diff --git a/flake.nix b/flake.nix index 4e26ad3..56f10e3 100644 --- a/flake.nix +++ b/flake.nix @@ -147,4 +147,4 @@ ''; }; }); -} \ No newline at end of file +} diff --git a/hosts/luna/default.nix b/hosts/luna/default.nix index 079b447..e9cca72 100644 --- a/hosts/luna/default.nix +++ b/hosts/luna/default.nix @@ -1,5 +1,4 @@ -{ config, lib, nixpkgs, ... }: -{ +{ config, lib, nixpkgs, ... }: { imports = (lib.recurseFilesInDirs [ ./os ./modules ] ".nix"); system.stateVersion = "24.05"; -} \ No newline at end of file +} diff --git a/hosts/luna/modules/default.nix b/hosts/luna/modules/default.nix index f6f9624..45c60fc 100644 --- a/hosts/luna/modules/default.nix +++ b/hosts/luna/modules/default.nix @@ -5,4 +5,4 @@ systemd.extraConfig = '' DefaultTimeoutStopSec=10s ''; -} \ No newline at end of file +} diff --git a/hosts/luna/modules/docker/default.nix b/hosts/luna/modules/docker/default.nix index 0c73c4e..dfdbd9c 100644 --- a/hosts/luna/modules/docker/default.nix +++ b/hosts/luna/modules/docker/default.nix @@ -1,9 +1,5 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - docker - docker-compose - ]; +{ pkgs, ... }: { + environment.systemPackages = with pkgs; [ docker docker-compose ]; virtualisation = { oci-containers.backend = "docker"; @@ -14,4 +10,4 @@ package = pkgs.docker; }; }; -} \ No newline at end of file +} diff --git a/hosts/luna/modules/monitoring/auditd.nix b/hosts/luna/modules/monitoring/auditd.nix index 3a2bab4..0bc41e8 100644 --- a/hosts/luna/modules/monitoring/auditd.nix +++ b/hosts/luna/modules/monitoring/auditd.nix @@ -33,4 +33,4 @@ # Root command executions "-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -F key=rootcmd" ]; -} \ No newline at end of file +} diff --git a/hosts/luna/modules/monitoring/grafana.nix b/hosts/luna/modules/monitoring/grafana.nix index 0da915e..54471f4 100644 --- a/hosts/luna/modules/monitoring/grafana.nix +++ b/hosts/luna/modules/monitoring/grafana.nix 
@@ -24,4 +24,4 @@ in { }; }; }; -} \ No newline at end of file +} diff --git a/hosts/luna/modules/monitoring/prometheus.nix b/hosts/luna/modules/monitoring/prometheus.nix index 63fe39b..03d84e7 100644 --- a/hosts/luna/modules/monitoring/prometheus.nix +++ b/hosts/luna/modules/monitoring/prometheus.nix @@ -89,4 +89,4 @@ in { user = "prometheus"; group = "prometheus"; }]; -} \ No newline at end of file +} diff --git a/hosts/luna/modules/networking.nix b/hosts/luna/modules/networking.nix index 4dfe302..ee72c64 100755 --- a/hosts/luna/modules/networking.nix +++ b/hosts/luna/modules/networking.nix @@ -20,9 +20,9 @@ let "2620:fe::9#dns.quad9.net" "2001:4860:4860::8888#dns.google" ]; - resolved_fallback_nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ]; -in -{ + resolved_fallback_nameservers = + [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ]; +in { systemd.network = { enable = true; # HACK: Disable wait-online, check in on https://github.com/NixOS/nixpkgs/pull/258680 & @@ -89,11 +89,7 @@ in nftables.enable = true; firewall = { enable = true; - allowedTCPPorts = [ - 80 - 443 - 2200 - ]; + allowedTCPPorts = [ 80 443 2200 ]; }; hostName = "${hostname}"; }; diff --git a/hosts/luna/modules/services/fail2ban.nix b/hosts/luna/modules/services/fail2ban.nix index 48ebaf4..3be9743 100644 --- a/hosts/luna/modules/services/fail2ban.nix +++ b/hosts/luna/modules/services/fail2ban.nix @@ -1,7 +1,6 @@ -{ ... }: -{ +{ ... }: { services.fail2ban = { enable = true; maxretry = 10; }; -} \ No newline at end of file +} diff --git a/hosts/luna/modules/services/gitea.nix b/hosts/luna/modules/services/gitea.nix index b6d8ca8..fc5bc15 100644 --- a/hosts/luna/modules/services/gitea.nix +++ b/hosts/luna/modules/services/gitea.nix 
