kfm/niveum
1
0
Fork 0
mirror of https://github.com/kmein/niveum synced 2026-03-16 10:11:08 +01:00
Code Releases Activity

Revert "chore: get secrets via input, mock for CI"

Browse Source 
This reverts commit 3138fd23ef.
This commit is contained in:
Kierán Meinhardt
2023-07-04 16:28:26 +02:00
parent 17bf958923
commit 9148ab5ba8
32 changed files with 101 additions and 185 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
.github/workflows/niveum.yml vendored
View File

@@ -10,21 +10,10 @@ jobs:
system: [makanek,manakish,kabsa,zaatar,ful] system: [makanek,manakish,kabsa,zaatar,ful]
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Install QEMU (ARM) - uses: cachix/install-nix-action@v16
run: sudo apt-get install -y qemu-user-static - name: Install nixos-rebuild
if: ${{ matrix.system == 'ful' }} run: GC_DONT_GC=1 nix-env -i nixos-rebuild -f '<nixpkgs>'
- name: Install Nix (ARM)
uses: cachix/install-nix-action@v16
if: ${{ matrix.system == 'ful' }}
with:
extra_nix_config: |
system = aarch64-linux
- name: Install Nix (x86_64)
uses: cachix/install-nix-action@v16
if: ${{ matrix.system != 'ful' }}
- run: | - run: |
rm -rf secrets rm -rf secrets
mkdir secrets mkdir secrets
cat secrets.txt | while read -r path; do echo dummy > $path; done - run: GC_DONT_GC=1 nixos-rebuild dry-build --flake .#{{matrix.system}}
find
- run: nix run nixpkgs#nixos-rebuild -- dry-build --override-input secrets ./secrets --flake .#${{matrix.system}}

15
configs/aerc.nix
View File

@@ -2,7 +2,6 @@
pkgs, pkgs,
config, config,
lib, lib,
inputs,
... ...
}: let }: let
defaults = { defaults = {
@@ -20,43 +19,43 @@
in { in {
age.secrets = { age.secrets = {
email-password-cock = { email-password-cock = {
file = inputs.secrets + "/email-password-cock.age"; file = ../secrets/email-password-cock.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
email-password-fysi = { email-password-fysi = {
file = inputs.secrets + "/email-password-fysi.age"; file = ../secrets/email-password-fysi.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
email-password-posteo = { email-password-posteo = {
file = inputs.secrets + "/email-password-posteo.age"; file = ../secrets/email-password-posteo.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
email-password-meinhark = { email-password-meinhark = {
file = inputs.secrets + "/email-password-meinhark.age"; file = ../secrets/email-password-meinhark.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
email-password-meinhaki = { email-password-meinhaki = {
file = inputs.secrets + "/email-password-meinhaki.age"; file = ../secrets/email-password-meinhaki.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
email-password-dslalewa = { email-password-dslalewa = {
file = inputs.secrets + "/email-password-dslalewa.age"; file = ../secrets/email-password-dslalewa.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
email-password-fsklassp = { email-password-fsklassp = {
file = inputs.secrets + "/email-password-fsklassp.age"; file = ../secrets/email-password-fsklassp.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";

3
configs/cloud.nix
View File

@@ -2,7 +2,6 @@
config, config,
lib, lib,
pkgs, pkgs,
inputs,
... ...
}: let }: let
inherit (import ../lib) tmpfilesConfig; inherit (import ../lib) tmpfilesConfig;
@@ -98,7 +97,7 @@ in {
]; ];
age.secrets.mega-password = { age.secrets.mega-password = {
file = inputs.secrets + "/mega-password.age"; file = ../secrets/mega-password.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";

6
configs/default.nix
View File

@@ -37,13 +37,13 @@ in {
{ {
age.secrets = { age.secrets = {
di-fm-key = { di-fm-key = {
file = inputs.secrets + "/di-fm-key.age"; file = ../secrets/di-fm-key.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
restic = { restic = {
file = inputs.secrets + "/restic.age"; file = ../secrets/restic.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
@@ -76,7 +76,7 @@ in {
}; };
age.secrets = { age.secrets = {
kfm-password.file = inputs.secrets + "/kfm-password.age"; kfm-password.file = ../secrets/kfm-password.age;
}; };
home-manager.users.me.xdg.enable = true; home-manager.users.me.xdg.enable = true;

