 @@
{ {
lib, inputs,
config, config,
pkgs, pkgs,
... ...
@@ -36,19 +36,19 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = ../../secrets/ful-retiolum-privateKey-rsa.age; file = inputs.secrets + "/ful-retiolum-privateKey-rsa.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = ../../secrets/ful-retiolum-privateKey-ed25519.age; file = inputs.secrets + "/ful-retiolum-privateKey-ed25519.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
root.file = ../../secrets/ful-root.age; root.file = inputs.secrets + "/ful-root.age";
restic.file = ../../secrets/restic.age; restic.file = inputs.secrets + "/restic.age";
}; };
services.restic.backups.niveum = { services.restic.backups.niveum = {


@@ -1,7 +1,6 @@
{ {
config, inputs,
pkgs, pkgs,
lib,
... ...
}: let }: let
inherit (import ../../lib) retiolumAddresses; inherit (import ../../lib) retiolumAddresses;
@@ -26,20 +25,20 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = ../../secrets/kabsa-retiolum-privateKey-rsa.age; file = inputs.secrets + "/kabsa-retiolum-privateKey-rsa.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = ../../secrets/kabsa-retiolum-privateKey-ed25519.age; file = inputs.secrets + "/kabsa-retiolum-privateKey-ed25519.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
restic.file = ../../secrets/restic.age; restic.file = inputs.secrets + "/restic.age";
syncthing-cert.file = ../../secrets/kabsa-syncthing-cert.age; syncthing-cert.file = inputs.secrets + "/kabsa-syncthing-cert.age";
syncthing-key.file = ../../secrets/kabsa-syncthing-key.age; syncthing-key.file = inputs.secrets + "/kabsa-syncthing-key.age";
}; };
environment.systemPackages = [pkgs.minecraft pkgs.zeroad]; environment.systemPackages = [pkgs.minecraft pkgs.zeroad];


@@ -1,5 +1,5 @@
{ {
lib, inputs,
config, config,
pkgs, pkgs,
... ...
@@ -84,18 +84,18 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = ../../secrets/makanek-retiolum-privateKey-rsa.age; file = inputs.secrets + "/makanek-retiolum-privateKey-rsa.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = ../../secrets/makanek-retiolum-privateKey-ed25519.age; file = inputs.secrets + "/makanek-retiolum-privateKey-ed25519.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
restic.file = ../../secrets/restic.age; restic.file = inputs.secrets + "/restic.age";
}; };
system.stateVersion = "20.03"; system.stateVersion = "20.03";


@@ -1,7 +1,6 @@
{ {
config, config,
pkgs, pkgs,
lib,
inputs, inputs,
... ...
}: let }: let
@@ -47,7 +46,7 @@ in {
}; };
}; };
age.secrets.telegram-token-menstruation.file = ../../secrets/telegram-token-menstruation.age; age.secrets.telegram-token-menstruation.file = inputs.secrets + "/telegram-token-menstruation.age";
systemd.services.menstruation-backend = { systemd.services.menstruation-backend = {
wants = ["network-online.target"]; wants = ["network-online.target"];


@@ -2,6 +2,7 @@
lib, lib,
config, config,
pkgs, pkgs,
inputs,
... ...
}: let }: let
lokiConfig = import ./loki.nix; lokiConfig = import ./loki.nix;
@@ -241,19 +242,19 @@ in {
age.secrets = { age.secrets = {
email-password-cock = { email-password-cock = {
file = ../../../secrets/email-password-cock.age; file = inputs.secrets + "/email-password-cock.age";
owner = "grafana"; owner = "grafana";
group = "grafana"; group = "grafana";
mode = "440"; mode = "440";
}; };
grafana-password-admin = { grafana-password-admin = {
file = ../../../secrets/grafana-password-admin.age; file = inputs.secrets + "/grafana-password-admin.age";
owner = "grafana"; owner = "grafana";
group = "grafana"; group = "grafana";
mode = "440"; mode = "440";
}; };
alertmanager-token-reporters = { alertmanager-token-reporters = {
file = ../../../secrets/alertmanager-token-reporters.age; file = inputs.secrets + "/alertmanager-token-reporters.age";
owner = "prometheus"; owner = "prometheus";
group = "prometheus"; group = "prometheus";
mode = "440"; mode = "440";