@@ -59,9 +59,7 @@ in { url = config.services.gitea.settings.server.ROOT_URL; tokenFile = config.age.secrets.gitea-runner-token.path; name = "Default"; - settings = { - runner.capacity = 8; - }; + settings = { runner.capacity = 8; }; labels = [ "default:docker://nixos/nix:latest" "alpine:docker://alpine:latest" @@ -87,4 +85,4 @@ in { user = config.services.gitea.user; group = config.services.gitea.group; }]; -} \ No newline at end of file +} diff --git a/hosts/luna/modules/services/journald.nix b/hosts/luna/modules/services/journald.nix index a8902fe..de2051f 100644 --- a/hosts/luna/modules/services/journald.nix +++ b/hosts/luna/modules/services/journald.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{ ... }: { services.journald = { extraConfig = '' SystemMaxUse=100G diff --git a/hosts/luna/modules/services/nginx.nix b/hosts/luna/modules/services/nginx.nix index 5fe89d4..62793f3 100644 --- a/hosts/luna/modules/services/nginx.nix +++ b/hosts/luna/modules/services/nginx.nix @@ -1,5 +1,4 @@ -{ config, pkgs, blog, fqdn, ... }: -{ +{ config, pkgs, blog, fqdn, ... }: { services.nginx = { enable = true; recommendedProxySettings = true; @@ -18,4 +17,4 @@ root = blog.packages.${pkgs.system}.default; locations."/".index = "home.html"; }; -} \ No newline at end of file +} diff --git a/hosts/luna/modules/services/openssh.nix b/hosts/luna/modules/services/openssh.nix index 3eb2d84..0c86cf1 100644 --- a/hosts/luna/modules/services/openssh.nix +++ b/hosts/luna/modules/services/openssh.nix @@ -36,4 +36,4 @@ └────────────────────────────────────────────────────┘ ''; }; -} \ No newline at end of file +} diff --git a/hosts/luna/modules/services/postgresql.nix b/hosts/luna/modules/services/postgresql.nix index bdbc5d8..64afb54 100644 --- a/hosts/luna/modules/services/postgresql.nix +++ b/hosts/luna/modules/services/postgresql.nix @@ -1,5 +1,4 @@ -{ config, lib, pkgs, ... }: -{ +{ config, lib, pkgs, ... }: { services.postgresqlBackup = { location = "/var/backup/postgresql"; backupAll = true; 
@@ -16,18 +15,24 @@ log_statement = "all"; log_destination = lib.mkForce "syslog,jsonlog"; }; - ensureUsers = [ - { - name = "root"; - ensureClauses.superuser = true; - } - ]; + ensureUsers = [{ + name = "root"; + ensureClauses.superuser = true; + }]; }; environment.systemPackages = [ pkgs.pgloader ]; environment.persistence.save.directories = [ - { directory = config.services.postgresql.dataDir; user = "postgres"; group = "postgres"; } - { directory = config.services.postgresqlBackup.location; user = "postgres"; group = "postgres"; } + { + directory = config.services.postgresql.dataDir; + user = "postgres"; + group = "postgres"; + } + { + directory = config.services.postgresqlBackup.location; + user = "postgres"; + group = "postgres"; + } ]; -} \ No newline at end of file +} diff --git a/hosts/luna/modules/system.nix b/hosts/luna/modules/system.nix index 30dcf32..642d3e9 100644 --- a/hosts/luna/modules/system.nix +++ b/hosts/luna/modules/system.nix @@ -7,11 +7,7 @@ dates = "05:00"; allowReboot = true; flake = self.outPath; - flags = [ - "--update-input" - "nixpkgs" - "-L" - ]; + flags = [ "--update-input" "nixpkgs" "-L" ]; }; }; } diff --git a/hosts/luna/modules/users.nix b/hosts/luna/modules/users.nix index 55d5a1e..1eba818 100755 --- a/hosts/luna/modules/users.nix +++ b/hosts/luna/modules/users.nix @@ -14,6 +14,9 @@ }; environment.persistence.ephemeral.users = { price = { files = [ ".bash_history" ]; }; - root = { home = "/root"; files = [ ".bash_history" ]; }; + root = { + home = "/root"; + files = [ ".bash_history" ]; + }; }; -} \ No newline at end of file +} diff --git a/hosts/luna/os/boot.nix b/hosts/luna/os/boot.nix index bbe532c..da1abc8 100644 --- a/hosts/luna/os/boot.nix +++ b/hosts/luna/os/boot.nix @@ -1,10 +1,6 @@ -{ modulesPath, pkgs, ... }: -{ +{ modulesPath, pkgs, ... }: { - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot = { tmp = { 
