commit a0dd6439df4ad6e724f942c06d52c72fa9ccd1a4 · yemou.pink/nix-configs

.sops.yaml

···

       10
       10
        
               - *dandelion

     

       11
       11
        
               - *lily

     

       12
       12
        
               - *lutea

     

       13
       13
       +
         - path_regex: hidden/syncthing.json$

     

       14
       14
       +
           key_groups:

     

       15
       15
       +
             - age:

     

       16
       16
       +
               - *dandelion

     

       17
       17
       +
               - *lily

     

       18
       18
       +
               - *lutea

     

       13
       19
        
         - path_regex: secrets/dali.yaml$

     

       14
       20
        
           key_groups:

     

       15
       21
        
             - age:

dandelion/config.nix

···

       17
       17
        
           ../modules/nix.nix

     

       18
       18
        
           ../modules/remote-build-machines.nix

     

       19
       19
        
           ../modules/sss.nix

     

       20
       20
       +
           ../modules/syncthing.nix

     

       20
       21
        
       

     

       21
       22
        
           ../modules/services/caddy

     

       22
       23
        
           ../modules/services/caddy/atproto-did.nix

+28

hidden/syncthing.json

···

       1
       1
       +
       {

     

       2
       2
       +
       	"dandelion": {

     

       3
       3
       +
       		"device-id": "ENC[AES256_GCM,data:9cQ0UcJPHf3cWT6ABbSGA7yXjFx259lY88ZNbwwJjzMLF2fg/O5wU3qV9zbhhvClTkOepDSYKT1vSSGUT2U6,iv:evUyvt0VfnE/7KWGjI5cwmf7sIODuU/xfozAJJV3qIk=,tag:oYZlKJuRDoEh6vzGJFkpNA==,type:str]"

     

       4
       4
       +
       	},

     

       5
       5
       +
       	"lily": {

     

       6
       6
       +
       		"device-id": "ENC[AES256_GCM,data:QBoqthsC94CjSh5ZnmtkMJjdHVaNeop/rCfraEPMh4nGUqpy3PS2vRmPu3OfK4Avw02y3EPyoP8plqBXBRbc,iv:ZDCCequtiX9Bk0NF3hP4h/GGkbu6sBSKCXOFIcL3U/E=,tag:XZqzbasSBWo472YPIugklA==,type:str]"

     

       7
       7
       +
       	},

     

       8
       8
       +
       	"sops": {

     

       9
       9
       +
       		"age": [

     

       10
       10
       +
       			{

     

       11
       11
       +
       				"recipient": "age1p5y7px4qnlgxgxd6j5vg4wtpzs24fnh4808ws7gah3x89j66muasxz7ck2",

     

       12
       12
       +
       				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWa0JpcEhYTytSZEFMWnMr\nRXo1TGozd0o5MUpIZ2kyTXFneWszRVRoMVd3CkJYOUZhRzR5b3kzbmxHcVByalFP\nRzJlMG0yQjNYVHEydDAvQ2dvSUZwR2sKLS0tIGU3OFRYdml5YmNyK0hzZFRmWnpJ\nTGdnUW9MUTVBRmRSSVplMHVKSUUyVUkKt/qajgJ2+CSZexX9Syzpzuowl36Otk+F\nXOlD3LUEIciza6sCsTuIi6PSAt1Ro6GgSw128AegO2YUG3zEe5DFGA==\n-----END AGE ENCRYPTED FILE-----\n"

     

       13
       13
       +
       			},

     

       14
       14
       +
       			{

     

       15
       15
       +
       				"recipient": "age1amaa55e7nusv904a9ucfvtnjlw4srtet42suehey6u3yc4t2xc5sdldepj",

     

       16
       16
       +
       				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUWE5aNkxFOE1ZdXRTNTVv\naXJmSkU4YXJ1SUQxQkZNQW1EWHFaR1dScGtRClhGc2VLUFA5T1NlMFMvU1VveC93\nb1AzSHNDVXNtMldHczQ4TG85dEV5dmMKLS0tIGh0SFdwbktxR25Ja2s0dTJaTnlM\nczZhTDhzWTNpRnQ3ZVhHQWtWbXpCWE0KEg9F/2NVATX1pQjmC1cNmJAtqVsIOhtl\n8jU2FuaBwukrlB92iAsJIgi0YTLiEC/y6KRLXfBW7Qmf1ePnvrqstw==\n-----END AGE ENCRYPTED FILE-----\n"