@@ -1,6 +1,7 @@
{ {
pkgs, pkgs,
config, config,
inputs,
lib, lib,
... ...
}: let }: let
@@ -8,13 +9,13 @@
in { in {
age.secrets = { age.secrets = {
nextcloud-password-database = { nextcloud-password-database = {
file = ../../secrets/nextcloud-password-database.age; file = inputs.secrets + "/nextcloud-password-database.age";
owner = "nextcloud"; owner = "nextcloud";
group = "nextcloud"; group = "nextcloud";
mode = "440"; mode = "440";
}; };
nextcloud-password-admin = { nextcloud-password-admin = {
file = ../../secrets/nextcloud-password-admin.age; file = inputs.secrets + "/nextcloud-password-admin.age";
owner = "nextcloud"; owner = "nextcloud";
group = "nextcloud"; group = "nextcloud";
mode = "440"; mode = "440";


@@ -1,5 +1,5 @@
{ {
pkgs, inputs,
config, config,
... ...
}: { }: {
@@ -11,7 +11,7 @@
}; };
age.secrets.onlyoffice-key = { age.secrets.onlyoffice-key = {
file = ../../secrets/onlyoffice-jwt-key.age; file = inputs.secrets + "/onlyoffice-jwt-key.age";
owner = "onlyoffice"; owner = "onlyoffice";
}; };


@@ -45,7 +45,7 @@ in {
}; };
}; };
age.secrets.maxmind-license-key.file = ../../secrets/maxmind-license-key.age; age.secrets.maxmind-license-key.file = inputs.secrets + "/maxmind-license-key.age";
niveum.passport.services = [ niveum.passport.services = [
{ {


@@ -1,6 +1,5 @@
{ {
pkgs, inputs,
lib,
config, config,
... ...
}: let }: let
@@ -19,7 +18,7 @@ in {
}; };
}; };
age.secrets.miniflux-credentials.file = ../../secrets/miniflux-credentials.age; age.secrets.miniflux-credentials.file = inputs.secrets + "/miniflux-credentials.age";
services.postgresqlBackup = { services.postgresqlBackup = {
enable = true; enable = true;


@@ -1,7 +1,7 @@
{ {
lib, lib,
pkgs, pkgs,
config, inputs,
... ...
}: let }: let
inherit (import ../../lib) kieran; inherit (import ../../lib) kieran;
@@ -205,7 +205,7 @@ in {
}; };
age.secrets.weechat-sec = { age.secrets.weechat-sec = {
file = ../../secrets/weechat-sec.conf.age; file = inputs.secrets + "/weechat-sec.conf.age";
path = "/var/lib/weechat/sec.conf"; path = "/var/lib/weechat/sec.conf";
owner = "weechat"; owner = "weechat";
group = "weechat"; group = "weechat";


@@ -1,8 +1,4 @@
{ {inputs, ...}: let
config,
pkgs,
...
}: let
inherit (import ../../lib) retiolumAddresses; inherit (import ../../lib) retiolumAddresses;
in { in {
imports = [ imports = [
@@ -16,19 +12,19 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = ../../secrets/manakish-retiolum-privateKey-rsa.age; file = inputs.secrets + "/manakish-retiolum-privateKey-rsa.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = ../../secrets/manakish-retiolum-privateKey-ed25519.age; file = inputs.secrets + "/manakish-retiolum-privateKey-ed25519.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
syncthing-cert.file = ../../secrets/manakish-syncthing-cert.age; syncthing-cert.file = inputs.secrets + "/manakish-syncthing-cert.age";
syncthing-key.file = ../../secrets/manakish-syncthing-key.age; syncthing-key.file = inputs.secrets + "/manakish-syncthing-key.age";
}; };
niveum = { niveum = {


@@ -1,5 +1,5 @@
{ {
config, inputs,
pkgs, pkgs,
... ...
}: let }: let
@@ -15,13 +15,13 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = ../../secrets/tabula-retiolum-privateKey-rsa.age; file = inputs.secrets + "/tabula-retiolum-privateKey-rsa.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = ../../secrets/tabula-retiolum-privateKey-ed25519.age; file = inputs.secrets + "/tabula-retiolum-privateKey-ed25519.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";