@@ -73,4 +69,4 @@ }; }; -} \ No newline at end of file +} diff --git a/hosts/luna/os/default.nix b/hosts/luna/os/default.nix index 98e6cb4..c0248b5 100644 --- a/hosts/luna/os/default.nix +++ b/hosts/luna/os/default.nix @@ -2,4 +2,4 @@ { zramSwap.enable = true; -} \ No newline at end of file +} diff --git a/hosts/luna/os/fs.nix b/hosts/luna/os/fs.nix index 8924e02..c7a6a36 100644 --- a/hosts/luna/os/fs.nix +++ b/hosts/luna/os/fs.nix @@ -1,14 +1,9 @@ -{ lib, root-disk, persist-dir, ... }: -{ +{ lib, root-disk, persist-dir, ... }: { services = { fstrim.enable = true; btrfs.autoScrub = { enable = true; - fileSystems = [ - "/" - "/nix" - "/persist" - ]; + fileSystems = [ "/" "/nix" "/persist" ]; }; snapper = { # NOTE: According to `snapper-config(5)` the default timeline count for all timelines is 10 
@@ -23,73 +18,61 @@ fileSystems."${persist-dir}".neededForBoot = true; - disko.devices = - { - disk.${lib.removePrefix "/dev/" root-disk} = { - type = "disk"; - device = "${root-disk}"; - content = { - type = "gpt"; - partitions = { - esp = - let - label = "NixOS-Boot"; - in - { - priority = 1; - size = "512M"; - type = "EF00"; - content = { - extraArgs = [ "-n ${label}" "-F 32" ]; - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ - "umask=0077" - "defaults" - ]; - }; - }; - root = - let - label = "NixOS-Primary"; - in - { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" "--label ${label}" ]; - postCreateHook = '' - MOUNT="$(mktemp -d)" - mount "/dev/disk/by-label/${label}" "$MOUNT" -o subvol=/ - trap 'umount $MOUNT; rm -rf $MOUNT' EXIT - btrfs subvolume snapshot -r "$MOUNT/root" "$MOUNT/root-base" - ''; - subvolumes = { - "/root" = { - mountpoint = "/"; - }; - "/var-log" = { - mountpoint = "/var/log"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "${persist-dir}" = { - mountpoint = "${persist-dir}"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "${persist-dir}/.snapshots" = { - mountpoint = "${persist-dir}/.snapshots"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - }; + disko.devices = { + disk.${lib.removePrefix "/dev/" root-disk} = { + type = "disk"; + device = "${root-disk}"; + content = { + type = "gpt"; + partitions = { + esp = let label = "NixOS-Boot"; + in { + priority = 1; + size = "512M"; + type = "EF00"; + content = { + extraArgs = [ "-n ${label}" "-F 32" ]; + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" "defaults" ]; + }; + }; + root = let label = "NixOS-Primary"; + in { + size = "100%"; + content = { + type = "btrfs"; + extraArgs = [ "-f" "--label ${label}" ]; + postCreateHook = '' + MOUNT="$(mktemp -d)" + mount 