10
configs/hu-berlin.nix
View File

@@ -1,9 +1,15 @@
{ {
config, config,
pkgs, pkgs,
inputs, lib,
... ...
}: let }: let
inherit (lib.strings) fileContents;
inherit (import ../lib) sshPort;
eduroam = {
identity = fileContents <secrets/eduroam/identity>;
password = fileContents <secrets/eduroam/password>;
};
hu-berlin-cifs-options = [ hu-berlin-cifs-options = [
"uid=${toString config.users.users.me.uid}" "uid=${toString config.users.users.me.uid}"
"gid=${toString config.users.groups.users.gid}" "gid=${toString config.users.groups.users.gid}"
@@ -29,7 +35,7 @@ in {
options = hu-berlin-cifs-options; options = hu-berlin-cifs-options;
}; };
age.secrets.cifs-credentials-hu-berlin.file = inputs.secrets + "/cifs-credentials-hu-berlin.age"; age.secrets.cifs-credentials-hu-berlin.file = ../secrets/cifs-credentials-hu-berlin.age;
home-manager.users.me.programs.ssh = { home-manager.users.me.programs.ssh = {
matchBlocks = { matchBlocks = {

5
configs/i3.nix
View File

@@ -3,7 +3,6 @@
pkgs, pkgs,
lib, lib,
niveumPackages, niveumPackages,
inputs,
... ...
}: let }: let
inherit (import ../lib) defaultApplications colours; inherit (import ../lib) defaultApplications colours;
@@ -66,13 +65,13 @@
in { in {
age.secrets = { age.secrets = {
github-token-i3status-rust = { github-token-i3status-rust = {
file = inputs.secrets + "/github-token-i3status-rust.age"; file = ../secrets/github-token-i3status-rust.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
openweathermap-api-key = { openweathermap-api-key = {
file = inputs.secrets + "/openweathermap-api-key.age"; file = ../secrets/openweathermap-api-key.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";

6
configs/khal.nix
View File

@@ -1,7 +1,7 @@
{ {
config, config,
pkgs, pkgs,
inputs, lib,
... ...
}: let }: let
davHome = "~/.local/share/dav"; davHome = "~/.local/share/dav";
@@ -18,13 +18,13 @@
in { in {
age.secrets = { age.secrets = {
nextcloud-password-kieran = { nextcloud-password-kieran = {
file = inputs.secrets + "/nextcloud-password-kieran.age"; file = ../secrets/nextcloud-password-kieran.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";
}; };
nextcloud-password-fysi = { nextcloud-password-fysi = {
file = inputs.secrets + "/nextcloud-password-fysi.age"; file = ../secrets/nextcloud-password-fysi.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";

4
configs/packages.nix
View File

@@ -1,8 +1,10 @@
{ {
config, config,
pkgs, pkgs,
lib,
inputs, inputs,
niveumPackages, niveumPackages,
unstablePackages,
... ...
}: let }: let
worldradio = pkgs.callPackage ../packages/worldradio.nix {}; worldradio = pkgs.callPackage ../packages/worldradio.nix {};
@@ -289,7 +291,7 @@ in {
]; ];
age.secrets.home-assistant-token = { age.secrets.home-assistant-token = {
file = inputs.secrets + "/home-assistant-token.age"; file = ../secrets/home-assistant-token.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";

4
configs/telegram-bots/autorenkalender.nix
View File

@@ -1,6 +1,6 @@
{ {
pkgs, pkgs,
inputs, lib,
config, config,
... ...
}: let }: let
@@ -22,7 +22,7 @@ in {
command = "${autorenkalender}/bin/autorenkalender"; command = "${autorenkalender}/bin/autorenkalender";
}; };
age.secrets.telegram-token-kmein.file = inputs.secrets + "/telegram-token-kmein.age"; age.secrets.telegram-token-kmein.file = ../../secrets/telegram-token-kmein.age;
niveum.passport.services = [ niveum.passport.services = [
{ {

7
configs/telegram-bots/default.nix
View File

@@ -1,6 +1,7 @@
{ {
config, config,
pkgs, pkgs,
lib,
inputs, inputs,
... ...
}: let }: let
@@ -47,9 +48,9 @@ in {
]; ];
age.secrets = { age.secrets = {
telegram-token-reverse.file = inputs.secrets + "/telegram-token-reverse.age"; telegram-token-reverse.file = ../../secrets/telegram-token-reverse.age;
telegram-token-betacode.file = inputs.secrets + "/telegram-token-betacode.age"; telegram-token-betacode.file = ../../secrets/telegram-token-betacode.age;
telegram-token-proverb.file = inputs.secrets + "/telegram-token-proverb.age"; telegram-token-proverb.file = ../../secrets/telegram-token-proverb.age;
}; };
systemd.services.telegram-reverse = { systemd.services.telegram-reverse = {