@@ -1,5 +1,5 @@
{ {
config, inputs,
pkgs, pkgs,
... ...
}: let }: let
@@ -15,13 +15,13 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = ../../secrets/tahina-retiolum-privateKey-rsa.age; file = inputs.secrets + "/tahina-retiolum-privateKey-rsa.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = ../../secrets/tahina-retiolum-privateKey-ed25519.age; file = inputs.secrets + "/tahina-retiolum-privateKey-ed25519.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";


@@ -1,7 +1,7 @@
{ {
config, config,
pkgs, pkgs,
lib, inputs,
... ...
}: let }: let
inherit (import ../../lib) retiolumAddresses restic; inherit (import ../../lib) retiolumAddresses restic;
@@ -31,18 +31,18 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = ../../secrets/zaatar-retiolum-privateKey-rsa.age; file = inputs.secrets + "/zaatar-retiolum-privateKey-rsa.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = ../../secrets/zaatar-retiolum-privateKey-ed25519.age; file = inputs.secrets + "/zaatar-retiolum-privateKey-ed25519.age";
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
restic.file = ../../secrets/restic.age; restic.file = inputs.secrets + "/restic.age";
}; };
services.restic.backups.moodle-dl = { services.restic.backups.moodle-dl = {


@@ -2,6 +2,7 @@
config, config,
pkgs, pkgs,
lib, lib,
inputs,
... ...
}: let }: let
moodle-dl-package = pkgs.moodle-dl.overrideAttrs (old: moodle-dl-package = pkgs.moodle-dl.overrideAttrs (old:
@@ -13,14 +14,14 @@ in {
age.secrets = { age.secrets = {
/* /*
moodle-dl-tokens = { moodle-dl-tokens = {
file = ../../secrets/zaatar-moodle-dl-tokens.json.age; file = inputs.secrets + "/zaatar-moodle-dl-tokens.json.age";
owner = "moodle-dl"; owner = "moodle-dl";
group = "moodle-dl"; group = "moodle-dl";
mode = "400"; mode = "400";
}; };
*/ */
moodle-dl-basicAuth = { moodle-dl-basicAuth = {
file = ../../secrets/zaatar-moodle-dl-basicAuth.age; file = inputs.secrets + "/zaatar-moodle-dl-basicAuth.age";
owner = "nginx"; owner = "nginx";
group = "nginx"; group = "nginx";
mode = "400"; mode = "400";


@@ -2,6 +2,7 @@
config, config,
pkgs, pkgs,
lib, lib,
inputs,
... ...
}: let }: let
firewall = (import ../../lib).firewall lib; firewall = (import ../../lib).firewall lib;
@@ -102,14 +103,14 @@ in {
age.secrets = { age.secrets = {
ympd-basicAuth = { ympd-basicAuth = {
file = ../../secrets/zaatar-ympd-basicAuth.age; file = inputs.secrets + "/zaatar-ympd-basicAuth.age";
owner = "nginx"; owner = "nginx";
group = "nginx"; group = "nginx";
mode = "400"; mode = "400";
}; };
syncthing-cert.file = ../../secrets/zaatar-syncthing-cert.age; syncthing-cert.file = inputs.secrets + "/zaatar-syncthing-cert.age";
syncthing-key.file = ../../secrets/zaatar-syncthing-key.age; syncthing-key.file = inputs.secrets + "/zaatar-syncthing-key.age";
di-fm-key.file = ../../secrets/di-fm-key.age; di-fm-key.file = inputs.secrets + "/di-fm-key.age";
}; };
services.nginx = { services.nginx = {


@@ -1,4 +1,8 @@
{config, ...}: { {
config,
inputs,
...
}: {
services.spotifyd = { services.spotifyd = {
enable = true; enable = true;
settings = { settings = {
@@ -21,8 +25,8 @@
}; };
age.secrets = { age.secrets = {
spotify-username.file = ../../secrets/spotify-username.age; spotify-username.file = inputs.secrets + "/spotify-username.age";
spotify-password.file = ../../secrets/spotify-password.age; spotify-password.file = inputs.secrets + "/spotify-password.age";
}; };
# ref https://github.com/NixOS/nixpkgs/issues/71362#issuecomment-753461502 # ref https://github.com/NixOS/nixpkgs/issues/71362#issuecomment-753461502