"/dev/disk/by-label/${label}" "$MOUNT" -o subvol=/ + trap 'umount $MOUNT; rm -rf $MOUNT' EXIT + btrfs subvolume snapshot -r "$MOUNT/root" "$MOUNT/root-base" + ''; + subvolumes = { + "/root" = { mountpoint = "/"; }; + "/var-log" = { + mountpoint = "/var/log"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "${persist-dir}" = { + mountpoint = "${persist-dir}"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "${persist-dir}/.snapshots" = { + mountpoint = "${persist-dir}/.snapshots"; + mountOptions = [ "compress=zstd" "noatime" ]; }; }; + }; }; }; }; }; -} \ No newline at end of file + }; +} diff --git a/hosts/luna/os/hardware.nix b/hosts/luna/os/hardware.nix index 7803acf..3c38abe 100644 --- a/hosts/luna/os/hardware.nix +++ b/hosts/luna/os/hardware.nix @@ -1,6 +1,6 @@ -{ lib, config, ... }: -{ - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +{ lib, config, ... }: { + hardware.cpu.intel.updateMicrocode = + lib.mkDefault config.hardware.enableRedistributableFirmware; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; services.fstrim.enable = true; } diff --git a/hosts/luna/pubkey.nix b/hosts/luna/pubkey.nix index 2073e28..8f98f27 100644 --- a/hosts/luna/pubkey.nix +++ b/hosts/luna/pubkey.nix @@ -1 +1 @@ -"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZzZ6q/V7f8zbb9Xm0uZPn4zfdXAj3QgwGkGKzEV9Q5 luna" \ No newline at end of file +"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZzZ6q/V7f8zbb9Xm0uZPn4zfdXAj3QgwGkGKzEV9Q5 luna" diff --git a/hosts/orion/default.nix b/hosts/orion/default.nix index 079b447..e9cca72 100644 --- a/hosts/orion/default.nix +++ b/hosts/orion/default.nix @@ -1,5 +1,4 @@ -{ config, lib, nixpkgs, ... }: -{ +{ config, lib, nixpkgs, ... }: { imports = (lib.recurseFilesInDirs [ ./os ./modules ] ".nix"); system.stateVersion = "24.05"; -} \ No newline at end of file +} 
diff --git a/hosts/orion/modules/bluetooth.nix b/hosts/orion/modules/bluetooth.nix index 1dd475b..8abeb9d 100644 --- a/hosts/orion/modules/bluetooth.nix +++ b/hosts/orion/modules/bluetooth.nix @@ -3,9 +3,7 @@ { hardware.bluetooth.enable = true; services.blueman.enable = true; - environment.systemPackages = with pkgs; [ - bluez - ]; + environment.systemPackages = with pkgs; [ bluez ]; systemd.user.services.mpris-proxy = { description = "Mpris proxy"; diff --git a/hosts/orion/modules/hardware.nix b/hosts/orion/modules/hardware.nix index 74be2bb..d951e7d 100644 --- a/hosts/orion/modules/hardware.nix +++ b/hosts/orion/modules/hardware.nix @@ -16,6 +16,7 @@ # Remove NVIDIA VGA/3D controller devices ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x03[0-9]*", ATTR{power/control}="auto", ATTR{remove}="1" ''; - boot.blacklistedKernelModules = [ "nouveau" "nvidia" "nvidia_drm" "nvidia_modeset" ]; + boot.blacklistedKernelModules = + [ "nouveau" "nvidia" "nvidia_drm" "nvidia_modeset" ]; } diff --git a/hosts/orion/modules/networking.nix b/hosts/orion/modules/networking.nix index b1823d5..7ec6577 100644 --- a/hosts/orion/modules/networking.nix +++ b/hosts/orion/modules/networking.nix @@ -25,8 +25,7 @@ let "2606:4700:4700::1111#cloudflare-dns.com" "2606:4700:4700::1001#cloudflare-dns.com" ]; -in -{ +in { systemd.network = { enable = true; networks = { @@ -89,4 +88,4 @@ in useNetworkd = true; }; -} \ No newline at end of file +} diff --git a/hosts/orion/modules/nix.nix b/hosts/orion/modules/nix.nix index edf6fa7..19dd3eb 100644 --- a/hosts/orion/modules/nix.nix +++ b/hosts/orion/modules/nix.nix @@ -5,7 +5,7 @@ settings = { experimental-features = [ "nix-command" "flakes" ]; auto-optimise-store = true; - trusted-users = ["@wheel"]; + trusted-users = [ "@wheel" ]; }; gc = { automatic = true; diff --git a/hosts/orion/modules/services/openssh.nix b/hosts/orion/modules/services/openssh.nix index d816617..1a73f5f 100644 