4
configs/telegram-bots/nachtischsatan.nix
View File

@@ -1,7 +1,7 @@
{ {
pkgs, pkgs,
config, config,
inputs, lib,
... ...
}: let }: let
nachtischsatan-bot = {tokenFile}: nachtischsatan-bot = {tokenFile}:
@@ -36,7 +36,7 @@ in {
serviceConfig.Restart = "always"; serviceConfig.Restart = "always";
}; };
age.secrets.telegram-token-nachtischsatan.file = inputs.secrets + "/telegram-token-nachtischsatan.age"; age.secrets.telegram-token-nachtischsatan.file = ../../secrets/telegram-token-nachtischsatan.age;
niveum.passport.services = [ niveum.passport.services = [
{ {

4
configs/traadfri.nix
View File

@@ -1,7 +1,7 @@
{ {
config, config,
pkgs, pkgs,
inputs, lib,
... ...
}: let }: let
inherit (import ../lib) localAddresses; inherit (import ../lib) localAddresses;
@@ -20,7 +20,7 @@ in {
]; ];
age.secrets.traadfri-key = { age.secrets.traadfri-key = {
file = inputs.secrets + "/traadfri-key.age"; file = ../secrets/traadfri-key.age;
owner = config.users.users.me.name; owner = config.users.users.me.name;
group = config.users.users.me.group; group = config.users.users.me.group;
mode = "400"; mode = "400";

14
flake.lock generated
View File

@@ -322,7 +322,6 @@
"retiolum": "retiolum", "retiolum": "retiolum",
"rust-overlay": "rust-overlay", "rust-overlay": "rust-overlay",
"scripts": "scripts", "scripts": "scripts",
"secrets": "secrets",
"telebots": "telebots", "telebots": "telebots",
"tinc-graph": "tinc-graph", "tinc-graph": "tinc-graph",
"traadfri": "traadfri", "traadfri": "traadfri",
@@ -378,19 +377,6 @@
"type": "github" "type": "github"
} }
}, },
"secrets": {
"flake": false,
"locked": {
"lastModified": 1,
"narHash": "sha256-pQpattmS9VmO3ZIQUFn66az8GSmB4IvYhTTCFn6SUmo=",
"path": "./secrets",
"type": "path"
},
"original": {
"path": "./secrets",
"type": "path"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,

4
flake.nix
View File

@@ -13,7 +13,6 @@
nixpkgs-unstable.url = "github:NixOS/nixpkgs/master"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
nur.url = "github:nix-community/NUR"; nur.url = "github:nix-community/NUR";
recht.url = "github:kmein/recht"; recht.url = "github:kmein/recht";
secrets.url = "path:./secrets";
scripts.url = "github:kmein/scripts"; scripts.url = "github:kmein/scripts";
retiolum.url = "git+https://git.thalheim.io/Mic92/retiolum"; retiolum.url = "git+https://git.thalheim.io/Mic92/retiolum";
rust-overlay.url = "github:oxalica/rust-overlay"; rust-overlay.url = "github:oxalica/rust-overlay";
@@ -39,7 +38,6 @@
scripts.inputs.flake-utils.follows = "flake-utils"; scripts.inputs.flake-utils.follows = "flake-utils";
scripts.inputs.nixpkgs.follows = "nixpkgs"; scripts.inputs.nixpkgs.follows = "nixpkgs";
scripts.inputs.rust-overlay.follows = "rust-overlay"; scripts.inputs.rust-overlay.follows = "rust-overlay";
secrets.flake = false;
tinc-graph.inputs.flake-utils.follows = "flake-utils"; tinc-graph.inputs.flake-utils.follows = "flake-utils";
tinc-graph.inputs.nixpkgs.follows = "nixpkgs"; tinc-graph.inputs.nixpkgs.follows = "nixpkgs";
tinc-graph.inputs.rust-overlay.follows = "rust-overlay"; tinc-graph.inputs.rust-overlay.follows = "rust-overlay";
@@ -64,7 +62,7 @@
apps = apps =
nixinate.nixinate.x86_64-linux self nixinate.nixinate.x86_64-linux self
// { // {
x86_64-linux = let x86_64-linux.deploy = let
pkgs = nixpkgs.legacyPackages.x86_64-linux; pkgs = nixpkgs.legacyPackages.x86_64-linux;
in { in {
mock-secrets = { mock-secrets = {

