diff --git a/.justfile b/.justfile index 99e2d75..9b4041a 100644 --- a/.justfile +++ b/.justfile @@ -15,8 +15,8 @@ update: nix flake update @edit-secrets: - git clone ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets.git /tmp/secrets - sed -i 's\git+ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix + git clone ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets.git /tmp/secrets + sed -i 's\git+ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix nix flake update secrets echo "{{bold}}All done!" echo "{{normal}}Remember to restore flake.nix" diff --git a/flake.lock b/flake.lock index e622e4e..dcad82e 100644 --- a/flake.lock +++ b/flake.lock @@ -517,17 +517,18 @@ "nixpkgs-raw": "nixpkgs-raw", "nixpkgs-unstable-raw": "nixpkgs-unstable-raw", "plasma-manager": "plasma-manager", - "secrets": "secrets" + "secrets": "secrets", + "sops-nix": "sops-nix" } }, "secrets": { "flake": false, "locked": { - "lastModified": 1737970846, - "narHash": "sha256-+b44nvv+rKiRdABSHGaTLbp9ysRaHE+s/CuUsA9zNac=", + "lastModified": 1764992299, + "narHash": "sha256-6vJ4teDUQus5TsOMfJZEfDOslsjvkhHPELZiOAeOX8s=", "ref": "refs/heads/main", - "rev": "d8262fb108d0810d21c5e098b54a105e867e72ce", - "revCount": 28, + "rev": "5c3122fc8dd5d6fe855d7da42740272cb2c313d4", + "revCount": 32, "type": "git", "url": "ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets" }, @@ -536,6 +537,26 @@ "url": "ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable-raw" + ] + }, + "locked": { + "lastModified": 1764483358, + "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "5aca6ff67264321d47856a2ed183729271107c9c", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, 
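Review bot: The `git clone` in `@edit-secrets` still checks the secrets repository out to the fixed path `/tmp/secrets`, and nothing in the recipe removes it afterwards, so a second run fails on the existing directory and the checkout lingers in a shared world-writable location. A shebang recipe could clone into `$(mktemp -d)`, point the `sed` replacement at that directory, and `rm -rf` it once `nix flake update secrets` has finished; the hostname change itself is fine. The recipe's remaining lines may continue past the end of this hunk. The flake.lock hunk on this line is lockfile churn and needs no review.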
diff --git a/flake.nix b/flake.nix index 07875bb..b73ccd4 100644 --- a/flake.nix +++ b/flake.nix @@ -16,6 +16,10 @@ darwin.follows = ""; # Not using this on MacOS, so this doesn't pull it's dependencies }; }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs-unstable-raw"; + }; home-manager = { url = "github:nix-community/home-manager/release-25.11"; @@ -167,6 +171,7 @@ modules = [ agenix.nixosModules.default + sops-nix.nixosModules.sops ( if stable then home-manager diff --git a/lib/default.nix b/lib/default.nix index 400dc18..b3febf7 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -4,5 +4,6 @@ nixpkgs.lib.extend (final: prev: { importLib = file: import file {lib = final;}; in { patches = importLib ./patches.nix; + networkManager = importLib ./networkManager.nix; }; }) diff --git a/lib/networkManager.nix b/lib/networkManager.nix new file mode 100644 index 0000000..183501b --- /dev/null +++ b/lib/networkManager.nix @@ -0,0 +1,18 @@ +{lib}: { + /** + Make a NetworkManager wifi profile, to be used with ensureProfiles + */ + mkWifiProfile = {id, ssid, priority ? 0, wifi-security}: { + connection = { + inherit id; + type = "wifi"; + autoconnect-priority = priority; + }; + ipv4.method = "auto"; + wifi = { + mode = "infrastructure"; + inherit ssid; + }; + inherit wifi-security; + }; +} diff --git a/roles/common/configuration.nix b/roles/common/configuration.nix index 284565f..d26b350 100755 --- a/roles/common/configuration.nix +++ b/roles/common/configuration.nix @@ -129,7 +129,10 @@ backupFileExtension = "hm-backup"; useGlobalPkgs = true; verbose = true; - sharedModules = [flakeSelf.inputs.catppuccin.homeModules.catppuccin]; + sharedModules = with flakeSelf; [ + inputs.catppuccin.homeModules.catppuccin + inputs.sops-nix.homeManagerModules.sops + ]; users.toast = {osConfig, ...}: { catppuccin.flavor = osConfig.catppuccin.flavor; catppuccin.accent = osConfig.catppuccin.accent; 
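Review bot: The doc comment on `mkWifiProfile` in the new lib/networkManager.nix states the purpose but none of the arguments, and the function has a non-obvious default. I would extend it to say that `id` becomes `connection.id`, `ssid` becomes `wifi.ssid`, `priority` (default 0) is written to `autoconnect-priority`, and `wifi-security` is passed through verbatim as the profile's `wifi-security` section, so its `psk` may be a `$VAR` reference resolved from `ensureProfiles.environmentFiles` as the callers in roles/desktop/services/networkmanager.nix do. It should also mention that `ipv4.method = "auto"` and `wifi.mode = "infrastructure"` are fixed by the helper rather than configurable.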
@@ -156,6 +159,9 @@ "/persist/id_host" ]; }; + sops = { + age.sshKeyPaths = ["/persist/id_host"]; + }; catppuccin.grub.enable = true; diff --git a/roles/desktop/services/networkmanager.nix b/roles/desktop/services/networkmanager.nix index a9917e3..f19610b 100644 --- a/roles/desktop/services/networkmanager.nix +++ b/roles/desktop/services/networkmanager.nix @@ -1,12 +1,14 @@ { config, + lib, flakeSelf, ... }: let tailscaleName = config.services.tailscale.interfaceName; in { - age.secrets = { - wifiPasswords.file = "${flakeSelf.inputs.secrets}/wifi-passwords.age"; + sops.secrets.wifiPasswords = { + sopsFile = "${flakeSelf.inputs.secrets}/wifi-passwords.env"; + format = "dotenv"; }; networking.networkmanager = { enable = true; @@ -14,42 +16,36 @@ in { "interface-name:${tailscaleName}" ]; ensureProfiles = { - environmentFiles = [config.age.secrets.wifiPasswords.path]; - profiles = { - "4g-modem" = { - connection = { - id = "4G Modem"; - type = "wifi"; - autoconnect-priority = 5; - }; - ipv4.method = "auto"; - wifi = { - mode = "infrastructure"; - ssid = "TP-Link_CCB4"; - }; + environmentFiles = [config.sops.secrets.wifiPasswords.path]; + profiles = with lib.toast.networkManager; { + "4g-modem" = mkWifiProfile { + id = "4G Modem"; + priority = 5; + ssid = "TP-Link_CCB4"; wifi-security = { auth-alg = "open"; key-mgmt = "wpa-psk"; psk = "$MODEM"; }; }; - phone = { - connection = { - id = "Phone"; - type = "wifi"; - autoconnect-priority = 5; - }; - ipv4.method = "auto"; - wifi = { - mode = "infrastructure"; - ssid = "Redmi Note 10 Pro_5197"; - }; + phone = mkWifiProfile { + id = "Phone"; + priority = 5; + ssid = "Redmi Note 10 Pro_5197"; wifi-security = { auth-alg = "open"; key-mgmt = "sae"; psk = "$PHONE"; }; }; + home = mkWifiProfile { + id = "Home"; + ssid = "MOVISTAR-WIFI6-DC98"; + wifi-security = { + key-mgmt = "sae"; + psk = "$HOME"; + }; + }; }; }; };
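Review bot: `sops.age.sshKeyPaths = ["/persist/id_host"]` points sops-nix at the same host key agenix already uses via the `"/persist/id_host"` context line just above, but the file does not say what kind of key that is. sops-nix derives its age identity from an SSH key with ssh-to-age, which handles ed25519 keys, so this only decrypts if `/persist/id_host` is ed25519; a comment such as `# ed25519 host key shared with agenix; sops-nix derives its age identity from it via ssh-to-age` would make the constraint visible. If `/persist` is an impermanence mount it also has to be available before the sops-nix activation step runs, which I cannot confirm from this hunk. The enclosing attribute set starts and ends outside the hunk.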
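Review bot: The new `home` profile uses `psk = "$HOME";`, and `HOME` is a conventional environment variable name, so if the environment in which the placeholders are substituted already defines it the PSK can be shadowed or the wrong value written into the profile. The other profiles avoid this with distinctive names (`$MODEM`, `$PHONE`); renaming this one, e.g. `psk = "$HOME_WIFI";`, together with the matching key in the dotenv secret referenced by `sops.secrets.wifiPasswords.sopsFile`, removes the ambiguity. The enclosing `networking.networkmanager` block starts in the previous hunk, outside this one.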