--- a/hosts/orion/modules/services/openssh.nix +++ b/hosts/orion/modules/services/openssh.nix @@ -1,19 +1,14 @@ -{ config, ... }: -{ +{ config, ... }: { services.openssh = { enable = true; startWhenNeeded = true; # We set the hostkeys manually so they persist through reboots - hostKeys = [ - { - path = (config.environment.persistence.ephemeral.persistentStoragePath + "/etc/ssh/ssh_host_ed25519_key"); - type = "ed25519"; - } - ]; - sftpFlags = [ - "-f AUTHPRIV" - "-l INFO" - ]; + hostKeys = [{ + path = (config.environment.persistence.ephemeral.persistentStoragePath + + "/etc/ssh/ssh_host_ed25519_key"); + type = "ed25519"; + }]; + sftpFlags = [ "-f AUTHPRIV" "-l INFO" ]; extraConfig = '' AllowUsers price ''; @@ -41,9 +36,7 @@ "umac-128-etm@openssh.com" ]; }; - ports = [ - 2200 - ]; + ports = [ 2200 ]; banner = '' ┌────────────────────────────────────────────────────┐ │ Orion Technologies - Security Notice │ @@ -59,4 +52,4 @@ └────────────────────────────────────────────────────┘ ''; }; -} \ No newline at end of file +} diff --git a/hosts/orion/modules/users.nix b/hosts/orion/modules/users.nix index c433482..35c0a53 100644 --- a/hosts/orion/modules/users.nix +++ b/hosts/orion/modules/users.nix @@ -14,6 +14,9 @@ }; environment.persistence.ephemeral.users = { price = { files = [ ".bash_history" ]; }; - root = { home = "/root"; files = [ ".bash_history" ]; }; + root = { + home = "/root"; + files = [ ".bash_history" ]; + }; }; -} \ No newline at end of file +} diff --git a/hosts/orion/os/boot.nix b/hosts/orion/os/boot.nix index 1818c9d..95d9baf 100644 --- a/hosts/orion/os/boot.nix +++ b/hosts/orion/os/boot.nix @@ -1,9 +1,7 @@ { modulesPath, pkgs, ... }: { # imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; boot = { loader = { 
@@ -14,7 +12,8 @@ kernelParams = [ "audit=1" ]; extraModulePackages = [ ]; initrd = { - availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + availableKernelModules = + [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; # availableKernelModules = # [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usbhid" "rtsx_pci_sdmmc" ]; # kernelModules = [ ]; @@ -70,4 +69,4 @@ }; }; -} \ No newline at end of file +} diff --git a/hosts/orion/os/fs.nix b/hosts/orion/os/fs.nix index d0a91bf..69bed98 100644 --- a/hosts/orion/os/fs.nix +++ b/hosts/orion/os/fs.nix @@ -72,4 +72,4 @@ }; }; }; -} \ No newline at end of file +} diff --git a/hosts/orion/pubkey.nix b/hosts/orion/pubkey.nix index 59f8876..c63effb 100644 --- a/hosts/orion/pubkey.nix +++ b/hosts/orion/pubkey.nix @@ -1 +1 @@ -"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuypHJpFMaElzWO2QrPNF5o97LGJK/LckHuWvfwIFWI orion" \ No newline at end of file +"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuypHJpFMaElzWO2QrPNF5o97LGJK/LckHuWvfwIFWI orion" diff --git a/lib/default.nix b/lib/default.nix index 930c9b9..e771a4f 100644 --- a/lib/default.nix +++ b/lib/default.nix 
@@ -1,31 +1,22 @@ # Some of these functions were taken from https://github.com/NixOS/nixpkgs/blob/master/lib/ -{ lib ? (import { }).lib }: -rec { - hasSuffix = - suffix: - string: +{ lib ? (import { }).lib }: rec { + hasSuffix = suffix: string: let lenSuffix = builtins.stringLength suffix; lenString = builtins.stringLength string; - in - ( - lenString >= lenSuffix && (builtins.substring (lenString - lenSuffix) lenString string) == suffix - ); + in (lenString >= lenSuffix + && (builtins.substring (lenString - lenSuffix) lenString string) + == suffix); recurseDir = dir: - let - dirContents = builtins.readDir dir; - in - (builtins.concatMap - (dirItem: - let - itemType = builtins.getAttr dirItem dirContents; - itemPath = dir + "/${dirItem}"; - in - if itemType == "directory" then - (recurseDir itemPath) - else - [ itemPath ]) - (builtins.attrNames dirContents)); + let dirContents = builtins.readDir dir; + in (builtins.concatMap (dirItem: + let + itemType = builtins.getAttr dirItem dirContents; + itemPath = dir + "/${dirItem}"; + in if itemType == "directory" then + (recurseDir itemPath) + else + [ itemPath ]) (builtins.attrNames dirContents)); recurseFilesInDir = dir: suffix: (builtins.filter (file: hasSuffix "${suffix}" file) (recurseDir dir)); recurseFilesInDirs = dirs: suffix: @@ -35,14 +26,13 @@ rec { let f = attrPath: lib.zipAttrsWith (n: values: - if lib.tail values == [ ] - then lib.head values - else if lib.all builtins.isList values - then lib.unique (lib.concatLists values) - else if lib.all builtins.isAttrs values - then f (attrPath ++ [ n ]) values - else lib.last values - ); - in - f [ ] attrList; -} \ No newline at end of file + if lib.tail values == [ ] then + lib.head values + else if lib.all builtins.isList values then + lib.unique (lib.concatLists values) + else if lib.all builtins.isAttrs values then + f (attrPath ++ [ n ]) values + else + lib.last values); + in f [ ] attrList; +} 
diff --git a/secrets/default.nix b/secrets/default.nix
index ac327c4..02a547d 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -5,52 +5,32 @@ let "age1ur2lr3z6d2eftgxcalc6s5x9840ew9x43upl9k23wg0ugacrn5as4zl6sj" ]; hosts = { - luna = - let - secrets = "luna"; - in - { - users-root-pw = "${secrets}/users-root-pw.age"; - users-price-pw = "${secrets}/users-price-pw.age"; - gitea-db-pass = "${secrets}/gitea-db-pass.age"; - gitea-runner-token = "${secrets}/gitea-runner-token.age"; - }; - orion = - let - secrets = "orion"; - in - { - users-root-pw = "${secrets}/users-root-pw.age"; - users-price-pw = "${secrets}/users-price-pw.age"; - }; + luna = let secrets = "luna"; + in { + users-root-pw = "${secrets}/users-root-pw.age"; + users-price-pw = "${secrets}/users-price-pw.age"; + gitea-db-pass = "${secrets}/gitea-db-pass.age"; + gitea-runner-token = "${secrets}/gitea-runner-token.age"; + }; + orion = let secrets = "orion"; + in { + users-root-pw = "${secrets}/users-root-pw.age"; + users-price-pw = "${secrets}/users-price-pw.age"; + }; }; -in -if agenix then - (builtins.listToAttrs - (builtins.concatMap - (host: - let - hostSecrets = (builtins.getAttr host hosts); - in - (builtins.map - (hostSecretName: - let - secret = (builtins.getAttr hostSecretName hostSecrets); - in - { - name = builtins.toString secret; - value = { - publicKeys = [ (import ./../hosts/${host}/pubkey.nix) ] ++ masterKeys; - }; - }) - (builtins.attrNames hostSecrets))) - (builtins.attrNames hosts))) +in if agenix then + (builtins.listToAttrs (builtins.concatMap (host: + let hostSecrets = (builtins.getAttr host hosts); + in (builtins.map (hostSecretName: + let secret = (builtins.getAttr hostSecretName hostSecrets); + in { + name = builtins.toString secret; + value = { + publicKeys = [ (import ./../hosts/${host}/pubkey.nix) ] ++ masterKeys; + }; + }) (builtins.attrNames hostSecrets))) (builtins.attrNames hosts))) else - (builtins.mapAttrs - (host: secrets: - (lib.recursiveMerge (builtins.map - (secretName: { - age.secrets.${secretName}.file = ./${secrets.${secretName}}; - }) - (builtins.attrNames hosts.${host})))) - hosts) \ No 
newline at end of file + (builtins.mapAttrs (host: secrets: + (lib.recursiveMerge (builtins.map (secretName: { + age.secrets.${secretName}.file = ./${secrets.${secretName}}; + }) (builtins.attrNames hosts.${host})))) hosts) diff --git a/secrets/secrets.nix b/secrets/secrets.nix index acebfcd..3ffcbf8 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1 +1 @@ -import ./default.nix { agenix = true; } \ No newline at end of file +import ./default.nix { agenix = true; }