62
secrets.txt
View File

@@ -1,62 +0,0 @@
secrets/di-fm-key.age
secrets/email-password-meinhark.age
secrets/kabsa-retiolum-privateKey-ed25519.age
secrets/makanek-specus-privateKey.age
secrets/manakish-retiolum-privateKey-rsa.age
secrets/kfm-password.age
secrets/email-password-fysi.age
secrets/github-token-i3status-rust.age
secrets/nextcloud-password-admin.age
secrets/zaatar-retiolum-privateKey-ed25519.age
secrets/manakish-syncthing-cert.age
secrets/telegram-token-betacode.age
secrets/tabula-retiolum-privateKey-rsa.age
secrets/zaatar-ympd-basicAuth.age
secrets/zaatar-moodle-dl-basicAuth.age
secrets/mega-password.age
secrets/telegram-token-reverse.age
secrets/email-password-meinhaki.age
secrets/spotify-password.age
secrets/telegram-token-kmein.age
secrets/maxmind-license-key.age
secrets/makanek-retiolum-privateKey-rsa.age
secrets/spotify-username.age
secrets/onlyoffice-jwt-key.age
secrets/miniflux-credentials.age
secrets/email-password-fsklassp.age
secrets/kabsa-retiolum-privateKey-rsa.age
secrets/traadfri-key.age
secrets/tahina-retiolum-privateKey-rsa.age
secrets/makanek-retiolum-privateKey-ed25519.age
secrets/zaatar-retiolum-privateKey-rsa.age
secrets/kabsa-specus-privateKey.age
secrets/nextcloud-password-kieran.age
secrets/ful-root.age
secrets/manakish-syncthing-key.age
secrets/email-password-dslalewa.age
secrets/zaatar-moodle-dl-tokens.json.age
secrets/tabula-retiolum-privateKey-ed25519.age
secrets/tahina-retiolum-privateKey-ed25519.age
secrets/cifs-credentials-hu-berlin.age
secrets/kabsa-syncthing-key.age
secrets/ful-retiolum-privateKey-rsa.age
secrets/ful-retiolum-privateKey-ed25519.age
secrets/zaatar-syncthing-key.age
secrets/openweathermap-api-key.age
secrets/secrets.nix
secrets/email-password-cock.age
secrets/telegram-token-nachtischsatan.age
secrets/kabsa-syncthing-cert.age
secrets/grafana-password-admin.age
secrets/email-password-posteo.age
secrets/manakish-retiolum-privateKey-ed25519.age
secrets/restic.age
secrets/home-assistant-token.age
secrets/zaatar-syncthing-cert.age
secrets/nextcloud-password-database.age
secrets/telegram-token-menstruation.age
secrets/alertmanager-token-reporters.age
secrets/ful-specus-privateKey.age
secrets/nextcloud-password-fysi.age
secrets/weechat-sec.conf.age
secrets/telegram-token-proverb.age

10
systems/ful/configuration.nix
View File

@@ -1,5 +1,5 @@
{ {
inputs, lib,
config, config,
pkgs, pkgs,
... ...
@@ -36,19 +36,19 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = inputs.secrets + "/ful-retiolum-privateKey-rsa.age"; file = ../../secrets/ful-retiolum-privateKey-rsa.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = inputs.secrets + "/ful-retiolum-privateKey-ed25519.age"; file = ../../secrets/ful-retiolum-privateKey-ed25519.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
root.file = inputs.secrets + "/ful-root.age"; root.file = ../../secrets/ful-root.age;
restic.file = inputs.secrets + "/restic.age"; restic.file = ../../secrets/restic.age;
}; };
services.restic.backups.niveum = { services.restic.backups.niveum = {