     

       17
       17
       +
       			},

     

       18
       18
       +
       			{

     

       19
       19
       +
       				"recipient": "age1p55em5e3uk3fprj2mpum7ulrslcqgly63pjsyw2yv6hx99trdsnsvvv9ex",

     

       20
       20
       +
       				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzT3g4cXowbyt6UXZJa0Uw\nU2JmQWFFOGNGekcrcDVIWWM5azVnTHdnYUVjCnpXMmV3RXNQei9XaTcvamVDWlhR\neFZYbC9qM2dJS21UbHFaSnE2TXpUSjgKLS0tIDlDRzBaTjFQVXRsVXFXWng2VExu\nZUNzaVdnSG9qaE93cHNvZHg4OHJEaFEKBZ4+MAMbzu49WZfac0m0rvBGwjN5WKge\ncz0/GqBOjcHzOo1Bc0UkM4SMjD/7l7cUZxLw8IO1LiTx4kJgxk7OZw==\n-----END AGE ENCRYPTED FILE-----\n"

     

       21
       21
       +
       			}

     

       22
       22
       +
       		],

     

       23
       23
       +
       		"lastmodified": "2025-05-14T11:07:45Z",

     

       24
       24
       +
       		"mac": "ENC[AES256_GCM,data:NyH9pU3bAxOgeXxGOeGXGgchUZ4pNINVBznzCMv1WsfeIRORh/w7VmsflqPFZxkbE/XKtmPZG+wFB9QQaUcCIQB9SW1fqlnlpygHFpTcAjqz+gfGFYRtFmNKAaveuLYpA02wluXxSHZCzRW8JgqVVjyMsEBm5ifm8sq7NrtJt8k=,iv:Yq2LW3b1EKQtIFB/eUuOtuiEX6F7yZe2ZE7uCbreImY=,tag:jQxspW81i4Ysm8cnuaKYAA==,type:str]",

     

       25
       25
       +
       		"unencrypted_suffix": "_unencrypted",

     

       26
       26
       +
       		"version": "3.10.2"

     

       27
       27
       +
       	}

     

       28
       28
       +
       }

+3 -7

modules/packages/buildConfig/buildConfig.sh

···

       20
       20
        
       	done

     

       21
       21
        
       )

     

       22
       22
        
       

     

       23
       23
       -
       [ -e "$temp_dir/hidden/network.json" ] || {

     

       24
       24
       -
       	printf '%s\n' "/config/hidden/network.json is not yet staged"

     

       25
       25
       -
       	exit 1

     

       26
       26
       -
       }

     

       27
       27
       -
       

     

       28
       28
       -
       SOPS_AGE_KEY_FILE=${SOPS_AGE_KEY_FILE:=/data/keys.txt} \

     

       29
       29
       -
       	sops decrypt --in-place "$temp_dir/hidden/network.json"

     

       23
       23
       +
       for json in "$temp_dir/hidden/"*".json"

     

       24
       24
       +
       do SOPS_AGE_KEY_FILE=${SOPS_AGE_KEY_FILE:=/data/keys.txt} sops decrypt --in-place "$json"

     

       25
       25
       +
       done

     

       30
       26
        
       

     

       31
       27
        
       nixos-rebuild switch --flake "$temp_dir#$hostname" "$@"

     

       32
       28
        
       rm -r "$temp_dir"

modules/services/caddy/default.nix

···

       14
       14
        
           443

     

       15
       15
        
         ];

     

       16
       16
        
       

     

       17
       17
       +
         users.users.syncthing.extraGroups = [ "caddy" ];

     

       18
       18
       +
         services.syncthing.settings.folders.caddy-certs = {

     

       19
       19
       +
           enable = true;

     

       20
       20
       +
           path = "/var/lib/caddy/.local/share/caddy/certificates";

     

       21
       21
       +
           devices = [ "lily" ];

     

       22
       22
       +
           type = "sendonly";

     

       23
       23
       +
         };

