From ee7bbc7b0d25b22fb2a5a5f73a40f44ca040d1eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?= Date: Fri, 21 Mar 2025 19:44:21 +0100 Subject: [PATCH] refactor: remove obsoletions --- SwarselSystems.org | 140 +++++++++--------- hosts/nixos/nbl-imba-2/default.nix | 5 +- overlays/default.nix | 2 +- profiles/home/common/gammastep.nix | 11 +- profiles/home/optional/work.nix | 62 ++++---- profiles/nixos/common/home-manager.nix | 2 +- profiles/nixos/optional/work.nix | 24 +-- profiles/nixos/server/navidrome.nix | 10 +- profiles/nixos/server/ssh.nix | 4 +- profiles/nixos/server/syncthing.nix | 20 ++- scripts/swarsel-install.sh | 2 +- scripts/swarsel-rebuild.sh | 2 +- .../keys/ssh/{nbl-imba-2.pub => yubikey.pub} | 0 secrets/work/secrets.yaml | 12 +- 14 files changed, 155 insertions(+), 141 deletions(-) rename secrets/keys/ssh/{nbl-imba-2.pub => yubikey.pub} (100%) diff --git a/SwarselSystems.org b/SwarselSystems.org index 92b4d9b..5efb222 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -807,6 +807,7 @@ My work machine. Built for more security, this is the gold standard of my config #+begin_src nix :tangle hosts/nixos/nbl-imba-2/default.nix { self, inputs, pkgs, lib, ... }: let + secretsDirectory = builtins.toString inputs.nix-secrets; profilesPath = "${self}/profiles"; sharedOptions = { isBtrfs = true; @@ -885,8 +886,8 @@ My work machine. Built for more security, this is the gold standard of my config }; networking = { - hostName = "nbl-imba-2"; - fqdn = "nbl-imba-2.imp.univie.ac.at"; + hostName = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/worklaptop-hostname"); + fqdn = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/worklaptop-fqdn"); firewall.enable = true; }; 
@@ -3083,7 +3084,7 @@ This program builds a configuration locally. fi local_keys=$(ssh-add -L || true) - pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/nbl-imba-2.pub) + pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub) read -ra pub_arr <<< "$pub_key" cd .dotfiles @@ -3239,7 +3240,7 @@ This program sets up a new NixOS host locally. fi local_keys=$(ssh-add -L || true) - pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/nbl-imba-2.pub) + pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub) read -ra pub_arr <<< "$pub_key" cd .dotfiles @@ -3768,7 +3769,7 @@ When adding a new entry here, do not forget to add it in the default output of t let additions = final: _: import "${self}/pkgs" { pkgs = final; inherit lib; }; - modifications = final: prev: { + modifications = _: prev: { vesktop = prev.vesktop.override { withSystemVencord = true; }; @@ -4923,7 +4924,7 @@ We enable the use of =home-manager= as a NixoS module. A nice trick here is the home-manager = lib.mkIf config.swarselsystems.withHomeManager { useGlobalPkgs = true; useUserPackages = true; - extraSpecialArgs = inputs; # used mainly for inputs.self + extraSpecialArgs = { inherit (inputs) self nix-secrets; }; }; } #+end_src @@ -6535,11 +6536,11 @@ Here we just define some aliases for rebuilding the system, and we allow some in enable = true; }; users.users.swarsel.openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/nbl-imba-2.pub) + (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) ]; users.users.root.openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/nbl-imba-2.pub) + (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) ]; security.sudo.extraConfig = '' 
@@ -6718,10 +6719,10 @@ Here we just define some aliases for rebuilding the system, and we allow some in }; # Switch using --impure as these credential files are not stored within the flake # sops-nix is not supported for these which is why we need to resort to these - LastFM.ApiKey = builtins.readFile "${secretsDirectory}/navidrome/lastfm-secret"; - LastFM.Secret = builtins.readFile "${secretsDirectory}/navidrome/lastfm-key"; - Spotify.ID = builtins.readFile "${secretsDirectory}/navidrome/spotify-id"; - Spotify.Secret = builtins.readFile "${secretsDirectory}/navidrome/spotify-secret"; + LastFM.ApiKey = lib.strings.trim (builtins.readFile "${secretsDirectory}/navidrome/lastfm-secret"); + LastFM.Secret = lib.strings.trim (builtins.readFile "${secretsDirectory}/navidrome/lastfm-key"); + Spotify.ID = lib.strings.trim (builtins.readFile "${secretsDirectory}/navidrome/spotify-id"); + Spotify.Secret = lib.strings.trim (builtins.readFile "${secretsDirectory}/navidrome/spotify-secret"); UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png"; UIWelcomeMessage = "~SwarselSound~"; }; @@ -7525,7 +7526,11 @@ Here we just define some aliases for rebuilding the system, and we allow some in :END: #+begin_src nix :tangle profiles/nixos/server/syncthing.nix - { lib, config, ... }: + { lib, config, inputs, ... }: + let + secretsDirectory = builtins.toString inputs.nix-secrets; + workHostName = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/worklaptop-hostname"); + in { config = lib.mkIf config.swarselsystems.server.syncthing { @@ -7554,7 +7559,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in "sync (@oracle)" = { id = "ETW6TST-NPK7MKZ-M4LXMHA-QUPQHDT-VTSHH5X-CR5EIN2-YU7E55F-MGT7DQB"; }; - "nbl-imba-2" = { + "${workHostName}" = { id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB"; }; }; 
@@ -7563,7 +7568,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in path = "/Vault/data/syncthing/Sync"; type = "receiveonly"; versioning = null; - devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ]; + devices = [ "sync (@oracle)" "magicant" "${workHostName}" ]; id = "default"; }; "Obsidian" = { @@ -7573,7 +7578,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in type = "simple"; params.keep = "5"; }; - devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ]; + devices = [ "sync (@oracle)" "magicant" "${workHostName}" ]; id = "yjvni-9eaa7"; }; "Org" = { @@ -7583,7 +7588,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in type = "simple"; params.keep = "5"; }; - devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ]; + devices = [ "sync (@oracle)" "magicant" "${workHostName}" ]; id = "a7xnl-zjj3d"; }; "Vpn" = { @@ -7593,7 +7598,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in type = "simple"; params.keep = "5"; }; - devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ]; + devices = [ "sync (@oracle)" "magicant" "${workHostName}" ]; id = "hgp9s-fyq3p"; }; "Documents" = { @@ -7603,12 +7608,12 @@ Here we just define some aliases for rebuilding the system, and we allow some in type = "simple"; params.keep = "5"; }; - devices = [ "magicant" "nbl-imba-2" ]; + devices = [ "magicant" "${workHostName}" ]; id = "hgr3d-pfu3w"; }; # ".elfeed" = { # path = "/Vault/data/syncthing/.elfeed"; - # devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ]; + # devices = [ "sync (@oracle)" "magicant" "${workHostName}" ]; # id = "h7xbs-fs9v1"; # }; }; 
@@ -8229,7 +8234,7 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using. Options that I need specifically at work. There are more options at [[#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6][Work]] (home-manager side). #+begin_src nix :tangle profiles/nixos/optional/work.nix - { self, pkgs, config, ... }: + { self, lib, pkgs, config, ... }: let owner = "swarsel"; sopsFile = self + /secrets/work/secrets.yaml; @@ -8237,16 +8242,10 @@ Options that I need specifically at work. There are more options at [[#h:f0b2ea9 { sops = { secrets = { - clad = { + vcuser = { inherit owner sopsFile; }; - dcad = { - inherit owner sopsFile; - }; - wsad = { - inherit owner sopsFile; - }; - imbad = { + vcpw = { inherit owner sopsFile; }; }; @@ -8255,14 +8254,8 @@ Options that I need specifically at work. There are more options at [[#h:f0b2ea9 # boot.initrd.luks.yubikeySupport = true; programs = { zsh.shellInit = '' - export CLAD="$(cat ${config.sops.secrets.clad.path})" - export DCAD="$(cat ${config.sops.secrets.dcad.path})" - export GOVC_PASSWORD="$(cat ${config.sops.secrets.dcad.path})" - export WSAD="$(cat ${config.sops.secrets.wsad.path})" - export IMBAD="$(cat ${config.sops.secrets.imbad.path})" - export DCUSER="dc_adm_schwarzaeugl@IMP.UNIVIE.AC.AT" - export GOVC_USERNAME="dc_adm_schwarzaeugl@IMP.UNIVIE.AC.AT" - export PACKER_SSH_EXTRA_ARGS='"--scp-extra-args","'-O'"' + export VSPHERE_USER="$(cat ${config.sops.secrets.vcuser.path})" + export VSPHERE_PW="$(cat ${config.sops.secrets.vcpw.path})" ''; browserpass.enable = true; 
@@ -11023,13 +11016,16 @@ Settinfs that are needed for the gpg-agent. Also we are enabling emacs support f This service changes the screen hue at night. I am not sure if that really does something, but I like the color anyways. #+begin_src nix :tangle profiles/home/common/gammastep.nix - _: + { config, lib, nix-secrets, ... }: + let + secretsDirectory = builtins.toString nix-secrets; + in { - services.gammastep = { + services.gammastep = lib.mkIf (!config.swarselsystems.isPublic) { enable = true; provider = "manual"; - latitude = 48.210033; - longitude = 16.363449; + latitude = lib.strings.trim (builtins.readFile "${secretsDirectory}/home/gammastep-latitude"); + longitude = lib.strings.trim (builtins.readFile "${secretsDirectory}/home/gammastep-longitude"); }; } #+end_src @@ -11165,7 +11161,13 @@ The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]]. Here, I am setting up the different firefox profiles that I need for the SSO sites that I need to access at work as well as a few ssh shorthands. #+begin_src nix :tangle profiles/home/optional/work.nix :noweb yes - { self, config, pkgs, lib, ... }: + { self, config, pkgs, lib, nix-secrets, ... }: + let + secretsDirectory = builtins.toString nix-secrets; + dcUser = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/dc-user"); + clUser = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/cl-user"); + wsUser = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/ws-user"); + in { home.packages = with pkgs; [ stable.teams-for-linux 
@@ -11200,14 +11202,20 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] }; }; + stylix.targets.firefox.profileNames = [ + "dc" + "cl" + "ws" + ]; + programs = { - git.userEmail = "leon.schwarzaeugl@imba.oeaw.ac.at"; + git.userEmail = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/git-email"); zsh = { shellAliases = { - dssh = "ssh -l dc_adm_schwarzaeugl"; - cssh = "ssh -l cl_adm_schwarzaeugl"; - wssh = "ssh -l ws_adm_schwarzaeugl"; + dssh = "ssh -l ${dcUser}"; + cssh = "ssh -l ${clUser}"; + wssh = "ssh -l ${wsUser}"; }; cdpath = [ "~/Documents/Work" 
@@ -11224,42 +11232,42 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] ssh = { matchBlocks = { "uc" = { - hostname = "uc.clip.vbc.ac.at"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/uc-prod"); user = "stack"; }; "uc.stg" = { - hostname = "uc.staging.clip.vbc.ac.at"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/uc-stg"); user = "stack"; }; "uc.staging" = { - hostname = "uc.staging.clip.vbc.ac.at"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/uc-stg"); user = "stack"; }; "uc.dev" = { - hostname = "uc.dev.clip.vbc.ac.at"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/uc-dev"); user = "stack"; }; "cbe" = { - hostname = "cbe.vbc.ac.at"; - user = "dc_adm_schwarzaeugl"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/cbe-prod"); + user = dcUser; }; "cbe.stg" = { - hostname = "cbe.staging.clip.vbc.ac.at"; - user = "dc_adm_schwarzaeugl"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/cbe-stg"); + user = dcUser; }; "cbe.staging" = { - hostname = "cbe.staging.clip.vbc.ac.at"; - user = "dc_adm_schwarzaeugl"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/cbe-stg"); + user = dcUser; }; "*.vbc.ac.at" = { - user = "dc_adm_schwarzaeugl"; + user = dcUser; }; }; }; firefox = { profiles = { - dc_adm = lib.recursiveUpdate + dc = lib.recursiveUpdate { id = 1; settings = { @@ -11267,7 +11275,7 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] }; } config.swarselsystems.firefox; - cl_adm = lib.recursiveUpdate + cl = lib.recursiveUpdate { id = 2; settings = { 
@@ -11275,7 +11283,7 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] }; } config.swarselsystems.firefox; - ws_adm = lib.recursiveUpdate { id = 3; } config.swarselsystems.firefox; + ws = lib.recursiveUpdate { id = 3; } config.swarselsystems.firefox; }; }; @@ -11430,23 +11438,23 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] in { firefox_dc = { - name = "Firefox (dc_adm)"; + name = "Firefox (dc)"; genericName = "Firefox dc"; - exec = "firefox -p dc_adm"; + exec = "firefox -p dc"; inherit terminal categories icon; }; firefox_ws = { - name = "Firefox (ws_adm)"; + name = "Firefox (ws)"; genericName = "Firefox ws"; - exec = "firefox -p ws_adm"; + exec = "firefox -p ws"; inherit terminal categories icon; }; firefox_cl = { - name = "Firefox (cl_adm)"; + name = "Firefox (cl)"; genericName = "Firefox cl"; - exec = "firefox -p cl_adm"; + exec = "firefox -p cl"; inherit terminal categories icon; }; diff --git a/hosts/nixos/nbl-imba-2/default.nix b/hosts/nixos/nbl-imba-2/default.nix index 7ce02cb..f7463f9 100644 --- a/hosts/nixos/nbl-imba-2/default.nix +++ b/hosts/nixos/nbl-imba-2/default.nix @@ -1,5 +1,6 @@ { self, inputs, pkgs, lib, ... }: let + secretsDirectory = builtins.toString inputs.nix-secrets; profilesPath = "${self}/profiles"; sharedOptions = { isBtrfs = true; @@ -78,8 +79,8 @@ in }; networking = { - hostName = "nbl-imba-2"; - fqdn = "nbl-imba-2.imp.univie.ac.at"; + hostName = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/worklaptop-hostname"); + fqdn = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/worklaptop-fqdn"); firewall.enable = true; }; diff --git a/overlays/default.nix b/overlays/default.nix index f86d025..ae48f72 100644 --- a/overlays/default.nix +++ b/overlays/default.nix 
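Review bot: `networking.fqdn` is a derived option in NixOS (hostName plus `networking.domain`) and, as far as I recall, is declared read-only in current nixpkgs, so assigning it directly may be rejected on a nixpkgs upgrade even if this host evaluates today; the portable form is `domain = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/worklaptop-domain");` and letting fqdn follow. Values read with `builtins.readFile` from the flake input are embedded as plain strings in the evaluated configuration and therefore land in the world-readable `/nix/store` on the machine, so this is public-repo hygiene rather than secrecy, which is fine for a hostname but worth saying in a comment: `# read from the private nix-secrets input; still visible in /nix/store on this host`. The `let` binding this file's first hunk adds continues outside the hunk.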
@@ -3,7 +3,7 @@ let additions = final: _: import "${self}/pkgs" { pkgs = final; inherit lib; }; - modifications = final: prev: { + modifications = _: prev: { vesktop = prev.vesktop.override { withSystemVencord = true; }; diff --git a/profiles/home/common/gammastep.nix b/profiles/home/common/gammastep.nix index 516dbf1..862b238 100644 --- a/profiles/home/common/gammastep.nix +++ b/profiles/home/common/gammastep.nix @@ -1,9 +1,12 @@ -_: +{ config, lib, nix-secrets, ... }: +let + secretsDirectory = builtins.toString nix-secrets; +in { - services.gammastep = { + services.gammastep = lib.mkIf (!config.swarselsystems.isPublic) { enable = true; provider = "manual"; - latitude = 48.210033; - longitude = 16.363449; + latitude = lib.strings.trim (builtins.readFile "${secretsDirectory}/home/gammastep-latitude"); + longitude = lib.strings.trim (builtins.readFile "${secretsDirectory}/home/gammastep-longitude"); }; } diff --git a/profiles/home/optional/work.nix b/profiles/home/optional/work.nix index b61698d..1950795 100644 --- a/profiles/home/optional/work.nix +++ b/profiles/home/optional/work.nix @@ -1,4 +1,10 @@ -{ self, config, pkgs, lib, ... }: +{ self, config, pkgs, lib, nix-secrets, ... }: +let + secretsDirectory = builtins.toString nix-secrets; + dcUser = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/dc-user"); + clUser = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/cl-user"); + wsUser = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/ws-user"); +in { home.packages = with pkgs; [ stable.teams-for-linux 
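Review bot: Moving the coordinates into `nix-secrets` keeps them out of the public repo but not off the machine: a flake input is copied into the world-readable `/nix/store`, and with `provider = "manual"` home-manager presumably passes the values to gammastep in the generated unit, so any local user can still read them. That is likely an acceptable trade-off for a location, but the block should say so, e.g. `# Coordinates come from the private nix-secrets input; they remain readable in /nix/store on the host.`. The `mkIf (!config.swarselsystems.isPublic)` guard only keeps the two `readFile` calls from being forced because the attrset is lazy, which is a subtle enough reason to deserve a one-line comment as well.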
@@ -33,14 +39,20 @@ }; }; + stylix.targets.firefox.profileNames = [ + "dc" + "cl" + "ws" + ]; + programs = { - git.userEmail = "leon.schwarzaeugl@imba.oeaw.ac.at"; + git.userEmail = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/git-email"); zsh = { shellAliases = { - dssh = "ssh -l dc_adm_schwarzaeugl"; - cssh = "ssh -l cl_adm_schwarzaeugl"; - wssh = "ssh -l ws_adm_schwarzaeugl"; + dssh = "ssh -l ${dcUser}"; + cssh = "ssh -l ${clUser}"; + wssh = "ssh -l ${wsUser}"; }; cdpath = [ "~/Documents/Work" @@ -57,42 +69,42 @@ ssh = { matchBlocks = { "uc" = { - hostname = "uc.clip.vbc.ac.at"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/uc-prod"); user = "stack"; }; "uc.stg" = { - hostname = "uc.staging.clip.vbc.ac.at"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/uc-stg"); user = "stack"; }; "uc.staging" = { - hostname = "uc.staging.clip.vbc.ac.at"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/uc-stg"); user = "stack"; }; "uc.dev" = { - hostname = "uc.dev.clip.vbc.ac.at"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/uc-dev"); user = "stack"; }; "cbe" = { - hostname = "cbe.vbc.ac.at"; - user = "dc_adm_schwarzaeugl"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/cbe-prod"); + user = dcUser; }; "cbe.stg" = { - hostname = "cbe.staging.clip.vbc.ac.at"; - user = "dc_adm_schwarzaeugl"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/cbe-stg"); + user = dcUser; }; "cbe.staging" = { - hostname = "cbe.staging.clip.vbc.ac.at"; - user = "dc_adm_schwarzaeugl"; + hostname = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/cbe-stg"); + user = dcUser; }; "*.vbc.ac.at" = { - user = "dc_adm_schwarzaeugl"; + user = dcUser; }; }; }; firefox = { profiles = { - dc_adm = lib.recursiveUpdate + dc = lib.recursiveUpdate { id = 1; settings = { 
@@ -100,7 +112,7 @@ }; } config.swarselsystems.firefox; - cl_adm = lib.recursiveUpdate + cl = lib.recursiveUpdate { id = 2; settings = { @@ -108,7 +120,7 @@ }; } config.swarselsystems.firefox; - ws_adm = lib.recursiveUpdate { id = 3; } config.swarselsystems.firefox; + ws = lib.recursiveUpdate { id = 3; } config.swarselsystems.firefox; }; }; @@ -263,23 +275,23 @@ in { firefox_dc = { - name = "Firefox (dc_adm)"; + name = "Firefox (dc)"; genericName = "Firefox dc"; - exec = "firefox -p dc_adm"; + exec = "firefox -p dc"; inherit terminal categories icon; }; firefox_ws = { - name = "Firefox (ws_adm)"; + name = "Firefox (ws)"; genericName = "Firefox ws"; - exec = "firefox -p ws_adm"; + exec = "firefox -p ws"; inherit terminal categories icon; }; firefox_cl = { - name = "Firefox (cl_adm)"; + name = "Firefox (cl)"; genericName = "Firefox cl"; - exec = "firefox -p cl_adm"; + exec = "firefox -p cl"; inherit terminal categories icon; }; diff --git a/profiles/nixos/common/home-manager.nix b/profiles/nixos/common/home-manager.nix index 95cc48f..89400a4 100644 --- a/profiles/nixos/common/home-manager.nix +++ b/profiles/nixos/common/home-manager.nix @@ -3,6 +3,6 @@ home-manager = lib.mkIf config.swarselsystems.withHomeManager { useGlobalPkgs = true; useUserPackages = true; - extraSpecialArgs = inputs; # used mainly for inputs.self + extraSpecialArgs = { inherit (inputs) self nix-secrets; }; }; } diff --git a/profiles/nixos/optional/work.nix b/profiles/nixos/optional/work.nix index c6cefbe..16e1069 100644 --- a/profiles/nixos/optional/work.nix +++ b/profiles/nixos/optional/work.nix @@ -1,4 +1,4 @@ -{ self, pkgs, config, ... }: +{ self, lib, pkgs, config, ... }: let owner = "swarsel"; sopsFile = self + /secrets/work/secrets.yaml; @@ -6,16 +6,10 @@ in { sops = { secrets = { - clad = { + vcuser = { inherit owner sopsFile; }; - dcad = { - inherit owner sopsFile; - }; - wsad = { - inherit owner sopsFile; - }; - imbad = { + vcpw = { inherit owner sopsFile; }; }; 
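Review bot: The comment dropped together with the old `extraSpecialArgs = inputs` line should be replaced by one that states what `nix-secrets` is for, because every `builtins.readFile` of it becomes a plain string in the evaluated closure and the input should therefore only hold identifiers you are willing to have in `/nix/store` on each host (hostnames, usernames, coordinates), while anything that is actually a credential keeps going through sops-nix as the `vcuser`/`vcpw` secrets in this same diff do. Suggested: `extraSpecialArgs = { inherit (inputs) self nix-secrets; }; # self for self-references; nix-secrets for non-credential private values read at eval time`. Narrowing the special args from the whole `inputs` set is itself a good change; only the intent is missing.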
@@ -24,14 +18,8 @@ in # boot.initrd.luks.yubikeySupport = true; programs = { zsh.shellInit = '' - export CLAD="$(cat ${config.sops.secrets.clad.path})" - export DCAD="$(cat ${config.sops.secrets.dcad.path})" - export GOVC_PASSWORD="$(cat ${config.sops.secrets.dcad.path})" - export WSAD="$(cat ${config.sops.secrets.wsad.path})" - export IMBAD="$(cat ${config.sops.secrets.imbad.path})" - export DCUSER="dc_adm_schwarzaeugl@IMP.UNIVIE.AC.AT" - export GOVC_USERNAME="dc_adm_schwarzaeugl@IMP.UNIVIE.AC.AT" - export PACKER_SSH_EXTRA_ARGS='"--scp-extra-args","'-O'"' + export VSPHERE_USER="$(cat ${config.sops.secrets.vcuser.path})" + export VSPHERE_PW="$(cat ${config.sops.secrets.vcpw.path})" ''; browserpass.enable = true; @@ -52,7 +40,7 @@ in }; virtualisation = { - docker.enable = true; + docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true; spiceUSBRedirection.enable = true; libvirtd = { enable = true; diff --git a/profiles/nixos/server/navidrome.nix b/profiles/nixos/server/navidrome.nix index caf6c6b..be4e43b 100644 --- a/profiles/nixos/server/navidrome.nix +++ b/profiles/nixos/server/navidrome.nix @@ -39,7 +39,7 @@ in enable = true; openFirewall = true; settings = { - LogLevel = "error"; + LogLevel = "debug"; Address = "127.0.0.1"; Port = 4040; MusicFolder = "/Vault/Eternor/Musik"; 
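Review bot: `zsh.shellInit` still exports the vSphere password into the environment of every zsh process (shellInit ends up in zshenv, so non-interactive shells included), where any program started from the shell inherits it and any same-user process can read it from `/proc/<pid>/environ`; the removed `DCAD`/`GOVC_PASSWORD` exports had the same shape, so this is not new, but the rewrite is the moment to fix it. Define a function that loads the credentials on demand instead, e.g. `vsphere-env() { export VSPHERE_USER="$(<${config.sops.secrets.vcuser.path})"; export VSPHERE_PW="$(<${config.sops.secrets.vcpw.path})"; }`, and call it only in the shell that needs it. The sops secrets keep sops-nix's default 0400 mode owned by `swarsel`, which is the right setting for this.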
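Review bot: `LogLevel = "debug"` replaces `"error"` in a hunk that has nothing to do with the refactor, and the commit message does not mention it; if this is a leftover from troubleshooting it should be reverted, because debug output from a service configured with Last.fm and Spotify credentials is exactly the kind of log that may end up in the journal readable by everyone in the journal group. If it is intentional, add `# debug: temporarily raised for troubleshooting scrobbling` so the next reader knows to lower it again.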
@@ -59,10 +59,10 @@ in }; # Switch using --impure as these credential files are not stored within the flake # sops-nix is not supported for these which is why we need to resort to these - LastFM.ApiKey = builtins.readFile "${secretsDirectory}/navidrome/lastfm-secret"; - LastFM.Secret = builtins.readFile "${secretsDirectory}/navidrome/lastfm-key"; - Spotify.ID = builtins.readFile "${secretsDirectory}/navidrome/spotify-id"; - Spotify.Secret = builtins.readFile "${secretsDirectory}/navidrome/spotify-secret"; + LastFM.ApiKey = lib.strings.trim (builtins.readFile "${secretsDirectory}/navidrome/lastfm-secret"); + LastFM.Secret = lib.strings.trim (builtins.readFile "${secretsDirectory}/navidrome/lastfm-key"); + Spotify.ID = lib.strings.trim (builtins.readFile "${secretsDirectory}/navidrome/spotify-id"); + Spotify.Secret = lib.strings.trim (builtins.readFile "${secretsDirectory}/navidrome/spotify-secret"); UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png"; UIWelcomeMessage = "~SwarselSound~"; }; diff --git a/profiles/nixos/server/ssh.nix b/profiles/nixos/server/ssh.nix index 5b0d371..21b1d6d 100644 --- a/profiles/nixos/server/ssh.nix +++ b/profiles/nixos/server/ssh.nix @@ -4,11 +4,11 @@ enable = true; }; users.users.swarsel.openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/nbl-imba-2.pub) + (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) ]; users.users.root.openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/nbl-imba-2.pub) + (self + /secrets/keys/ssh/yubikey.pub) (self + /secrets/keys/ssh/magicant.pub) ]; security.sudo.extraConfig = '' diff --git a/profiles/nixos/server/syncthing.nix b/profiles/nixos/server/syncthing.nix index 633afed..b5c551f 100644 --- a/profiles/nixos/server/syncthing.nix +++ b/profiles/nixos/server/syncthing.nix 
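Review bot: `LastFM.ApiKey` reads `lastfm-secret` and `LastFM.Secret` reads `lastfm-key`, the opposite of what the file names suggest; if the files are named after their contents the two values are swapped and the Last.fm integration will fail, so either swap the two paths or rename the files so the pairing is obvious. Separately, these `builtins.readFile` calls put the API secrets verbatim into the generated navidrome config in the world-readable `/nix/store`, which the comment above only half-acknowledges; if the nixpkgs in use has `services.navidrome.environmentFile`, a sops-nix template holding `ND_LASTFM_APIKEY=…`, `ND_LASTFM_SECRET=…`, `ND_SPOTIFY_ID=…` and `ND_SPOTIFY_SECRET=…` keeps them out of the store and drops the need for `--impure`. The `settings` attrset this hunk sits in begins outside the hunk.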
@@ -1,4 +1,8 @@ -{ lib, config, ... }: +{ lib, config, inputs, ... }: +let + secretsDirectory = builtins.toString inputs.nix-secrets; + workHostName = lib.strings.trim (builtins.readFile "${secretsDirectory}/work/worklaptop-hostname"); +in { config = lib.mkIf config.swarselsystems.server.syncthing { @@ -27,7 +31,7 @@ "sync (@oracle)" = { id = "ETW6TST-NPK7MKZ-M4LXMHA-QUPQHDT-VTSHH5X-CR5EIN2-YU7E55F-MGT7DQB"; }; - "nbl-imba-2" = { + "${workHostName}" = { id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB"; }; }; @@ -36,7 +40,7 @@ path = "/Vault/data/syncthing/Sync"; type = "receiveonly"; versioning = null; - devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ]; + devices = [ "sync (@oracle)" "magicant" "${workHostName}" ]; id = "default"; }; "Obsidian" = { @@ -46,7 +50,7 @@ type = "simple"; params.keep = "5"; }; - devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ]; + devices = [ "sync (@oracle)" "magicant" "${workHostName}" ]; id = "yjvni-9eaa7"; }; "Org" = { @@ -56,7 +60,7 @@ type = "simple"; params.keep = "5"; }; - devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ]; + devices = [ "sync (@oracle)" "magicant" "${workHostName}" ]; id = "a7xnl-zjj3d"; }; "Vpn" = { @@ -66,7 +70,7 @@ type = "simple"; params.keep = "5"; }; - devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ]; + devices = [ "sync (@oracle)" "magicant" "${workHostName}" ]; id = "hgp9s-fyq3p"; }; "Documents" = { @@ -76,12 +80,12 @@ type = "simple"; params.keep = "5"; }; - devices = [ "magicant" "nbl-imba-2" ]; + devices = [ "magicant" "${workHostName}" ]; id = "hgr3d-pfu3w"; }; # ".elfeed" = { # path = "/Vault/data/syncthing/.elfeed"; - # devices = [ "sync (@oracle)" "magicant" "nbl-imba-2" ]; + # devices = [ "sync (@oracle)" "magicant" "${workHostName}" ]; # id = "h7xbs-fs9v1"; # }; }; diff --git a/scripts/swarsel-install.sh b/scripts/swarsel-install.sh index 4d55f1c..c1f5769 100644 --- a/scripts/swarsel-install.sh +++ b/scripts/swarsel-install.sh 
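Review bot: `"${workHostName}"` is an interpolation whose only content is the variable, so the `devices` entries can simply be `workHostName` and the attribute key can be `${workHostName} = { … }` without quotes, which Nix accepts as a dynamic attribute name. The three-device list is now repeated five times; a `workDevices = [ "sync (@oracle)" "magicant" workHostName ];` next to the existing `let` would turn a future rename into a one-line change. Note that `lib.strings.trim` does not validate anything: a missing file is an evaluation error, but an empty `worklaptop-hostname` silently produces an empty device name rather than a failure.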
@@ -115,7 +115,7 @@ else fi local_keys=$(ssh-add -L || true) -pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/nbl-imba-2.pub) +pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub) read -ra pub_arr <<< "$pub_key" cd .dotfiles diff --git a/scripts/swarsel-rebuild.sh b/scripts/swarsel-rebuild.sh index 57e1a8a..2a6ea54 100644 --- a/scripts/swarsel-rebuild.sh +++ b/scripts/swarsel-rebuild.sh @@ -67,7 +67,7 @@ else fi local_keys=$(ssh-add -L || true) -pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/nbl-imba-2.pub) +pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub) read -ra pub_arr <<< "$pub_key" cd .dotfiles diff --git a/secrets/keys/ssh/nbl-imba-2.pub b/secrets/keys/ssh/yubikey.pub similarity index 100% rename from secrets/keys/ssh/nbl-imba-2.pub rename to secrets/keys/ssh/yubikey.pub diff --git a/secrets/work/secrets.yaml b/secrets/work/secrets.yaml index aefe938..e616fed 100644 --- a/secrets/work/secrets.yaml +++ b/secrets/work/secrets.yaml @@ -1,7 +1,5 @@ -clad: ENC[AES256_GCM,data:pE/sks9TK6acHwAjNLD0SdRHj6b2ZMkge2w=,iv:aJESPMVXdK1iJ7ItZYZMTcWGgAwTWuMB4d78OlqFbYY=,tag:AtLY/myOjpE6fbQpatfgGg==,type:str] -dcad: ENC[AES256_GCM,data:advwwnnNSD53JaWwi3zlLbUTx515xw==,iv:4/B9Vr/IaV0HJUC73snbOeF9FvhCKvgp3CcK7GWh6uA=,tag:69yEWNJEjYnYWNTzXSBJmg==,type:str] -wsad: ENC[AES256_GCM,data:yNL4Ql93sr9PcK0mMihArl2FhATFAzZF1Fy6fgbykeDU,iv:qet1Aba9PkXpFUmTqFVifAN4EKw5BpOxhKxXnHeJYkU=,tag:AJSMdOky0HYEgdS5B/PAcw==,type:str] -imbad: ENC[AES256_GCM,data:/8bq5AtzsZrbXOLY73K2ie9R4GNEAA==,iv:EZHUbS58y1NVM6wkzlmxvWaDMjjWU0VU+9nrGmt9fcw=,tag:axFWhsQ7w1DOHN4yOoF1og==,type:str] +vcuser: ENC[AES256_GCM,data:M2LmjWGI6boQtOdTZz3dZ9Qb,iv:/KAC1RF0bqviHzPFP8F8GlX32f/8Qp07iXz2Yz5UO5o=,tag:rYzeylJIWtoQrSGy8OZqQg==,type:str] +vcpw: ENC[AES256_GCM,data:bgqPbdJMVZXPWXiNsr9GxFRE1Q==,iv:5HuagCnNWLBvw7Z+nmLhCfMFV6b9mOd+afqCBUvWjNc=,tag:LfMOFvQZtNUh+7z6a+mpZA==,type:str] sops: kms: [] gcp_kms: [] 
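Review bot: Deleting `clad`, `dcad`, `wsad` and `imbad` from the sops file only removes them from HEAD; the ciphertexts, and the plaintext usernames and hostnames removed elsewhere in this commit, stay in the git history of what the refactor implies is a public repository. The ciphertexts are only as safe as every age/pgp recipient key listed below, so if those entries were credentials for accounts that still exist, treat this as a reason to rotate them rather than as a cleanup. Also confirm the recipient set was not meant to change here: `sops updatekeys` is a separate step, and the diff only shows `mac`, `lastmodified` and `version` updated.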
@@ -17,8 +15,8 @@ sops: Z0dpTnpXcnRub2NWU21PblBtUnBXTnMKfmW5I2G+XhXEi8ssdnlavppxhgI4G56B 555YBJ8mLRXKINtd37nUyfydEUYiM4zUbTFlJ+83VVF//+4KUeOCYw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-17T08:36:23Z" - mac: ENC[AES256_GCM,data:gVfvTcYIzp4xdmAE14VzdVyef1f7KYykWcoehSc6nkkKNEg7+wjkcsrGoJvE4lbx64IahOJLEzD5aL695RzV32uFz+V+juQVvPW9rZIwz8Y62LYN+Vnowa4VfANPQ7uuUVrk29GPOHfwII5SJWOJcddQwu1XOX1VabIqq9ZweMw=,iv:+HXbFohCMJGytoKbTZ+aR3Lo7bg7O1Wgy2R3KiLv9hE=,tag:dSxMKKqwF4HMW/PtL6ALGw==,type:str] + lastmodified: "2025-03-21T17:17:55Z" + mac: ENC[AES256_GCM,data:6jF3PUfhVaLe1pIlCYlGHOqXhetWij1WijaSt63x/9m81QIcPlrlihpL3jN6d8P57PpnQU0ZHk6vwotmzDH3fsqiYzBaNK7oPuJFQotnm1eHR2NVLCO8zQLY47XN2kjuOSl6N2WNociux0oiOssw5BTFym0uInDlX9Lt9+/YlHI=,iv:J40e5Aoi++2oTrx7JpUL8HdVumWrnLRDsbBfp8YjzCA=,tag:jiHu4mG5PLrrB3FGekpKYw==,type:str] pgp: - created_at: "2024-12-17T11:38:28Z" enc: |- @@ -52,4 +50,4 @@ sops: -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.4