13
systems/kabsa/configuration.nix
View File

@@ -1,6 +1,7 @@
{ {
inputs, config,
pkgs, pkgs,
lib,
... ...
}: let }: let
inherit (import ../../lib) retiolumAddresses; inherit (import ../../lib) retiolumAddresses;
@@ -25,20 +26,20 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = inputs.secrets + "/kabsa-retiolum-privateKey-rsa.age"; file = ../../secrets/kabsa-retiolum-privateKey-rsa.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = inputs.secrets + "/kabsa-retiolum-privateKey-ed25519.age"; file = ../../secrets/kabsa-retiolum-privateKey-ed25519.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
restic.file = inputs.secrets + "/restic.age"; restic.file = ../../secrets/restic.age;
syncthing-cert.file = inputs.secrets + "/kabsa-syncthing-cert.age"; syncthing-cert.file = ../../secrets/kabsa-syncthing-cert.age;
syncthing-key.file = inputs.secrets + "/kabsa-syncthing-key.age"; syncthing-key.file = ../../secrets/kabsa-syncthing-key.age;
}; };
environment.systemPackages = [pkgs.minecraft pkgs.zeroad]; environment.systemPackages = [pkgs.minecraft pkgs.zeroad];

8
systems/makanek/configuration.nix
View File

@@ -1,5 +1,5 @@
{ {
inputs, lib,
config, config,
pkgs, pkgs,
... ...
@@ -84,18 +84,18 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = inputs.secrets + "/makanek-retiolum-privateKey-rsa.age"; file = ../../secrets/makanek-retiolum-privateKey-rsa.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = inputs.secrets + "/makanek-retiolum-privateKey-ed25519.age"; file = ../../secrets/makanek-retiolum-privateKey-ed25519.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
restic.file = inputs.secrets + "/restic.age"; restic.file = ../../secrets/restic.age;
}; };
system.stateVersion = "20.03"; system.stateVersion = "20.03";

3
systems/makanek/menstruation.nix
View File

@@ -1,6 +1,7 @@
{ {
config, config,
pkgs, pkgs,
lib,
inputs, inputs,
... ...
}: let }: let
@@ -46,7 +47,7 @@ in {
}; };
}; };
age.secrets.telegram-token-menstruation.file = inputs.secrets + "/telegram-token-menstruation.age"; age.secrets.telegram-token-menstruation.file = ../../secrets/telegram-token-menstruation.age;
systemd.services.menstruation-backend = { systemd.services.menstruation-backend = {
wants = ["network-online.target"]; wants = ["network-online.target"];

7
systems/makanek/monitoring/default.nix
View File

@@ -2,7 +2,6 @@
lib, lib,
config, config,
pkgs, pkgs,
inputs,
... ...
}: let }: let
lokiConfig = import ./loki.nix; lokiConfig = import ./loki.nix;
@@ -242,19 +241,19 @@ in {
age.secrets = { age.secrets = {
email-password-cock = { email-password-cock = {
file = inputs.secrets + "/email-password-cock.age"; file = ../../../secrets/email-password-cock.age;
owner = "grafana"; owner = "grafana";
group = "grafana"; group = "grafana";
mode = "440"; mode = "440";
}; };
grafana-password-admin = { grafana-password-admin = {
file = inputs.secrets + "/grafana-password-admin.age"; file = ../../../secrets/grafana-password-admin.age;
owner = "grafana"; owner = "grafana";
group = "grafana"; group = "grafana";
mode = "440"; mode = "440";
}; };
alertmanager-token-reporters = { alertmanager-token-reporters = {
file = inputs.secrets + "/alertmanager-token-reporters.age"; file = ../../../secrets/alertmanager-token-reporters.age;
owner = "prometheus"; owner = "prometheus";
group = "prometheus"; group = "prometheus";
mode = "440"; mode = "440";

5
systems/makanek/nextcloud.nix
View File

@@ -1,7 +1,6 @@
{ {
pkgs, pkgs,
config, config,
inputs,
lib, lib,
... ...
}: let }: let
@@ -9,13 +8,13 @@
in { in {
age.secrets = { age.secrets = {
nextcloud-password-database = { nextcloud-password-database = {
file = inputs.secrets + "/nextcloud-password-database.age"; file = ../../secrets/nextcloud-password-database.age;
owner = "nextcloud"; owner = "nextcloud";
group = "nextcloud"; group = "nextcloud";
mode = "440"; mode = "440";
}; };
nextcloud-password-admin = { nextcloud-password-admin = {
file = inputs.secrets + "/nextcloud-password-admin.age"; file = ../../secrets/nextcloud-password-admin.age;
owner = "nextcloud"; owner = "nextcloud";
group = "nextcloud"; group = "nextcloud";
mode = "440"; mode = "440";

