diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..0b573f8 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - &host_loki age16a4ywf6pycs9l8rn7y34c6y8pqfz9utmwwkr70d0hapknkzdaafsesn0ff +creation_rules: + - path_regex: secrets.yaml$ + key_groups: + - age: + - *host_loki diff --git a/flake.nix b/flake.nix index d0d007a..d625685 100644 --- a/flake.nix +++ b/flake.nix @@ -6,6 +6,7 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + sops-nix.url = "github:Mic92/sops-nix"; # nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05"; # disko.inputs.nixpkgs.follows = "nixpkgs"; @@ -26,13 +27,14 @@ outputs = inputs @ { self, - nixpkgs, - nix, - nixpkgs-stable, - nixos-hardware, - home-manager, catppuccin, colmena, + home-manager, + nix, + nixos-hardware, + nixpkgs, + nixpkgs-stable, + sops-nix, ... }: let inherit (self) outputs; diff --git a/home/default.nix b/home/default.nix index 63ef93a..16e99d1 100644 --- a/home/default.nix +++ b/home/default.nix @@ -1,13 +1,20 @@ -{ inputs, outputs, pkgs, pkgs-stable, ... }: { - imports = [ inputs.home-manager.nixosModules.home-manager ]; +{ + inputs, + outputs, + pkgs, + pkgs-stable, + ... +}: { + imports = [inputs.home-manager.nixosModules.home-manager]; home-manager.extraSpecialArgs = { - pkgs-stable = import pkgs-stable { config.allowUnfree = true; }; + pkgs-stable = import pkgs-stable {config.allowUnfree = true;}; inherit inputs outputs; }; home-manager = { # useGlobalPkgs = true; useUserPackages = true; backupFileExtension = "home-manager-backup"; + sharedModules = [inputs.sops-nix.homeManagerModules.sops]; users = { don = { imports = [ @@ -22,8 +29,8 @@ stateVersion = "23.05"; }; programs = { - home-manager = { enable = true; }; - go = { enable = true; }; + home-manager = {enable = true;}; + go = {enable = true;}; }; }; }; diff --git a/hosts/ace/default.nix b/hosts/ace/default.nix index ae079e8..090c9e1 100644 
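Review bot: `key_groups` lists a single age recipient, `*host_loki`, while the rest of this commit imports the sops-nix module on every host, so a `secrets.yaml` matching this rule can only be decrypted by the one machine holding that private key; any other host that later references a secret will fail at activation unless that key is copied around, which defeats the point of per-host keys. Add one recipient per host under `keys:` (sops-nix's usual source is the host's `/etc/ssh/ssh_host_ed25519_key` converted with `ssh-to-age`) plus at least one operator key kept off the fleet, so a lost or reinstalled host does not make the file unrecoverable, and list them in the group, e.g. `- age:` / `  - *host_loki` / `  - *admin`. The new file's YAML indentation is not recoverable from the collapsed diff, so I have not checked the nesting of `key_groups` under `creation_rules`.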
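Review bot: The new `sops-nix.url` input has no `inputs.nixpkgs.follows`, so the flake will lock and evaluate a second, independent nixpkgs for sops-nix alongside the one pinned on the line above it — an extra fetch and a second package set to keep track of when reviewing what is on the hosts. The file already shows the intended pattern in the commented `# disko.inputs.nixpkgs.follows = "nixpkgs";` line; add `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` directly under the new url line. The `inputs` attribute set continues outside the hunk.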
--- a/hosts/ace/default.nix +++ b/hosts/ace/default.nix @@ -1,5 +1,13 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix # ../disko/mmcblk.nix ../workstation @@ -11,5 +19,5 @@ gui.enable = true; kmscon.enable = true; }; - wm = { sway.enable = true; }; + wm = {sway.enable = true;}; } diff --git a/hosts/book/default.nix b/hosts/book/default.nix index 3d24dd2..268cdbc 100644 --- a/hosts/book/default.nix +++ b/hosts/book/default.nix @@ -8,6 +8,7 @@ }: { imports = [ inputs.nixos-hardware.nixosModules.google-pixelbook + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix # ../disko/mmcblk.nix ../workstation diff --git a/hosts/display/default.nix b/hosts/display/default.nix index 05218d3..af4eaf5 100644 --- a/hosts/display/default.nix +++ b/hosts/display/default.nix @@ -1,6 +1,14 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ inputs.nixos-hardware.nixosModules.raspberry-pi-4 + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ../pi-server ./kiosk.nix @@ -10,7 +18,7 @@ nixpkgs.overlays = [ (final: super: { makeModulesClosure = x: - super.makeModulesClosure (x // { allowMissing = true; }); + super.makeModulesClosure (x // {allowMissing = true;}); }) ]; } diff --git a/hosts/dragon/default.nix b/hosts/dragon/default.nix index c90f6f0..03b7149 100644 --- a/hosts/dragon/default.nix +++ b/hosts/dragon/default.nix @@ -1,5 +1,11 @@ -{ inputs, config, pkgs, ... }: { +{ + inputs, + config, + pkgs, + ... +}: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix inputs.nixos-hardware.nixosModules.common-cpu-intel inputs.nixos-hardware.nixosModules.common-gpu-intel @@ -15,5 +21,5 @@ kmscon.enable = true; auto-cpufreq.enable = true; }; - wm = { sway.enable = true; }; + wm = {sway.enable = true;}; } 
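Review bot: `inputs.sops-nix.nixosModules.sops` is added to this host's `imports` by hand, and the identical line is repeated in every other `hosts/*/default.nix` touched by this commit, although each of them already pulls in a shared profile (`../workstation` here, `../server` or `../pi-server` elsewhere). Importing the module once from those shared profiles would give future hosts sops support without an easily forgotten extra line, and would be the natural home for `sops.defaultSopsFile` and `sops.age.sshKeyPaths` (or `sops.age.keyFile`), which none of the host hunks in this diff set — if those options are configured elsewhere in the tree, disregard that second point. The `imports` list's closing `];` lies outside this hunk.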
diff --git a/hosts/eve/default.nix b/hosts/eve/default.nix index d399499..54bc6a9 100644 --- a/hosts/eve/default.nix +++ b/hosts/eve/default.nix @@ -1,6 +1,14 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ inputs.nixos-hardware.nixosModules.google-pixelbook + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix # ../disko/mmcblk.nix ../workstation @@ -14,5 +22,5 @@ kmscon.enable = true; auto-cpufreq.enable = true; }; - wm = { sway.enable = true; }; + wm = {sway.enable = true;}; } diff --git a/hosts/fred/default.nix b/hosts/fred/default.nix index c593b19..59a5f05 100644 --- a/hosts/fred/default.nix +++ b/hosts/fred/default.nix @@ -1,5 +1,13 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ../server ./docker.nix @@ -9,9 +17,9 @@ networking.hostName = "fred"; variables.address = "100.72.236.170"; boot = { - binfmt.emulatedSystems = [ "aarch64-linux" ]; + binfmt.emulatedSystems = ["aarch64-linux"]; loader = { - systemd-boot = { enable = true; }; + systemd-boot = {enable = true;}; efi = { canTouchEfiVariables = true; efiSysMountPoint = "/boot"; diff --git a/hosts/harper/default.nix b/hosts/harper/default.nix index ff0dc57..d115583 100644 --- a/hosts/harper/default.nix +++ b/hosts/harper/default.nix @@ -1,5 +1,16 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../../server ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ../../server + ]; networking.hostName = "harper"; variables.address = "100.72.0.3"; } diff --git a/hosts/harper2/default.nix b/hosts/harper2/default.nix index eaea630..cdce096 100644 --- a/hosts/harper2/default.nix +++ b/hosts/harper2/default.nix 
@@ -1,5 +1,16 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../../server ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ../../server + ]; networking.hostName = "harper2"; variables.address = "100.72.0.4"; } diff --git a/hosts/loki/default.nix b/hosts/loki/default.nix index ad0a609..59f84c8 100644 --- a/hosts/loki/default.nix +++ b/hosts/loki/default.nix @@ -8,6 +8,7 @@ }: { imports = [ inputs.nixos-hardware.nixosModules.framework-amd-ai-300-series + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix # ../disko/nvme.nix ../workstation diff --git a/hosts/nuwww/default.nix b/hosts/nuwww/default.nix index f5e6844..9a72ac6 100644 --- a/hosts/nuwww/default.nix +++ b/hosts/nuwww/default.nix @@ -1,5 +1,16 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../../server ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ../../server + ]; networking.hostName = "nuwww"; variables.address = "100.72.2.1"; } diff --git a/hosts/pi-server/default.nix b/hosts/pi-server/default.nix index 6486158..88e1f69 100644 --- a/hosts/pi-server/default.nix +++ b/hosts/pi-server/default.nix @@ -126,6 +126,7 @@ environment.systemPackages = with pkgs; [ python313 + age base16-schemes bash-completion btop diff --git a/hosts/pi1/default.nix b/hosts/pi1/default.nix index b791108..f6dc824 100644 --- a/hosts/pi1/default.nix +++ b/hosts/pi1/default.nix @@ -1,4 +1,16 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../pi-server ./kiosk.nix ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ../pi-server + ./kiosk.nix + ]; networking.hostName = "pi1"; } 
diff --git a/hosts/pihole/default.nix b/hosts/pihole/default.nix index e595ddf..6134b3b 100644 --- a/hosts/pihole/default.nix +++ b/hosts/pihole/default.nix @@ -1,4 +1,15 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../../server ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ../../server + ]; networking.hostName = "pihole"; } diff --git a/hosts/pocket2/default.nix b/hosts/pocket2/default.nix index 03c06c9..fef4063 100644 --- a/hosts/pocket2/default.nix +++ b/hosts/pocket2/default.nix @@ -7,6 +7,7 @@ ... }: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix inputs.nixos-hardware.nixosModules.common-cpu-intel inputs.nixos-hardware.nixosModules.common-gpu-intel diff --git a/hosts/server/default.nix b/hosts/server/default.nix index 6e3f469..e1a883b 100644 --- a/hosts/server/default.nix +++ b/hosts/server/default.nix @@ -156,6 +156,7 @@ in { environment.systemPackages = with pkgs; [ python-with-my-packages + age aspell aspellDicts.en base16-schemes diff --git a/hosts/smaug/default.nix b/hosts/smaug/default.nix index 717356c..0ea7c3f 100644 --- a/hosts/smaug/default.nix +++ b/hosts/smaug/default.nix @@ -1,8 +1,16 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x260 inputs.nixos-hardware.nixosModules.common-pc-laptop inputs.nixos-hardware.nixosModules.common-pc-ssd + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix # ../disko/sda.nix ../workstation @@ -17,5 +25,5 @@ auto-cpufreq.enable = true; gnome-calendar.enable = true; }; - wm = { sway.enable = true; }; + wm = {sway.enable = true;}; } diff --git a/hosts/template/default.nix b/hosts/template/default.nix index 3ae972a..7fcc8ce 100644 --- a/hosts/template/default.nix +++ b/hosts/template/default.nix 
@@ -1,5 +1,13 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix # ../disko/mmcblk.nix ../workstation diff --git a/hosts/vm/default.nix b/hosts/vm/default.nix index c7a922b..fcfc608 100644 --- a/hosts/vm/default.nix +++ b/hosts/vm/default.nix @@ -1,4 +1,15 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../server ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ../server + ]; networking.hostName = "vm"; } diff --git a/hosts/vm1/default.nix b/hosts/vm1/default.nix index 2e22e73..07d54a4 100644 --- a/hosts/vm1/default.nix +++ b/hosts/vm1/default.nix @@ -1,4 +1,14 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ]; networking.hostName = "vm1"; } diff --git a/hosts/w1/default.nix b/hosts/w1/default.nix index 96fef6a..2347dfb 100644 --- a/hosts/w1/default.nix +++ b/hosts/w1/default.nix @@ -1,5 +1,13 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ./network.nix ../server @@ -10,9 +18,8 @@ variables.address = "100.72.16.240"; boot = { initrd = { - availableKernelModules = - [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; - kernelModules = [ "nvme" ]; + availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; + kernelModules = ["nvme"]; }; loader = { grub = { diff --git a/hosts/w2/default.nix b/hosts/w2/default.nix index eebffb6..56b798d 100644 --- a/hosts/w2/default.nix +++ b/hosts/w2/default.nix 
@@ -1,5 +1,13 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ./network.nix ../server @@ -8,9 +16,8 @@ networking.hostName = "w1"; boot = { initrd = { - availableKernelModules = - [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; - kernelModules = [ "nvme" ]; + availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; + kernelModules = ["nvme"]; }; loader = { grub = { diff --git a/hosts/www2/default.nix b/hosts/www2/default.nix index d7cd327..2748d3c 100644 --- a/hosts/www2/default.nix +++ b/hosts/www2/default.nix @@ -1,4 +1,11 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../../server ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ../../server]; networking.hostName = "www2"; } diff --git a/secrets.yaml b/secrets.yaml new file mode 100644 index 0000000..d4b6978 --- /dev/null +++ b/secrets.yaml 
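Review bot: The second hunk header of hosts/w2/default.nix shows `networking.hostName = "w1";` as its context line, which looks like a leftover from copying hosts/w1 (whose own hunk in this commit carries `variables.address = "100.72.16.240"` under the name `w1`) and is not touched here; two machines reporting the same hostname will confuse logs, Tailscale/SSH host identification and any per-host sops rule keyed on the name. If it is unintentional, change it to `networking.hostName = "w2";`. That line sits between the two hunks rather than inside them, so I am reading it from the header only and may be missing a deliberate override.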
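Review bot: `imports = [inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ../../server];` is kept on a single line in hosts/www2/default.nix, while the otherwise identical hosts in this commit (harper, harper2, nuwww, pihole, vm) were expanded to one import per line. Use the same multi-line form as hosts/vm/default.nix so that a later host-specific import produces a one-line diff instead of a rewrite of the whole list.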
@@ -0,0 +1,28 @@
+#ENC[AES256_GCM,data:ZNxS2TSn,iv:29wdug8DNsqXK9gi3+HNSW1eeJGTcMtvccH2nFLk1DY=,tag:S3qAU5HB8Y5595dA6ItCmQ==,type:comment]
+root_password: ENC[AES256_GCM,data:T4xaN92i7Q==,iv:dBznOslNEYSv2b90PZbR0G84hJyrI2sYR1YzJuLWPK0=,tag:mXT4ir6t4oOeT0X8S3QTSA==,type:str]
+root_sshauth: ENC[AES256_GCM,data:eSxg81u5yRSSev2clW4YL2b6T4ygfUon636T+q2MTnoBQTbZxaknvJxNJemEGQKJRRNmzFQzP2LVWH7WbcNsALt0FQyo8oRJnSlGxebk+1MIlgrFxqFlY8c=,iv:7jyZ9WrKyX5EbbGYunzN/Ez2ULuKGo+FkVHk7hBtEtY=,tag:Gbr/ylA1S/9ZDfvK4xUvGg==,type:str]
+don_password: ENC[AES256_GCM,data:LUAJQBmJlQ==,iv:FKmu8y6DuWa/XD0wqb7dxJNxITzrKOZNGZF94pqaaUo=,tag:YZdiWDImCi7AXYoU3uB0vw==,type:str]
+don_sshauth: ENC[AES256_GCM,data:No8G1fgYWWKhUbaydGoxHe+fGWI5p0fD9cx2qegI+dZ9DV1ENKiACsJzWd004ZHA2G9PGzSeGb/p8Ay/3zVbSLJccWeblNE+P7e/HlGixZRXmv9BcvXm5cE=,iv:Bd3QLGrctTaBfOHMAnmPys8uViQFbBh4D2cxxhEeQJE=,tag:LD2QStSyEJ5yxQMbHOz3WA==,type:str]
+vicky_password: ENC[AES256_GCM,data:XCKBMoOV,iv:swdBKF0STzMFbzYMBI8/nuNTE5B5DN7STkdNVx0w8Ys=,tag:Lw4SkSm3W0xh80M8loD/BQ==,type:str]
+vicky_sshauth: ENC[AES256_GCM,data:1ec9IXnH4FSPG+9M2fMuDsDEo2E4PatwZiH8zIAKPCjlLIgvxRlioDO6fd+a9eaoAOoEIRaIwCOyK+VAlAxshrDA72nGH3xT/RmSeX6nVHGNh7gswdYh2Ts=,iv:jyuN5+Yj3Tfzk7h3ASPrNhxaFezJGLE5eWtgKl1SulY=,tag:gsQCp5g1ZpQA/wrWfGODqA==,type:str]
+#ENC[AES256_GCM,data:wPhrf7k=,iv:2HQ4jzpjasLF1gZCfVCGv30xajhBUzhAXsi9s5Cy9JM=,tag:aCM86v27N+TAGVrxbuO5tg==,type:comment]
+smtp_password: ENC[AES256_GCM,data:UvXraq2vRWejRscrg6ZSTg==,iv:ClAb/8jkLgBQC8FsTfEZNC/D9yzW2jZCCz82ziwF/oM=,tag:XxF4y10Dl7DLhvkCR1hV4A==,type:str]
+smtp_server: ENC[AES256_GCM,data:WqiUBqsOvkGTFzMevId6Ug==,iv:ESeB2sKoyacK4nEEULIsCOUKF7WfFPdEcn0AfZ+ENfY=,tag:SgPgSz1ljKR1TynXrcD1Ag==,type:str]
+smtp_port: ENC[AES256_GCM,data:9dtc,iv:M8RhdH1BYBQZ4NqoSKbO6UT22MOtNjmCPaz9AL90nF8=,tag:IUI0z4r+CHTJzwkF/99Ykw==,type:int]
+#ENC[AES256_GCM,data:SFZglQQ16U0jDBTmBuxHH2TGFRt9rOxZTzc=,iv:MnzSRM4bte5WACvlTDSVTqFTBJMFFv8l8e7p1lu/bZE=,tag:v6JKaBu6dl+1jrK0VmpPBg==,type:comment]
+ts_api: 
ENC[AES256_GCM,data:IkJ2+er8agfcTwPwWriensoEg8CQeNl3ZXUcadm3rbraXNKyqLY5UO6RNZxLk2CAvAY4MB7/fDRryDGZ3Po=,iv:ml9vhPKmKI2PlYjzFrVoUMjHRrPdI69zSY2qBa71ODU=,tag:TXnXEbN7X51PYwu8O8DfKw==,type:str] +sops: + age: + - recipient: age16a4ywf6pycs9l8rn7y34c6y8pqfz9utmwwkr70d0hapknkzdaafsesn0ff + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWkF2Q21TTW9NTE9EVXFI + NlI4Y1pZdWZaUkNDQUZxR0lzS1k5ZTZSb2xvCk9jVE9KQytFQXlZdWZXWGgrM3ZV + dnd2TlZlMDV6RlF6RitTeE9BWnJERzgKLS0tIEdKT0xHaDFpMlR1YmJCRkdnaDBp + em9ZMDljK2tXVnVDN1Q2UnYrZWVwblEKE/z1PQsld/r4AEWFyUgt6zNf7QfcLNYh + Btn5qGBPYizmYzAwleNOq5PDINUAlfT9fTfU6QBdRYkarbVjqDV6Pg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-11-12T02:13:51Z" + mac: ENC[AES256_GCM,data:ntO/fVmW2w04YQab12rvDa6feFmiNO4CQmi7LA/5wWt+J4z3qTyfYdNfb0mKEMFo5Wu3KhZWKIi97HDOAsKJqhIEgsdLOY9RbKuH+KHC81qjfRhbKC/yK84JHU2mc3K2cTpuFqw+xhJaGsbLNQYsWxi+dot7QvZTEPcC11XskFY=,iv:erleqHDriT1TQ86s1U8znD4s4o3g+mmClfELWtNNuss=,tag:McJZcWDdDb3X/emXvckPPg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0
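Review bot: The three `*_password` entries are very short: AES-256-GCM ciphertext has the same length as its plaintext, and `data:T4xaN92i7Q==`, `data:LUAJQBmJlQ==` and `data:XCKBMoOV` decode to 7, 7 and 6 bytes, so `root_password`, `don_password` and `vicky_password` hold 6–7 character values rather than password hashes (a yescrypt or sha512-crypt hash is 60+ characters). If they are meant to feed `users.users.<name>.hashedPasswordFile` through sops-nix (which also requires `neededForUsers = true` on the secret), they must be replaced with `mkpasswd` output; if they really are plaintext logins, 6–7 characters is weak for accounts that include `root`. Separately, the `sops.age` block confirms a single recipient `age16a4…sn0ff`, so only that one key can decrypt this file today — after adding recipients to `.sops.yaml`, run `sops updatekeys secrets.yaml` so the data key is re-wrapped for them. The `*_sshauth` values are about 89 bytes each, consistent with a single ssh public-key line, which does not need to be secret, though encrypting it is harmless.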