NixOS + home-manager configs, mirrored from GitLab SaaS. gitlab.com/andreijiroh-dev/nixops-config
nix-flake nixos home-manager nixpkgs nix-flakes
chore(agenix): setup agenix-rekey configs before secrets setup

Signed-off-by: ajhalili2006 <ajhalili2006@gmail.com>

+67 -6
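--- a/flake.nix
+++ b/flake.nix
@@ -570,5 +570,26 @@
 cockpit = ./shared/server/cockpit.nix;
 };
 };
+}
+// flake-utils.lib.eachDefaultSystem (system: rec {
+pkgs = import nixpkgs {
+inherit system;
+overlays = [ agenix-rekey.overlays.default ];
 };
+devShells.default = pkgs.mkShell {
+packages = with pkgs; [
+agenix-rekey
+gitFull
+gh
+glab
+fjo
+nixfmt
+nixfmt-tree
+nil
+nixd
+rage
+ragenix
+];
+};
+});
 }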
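Review bot: `rec { pkgs = ...; devShells.default = ...; }` on new lines 574–593 exports `pkgs` as a per-system flake output, which is not a standard output name and `nix flake check` will warn about it; a `let` keeps the package set private: `(system: let pkgs = import nixpkgs { inherit system; overlays = [ agenix-rekey.overlays.default ]; }; in { devShells.default = pkgs.mkShell { ... }; })`. The `//` on line 574 is a shallow merge, so if the attrset it extends already defines `devShells` or `pkgs` (its start is outside this hunk) that earlier definition is replaced rather than merged. Both `flake-utils` and `agenix-rekey` must be flake inputs in scope here, which this hunk does not show.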
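--- a/hosts/lairland/configuration.nix
+++ b/hosts/lairland/configuration.nix
@@ -51,6 +51,7 @@
 # Bootloader.
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
+
 # we're not using the TPM at the moment
 systemd.tpm2.enable = false;
 boot.initrd.systemd.tpm2.enable = false;
@@ -96,4 +97,7 @@
 live-restore = true;
 };
 };
+
+# agenix stuff
+age.reky.hostPubkey = with import ../../shared/ssh-keys.nix; hosts.stellapent-cier;
 }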
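Review bot: `age.reky.hostPubkey` on new line 102 misspells the agenix-rekey option, which is `age.rekey.hostPubkey`; with the module imported NixOS rejects the undefined option at evaluation, and without it the line silently does nothing. The value also selects `hosts.stellapent-cier` inside the lairland host's configuration, so every secret rekeyed for this machine would be encrypted to the other host's key and be undecryptable here, while being readable by stellapent-cier. Presumably it should read `age.rekey.hostPubkey = with import ../../shared/ssh-keys.nix; hosts.lairland;`, assuming ssh-keys.nix defines that entry.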
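--- a/hosts/stellapent-cier/configuration.nix
+++ b/hosts/stellapent-cier/configuration.nix
@@ -116,4 +116,7 @@
 # Some programs need SUID wrappers, can be configured further or are
 # started in user sessions.
 programs.mtr.enable = true;
+
+# agenix stuff
+age.reky.hostPubkey = with import ../../shared/ssh-keys.nix; hosts.stellapent-cier;
 }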
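Review bot: `age.reky.hostPubkey` on new line 121 misspells `age.rekey.hostPubkey`; NixOS will fail evaluation on the undefined option if the agenix-rekey module is imported, and otherwise the host key is simply never set. Change it to `age.rekey.hostPubkey = with import ../../shared/ssh-keys.nix; hosts.stellapent-cier;`. A one-line comment saying this must be the host's own SSH public key (the one agenix-rekey encrypts this machine's secrets to) would make the per-host copy harder to get wrong.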
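--- /dev/null
+++ b/shared/agenix.nix
@@ -0,0 +1,29 @@
+# This is my agenix setup for all things SecretOps on my NixOS and home-manager
+# configurations.
+{ lib, pkgs, config, self, ... }:
+
+let
+pubkeys = import ../shared/ssh-keys.nix;
+
+# the you do you part
+main = pubkeys.personal.y2022;
+work = pubkeys.work.recaptime-dev.crew;
+hackclub_yk = pubkeys.fido2Keys.hackclub_yubikey;
+in
+{
+age.rekey = {
+# Master identity - private key used for decryption (must exist on machine running rekey)
+masterIdentities = [
+main
+work
+hackclub_yk.main
+];
+
+# Store rekeyed secrets locally per-host
+storageMode = "local";
+localStorageDir = lib.mkDefault (self + "/secrets/rekeyed/${config.networking.hostName}");
+
+# Host pubkey must be set per-host in configurations/nixos/<host>/default.nix:
+# age.rekey.hostPubkey = "ssh-ed25519 AAAA...";
+};
+}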
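Review bot: `masterIdentities` on new lines 16–20 is filled from `ssh-keys.nix` through a binding named `pubkeys`, yet the comment on line 15 says these are the private keys used for decryption; agenix-rekey, as far as I recall, expects identity files here (a path to the age or SSH private key, or `{ identity = <path>; pubkey = "age1..."; }` for hardware-backed keys), so public-key strings will not decrypt anything at rekey time. Worth confirming what `ssh-keys.nix` actually exports; if those are public keys, the identity file paths belong in this list and the pubkeys go in the `pubkey` field. The comment on line 26 points at `configurations/nixos/<host>/default.nix`, but this same commit sets the option in `hosts/<host>/configuration.nix`, so it should say `# Host pubkey must be set per-host in hosts/<host>/configuration.nix:`. Line 24 also needs `self` passed in via `specialArgs`, which this hunk does not show.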
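--- a/shared/meta.nix
+++ b/shared/meta.nix
@@ -22,6 +22,7 @@
 ./vscode/main.nix
 ./server/ssh.nix
 ./server/tailscale.nix
+./agenix.nix
 ];
 
 # and then the base packages itself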
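--- a/shared/networking.nix
+++ b/shared/networking.nix
@@ -12,16 +12,18 @@
 "45.90.30.0#c393f6.dns.nextdns.io"
 ];
 
-services.resolved = {
-enable = true;
-dnssec = "false"; # https://superuser.com/a/1493674
+# systemd-resolved related settings
+boot.initrd.services.resolved.enable = true;
+services.resolved.enable = true;
+services.resolved.settings.Resolve = {
+DNSSEC = "false"; # https://superuser.com/a/1493674
 # Commented this out since Tailscale do thee heavy work for MagicDNS
 #domains = [ "~." "fawn-cod.ts.net" ];
 # Use Cloudflare DNS resolver as fallback if things go wrong.
-fallbackDns = [
+FallbackDNS = [
 "172.64.36.1#y24o2ptvff.cloudflare-gateway.com"
 ];
-dnsovertls = "true";
+DNSOverTLS = "true";
 };
 
 networking.networkmanager.wifi.powersave = false;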
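Review bot: `DNSSEC = "false"` on new line 19 switches validation off entirely while line 26 turns on strict `DNSOverTLS`, and the only justification carried over is a forum link; resolved also accepts `"allow-downgrade"`, which validates when the upstream supports it and only gives up when it does not, so `DNSSEC = "allow-downgrade";` is the safer default unless something specific breaks. If the hard `false` is deliberate, the comment should say what breaks rather than only linking the answer. The commented-out option on line 21 still uses the old module spelling `domains`; inside the `Resolve` section it would have to be `Domains = ...`, so update that comment before anyone re-enables it.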
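--- a/shared/server/devenv.nix
+++ b/shared/server/devenv.nix
@@ -6,7 +6,8 @@
 direnv
 cachix
 devbox
-nixfmt-rfc-style
+nixfmt
+nixfmt-tree
 nil
 nixd
 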