diff --git a/home-manager-modules/git/default.nix b/home-manager-modules/git/default.nix
index 4b19f26..ac93457 100644
--- a/home-manager-modules/git/default.nix
+++ b/home-manager-modules/git/default.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
   cfg = config.luj.programs.git;
 in
@@ -18,9 +23,7 @@ with lib;
         key = "6FC74C847011FD83";
       };
       delta.enable = true;
-      ignores = [
-        ".direnv"
-      ];
+      ignores = [ ".direnv" ];
       extraConfig = {
         init.defaultBranch = "main";
         diff.colorMoved = "zebra";
@@ -32,11 +35,10 @@ with lib;
     };
 
     home.extraActivationPath = [ pkgs.gnupg ];
-    home.activation =
-      {
-        myActivationAction = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
-          gpg --import /run/secrets/git-gpg-private-key
-        '';
-      };
+    home.activation = {
+      myActivationAction = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+        gpg --import /run/agenix/git-gpg-private-key
+      '';
+    };
   };
 }
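Review bot: The activation script hard-codes `/run/agenix/git-gpg-private-key`, so it depends on agenix's default secrets directory and on `age.secrets.git-gpg-private-key` being declared elsewhere. In this commit that declaration is in `modules/secrets/default.nix`, behind its own enable option, and a host with this module enabled but that one disabled fails only at activation time. If this module is loaded through the NixOS home-manager integration, taking `osConfig` as an argument and writing `gpg --batch --import ${osConfig.age.secrets.git-gpg-private-key.path}` would turn a missing or renamed secret into an evaluation error. The module body starts outside this hunk.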
diff --git a/machines/base.nix b/machines/base.nix
index bcdb5d8..d39ff8e 100644
--- a/machines/base.nix
+++ b/machines/base.nix
@@ -13,9 +13,6 @@
   luj.programs.mosh.enable = true;
   luj.deployment.enable = true;
 
-  sops.defaultSopsFile = ../secrets/secrets.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-
   time.timeZone = "Europe/Paris";
   i18n.defaultLocale = "en_US.UTF-8";
   console = {
@@ -42,32 +39,36 @@
 
   systemd.services.NetworkManager-wait-online.enable = false;
 
-
-  security.pki.certificates = [
-    ''-----BEGIN CERTIFICATE-----
-MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw
-EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X
-DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u
-TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI
-zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6
-7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/
-BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja
-mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG
-SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc
-oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw==
------END CERTIFICATE-----''
-    ''-----BEGIN CERTIFICATE-----
-MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES
-MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe
-Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v
-bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq
-hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7
-BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw
-EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC
-jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf
-VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ=
------END CERTIFICATE-----''
+  age.identityPaths = [
+    "/etc/ssh/ssh_host_ed25519_key"
+    "/persistent/etc/ssh/ssh_host_ed25519_key"
   ];
 
-
+  security.pki.certificates = [
+    ''
+      -----BEGIN CERTIFICATE-----
+      MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw
+      EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X
+      DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u
+      TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI
+      zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6
+      7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/
+      BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja
+      mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG
+      SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc
+      oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw==
+      -----END CERTIFICATE-----''
+    ''
+      -----BEGIN CERTIFICATE-----
+      MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES
+      MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe
+      Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v
+      bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq
+      hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7
+      BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw
+      EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC
+      jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf
+      VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ=
+      -----END CERTIFICATE-----''
+  ];
 }
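Review bot: `age.identityPaths` is added without a comment, although these host keys are now the identities that decrypt every `.age` secret deployed to a machine importing this file. I would put a comment above the list, for example `# agenix decrypts with the SSH host key; the /persistent copy is for hosts whose /etc is not populated at activation (assumed, confirm)`. It is also worth recording there that a host whose key is not a recipient of a given secret will fail to decrypt it at activation, since that is the failure a new machine hits first.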
diff --git a/machines/core-security/default.nix b/machines/core-security/default.nix
index b48173a..9beb169 100644
--- a/machines/core-security/default.nix
+++ b/machines/core-security/default.nix
@@ -1,11 +1,15 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 
 {
-  imports =
-    [
-      ./hardware.nix
-      ./home-julien.nix
-    ];
+  imports = [
+    ./hardware.nix
+    ./home-julien.nix
+  ];
 
   # Bootloader.
   boot.loader.grub.enable = true;
@@ -18,7 +22,6 @@
 
   systemd.network.enable = true;
 
-
   systemd.network.networks."10-wan" = {
     matchConfig.Name = "ens18";
     networkConfig = {
@@ -31,7 +34,6 @@
     linkConfig.RequiredForOnline = "routable";
   };
 
-
   # Set your time zone.
   time.timeZone = "Europe/Paris";
 
@@ -66,15 +68,20 @@
 
   services.openssh.enable = true;
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-  networking.firewall.allowedUDPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+  networking.firewall.allowedUDPPorts = [
+    80
+    443
+  ];
 
   networking.firewall.checkReversePath = "loose";
 
   systemd.services.NetworkManager-wait-online.enable = lib.mkForce false;
   systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
 
-
   luj.nginx.enable = true;
   services.nginx.virtualHosts."vaults.malka.family" = {
     forceSSL = true;
@@ -99,7 +106,7 @@
   services.keycloak = {
     enable = true;
     database.createLocally = true;
-    database.passwordFile = "/run/secrets/keycloak";
+    database.passwordFile = "/run/agenix/keycloak-db";
     settings = {
       hostname = "auth.julienmalka.me";
       hostname-admin-url = "https://auth.julienmalka.me";
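Review bot: `database.passwordFile = "/run/agenix/keycloak-db"` repeats the secret's runtime location as a string literal instead of deriving it from the `age.secrets.keycloak-db` declaration added further down in this file. `database.passwordFile = config.age.secrets.keycloak-db.path;` keeps the two in step and turns a renamed or missing secret into an evaluation error rather than a service that fails to start. The same literal-path pattern is in `modules/deluge/default.nix` (`authFile`) and `modules/mailserver/default.nix` (the three `hashedPasswordFile` entries), while `modules/buildbot/default.nix` already uses the `.path` form. The `services.keycloak` block continues outside this hunk.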
@@ -107,7 +114,9 @@
       hostname-strict-backchannel = true;
       proxy = "edge";
     };
-    themes = { keywind = pkgs.keycloak-keywind; };
+    themes = {
+      keywind = pkgs.keycloak-keywind;
+    };
   };
 
   services.nginx.virtualHosts."auth.julienmalka.me" = {
@@ -115,22 +124,15 @@
     enableACME = true;
     locations."/" = {
       proxyPass = "http://127.0.0.1:8080";
-      extraConfig = '' 
-      proxy_buffer_size   128k;
-      proxy_buffers   4 256k;
-      proxy_busy_buffers_size   256k;
+      extraConfig = ''
+        proxy_buffer_size   128k;
+        proxy_buffers   4 256k;
+        proxy_busy_buffers_size   256k;
       '';
     };
   };
 
-
-  sops.secrets.keycloak = {
-    owner = "root";
-    sopsFile = ../../secrets/keycloak-db;
-    format = "binary";
-  };
-
-
+  age.secrets.keycloak-db.file = ../../secrets/keycloak-db.age;
 
   services.openssh.extraConfig = ''
     HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
@@ -139,8 +141,6 @@
     MaxAuthTries 20
   '';
 
-
-
   services.step-ca.enable = true;
   services.step-ca.intermediatePasswordFile = "/root/capw";
   services.step-ca.address = "100.100.45.14";
@@ -162,38 +162,37 @@
     };
   };
 
-
   security.acme.certs."ca.luj".server = "https://127.0.0.1:8444/acme/acme/directory";
 
   systemd.services."step-ca".after = [ "keycloak.service" ];
 
   security.pki.certificates = [
-    ''-----BEGIN CERTIFICATE-----
-MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw
-EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X
-DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u
-TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI
-zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6
-7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/
-BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja
-mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG
-SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc
-oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw==
------END CERTIFICATE-----''
-    ''-----BEGIN CERTIFICATE-----
-MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES
-MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe
-Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v
-bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq
-hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7
-BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw
-EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC
-jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf
-VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ=
------END CERTIFICATE-----''
+    ''
+      -----BEGIN CERTIFICATE-----
+      MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw
+      EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X
+      DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u
+      TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI
+      zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6
+      7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/
+      BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja
+      mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG
+      SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc
+      oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw==
+      -----END CERTIFICATE-----''
+    ''
+      -----BEGIN CERTIFICATE-----
+      MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES
+      MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe
+      Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v
+      bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq
+      hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7
+      BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw
+      EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC
+      jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf
+      VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ=
+      -----END CERTIFICATE-----''
   ];
 
-
   system.stateVersion = "22.11";
-
 }
diff --git a/machines/lisa/home-julien.nix b/machines/lisa/home-julien.nix
index b300d3c..3fa01cd 100644
--- a/machines/lisa/home-julien.nix
+++ b/machines/lisa/home-julien.nix
@@ -1,25 +1,20 @@
-_:
-{
+_: {
 
-  sops.secrets.ssh-lisa-pub = {
+  age.secrets.ssh-lisa-pub = {
+    file = ../../secrets/ssh-lisa-pub.age;
+    mode = "0644";
     owner = "julien";
     path = "/home/julien/.ssh/id_ed25519.pub";
-    mode = "0644";
-    format = "binary";
-    sopsFile = ../../secrets/ssh-lisa-pub;
   };
 
-  sops.secrets.ssh-lisa-priv = {
+  age.secrets.ssh-lisa-priv = {
+    file = ../../secrets/ssh-lisa-priv.age;
+    mode = "0600";
     owner = "julien";
     path = "/home/julien/.ssh/id_ed25519";
-    mode = "0600";
-    format = "binary";
-    sopsFile = ../../secrets/ssh-lisa-priv;
   };
 
-
-
- luj.hmgr.julien = {
+  luj.hmgr.julien = {
     luj.programs.neovim.enable = true;
     luj.programs.ssh-client.enable = true;
     luj.programs.git.enable = true;
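Review bot: Both secrets set `path` inside `/home/julien/.ssh`, and as far as I can tell agenix creates a missing parent directory as root during activation, which would leave `.ssh` root-owned on a fresh install. Either confirm the directory's ownership after a first activation, or drop `path` and point the SSH client's `IdentityFile` at `config.age.secrets.ssh-lisa-priv.path`. Separately, `ssh-lisa-pub` is a public key published with mode `0644`, so encrypting it adds nothing and it could be plain configuration. The `luj.hmgr.julien` block continues outside this hunk.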
diff --git a/modules/buildbot/default.nix b/modules/buildbot/default.nix
index 4f564b2..0afb121 100644
--- a/modules/buildbot/default.nix
+++ b/modules/buildbot/default.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ... }:
+{ lib, config, ... }:
 with lib;
 let
   cfg = config.luj.buildbot;
@@ -14,12 +14,15 @@ in
     services.buildbot-nix.master = {
       enable = true;
       domain = "ci.julienmalka.me";
-      workersFile = config.sops.secrets.buildbot-nix-workers.path;
-      buildSystems = [ "x86_64-linux" "aarch64-linux" ];
+      workersFile = config.age.secrets.buildbot-nix-workers.path;
+      buildSystems = [
+        "x86_64-linux"
+        "aarch64-linux"
+      ];
       github = {
-        tokenFile = config.sops.secrets.github-token.path;
-        webhookSecretFile = config.sops.secrets.github-webhook-secret.path;
-        oauthSecretFile = config.sops.secrets.github-oauth-secret.path;
+        tokenFile = config.age.secrets.github-token.path;
+        webhookSecretFile = config.age.secrets.github-webhook-secret.path;
+        oauthSecretFile = config.age.secrets.github-oauth-secret.path;
         oauthId = "bba3e144501aa5b8a5dd";
         user = "JulienMalka";
         admins = [ "JulienMalka" ];
@@ -33,37 +36,21 @@ in
       enableACME = true;
     };
 
-    sops.secrets = {
-      github-token = {
-        format = "binary";
-        sopsFile = ../../secrets/github-token-secret;
-      };
-      github-webhook-secret = {
-        format = "binary";
-        sopsFile = ../../secrets/github-webhook-secret;
-      };
-      github-oauth-secret = {
-        format = "binary";
-        sopsFile = ../../secrets/github-oauth-secret;
-      };
-      buildbot-nix-workers = {
-        format = "binary";
-        sopsFile = ../../secrets/buildbot-nix-workers;
+    age.secrets = {
+      github-token.file = ../../secrets/github-token-secret.age;
+      github-webhook-secret.file = ../../secrets/github-webhook-secret.age;
+      github-oauth-secret.file = ../../secrets/github-oauth-secret.age;
+      buildbot-nix-workers.file = ../../secrets/buildbot-nix-workers.age;
+      buildbot-nix-worker-password = {
+        file = ../../secrets/buildbot-nix-worker-password.age;
+        owner = "buildbot-worker";
       };
     };
 
     systemd.services.buildbot-worker.environment.WORKER_COUNT = "14";
     services.buildbot-nix.worker = {
       enable = true;
-      workerPasswordFile = config.sops.secrets.buildbot-nix-worker-password.path;
+      workerPasswordFile = config.age.secrets.buildbot-nix-worker-password.path;
     };
-
-    sops.secrets.buildbot-nix-worker-password = {
-      format = "binary";
-      owner = "buildbot-worker";
-      sopsFile = ../../secrets/buildbot-nix-worker-password;
-    };
-
   };
 }
-
diff --git a/modules/deluge/default.nix b/modules/deluge/default.nix
index ab3678f..2b2d784 100644
--- a/modules/deluge/default.nix
+++ b/modules/deluge/default.nix
@@ -22,19 +22,15 @@ in
     };
 
     nginx.enable = mkEnableOption "activate nginx";
-    nginx.subdomain = mkOption {
-      type = types.str;
-    };
-
+    nginx.subdomain = mkOption { type = types.str; };
   };
 
-  config = mkIf cfg.enable (
-    mkMerge [{
+  config = mkIf cfg.enable (mkMerge [
+    {
 
-      sops.secrets.deluge = {
+      age.secrets.deluge-webui-password = {
         owner = cfg.user;
-        format = "binary";
-        sopsFile = ../../secrets/deluge-login;
+        file = ../../secrets/deluge-webui-password.age;
       };
 
       services.deluge = {
@@ -42,21 +38,16 @@ in
         inherit (cfg) user group;
         openFirewall = true;
         declarative = true;
-        authFile = "/run/secrets/deluge";
+        authFile = "/run/agenix/deluge-webui-password";
         web.enable = true;
         config = {
           download_location = "/home/mediaserver/downloads/complete/";
           allow_remote = true;
         };
         dataDir = "/home/mediaserver/deluge";
-
       };
     }
 
-
-
-      (mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))]);
-
-
-
+    (mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))
+  ]);
 }
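Review bot: The secret declared in the previous hunk is named `deluge-webui-password`, but here it is wired to `services.deluge.authFile`, which in the nixpkgs module is the daemon's auth file (`user:password:level` lines) rather than the web UI password. A name that describes the content, or a comment next to the declaration such as `# deluge auth file: one "user:password:level" entry per line`, would prevent someone from re-encrypting a bare password into it. The old name, `deluge-login`, was closer to what the file holds.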
diff --git a/modules/mailserver/default.nix b/modules/mailserver/default.nix
index 66a52c2..277b348 100644
--- a/modules/mailserver/default.nix
+++ b/modules/mailserver/default.nix
@@ -8,45 +8,45 @@ with lib;
     enable = mkEnableOption "Enable mailserver";
   };
 
-  config = mkIf cfg.enable
-    {
-      mailserver = {
-        enable = true;
-        fqdn = "mail.julienmalka.me";
-        domains = [ "malka.sh" "ens.school" ];
+  config = mkIf cfg.enable {
+    mailserver = {
+      enable = true;
+      fqdn = "mail.julienmalka.me";
+      domains = [
+        "malka.sh"
+        "ens.school"
+      ];
 
-        enableManageSieve = true;
-
-        # A list of all login accounts. To create the password hashes, use
-        # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
-        loginAccounts = {
-          "julien@malka.sh" = {
-            hashedPasswordFile = "/run/secrets/malkash-pw";
-            aliases = [ "@malka.sh" ];
-            sieveScript = builtins.readFile ./malka-sh.sieve;
-          };
-          "julien.malka@ens.school" = {
-            hashedPasswordFile = "/run/secrets/ensmailmalka-pw";
-          };
-          "camille.mondon@ens.school" = {
-            hashedPasswordFile = "/run/secrets/ensmailmondon-pw";
-          };
+      enableManageSieve = true;
 
+      # A list of all login accounts. To create the password hashes, use
+      # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
+      loginAccounts = {
+        "julien@malka.sh" = {
+          hashedPasswordFile = "/run/agenix/malkash-pw";
+          aliases = [ "@malka.sh" ];
+          sieveScript = builtins.readFile ./malka-sh.sieve;
         };
-        extraVirtualAliases = {
-          "postmaster@ens.school" = "julien.malka@ens.school";
+        "julien.malka@ens.school" = {
+          hashedPasswordFile = "/run/agenix/ensmailmalka-pw";
+        };
+        "camille.mondon@ens.school" = {
+          hashedPasswordFile = "/run/agenix/ensmailmondon-pw";
         };
-        certificateScheme = "acme-nginx";
       };
-
-      services.roundcube = {
-        enable = true;
-        hostName = "webmail.julienmalka.me";
+      extraVirtualAliases = {
+        "postmaster@ens.school" = "julien.malka@ens.school";
       };
-
-      sops.secrets.malkash-pw = { };
-      sops.secrets.ensmailmalka-pw = { };
-      sops.secrets.ensmailmondon-pw = { };
-
+      certificateScheme = "acme-nginx";
     };
+
+    services.roundcube = {
+      enable = true;
+      hostName = "webmail.julienmalka.me";
+    };
+
+    age.secrets.malkash-pw.file = ../../secrets/julien-malka-sh-mail-password.age;
+    age.secrets.ensmailmalka-pw.file = ../../secrets/malka-ens-school-mail-password.age;
+    age.secrets.ensmailmondon-pw.file = ../../secrets/mondon-ens-school-mail-password.age;
+  };
 }
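Review bot: The re-indented comment above `loginAccounts` still recommends `htpasswd -nbB "" "super secret password"`, which puts the clear-text password on the command line where it ends up in shell history and is visible in the process list. Since the hashes now live in `.age` files, I would change the comment to the prompting form, `htpasswd -nB "" | cut -d: -f2`, and say that this output is what gets encrypted into the `*-mail-password.age` files. The `nix run nixpkgs.apacheHttpd -c` prefix also looks like the older CLI syntax and may need refreshing.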
diff --git a/modules/navidrome/default.nix b/modules/navidrome/default.nix
index 0b09562..96f1a6c 100644
--- a/modules/navidrome/default.nix
+++ b/modules/navidrome/default.nix
@@ -1,4 +1,9 @@
-{ lib, pkgs, config, ... }:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
 with lib;
 let
   cfg = config.luj.navidrome;
@@ -22,23 +27,12 @@ in
       description = "Group under which Navidrome runs.";
     };
 
-
     nginx.enable = mkEnableOption "activate nginx";
-    nginx.subdomain = mkOption {
-      type = types.str;
-    };
+    nginx.subdomain = mkOption { type = types.str; };
   };
 
-  config = mkIf cfg.enable (
-    mkMerge [{
-
-      sops.secrets."navidrome.json" = {
-        owner = cfg.user;
-        format = "binary";
-        sopsFile = ../../secrets/navidrome-config;
-      };
-
-
+  config = mkIf cfg.enable (mkMerge [
+    {
 
       systemd.services.navidrome = {
 
@@ -55,16 +49,10 @@ in
           WorkingDirectory = "/var/lib/navidrome";
         };
       };
-
-
-
     }
 
+    (mkIf cfg.nginx.enable (mkSubdomain cfg.nginx.subdomain port))
 
-
-      (mkIf cfg.nginx.enable (mkSubdomain cfg.nginx.subdomain port))
-
-      (mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))]);
-
-
+    (mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))
+  ]);
 }
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 2a5d491..9094942 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -8,24 +8,19 @@ with lib;
     enable = mkEnableOption "Create secrets";
   };
 
-  config = mkIf cfg.enable
-    {
-      sops.secrets.ens-mail-passwd = {
-        owner = "julien";
-        path = "/home/julien/.config/ens-mail-passwd";
-      };
-
-      sops.secrets.sendinblue-mail-passwd = { };
-      sops.secrets.git-gpg-private-key = {
-        owner = "julien";
-        mode = "0440";
-        group = config.users.groups.keys.name;
-        sopsFile = ../secrets/git-gpg-private-key;
-        format = "binary";
-      };
-
+  config = mkIf cfg.enable {
 
+    age.secrets.ens-mail-password = {
+      file = ../../secrets/ens-mail-password.age;
+      owner = "julien";
+      path = "/home/julien/.config/ens-mail-passwd";
     };
 
-
+    age.secrets.git-gpg-private-key = {
+      file = ../../secrets/git-gpg-private-key.age;
+      owner = "julien";
+      mode = "0440";
+      group = config.users.groups.keys.name;
+    };
+  };
 }
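Review bot: `git-gpg-private-key` is deployed with `mode = "0440"` and the `keys` group, so every member of that group can read the signing key, not only `julien`. The only consumer visible in this commit is the home-manager activation step that runs `gpg --import`, presumably as `julien`, so `mode = "0400";` without the `group` line looks sufficient; confirm nothing else reads the file. A one-line comment per secret naming its consumer would also help, because `sendinblue-mail-passwd` is dropped here with no replacement and it is not visible whether anything still expects it.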
diff --git a/users/default.nix b/users/default.nix
index 8aa7c2b..bc73138 100644
--- a/users/default.nix
+++ b/users/default.nix
@@ -1,20 +1,27 @@
-{ config, pkgs, lib, ... }: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
 
   users.mutableUsers = false;
   users.defaultUserShell = pkgs.fish;
-  sops.secrets.user-root-password.neededForUsers = true;
 
   programs.fish.enable = true;
 
+  age.secrets.user-root-password.file = ../secrets/user-root-password.age;
+
   users.users.root = {
     uid = config.ids.uids.root;
     description = "System administrator";
     home = "/root";
     shell = lib.mkForce config.users.defaultUserShell;
     group = "root";
-    hashedPasswordFile = config.sops.secrets.user-root-password.path;
-    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower" ];
+    hashedPasswordFile = config.age.secrets.user-root-password.path;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
+    ];
   };
-
-
 }
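Review bot: `age.secrets.user-root-password` replaces a sops secret that had `neededForUsers = true`, and nothing in the new code records why no equivalent is needed. As I understand agenix's activation ordering, secrets are decrypted before the users step and chowned after it, so this works only while the secret keeps the default root owner. A comment such as `# must stay root-owned: read while users are being created` above the `age.secrets` line would protect that. With `users.mutableUsers = false`, a host that cannot decrypt this file presumably ends up without a usable root password, leaving the `authorizedKeys` entry as the only way in.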
diff --git a/users/julien.nix b/users/julien.nix
index edbc593..eb31ea6 100644
--- a/users/julien.nix
+++ b/users/julien.nix
@@ -1,30 +1,26 @@
-{ config, pkgs, ... }: {
-
-  sops.secrets.user-julien-password.neededForUsers = true;
+{ config, pkgs, ... }:
+{
 
   users.users.julien = {
     isNormalUser = true;
     home = "/home/julien";
-    extraGroups = [ "wheel" config.users.groups.keys.name "networkmanager" "davfs2" "adbusers" "audio" "pipewire" "dialout" "video" ];
+    extraGroups = [
+      "wheel"
+      config.users.groups.keys.name
+      "networkmanager"
+      "davfs2"
+      "adbusers"
+      "audio"
+      "pipewire"
+      "dialout"
+      "video"
+    ];
     shell = pkgs.fish;
-    hashedPasswordFile = config.sops.secrets.user-julien-password.path;
+    hashedPasswordFile = config.age.secrets.julien-password.path;
   };
 
   nix.settings.allowed-users = [ "julien" ];
   nix.settings.trusted-users = [ "julien" ];
 
-  sops.secrets.ens-mail-passwd = {
-    owner = "julien";
-    path = "/home/julien/.config/ens-mail-passwd";
-  };
-
-  sops.secrets.git-gpg-private-key = {
-    owner = "julien";
-    mode = "0440";
-    group = config.users.groups.keys.name;
-    sopsFile = ../secrets/git-gpg-private-key;
-    format = "binary";
-  };
-
-
+  age.secrets.julien-password.file = ../secrets/user-julien-password.age;
 }
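Review bot: The secret attribute is named `julien-password` while its file is `user-julien-password.age` and the root equivalent in `users/default.nix` is `user-root-password`. Using `age.secrets.user-julien-password.file = ../secrets/user-julien-password.age;` together with `hashedPasswordFile = config.age.secrets.user-julien-password.path;` keeps the attribute, the file and the sibling consistent. Note also that the `ens-mail-passwd` and `git-gpg-private-key` declarations removed here now exist only in `modules/secrets/default.nix` behind its enable option, so a host that imports this user without enabling that module no longer gets them.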