From 8a8b69b79bf4b005d5d50a8ae6791e1b303a7c81 Mon Sep 17 00:00:00 2001 From: Toast Date: Mon, 19 Feb 2024 13:22:25 +0100 Subject: [PATCH 1/4] Flake: add secrets repo --- flake.lock | 17 +++++++++++++++++ flake.nix | 4 ++++ 2 files changed, 21 insertions(+) diff --git a/flake.lock b/flake.lock index 15b7eeb..76a0889 100644 --- a/flake.lock +++ b/flake.lock @@ -411,9 +411,26 @@ "nixpkgs-unstable-raw": "nixpkgs-unstable-raw", "nur": "nur", "plasma-manager": "plasma-manager", + "secrets": "secrets", "vscode-extensions": "vscode-extensions" } }, + "secrets": { + "flake": false, + "locked": { + "lastModified": 1708347322, + "narHash": "sha256-30rLLNMGvVz8xbklqRpA3uE6UDneAUGFz7dCmH9YbA8=", + "ref": "refs/heads/main", + "rev": "409536f1d2b8ffe741fe47b8701ba28137f9de38", + "revCount": 3, + "type": "git", + "url": "http://git.everest.sable-pancake.ts.net/Toast/nix-secrets" + }, + "original": { + "type": "git", + "url": "http://git.everest.sable-pancake.ts.net/Toast/nix-secrets" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 4074c49..326a5f9 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,10 @@ description = "Configuration for Everest"; inputs = { + secrets = { + url = "git+http://git.everest.sable-pancake.ts.net/Toast/nix-secrets"; + flake = false; + }; nixpkgs-raw.url = "nixpkgs/nixos-23.11"; nixpkgs-unstable-raw.url = "nixpkgs/nixos-unstable"; From a1f41b62954084027a5ee0914b5399f598d9cd78 Mon Sep 17 00:00:00 2001 From: Toast Date: Mon, 19 Feb 2024 14:00:39 +0100 Subject: [PATCH 2/4] WinMax2: mount persist subvolume --- machines/WinMax2/hardware-configuration.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/machines/WinMax2/hardware-configuration.nix b/machines/WinMax2/hardware-configuration.nix index de97fb0..39126af 100755 --- a/machines/WinMax2/hardware-configuration.nix +++ b/machines/WinMax2/hardware-configuration.nix 
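Review bot: The new `secrets` input in flake.nix is fetched over plain `git+http://`, so the only thing that authenticates its contents is the `narHash` recorded in flake.lock; a first clone or any `nix flake update` trusts whatever the network returns. The `.ts.net` hostname suggests the repo is only reachable over a Tailscale tailnet, whose transport is encrypted and peer-authenticated, but that assumption should be written down rather than relied on silently, e.g. `# Reachable only over the tailnet (transport authenticated by Tailscale); contents pinned by flake.lock`. It is also worth a comment on the input that, because it is consumed with `flake = false` as a store path, the entire repository is copied into the world-readable /nix/store, so it must hold only age-encrypted files and never a plaintext key.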
@@ -43,12 +43,12 @@ in fsType = "btrfs"; options = [ "subvol=@" ]; }; - /*"btrfs_boot" = { - mountPoint = "/boot"; + "btrfs_persist" = { + mountPoint = "/persist"; label = ssdLabel; fsType = "btrfs"; - options = [ "subvol=@boot" ]; - };*/ + options = [ "subvol=@persist" ]; + }; "btrfs_home" = { mountPoint = "/home"; label = ssdLabel; From 2f0230c4010641bd4e08f99e8bb699a9b224d26c Mon Sep 17 00:00:00 2001 From: Toast Date: Mon, 19 Feb 2024 14:01:17 +0100 Subject: [PATCH 3/4] Common: set up secrets --- roles/common/configuration.nix | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/roles/common/configuration.nix b/roles/common/configuration.nix index 9caaeb9..3e42588 100755 --- a/roles/common/configuration.nix +++ b/roles/common/configuration.nix @@ -105,11 +105,7 @@ # Set up secrets age = { identityPaths = [ - "/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_ed25519_key" - # This key has a passcode, so if you need to use it you'll have to - # enter the password A LOT of times. Only on the first setup tho - "/tmp/id_ed25519_bootstrap" + "/persist/id_host" ]; }; From 436c1785a8a03316d19d7b2118b0fbf60d31330c Mon Sep 17 00:00:00 2001 From: Toast Date: Mon, 19 Feb 2024 14:02:05 +0100 Subject: [PATCH 4/4] Common/syncthing: use key and cert from secrets --- roles/common/services/syncthing.nix | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/roles/common/services/syncthing.nix b/roles/common/services/syncthing.nix index 5691ef3..9bcfb63 100755 --- a/roles/common/services/syncthing.nix +++ b/roles/common/services/syncthing.nix 
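Review bot: The new `btrfs_persist` entry has no `neededForBoot = true;`, so /persist is mounted by systemd in stage 2, after NixOS activation scripts have already run; anything read during activation from that subvolume (this series points the age identity at `/persist/id_host`) will be missing at that point and secret decryption fails on boot. Add `neededForBoot = true;` alongside `options = [ "subvol=@persist" ];` so the subvolume is mounted from the initrd. This assumes the identity is only ever read from /persist and not copied to the root filesystem elsewhere in the configuration — confirm against the age setup.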
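Review bot: `identityPaths` is now a single file, `/persist/id_host`, and nothing in the hunk says who provisions it, what permissions it needs, or that it has to exist before the first activation; if it is absent or unreadable, every `age.secrets` entry on the host fails to decrypt. Document that above the entry, e.g. `# Per-host age identity, provisioned out of band (root:root, mode 0600); must live on a filesystem mounted before activation`. Since the host SSH keys were dropped from the list, there is no longer any fallback identity, so losing /persist means re-provisioning — if that is intended, a line saying so would spare the next reader the guess.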
@@ -1,7 +1,19 @@ -{ config, ... }: +{ config, flakeSelf, ... }: + +let + hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName; +in { + # Get secrets + age.secrets = { + syncthingKey.file = hostSecrets + "/syncthingKey.age"; + syncthingCert.file = hostSecrets + "/syncthingCert.age"; + }; + services.syncthing = { + key = config.age.secrets.syncthingKey.path; + cert = config.age.secrets.syncthingCert.path; overrideDevices = true; overrideFolders = true; openDefaultPorts = true;
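Review bot: The two `age.secrets` entries set only `file`, so agenix installs the decrypted files with its defaults (owner root, mode 0400), yet their paths are handed to `services.syncthing.key`/`cert` and the syncthing unit normally runs as the `syncthing` user, not root; unless this host overrides `services.syncthing.user`, the service cannot read its own key and certificate. Give each secret the service's owner: `syncthingKey = { file = hostSecrets + "/syncthingKey.age"; owner = config.services.syncthing.user; };` and likewise `syncthingCert = { file = hostSecrets + "/syncthingCert.age"; owner = config.services.syncthing.user; };`. A short comment on `hostSecrets` that it assumes a directory named after `networking.hostName` exists in the secrets repo would also help, since a missing directory only surfaces as an evaluation error.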