hektor/nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: hektor:54913f0ef51b5191c2142acf21f22d4d4305d3b9
Branches Tags
hektor:main
...
compare: hektor:8e62844005ff386f3df24d3c56561f8ccb496543
Branches Tags
hektor:main

7 Commits
54913f0ef5 ... 8e62844005

Author SHA1 Message Date
hektor
8e62844005 refactor(secrets): simplify secrets 2026-04-20 20:11:10 +02:00
hektor
9e3652a55e refactor(backups): simplify backups module 2026-04-19 17:50:53 +02:00
hektor
1dfdd40827 fix: add home manager 'secrets' module to andromache 2026-04-19 17:49:59 +02:00
hektor
446bd52ed8 fix: remove nodeNixpkgs from colmena 2026-04-17 14:34:37 +02:00
hektor
4a3c03a10a refactor: modularize utils 2026-04-17 14:34:37 +02:00
hektor
4de7a6725c feat(direnv): set up direnv using '.envrc' 2026-04-17 14:34:37 +02:00
hektor
ed53b2be57 feat: set up tailscale on 'eetion' host 2026-04-17 14:34:37 +02:00
18 changed files with 160 additions and 141 deletions
Expand all files Collapse all files

1
.envrc Normal file
View File

@@ -0,0 +1 @@
use flake

3
.gitignore vendored
View File

@@ -9,4 +9,5 @@ result-*
nixos-efi-vars.fd nixos-efi-vars.fd
/.pre-commit-config.yaml .direnv/
.pre-commit-config.yaml

7
deploy/colmena.nix
View File

@@ -21,15 +21,12 @@ let
nodes = lib.genAttrs hostDirNames ( nodes = lib.genAttrs hostDirNames (
hostname: mkNode hostname (utils.hostMeta ../hosts/${hostname}).deployment.tags hostname: mkNode hostname (utils.hostMeta ../hosts/${hostname}).deployment.tags
); );
in in
inputs.colmena.lib.makeHive ( inputs.colmena.lib.makeHive (
{ {
meta = { meta = {
nixpkgs = import inputs.nixpkgs { nixpkgs = import inputs.nixpkgs { localSystem = "x86_64-linux"; };
localSystem = "x86_64-linux";
};
nodeNixpkgs = builtins.mapAttrs (_: v: v.pkgs) self.nixosConfigurations;
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
outputs = self; outputs = self;

1
home/hosts/andromache/default.nix
View File

@@ -25,6 +25,7 @@
../../modules/nvim ../../modules/nvim
../../modules/pandoc ../../modules/pandoc
../../modules/photography ../../modules/photography
../../modules/secrets
../../modules/shell ../../modules/shell
../../modules/ssh ../../modules/ssh
../../modules/taskwarrior ../../modules/taskwarrior

6
home/modules/anki/default.nix
View File

@@ -13,10 +13,12 @@ let
standalone = osConfig == null; standalone = osConfig == null;
in in
lib.optionalAttrs standalone { lib.optionalAttrs standalone {
sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "anki" [ sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
anki = [
"sync-user" "sync-user"
"sync-key" "sync-key"
] { }; ];
};
} }
// { // {
warnings = lib.optional ( warnings = lib.optional (

6
home/modules/taskwarrior/default.nix
View File

@@ -15,11 +15,13 @@ let
in in
lib.optionalAttrs standalone { lib.optionalAttrs standalone {
sops = { sops = {
secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "taskwarrior" [ secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
taskwarrior = [
"sync-server-url" "sync-server-url"
"sync-server-client-id" "sync-server-client-id"
"sync-encryption-secret" "sync-encryption-secret"
] { }; ];
};
templates."taskrc.d/sync" = { templates."taskrc.d/sync" = {
content = '' content = ''

1
hosts/andromache/default.nix
View File

@@ -68,6 +68,7 @@ in
nixSigningKey.enable = true; nixSigningKey.enable = true;
}; };
restic-backup.enable = true;
tailscale.enable = true; tailscale.enable = true;
docker.user = config.host.username; docker.user = config.host.username;

