move sops to system

This commit is contained in:
陈浩南 2023-09-02 22:11:08 +08:00
parent 4483e28dfe
commit 7e15a7f3b3
4 changed files with 31 additions and 25 deletions


@ -130,6 +130,7 @@
};
impermanence.enable = true;
networking.hostname = "pc";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
hardware =
{
@ -162,7 +163,6 @@
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
fontconfig.enable = true;
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
samba =
{
enable = true;
@ -258,12 +258,12 @@
kernel.patches = [ "preempt" ];
impermanence.enable = true;
networking.hostname = "vps6";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
packages.packageSet = "server";
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
sshd.enable = true;
xrayServer = { enable = true; serverName = "vps6.xserver.chn.moe"; };
frpServer = { enable = true; serverName = "frp.chn.moe"; };
@ -325,12 +325,12 @@
kernel.patches = [ "preempt" ];
impermanence.enable = true;
networking.hostname = "vps4";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
packages.packageSet = "server";
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
sshd.enable = true;
};
};})
@ -371,6 +371,7 @@
kernel.patches = [ "preempt" ];
impermanence = { enable = true; nodatacow = "/nix/nodatacow"; };
networking.hostname = "vps7";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
packages =
{
@ -379,7 +380,6 @@
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
sshd.enable = true;
rsshub.enable = true;
nginx = { enable = true; transparentProxy.externalIp = "95.111.228.40"; };
@ -425,12 +425,12 @@
kernel.patches = [ "preempt" ];
impermanence.enable = true;
networking.hostname = "nas";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
packages.packageSet = "server";
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
sshd.enable = true;
};
};})
@ -488,6 +488,7 @@
};
impermanence.enable = true;
networking.hostname = "xmupc1";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
hardware =
{
@ -510,7 +511,6 @@
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
fontconfig.enable = true;
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
samba =
{
enable = true;
@ -587,6 +587,7 @@
kernel.patches = [ "cjktty" "preempt" ];
impermanence.enable = true;
networking.hostname = "yoga";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
hardware =
{
@ -603,7 +604,6 @@
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
fontconfig.enable = true;
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
sshd.enable = true;
xrayClient =
{
@ -644,6 +644,7 @@
kernel.patches = [ "cjktty" "preempt" ];
impermanence.enable = true;
networking.hostname = "pe";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
hardware =
{
@ -660,7 +661,6 @@
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
fontconfig.enable = true;
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
sshd.enable = true;
xrayClient =
{
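Review bot: Every host in this section now repeats `sops = { enable = true; keyPathPrefix = "/nix/persistent"; };` directly after `impermanence.enable = true;` (pc, vps6, vps4, vps7, nas, xmupc1, yoga, pe), naming the same `/nix/persistent` root that the neighbouring `snapper` and `impermanence` settings already use. If the impermanence module exposes that persistent root as an option, the new `nixos.system.sops` module could default `keyPathPrefix` from it, so a host cannot enable impermanence while pointing sops at a host-key path that is not actually persisted, and these per-host lines would shrink to `sops.enable = true;`. This is a point of style only; the moved values are identical to the deleted `services.sops` lines.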


@ -24,11 +24,6 @@ inputs:
};
kmscon.enable = mkOption { type = types.bool; default = false; };
fontconfig.enable = mkOption { type = types.bool; default = false; };
sops =
{
enable = mkOption { type = types.bool; default = false; };
keyPathPrefix = mkOption { type = types.str; default = ""; };
};
samba =
{
enable = mkOption { type = types.bool; default = false; };
@ -154,18 +149,6 @@ inputs:
};
}
)
(
mkIf services.sops.enable
{
sops =
{
defaultSopsFile = ../../secrets/${inputs.config.networking.hostName}.yaml;
# sops start before impermanence, so we need to use the absolute path
age.sshKeyPaths = [ "${services.sops.keyPathPrefix}/etc/ssh/ssh_host_ed25519_key" ];
gnupg.sshKeyPaths = [ "${services.sops.keyPathPrefix}/etc/ssh/ssh_host_rsa_key" ];
};
}
)
(
mkIf services.samba.enable
{


@ -13,6 +13,7 @@ inputs:
./networking.nix
./systemd.nix
./security.nix
./sops.nix
];
config =
{

22
modules/system/sops.nix Normal file
View File

@ -0,0 +1,22 @@
inputs:
{
options.nixos.system.sops = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
keyPathPrefix = mkOption { type = types.str; default = ""; };
};
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos.system) sops;
in mkIf sops.enable
{
sops =
{
defaultSopsFile = ../../secrets/${inputs.config.networking.hostName}.yaml;
# sops start before impermanence, so we need to use the absolute path
age.sshKeyPaths = [ "${sops.keyPathPrefix}/etc/ssh/ssh_host_ed25519_key" ];
gnupg.sshKeyPaths = [ "${sops.keyPathPrefix}/etc/ssh/ssh_host_rsa_key" ];
};
};
}
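Review bot: `keyPathPrefix` on the new option line is an unconstrained `types.str` that is interpolated verbatim into both `sshKeyPaths` entries, so a relative value or one with a trailing slash produces a malformed key path that only surfaces when sops-nix fails to find the key at activation. The empty default is fine (it resolves to `/etc/ssh/...`), so the constraint can stay narrow: `keyPathPrefix = mkOption { type = types.strMatching "(/.*[^/])?"; default = ""; };`. Separately, `gnupg.sshKeyPaths` imports the RSA host key into a GnuPG keyring on every activation; if the secrets files are encrypted only to age recipients, that entry appears to be unneeded and dropping it keeps decryption on a single key — worth confirming against the sops recipients before changing. The comment on the age line would read better as `# sops starts before impermanence, so we need to use the absolute path`.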