     

       24
       24
       +
       

     

       17
       25
        
         services.caddy = {

     

       18
       26
        
           enable = true;

     

       19
       27
        
           email = "acme@mou.pink";

+83

modules/syncthing.nix

···

       1
       1
       +
       { config, lib, ... }:

     

       2
       2
       +
       {

     

       3
       3
       +
         options.garden.info.syncthing = lib.mkOption {

     

       4
       4
       +
           description = "Information about the syncthing network";

     

       5
       5
       +
           type =

     

       6
       6
       +
             with lib.types;

     

       7
       7
       +
             attrsOf (

     

       8
       8
       +
               submodule (

     

       9
       9
       +
                 { name, ... }:

     

       10
       10
       +
                 {

     

       11
       11
       +
                   options = {

     

       12
       12
       +
                     name = lib.mkOption {

     

       13
       13
       +
                       type = str;

     

       14
       14
       +
                       description = "Name of the device";

     

       15
       15
       +
                     };

     

       16
       16
       +
                     device-id = lib.mkOption {

     

       17
       17
       +
                       type = str;

     

       18
       18
       +
                       description = "Syncthing ID for the device";

     

       19
       19
       +
                     };

     

       20
       20
       +
                   };

     

       21
       21
       +
       

     

       22
       22
       +
                   config.name = name;

     

       23
       23
       +
                 }

     

       24
       24
       +
               )

     

       25
       25
       +
             );

     

       26
       26
       +
         };

     

       27
       27
       +
       

     

       28
       28
       +
         config = {

     

       29
       29
       +
           garden.info.syncthing = builtins.fromJSON (builtins.readFile ../hidden/syncthing.json);

     

       30
       30
       +
       

     

       31
       31
       +
           sops.secrets = {

     

       32
       32
       +
             "syncthing/cert" = { };

     

       33
       33
       +
             "syncthing/key" = { };

     

       34
       34
       +
           };

     

       35
       35
       +
       

     

       36
       36
       +
           networking.firewall.interfaces.${config.services.netbird.clients.homelab.interface} = {

     

       37
       37
       +
             allowedTCPPorts = [ 22000 ];

     

       38
       38
       +
             allowedUDPPorts = [ 22000 ];

     

       39
       39
       +
           };

     

       40
       40
       +
       

     

       41
       41
       +
           services.syncthing = {

     

       42
       42
       +
             enable = true;

     

       43
       43
       +
             cert = config.sops.secrets."syncthing/cert".path;

     

       44
       44
       +
             key = config.sops.secrets."syncthing/key".path;

     

       45
       45
       +
             overrideFolders = true;

     

       46
       46
       +
             overrideDevices = true;

     

       47
       47
       +
             settings = {

     

       48
       48
       +
               devices =

     

       49
       49
       +
                 if (config.networking.hostName == "dandelion") then

     

       50
       50
       +
                   {

     

       51
       51
       +
                     "lily" = {

     

       52
       52
       +
                       id = config.garden.info.syncthing.lily.device-id;

     

       53
       53
       +
                       addresses = [

     

       54
       54
       +
                         "tcp://${config.garden.info.network.lily.netbird-ip}"

     

       55
       55
       +
                         "quic://${config.garden.info.network.lily.netbird-ip}"

     

       56
       56
       +
                       ];

     

       57
       57
       +
                     };

     

       58
       58
       +
                   }

     

       59
       59
       +
                 else if (config.networking.hostName == "lily") then

     

       60
       60
       +
                   {

     

       61
       61
       +
                     "dandelion" = {

     

       62
       62
       +
                       id = config.garden.info.syncthing.dandelion.device-id;

     

       63
       63
       +
                       addresses = [

     

       64
       64
       +
                         "tcp://${config.garden.info.network.dandelion.netbird-ip}"

     

       65
       65
       +
                         "quic://${config.garden.info.network.dandelion.netbird-ip}"

     

       66
       66
       +
                       ];

     

       67
       67
       +
                     };

     

       68
       68
       +
                   }

     

       69
       69
       +
                 # Unknown device

     

       70
       70
       +
                 else

     

       71
       71
       +
                   { };

     

       72
       72
       +
               options = {

     