1
hosts/astyanax/default.nix
View File

@@ -64,6 +64,7 @@ in
nixSigningKey.enable = true; nixSigningKey.enable = true;
}; };
restic-backup.enable = true;
tailscale.enable = true; tailscale.enable = true;
docker.user = config.host.username; docker.user = config.host.username;
nfc.user = config.host.username; nfc.user = config.host.username;

3
hosts/eetion/default.nix
View File

@@ -9,9 +9,12 @@
./host.nix ./host.nix
../../modules/common ../../modules/common
../../modules/ssh ../../modules/ssh
../../modules/tailscale
# ../../modules/uptime-kuma # ../../modules/uptime-kuma
]; ];
tailscale.enable = true;
ssh = { ssh = {
inherit (config.host) username; inherit (config.host) username;
publicHostname = config.host.name; publicHostname = config.host.name;

11
modules/ai-tools/default.nix
View File

@@ -1,14 +1,13 @@
{ config, myUtils, ... }: { config, ... }:
let let
inherit (config.secrets) sopsDir username; inherit (config.secrets) username owner;
owner = config.users.users.${username}.name;
in in
{ {
config.sops = { config = {
secrets = myUtils.mkSopsSecrets sopsDir "opencode" [ "api-key" ] { inherit owner; }; secrets.groups.opencode = [ "api-key" ];
templates."opencode/auth.json" = { sops.templates."opencode/auth.json" = {
inherit owner; inherit owner;
path = "/home/${username}/.local/share/opencode/auth.json"; path = "/home/${username}/.local/share/opencode/auth.json";
content = '' content = ''

13
modules/anki/default.nix
View File

@@ -1,11 +1,6 @@
{ config, myUtils, ... }:
let
inherit (config.secrets) sopsDir username;
owner = config.users.users.${username}.name;
in
{ {
config.sops = { config.secrets.groups.anki = [
secrets = myUtils.mkSopsSecrets sopsDir "anki" [ "sync-user" "sync-key" ] { inherit owner; }; "sync-user"
}; "sync-key"
];
} }

42
modules/backups/default.nix
View File

@@ -1,21 +1,16 @@
{ {
lib, lib,
config, config,
myUtils,
... ...
}: }:
let let
cfg = config.restic-backup; cfg = config.restic-backup;
inherit (config.secrets) sopsDir; host = config.networking.hostName;
in in
{ {
options = { options.restic-backup = {
restic-backup = { enable = lib.mkEnableOption "restic backups";
repository = lib.mkOption {
type = lib.types.str;
default = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${config.networking.hostName}";
};
passwordFile = lib.mkOption { passwordFile = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@@ -27,31 +22,32 @@ in
default = [ "/home" ]; default = [ "/home" ];
}; };
}; };
config = lib.mkIf cfg.enable {
secrets.groups = {
restic = [ "password" ];
backblaze-b2 = [
"bucket-name"
"account-id"
"account-key"
];
}; };
config = { sops.templates = {
sops = { "restic/repo-${host}" = {
secrets = lib.mkMerge [ content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${host}";
(myUtils.mkSopsSecrets sopsDir "restic" [ "password" ] { })
(myUtils.mkSopsSecrets sopsDir "backblaze-b2" [ "bucket-name" "account-id" "account-key" ] { })
];
templates = {
"restic/repo-${config.networking.hostName}" = {
content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${config.networking.hostName}";
}; };
"restic/b2-env-${config.networking.hostName}" = { "restic/b2-env-${host}" = {
content = '' content = ''
B2_ACCOUNT_ID=${config.sops.placeholder."backblaze-b2/account-id"} B2_ACCOUNT_ID=${config.sops.placeholder."backblaze-b2/account-id"}
B2_ACCOUNT_KEY=${config.sops.placeholder."backblaze-b2/account-key"} B2_ACCOUNT_KEY=${config.sops.placeholder."backblaze-b2/account-key"}
''; '';
}; };
}; };
};
services.restic.backups.home = { services.restic.backups.home = {
repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path; repositoryFile = config.sops.templates."restic/repo-${host}".path;
inherit (cfg) passwordFile; inherit (cfg) passwordFile paths;
inherit (cfg) paths;
timerConfig = { timerConfig = {
OnCalendar = "daily"; OnCalendar = "daily";
Persistent = true; Persistent = true;
@@ -64,7 +60,7 @@ in
"--keep-monthly 6" "--keep-monthly 6"
"--keep-yearly 1" "--keep-yearly 1"
]; ];
environmentFile = config.sops.templates."restic/b2-env-${config.networking.hostName}".path; environmentFile = config.sops.templates."restic/b2-env-${host}".path;
}; };
}; };
} }