4
systems/makanek/onlyoffice.nix
View File

@@ -1,5 +1,5 @@
{ {
inputs, pkgs,
config, config,
... ...
}: { }: {
@@ -11,7 +11,7 @@
}; };
age.secrets.onlyoffice-key = { age.secrets.onlyoffice-key = {
file = inputs.secrets + "/onlyoffice-jwt-key.age"; file = ../../secrets/onlyoffice-jwt-key.age;
owner = "onlyoffice"; owner = "onlyoffice";
}; };

2
systems/makanek/retiolum-map.nix
View File

@@ -45,7 +45,7 @@ in {
}; };
}; };
age.secrets.maxmind-license-key.file = inputs.secrets + "/maxmind-license-key.age"; age.secrets.maxmind-license-key.file = ../../secrets/maxmind-license-key.age;
niveum.passport.services = [ niveum.passport.services = [
{ {

5
systems/makanek/tt-rss.nix
View File

@@ -1,5 +1,6 @@
{ {
inputs, pkgs,
lib,
config, config,
... ...
}: let }: let
@@ -18,7 +19,7 @@ in {
}; };
}; };
age.secrets.miniflux-credentials.file = inputs.secrets + "/miniflux-credentials.age"; age.secrets.miniflux-credentials.file = ../../secrets/miniflux-credentials.age;
services.postgresqlBackup = { services.postgresqlBackup = {
enable = true; enable = true;

4
systems/makanek/weechat.nix
View File

@@ -1,7 +1,7 @@
{ {
lib, lib,
pkgs, pkgs,
inputs, config,
... ...
}: let }: let
inherit (import ../../lib) kieran; inherit (import ../../lib) kieran;
@@ -205,7 +205,7 @@ in {
}; };
age.secrets.weechat-sec = { age.secrets.weechat-sec = {
file = inputs.secrets + "/weechat-sec.conf.age"; file = ../../secrets/weechat-sec.conf.age;
path = "/var/lib/weechat/sec.conf"; path = "/var/lib/weechat/sec.conf";
owner = "weechat"; owner = "weechat";
group = "weechat"; group = "weechat";

14
systems/manakish/configuration.nix
View File

@@ -1,4 +1,8 @@
{inputs, ...}: let {
config,
pkgs,
...
}: let
inherit (import ../../lib) retiolumAddresses; inherit (import ../../lib) retiolumAddresses;
in { in {
imports = [ imports = [
@@ -12,19 +16,19 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = inputs.secrets + "/manakish-retiolum-privateKey-rsa.age"; file = ../../secrets/manakish-retiolum-privateKey-rsa.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = inputs.secrets + "/manakish-retiolum-privateKey-ed25519.age"; file = ../../secrets/manakish-retiolum-privateKey-ed25519.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
syncthing-cert.file = inputs.secrets + "/manakish-syncthing-cert.age"; syncthing-cert.file = ../../secrets/manakish-syncthing-cert.age;
syncthing-key.file = inputs.secrets + "/manakish-syncthing-key.age"; syncthing-key.file = ../../secrets/manakish-syncthing-key.age;
}; };
niveum = { niveum = {

6
systems/tabula/configuration.nix
View File

@@ -1,5 +1,5 @@
{ {
inputs, config,
pkgs, pkgs,
... ...
}: let }: let
@@ -15,13 +15,13 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = inputs.secrets + "/tabula-retiolum-privateKey-rsa.age"; file = ../../secrets/tabula-retiolum-privateKey-rsa.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = inputs.secrets + "/tabula-retiolum-privateKey-ed25519.age"; file = ../../secrets/tabula-retiolum-privateKey-ed25519.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";

6
systems/tahina/configuration.nix
View File

@@ -1,5 +1,5 @@
{ {
inputs, config,
pkgs, pkgs,
... ...
}: let }: let
@@ -15,13 +15,13 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = inputs.secrets + "/tahina-retiolum-privateKey-rsa.age"; file = ../../secrets/tahina-retiolum-privateKey-rsa.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = inputs.secrets + "/tahina-retiolum-privateKey-ed25519.age"; file = ../../secrets/tahina-retiolum-privateKey-ed25519.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";