       73
       73
       +
                 urAccepted = -1;

     

       74
       74
       +
                 relaysEnabled = false;

     

       75
       75
       +
                 globalAnnounceEnabled = false;

     

       76
       76
       +
                 localAnnounceEnabled = false;

     

       77
       77
       +
                 startBrowser = false;

     

       78
       78
       +
                 stunServer = "butwho.org:3478";

     

       79
       79
       +
               };

     

       80
       80
       +
             };

     

       81
       81
       +
           };

     

       82
       82
       +
         };

     

       83
       83
       +
       }

+6 -8

secrets/dandelion.yaml

···

       2
       2
        
       passwordHashes:

     

       3
       3
        
           root: ENC[AES256_GCM,data:Sd7brLDa9QLKBUrPMPMDDMG1rZc1jklLXjDprhK/X27ZPg/T6hDFvfc0buWoY8Rbidw9WoT3oA8Me9SQF6U70Mr1HNUHYlT2zA==,iv:1z2SgWdghTk5dp+OCWdj1h5KWMXgO8gjDKoG1FljMy8=,tag:T4nkg2jJudq8JOsf8w06zA==,type:str]

     

       4
       4
        
           mou: ENC[AES256_GCM,data:xKNnwWsLSh41U7n8aGa7kkO8ylo2hcCpuZ7tptZKm132eyH5rUk1poVqqqoxQSMdiWQKrTlLAXZuQJM/lG9xr62Yfvy4mhz1sA==,iv:UL1+u/Beilym5sL5AeqVky/o7q332Hm0nDJ9CJ1lVec=,tag:LuO4dqTERugIap6oOsNokA==,type:str]

     

       5
       5
       +
       syncthing:

     

       6
       6
       +
           cert: ENC[AES256_GCM,data:o7yV7nSqMKqpJ5zZ9s6CmQYgm4L8KyntdlJ2gQedmSocR3UYjkwJkQflrEORiTOJR6DJGjdyFhg37k8cfNApIK2aDyVD8pKbH6iUcFF0asg+aUlkr0X6MZh6B+NAOfz1qHpFDrE8hbn2rqMNC1+eanV85ROYVrEuWNDo1u4G1jLhRzqi4gzKNCOl0D6+3ol8sgkaZAPtRO0IBh3UUmgrGwmVGQMyavpS2tcqlJ3E6icjSWepX0UzRYUBmSermQeIZDO5W+BpU4hkmrPfWrMGeEWEumIBPxxLuWHMoossOq10NVJ6FjS5z9ud2AwXMngWZ5p9p6+f1azWqSp6cLh8rD03ZnfztJQw9/J/nEsF9O1OqDRIG1uhEOD7URrvhRl51hDbwOm6lFNonmbKFi2JUyxKLK/uVQABx7zsslcGuCU/xPgi3XFngYgYwnj9rNAfD+ImaogPmIW7XMU/NTgG/P3+9eMjR0XEzeZXMT0MVk/RT3+XWzOjTePCC7fOUCoAcN0CFT3vx/HsOLX/h4HpLLVmqz9u7qjG3/6GcNA2NRx9AOkjsLd8BcTzoTfwX/hYrQXpMyOHIjmI1Y29bWEmeecbiz+kZpnI0BsXYpCICqvPGxoMQo/T3hYDLdTDIAmtsUTgqjPbudGKeM/fxjDY8kOpmcOjf2GEBGLfe8w500vb/QYlbALXD+PpuwQgS6sPtsXdEnw7d5Sw6+9AEPPGzeTe6U2xONS6H+aTwpfWqS1RwwJCXZpc9sP5I4AQzaVUk/j6uLmyOKGwXdbt+T5G7yUD/PRnYPriDi4ruKj5jtHEEAQdhDLnUqCZGfX+3/qwB9BTyQdx13bNaYmOPrkfy9MY4mMoBVnkk1M3wFtv+XTXKMkDk2CbRPH2t7ifnkVxKYWnwWSdGR4MC+1VC7YvutMZB5/pE26BA685IVGxNjyQ/cF0x0Bw3To5ft4edS/89V3k46ty9XTnjDsPJZwrj+SJ586EzX9Pzlo9s4zCW7xjry7OxB81ZMLlI6WOivd2umZNomL2hl/ld0sFEkl2CIiQahBDA/l2HA==,iv:GGQrllOl1zM3euq+Lffq/BrEM+D/Xso2AfKBGMDSPIk=,tag:PYp0THpNq9ZQhxmrB/WNyw==,type:str]