11
modules/hcloud/default.nix
View File

@@ -1,30 +1,27 @@
{ {
lib, lib,
config, config,
myUtils,
... ...
}: }:
let let
cfg = config.hcloud; cfg = config.hcloud;
inherit (config.secrets) sopsDir; inherit (config.secrets) owner;
in in
{ {
options.hcloud = { options.hcloud = {
enable = lib.mkEnableOption "hcloud CLI configuration"; enable = lib.mkEnableOption "hcloud CLI configuration";
username = lib.mkOption { username = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "Username for hcloud CLI configuration"; description = "username for hcloud CLI configuration";
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
sops.secrets = myUtils.mkSopsSecrets sopsDir "hcloud" [ "api-token" ] { secrets.groups.hcloud = [ "api-token" ];
owner = config.users.users.${cfg.username}.name;
};
sops.templates."hcloud/cli.toml" = { sops.templates."hcloud/cli.toml" = {
owner = config.users.users.${cfg.username}.name; inherit owner;
path = "/home/${cfg.username}/.config/hcloud/cli.toml"; path = "/home/${cfg.username}/.config/hcloud/cli.toml";
content = '' content = ''
active_context = "server" active_context = "server"

38
modules/secrets/default.nix
View File

@@ -11,13 +11,11 @@ let
cfg = config.secrets; cfg = config.secrets;
inherit (cfg) sopsDir; inherit (cfg) sopsDir;
owner = config.users.users.${cfg.username}.name; owner = config.users.users.${cfg.username}.name;
mkSopsSecrets = myUtils.mkSopsSecrets sopsDir;
in in
{ {
imports = [ inputs.sops-nix.nixosModules.sops ]; imports = [ inputs.sops-nix.nixosModules.sops ];
options = { options.secrets = {
secrets = {
username = lib.mkOption { username = lib.mkOption {
type = lib.types.str; type = lib.types.str;
}; };
@@ -27,6 +25,16 @@ in
default = "${toString inputs.nix-secrets}/secrets"; default = "${toString inputs.nix-secrets}/secrets";
}; };
groups = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.str);
default = { };
description = "Declarative secret groups: { group = [ key names ]; }";
};
owner = lib.mkOption {
type = lib.types.unspecified;
};
nixSigningKey = { nixSigningKey = {
enable = lib.mkEnableOption "nix signing key configuration"; enable = lib.mkEnableOption "nix signing key configuration";
}; };
@@ -35,26 +43,26 @@ in
enable = lib.mkEnableOption "set up Yubikey"; enable = lib.mkEnableOption "set up Yubikey";
}; };
}; };
};
config = { config = {
secrets = {
inherit owner;
groups = {
email = [
"personal"
"work"
];
nix = lib.optional cfg.nixSigningKey.enable "signing-key";
};
};
sops = { sops = {
# for yubikey, generate as follows: # for yubikey, generate as follows:
# ``` # ```
# age-plugin-yubikey --identity > <keyfile-path> # age-plugin-yubikey --identity > <keyfile-path>
# ``` # ```
age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt"; age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt";
secrets = myUtils.mkSopsSecrets sopsDir owner cfg.groups;
secrets = lib.mkMerge [
(mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; })
(lib.mkIf cfg.nixSigningKey.enable {
nix-signing-key = {
sopsFile = "${sopsDir}/nix.yaml";
key = "signing-key";
inherit owner;
};
})
];
}; };
nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [ nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [

13
modules/taskwarrior/default.nix
View File

@@ -1,18 +1,17 @@
{ config, myUtils, ... }: { config, ... }:
let let
inherit (config.secrets) sopsDir username; inherit (config.secrets) owner;
owner = config.users.users.${username}.name;
in in
{ {
config.sops = { config = {
secrets = myUtils.mkSopsSecrets sopsDir "taskwarrior" [ secrets.groups.taskwarrior = [
"sync-server-url" "sync-server-url"
"sync-server-client-id" "sync-server-client-id"
"sync-encryption-secret" "sync-encryption-secret"
] { inherit owner; }; ];
templates."taskrc.d/sync" = { sops.templates."taskrc.d/sync" = {
inherit owner; inherit owner;
content = '' content = ''
sync.server.url=${config.sops.placeholder."taskwarrior/sync-server-url"} sync.server.url=${config.sops.placeholder."taskwarrior/sync-server-url"}

41
utils/default.nix
View File

@@ -1,41 +1,12 @@
{ lib }: { lib }:
let
hosts = import ./hosts.nix;
secrets = import ./secrets.nix { inherit lib; };
in
{ {
dirNames = dirNames =
path: builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir path)); path: builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir path));
hostMeta =
hostDir:
if builtins.pathExists (hostDir + "/meta.nix") then
import (hostDir + "/meta.nix")
else
throw "meta.nix required in ${hostDir}";
mkSopsSecrets =
sopsDir: group: names: extraOpts:
let
file = "${group}.yaml";
in
lib.foldl' lib.mergeAttrs { } (
map (name: {
"${group}/${name}" = {
sopsFile = "${sopsDir}/${file}";
key = name;
}
// extraOpts;
}) names
);
sopsAvailability =
config: osConfig:
let
osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? secrets;
hmSopsAvailable = config ? sops && config.sops ? secrets;
preferOs = osSopsAvailable;
in
{
available = osSopsAvailable || hmSopsAvailable;
secrets = if preferOs then osConfig.sops.secrets else config.sops.secrets;
templates = if preferOs then osConfig.sops.templates else config.sops.templates;
};
} }
// hosts
// secrets

8
utils/hosts.nix Normal file
View File

@@ -0,0 +1,8 @@
{
hostMeta =
hostDir:
if builtins.pathExists (hostDir + "/meta.nix") then
import (hostDir + "/meta.nix")
else
throw "meta.nix required in ${hostDir}";
}

37
utils/secrets.nix Normal file
View File

@@ -0,0 +1,37 @@
{ lib }:
{
mkSopsSecrets =
sopsDir: owner: groups:
let
opts = lib.optionalAttrs (owner != null) { inherit owner; };
mkGroup =
group: names:
let
file = "${group}.yaml";
in
lib.foldl' lib.mergeAttrs { } (
map (name: {
"${group}/${name}" = {
sopsFile = "${sopsDir}/${file}";
key = name;
}
// opts;
}) names
);
in
lib.foldl' lib.mergeAttrs { } (lib.mapAttrsToList mkGroup groups);
sopsAvailability =
config: osConfig:
let
osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? secrets;
hmSopsAvailable = config ? sops && config.sops ? secrets;
preferOs = osSopsAvailable;
in
{
available = osSopsAvailable || hmSopsAvailable;
secrets = if preferOs then osConfig.sops.secrets else config.sops.secrets;
templates = if preferOs then osConfig.sops.templates else config.sops.templates;
};
}