8
systems/zaatar/configuration.nix
View File

@@ -1,7 +1,7 @@
{ {
config, config,
pkgs, pkgs,
inputs, lib,
... ...
}: let }: let
inherit (import ../../lib) retiolumAddresses restic; inherit (import ../../lib) retiolumAddresses restic;
@@ -31,18 +31,18 @@ in {
age.secrets = { age.secrets = {
retiolum-rsa = { retiolum-rsa = {
file = inputs.secrets + "/zaatar-retiolum-privateKey-rsa.age"; file = ../../secrets/zaatar-retiolum-privateKey-rsa.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
retiolum-ed25519 = { retiolum-ed25519 = {
file = inputs.secrets + "/zaatar-retiolum-privateKey-ed25519.age"; file = ../../secrets/zaatar-retiolum-privateKey-ed25519.age;
mode = "400"; mode = "400";
owner = "tinc.retiolum"; owner = "tinc.retiolum";
group = "tinc.retiolum"; group = "tinc.retiolum";
}; };
restic.file = inputs.secrets + "/restic.age"; restic.file = ../../secrets/restic.age;
}; };
services.restic.backups.moodle-dl = { services.restic.backups.moodle-dl = {

5
systems/zaatar/moodle-dl-meinhark.nix
View File

@@ -2,7 +2,6 @@
config, config,
pkgs, pkgs,
lib, lib,
inputs,
... ...
}: let }: let
moodle-dl-package = pkgs.moodle-dl.overrideAttrs (old: moodle-dl-package = pkgs.moodle-dl.overrideAttrs (old:
@@ -14,14 +13,14 @@ in {
age.secrets = { age.secrets = {
/* /*
moodle-dl-tokens = { moodle-dl-tokens = {
file = inputs.secrets + "/zaatar-moodle-dl-tokens.json.age"; file = ../../secrets/zaatar-moodle-dl-tokens.json.age;
owner = "moodle-dl"; owner = "moodle-dl";
group = "moodle-dl"; group = "moodle-dl";
mode = "400"; mode = "400";
}; };
*/ */
moodle-dl-basicAuth = { moodle-dl-basicAuth = {
file = inputs.secrets + "/zaatar-moodle-dl-basicAuth.age"; file = ../../secrets/zaatar-moodle-dl-basicAuth.age;
owner = "nginx"; owner = "nginx";
group = "nginx"; group = "nginx";
mode = "400"; mode = "400";

9
systems/zaatar/mpd.nix
View File

@@ -2,7 +2,6 @@
config, config,
pkgs, pkgs,
lib, lib,
inputs,
... ...
}: let }: let
firewall = (import ../../lib).firewall lib; firewall = (import ../../lib).firewall lib;
@@ -103,14 +102,14 @@ in {
age.secrets = { age.secrets = {
ympd-basicAuth = { ympd-basicAuth = {
file = inputs.secrets + "/zaatar-ympd-basicAuth.age"; file = ../../secrets/zaatar-ympd-basicAuth.age;
owner = "nginx"; owner = "nginx";
group = "nginx"; group = "nginx";
mode = "400"; mode = "400";
}; };
syncthing-cert.file = inputs.secrets + "/zaatar-syncthing-cert.age"; syncthing-cert.file = ../../secrets/zaatar-syncthing-cert.age;
syncthing-key.file = inputs.secrets + "/zaatar-syncthing-key.age"; syncthing-key.file = ../../secrets/zaatar-syncthing-key.age;
di-fm-key.file = inputs.secrets + "/di-fm-key.age"; di-fm-key.file = ../../secrets/di-fm-key.age;
}; };
services.nginx = { services.nginx = {

10
systems/zaatar/spotifyd.nix
View File

@@ -1,8 +1,4 @@
{ {config, ...}: {
config,
inputs,
...
}: {
services.spotifyd = { services.spotifyd = {
enable = true; enable = true;
settings = { settings = {
@@ -25,8 +21,8 @@
}; };
age.secrets = { age.secrets = {
spotify-username.file = inputs.secrets + "/spotify-username.age"; spotify-username.file = ../../secrets/spotify-username.age;
spotify-password.file = inputs.secrets + "/spotify-password.age"; spotify-password.file = ../../secrets/spotify-password.age;
}; };
# ref https://github.com/NixOS/nixpkgs/issues/71362#issuecomment-753461502 # ref https://github.com/NixOS/nixpkgs/issues/71362#issuecomment-753461502