     

       7
       7
       +
           key: ENC[AES256_GCM,data:PsOpgifBULla8rCdxFPzujl0YHYY8s+r/Pd7GYMZqe+Jybni9roHlVsfqGChBPBvvHhE4EDFGo+vfncjGGUjlhGGIIuJstyepoYaU7k2t480NdJ5j1lDH/ualuzD4Vvvo3gqRS9SMYxes1bKOP9a8PJ1m1zEcBCH6qn4DvI0yqsZhf53km46b/EBTZjeLrt/p0tSM6WdRP8wArDsn3Myb15bwVF4Qs4oPlS5Dm8K+dYbksphxe/Exod0b2ZRIiDuSF6bLwdM6nEBC46oF7qUsD/3XpzmmbRCGY/3UrbOzRhyuhDB4ze3baEjeNwJQVzgBsJMSE8bX7vDcWGBD3S/hqSrp3BCrnKTN38Dw+y4baaMSpIAsQx7Wy3Q2GCBorg=,iv:5OrV6odFEreWrUjczCGI4r2kUuG+FumqqiybeAeoV2c=,tag:+DXZ/0RcoqeIbew3S/MDXA==,type:str]

     

       5
       8
        
       sops:

     

       6
       6
       -
           kms: []

     

       7
       7
       -
           gcp_kms: []

     

       8
       8
       -
           azure_kv: []

     

       9
       9
       -
           hc_vault: []

     

       10
       9
        
           age:

     

       11
       10
        
               - recipient: age1p5y7px4qnlgxgxd6j5vg4wtpzs24fnh4808ws7gah3x89j66muasxz7ck2

     

       12
       11
        
                 enc: |

     
···

       17
       16
        
                   bFpBYWRMYi9wcXlvSkExNVEzNldMZ2MKSfrbClrpiSz4ZPlScIY3EpTyZMa9aiaY

     

       18
       17
        
                   6UhOvLwesOKm7TCFyKbSR+xFmro6kOCt0VpcxXtRBQ6Je0bo6HvuSA==

     

       19
       18
        
                   -----END AGE ENCRYPTED FILE-----

     

       20
       20
       -
           lastmodified: "2024-10-27T22:06:02Z"

     

       21
       21
       -
           mac: ENC[AES256_GCM,data:c9wPpSRqCDEKw+wUjjJrHhYCOedZz8mJuGrGLlDcJ4SPHudqCBM2hmYEGWoGpape/8CtmayLI6x3/xkA/SzgRFQaFQHG3oOh3smrLXEo1ir7NCVVL8+xnRmQPBbrP6tTkOYb4d21ogeMXRnBwXxypf+YN5r7E6+GIyd/plx5usc=,iv:I+SA27LuHAvI1uysVeKBJDrCI6V0voAiexNnwAYNiUs=,tag:R3GU6Kf/GalOcLBLnhDbhA==,type:str]

     

       22
       22
       -
           pgp: []

     

       19
       19
       +
           lastmodified: "2025-05-14T10:44:55Z"

     

       20
       20
       +
           mac: ENC[AES256_GCM,data:iUYApCuh0T3vzhn4oebX1NaGgMsQF+U7q3mSdx5/IAPLxnv2++0w1+hZ3Yv4S8ij1OyL9sAedOsEt/3kCwXf3GblxofstbTO0srhQRvRjF16URmzjGj18ts8OdDDSUWdwRktGYEqlDeGetA75KAo/S2Zewx72MJCq0mOLyIqH8A=,iv:Mn+qTHaVQDFDbrykVUmPkjPjjfTXWoTZ0IF3KOskC6g=,tag:E5bO9sIsomAPfEB3PWziKQ==,type:str]

     

       23
       21
        
           unencrypted_suffix: _unencrypted

     

       24
       24
       -
           version: 3.9.1

     

       22
       22
       +
           version: 3.10.2