diff --git a/.sops.yaml b/.sops.yaml index d061e5e..871f4f9 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -21,6 +21,28 @@ creation_rules: - *toto - *surface - *nbl + - path_regex: hosts/nixos/nbl-imba-2/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel + age: + - *nbl + - path_regex: hosts/nixos/winters/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel + age: + - *winters + - path_regex: hosts/nixos/sync/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel + age: + - *sync + - path_regex: hosts/darwin/nbm-imba-166/secrets/pii.nix.enc + key_groups: + - pgp: + - *swarsel - path_regex: secrets/repo/[^/]+$ key_groups: - pgp: diff --git a/SwarselSystems.org b/SwarselSystems.org index ec11500..7e05339 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -809,9 +809,8 @@ My work machine. Built for more security, this is the gold standard of my config :CUSTOM_ID: h:567c0055-f5f7-4e53-8f13-d767d7166e9d :END: #+begin_src nix :tangle hosts/nixos/nbl-imba-2/default.nix - { self, inputs, lib, primaryUser, ... }: + { self, config, inputs, lib, primaryUser, ... }: let - secretsDirectory = builtins.toString inputs.nix-secrets; sharedOptions = { isBtrfs = true; isLinux = true; @@ -834,7 +833,7 @@ My work machine. Built for more security, this is the gold standard of my config ]; - + node.secretsDir = ./secrets; swarselsystems = lib.recursiveUpdate { firewall = lib.mkForce true; @@ -844,8 +843,8 @@ My work machine. Built for more security, this is the gold standard of my config isImpermanence = false; isSecureBoot = true; isCrypted = true; - hostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname"; - fqdn = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-fqdn"; + inherit (config.repo.secrets.local) hostName; + inherit (config.repo.secrets.local) fqdn; hibernation.offset = 533760; profiles = { amdcpu = true; 
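Review bot: The new rule for `hosts/darwin/nbm-imba-166/secrets/pii.nix.enc` lists only a `pgp` recipient, whereas the three NixOS host rules added next to it each add the host's `age` key as well (`*nbl`, `*winters`, `*sync`). If that is deliberate (the Darwin host never decrypts the file itself, only the evaluating machine holding the PGP key does), a short comment inside the rule would spare the next reader the guess; otherwise add `age:` / `- *<darwin-host-age-anchor>` under the same key group as for the other hosts. With a single PGP recipient, loss of that one key also makes this file unrecoverable, which is worth stating next to the rule either way.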
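Review bot: The two `inherit (config.repo.secrets.local) ...` lines in the @@ -844 hunk can be one statement, `inherit (config.repo.secrets.local) hostName fqdn;`, which also reads as a single claim about where both values come from. The same pair appears in the tangled `hosts/nixos/nbl-imba-2/default.nix` hunk (@@ -33,8 +32,8) later in this diff; since the .org file is the source the .nix files are tangled from, keeping both in step matters more than the style itself. The attribute set these lines sit in continues outside the hunk.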
@@ -1062,7 +1061,7 @@ This is my main server that I run at home. It handles most tasks that require bi :CUSTOM_ID: h:8ad68406-4a75-45ba-97ad-4c310b921124 :END: #+begin_src nix :tangle hosts/nixos/winters/default.nix - { lib, primaryUser, ... }: + { lib, config, primaryUser, ... }: let sharedOptions = { isBtrfs = false; @@ -1084,14 +1083,15 @@ This is my main server that I run at home. It handles most tasks that require bi }; networking = { + inherit (config.repo.secrets.local) hostId; hostName = "winters"; - hostId = "b7778a4a"; firewall.enable = true; enableIPv6 = false; firewall.allowedTCPPorts = [ 80 443 ]; }; + node.secretsDir = ./secrets; swarselsystems = lib.recursiveUpdate { isImpermanence = false; @@ -1170,10 +1170,9 @@ This is my main server that I run at home. It handles most tasks that require bi A Mac notebook that I have received from work. I use this machine for getting accustomed to the Apple ecosystem as well as as a sandbox for nix-darwin configurations. #+begin_src nix :tangle hosts/darwin/nbm-imba-166/default.nix - { lib, inputs, ... }: + { lib, ... }: let - secretsDirectory = builtins.toString inputs.nix-secrets; - workUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/work-user"; + inherit (config.repo.secrets.local) workUser; in { 
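Review bot: In the @@ -1170 hunk the new `inherit (config.repo.secrets.local) workUser;` references `config`, but the module's argument set was changed to `{ lib, ... }:` and never declares it, so evaluation will stop with an undefined-variable error for `config`; the header should read `{ lib, config, ... }:`, as the winters and nbl-imba-2 hunks already do. The same omission is in the sync hunk (@@ -1276, header `{ lib, primaryUser, ... }:` while the let-block uses `config.repo.secrets.common` and `config.repo.secrets.local.syncthing`) and in the tangled files `hosts/darwin/nbm-imba-166/default.nix` and `hosts/nixos/sync/default.nix` further down this diff. The module bodies continue outside each of these hunks.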
@@ -1276,18 +1275,14 @@ This machine mainly acts as an external sync helper. It manages the following th All of these are processes that use little cpu but can take a lot of storage. For this I use a free Ampere instance from OCI with 50G of space. In case my account gets terminated, all of this data is easily replaceable or backed up regularly anyways. #+begin_src nix :tangle hosts/nixos/sync/default.nix - { lib, primaryUser, inputs, ... }: + { lib, primaryUser, ... }: let sharedOptions = { isBtrfs = false; isLinux = true; }; - secretsDirectory = builtins.toString inputs.nix-secrets; - workHostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname"; - dev1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev1"; - dev2 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev2"; - dev3 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev3"; - loc1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/loc1"; + inherit (config.repo.secrets.common) workHostName; + inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1; in { imports = [ @@ -7159,10 +7154,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t :END: #+begin_src nix :tangle modules/nixos/server/navidrome.nix - { pkgs, lib, inputs, config, ... }: - let - secretsDirectory = builtins.toString inputs.nix-secrets; - in + { pkgs, config, lib, ... }: { options.swarselsystems.modules.server.navidrome = lib.mkEnableOption "enable navidrome on server"; config = lib.mkIf config.swarselsystems.modules.server.navidrome { 
@@ -7221,10 +7213,12 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t }; # Switch using --impure as these credential files are not stored within the flake # sops-nix is not supported for these which is why we need to resort to these - LastFM.ApiKey = lib.swarselsystems.getSecret "${secretsDirectory}/navidrome/lastfm-secret"; - LastFM.Secret = lib.swarselsystems.getSecret "${secretsDirectory}/navidrome/lastfm-key"; - Spotify.ID = lib.swarselsystems.getSecret "${secretsDirectory}/navidrome/spotify-id"; - Spotify.Secret = lib.swarselsystems.getSecret "${secretsDirectory}/navidrome/spotify-secret"; + LastFM = { + inherit (config.repo.secrets.local.LastFM) ApiKey Secret; + }; + Spotify = { + inherit (config.repo.secrets.local.Spotify) ID Secret; + }; UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png"; UIWelcomeMessage = "~SwarselSound~"; }; @@ -8115,10 +8109,9 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= :END: #+begin_src nix :tangle modules/nixos/server/syncthing.nix - { lib, config, inputs, ... }: + { lib, config, ... }: let - secretsDirectory = builtins.toString inputs.nix-secrets; - workHostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname"; + inherit (config.repo.secrets.common) workHostName; in { options.swarselsystems.modules.server.syncthing = lib.mkEnableOption "enable syncthing on server"; 
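Review bot: The two context comment lines above the new `LastFM = { ... }` block, `# Switch using --impure as these credential files are not stored within the flake` and `# sops-nix is not supported for these which is why we need to resort to these`, no longer describe the code: the values now come from `config.repo.secrets.local`, which (presumably via `node.secretsDir`) is the encrypted `pii.nix.enc` committed in the repository, not an out-of-tree credential directory. I would replace them with something like `# Decrypted from the host's pii.nix.enc at evaluation time; these land in the rendered Navidrome config, so sops-nix runtime secrets cannot be used here.` One caveat belongs in that comment: if this attrset is rendered into a store path (which the surrounding UI settings suggest), the API keys remain readable on the host exactly as they were with `getSecret`; the change protects the git history, not the running system.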
@@ -8240,10 +8233,9 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= This manages backups for my pictures and obsidian files. #+begin_src nix :tangle modules/nixos/server/restic.nix - { lib, pkgs, config, inputs, ... }: + { lib, pkgs, config, ... }: let - secretsDirectory = builtins.toString inputs.nix-secrets; - resticRepo = lib.swarselsystems.getSecret "${secretsDirectory}/restic/wintersRepo"; + inherit (config.repo.secrets.local) resticRepo; in { options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server"; @@ -10807,15 +10799,10 @@ Also in firefox `about:config > toolkit.legacyUserProfileCustomizations.styleshe Sets environment variables. Here I am only setting the EDITOR variable, most variables are set in the [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]] section. #+begin_src nix :tangle modules/home/common/env.nix - { lib, config, nix-secrets, ... }: + { lib, config, nixosConfig, ... }: let - secretsDirectory = builtins.toString nix-secrets; - leonMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/leon"; - nautilusMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/nautilus"; - mrswarselMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/mrswarsel"; - swarselMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/swarsel"; - fullName = lib.swarselsystems.getSecret "${secretsDirectory}/info/fullname"; - allMailAddresses = lib.swarselsystems.getSecret "${secretsDirectory}/mail/list"; + inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses; + inherit (nixosConfig.repo.secrets.common) fullName; in { options.swarselsystems.modules.env = lib.mkEnableOption "env settings"; 
@@ -10827,10 +10814,10 @@ Sets environment variables. Here I am only setting the EDITOR variable, most var SWARSEL_HI_RES = config.swarselsystems.highResolution; }; systemd.user.sessionVariables = { - SWARSEL_LEON_MAIL = leonMail; - SWARSEL_NAUTILUS_MAIL = nautilusMail; - SWARSEL_MRSWARSEL_MAIL = mrswarselMail; - SWARSEL_SWARSEL_MAIL = swarselMail; + SWARSEL_MAIL1 = address1; + SWARSEL_MAIL2 = address2; + SWARSEL_MAIL3 = address3; + SWARSEL_MAIL4 = address4; SWARSEL_FULLNAME = fullName; SWARSEL_MAIL_ALL = allMailAddresses; }; @@ -10984,11 +10971,10 @@ Eza provides me with a better =ls= command and some other useful aliases. Here I set up my git config, automatic signing of commits, useful aliases for my ost used commands (for when I am not using [[#h:d2c7323d-f8c6-4f23-b70a-930e3e4ecce5][Magit]]) as well as a git template defined in [[#h:5ef03803-e150-41bc-b603-e80d60d96efc][Linking dotfiles]]. #+begin_src nix :tangle modules/home/common/git.nix - { lib, config, nix-secrets, ... }: + { lib, config, nixosConfig, ... }: let - secretsDirectory = builtins.toString nix-secrets; - leonMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/leon"; - fullName = lib.swarselsystems.getSecret "${secretsDirectory}/info/fullname"; + inherit (nixosConfig.repo.secrets.common.mail) address1; + inherit (nixosConfig.repo.secrets.common) fullName; in { options.swarselsystems.modules.git = lib.mkEnableOption "git settings"; @@ -11012,7 +10998,7 @@ Here I set up my git config, automatic signing of commits, useful aliases for my key = "0x76FD3810215AE097"; signByDefault = true; }; - userEmail = lib.mkDefault leonMail; + userEmail = lib.mkDefault address1; userName = fullName; difftastic.enable = true; lfs.enable = true; 
@@ -11516,14 +11502,10 @@ Currently I only use it as before with =initExtra= though. Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here. #+begin_src nix :tangle modules/home/common/mail.nix - { lib, config, nix-secrets, ... }: + { lib, config, nixosConfig, ... }: let - secretsDirectory = builtins.toString nix-secrets; - leonMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/leon"; - nautilusMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/nautilus"; - mrswarselMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/mrswarsel"; - swarselMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/swarsel"; - fullName = lib.swarselsystems.getSecret "${secretsDirectory}/info/fullname"; + inherit (nixosConfig.repo.secrets.common.mail) address1 address2 add2Name address3 add3Name address4; + inherit (nixosConfig.repo.secrets.common) fullName; in { options.swarselsystems.modules.mail = lib.mkEnableOption "mail settings"; @@ -11552,8 +11534,8 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl accounts = { leon = { primary = true; - address = leonMail; - userName = leonMail; + address = address1; + userName = address1; realName = fullName; passwordCommand = "cat ${config.sops.secrets.leon.path}"; gpg = { @@ -11584,7 +11566,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl }; swarsel = { - address = swarselMail; + address = address4; userName = "8227dc594dd515ce232eda1471cb9a19"; realName = fullName; passwordCommand = "cat ${config.sops.secrets.swarselmail.path}"; 
@@ -11607,9 +11589,9 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl nautilus = { primary = false; - address = nautilusMail; - userName = nautilusMail; - realName = "Nautilus"; + address = address2; + userName = address2; + realName = add2Name; passwordCommand = "cat ${config.sops.secrets.nautilus.path}"; imap.host = "imap.gmail.com"; smtp.host = "smtp.gmail.com"; @@ -11634,9 +11616,9 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl mrswarsel = { primary = false; - address = mrswarselMail; - userName = mrswarselMail; - realName = "Swarsel"; + address = address3; + userName = address3; + realName = add3Name; passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}"; imap.host = "imap.gmail.com"; smtp.host = "smtp.gmail.com"; @@ -12974,9 +12956,9 @@ Settinfs that are needed for the gpg-agent. Also we are enabling emacs support f This service changes the screen hue at night. I am not sure if that really does something, but I like the color anyways. #+begin_src nix :tangle modules/home/common/gammastep.nix - { lib, config, nix-secrets, ... }: + { lib, config, nixosConfig, ... }: let - secretsDirectory = builtins.toString nix-secrets; + inherit (nixosConfig.repo.secrets.common.location) latitude longitude; in { options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings"; @@ -12984,8 +12966,7 @@ This service changes the screen hue at night. I am not sure if that really does services.gammastep = { enable = true; provider = "manual"; - latitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-latitude"; - longitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-longitude"; + inherit longitude latitude; }; }; } 
@@ -13131,13 +13112,10 @@ The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]]. Here, I am setting up the different firefox profiles that I need for the SSO sites that I need to access at work as well as a few ssh shorthands. #+begin_src nix :tangle modules/home/optional/work.nix :noweb yes - { self, config, pkgs, lib, nix-secrets, ... }: + { self, config, pkgs, lib, nixosConfig, ... }: let inherit (config.swarselsystems) homeDir; - secretsDirectory = builtins.toString nix-secrets; - dcUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/dc-user"; - clUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/cl-user"; - wsUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/ws-user"; + inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail; in { options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings"; @@ -13176,20 +13154,20 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] }; stylix.targets.firefox.profileNames = [ - "dc" - "cl" - "ws" + "${user1}" + "${user2}" + "${user3}" "work" ]; programs = { - git.userEmail = lib.swarselsystems.getSecret "${secretsDirectory}/work/git-email"; + git.userEmail = lib.mkForce gitMail; zsh = { shellAliases = { - dssh = "ssh -l ${dcUser}"; - cssh = "ssh -l ${clUser}"; - wssh = "ssh -l ${wsUser}"; + dssh = "ssh -l ${user1Long}"; + cssh = "ssh -l ${user2Long}"; + wssh = "ssh -l ${user3Long}"; }; cdpath = [ "~/Documents/Work" 
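Review bot: The new `stylix.targets.firefox.profileNames` entries wrap plain string variables in interpolation, `"${user1}"`, where `user1` alone yields the same value; the same pattern appears in the homepage value `"${site3}"` and the profile attribute names `"${user1}" = lib.recursiveUpdate` in the @@ -13245 hunk, where `${user1} = ...` is enough. Separately, the single `inherit (nixosConfig.repo.secrets.local.work) user1 user1Long ... gitMail;` line pulls in 22 names; splitting it by purpose (users, locations and domains, sites) would make it readable and make the later hunks easier to check against it. `git.userEmail = lib.mkForce gitMail;` is also stronger than needed, since git.nix only sets `lib.mkDefault address1`; a plain assignment already wins there, and mkForce will silently override any future deliberate per-user setting. The let-block and module body continue outside the hunk.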
@@ -13199,42 +13177,42 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]]
 w = "$HOME/Documents/Work";
 s = "$HOME/.dotfiles/secrets";
 pr = "$HOME/Documents/Private";
- ac = "$HOME/.ansible/collections/ansible_collections/vbc/linux/roles";
+ ac = path1;
 };
 };
 ssh = {
 matchBlocks = {
- "uc" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-prod";
- user = "stack";
+ "${loc1}" = {
+ hostname = "${loc1}.${domain2}";
+ user = user4;
 };
- "uc.stg" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg";
- user = "stack";
+ "${loc1}.stg" = {
+ hostname = "${loc1}.${lifecycle1}.${domain2}";
+ user = user4;
 };
- "uc.staging" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg";
- user = "stack";
+ "${loc1}.staging" = {
+ hostname = "${loc1}.${lifecycle1}.${domain2}";
+ user = user4;
 };
- "uc.dev" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-dev";
- user = "stack";
+ "${loc1}.dev" = {
+ hostname = "${loc1}.${lifecycle2}.${domain2}";
+ user = user4;
 };
- "cbe" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-prod";
- user = dcUser;
+ "${loc2}" = {
+ hostname = "${loc2}.${domain1}";
+ user = user1Long;
 };
- "cbe.stg" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg";
- user = dcUser;
+ "${loc2}.stg" = {
+ hostname = "${loc2}.${lifecycle1}.${domain2}";
+ user = user1Long;
 };
- "cbe.staging" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg";
- user = dcUser;
+ "${loc2}.staging" = {
+ hostname = "${loc2}.${lifecycle1}.${domain2}";
+ user = user1Long;
 };
- "*.vbc.ac.at" = {
- user = dcUser;
+ "*.${domain1}" = {
+ user = user1Long;
 };
 };
 };
 };
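Review bot: The `"${loc2}"` production block resolves to `${loc2}.${domain1}`, while its `.stg` and `.staging` siblings resolve under `${domain2}`, and all four `${loc1}` blocks use `${domain2}`; this is the only asymmetry in the table. Because the old values were opaque per-environment secrets (`cbe-prod` versus `cbe-stg`), it may well be correct, but a one-line comment such as `# loc2 production is served under domain1, its staging/dev under domain2` above the `${loc2}` block would stop the next reader from "fixing" it. The `.stg` and `.staging` entries are otherwise identical copies for both locations, so a shared attrset assigned to both names would halve the surface to keep in sync.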
@@ -13245,25 +13223,25 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] isDefault = false; in { - dc = lib.recursiveUpdate + "${user1}" = lib.recursiveUpdate { inherit isDefault; id = 1; settings = { - "browser.startup.homepage" = "https://tower.vbc.ac.at|https://artifactory.vbc.ac.at"; + "browser.startup.homepage" = "${site1}|${site2}"; }; } config.swarselsystems.firefox; - cl = lib.recursiveUpdate + "${user2}" = lib.recursiveUpdate { inherit isDefault; id = 2; settings = { - "browser.startup.homepage" = "https://portal.azure.com"; + "browser.startup.homepage" = "${site3}"; }; } config.swarselsystems.firefox; - ws = lib.recursiveUpdate + "${user3}" = lib.recursiveUpdate { inherit isDefault; id = 3; @@ -13274,7 +13252,7 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] inherit isDefault; id = 4; settings = { - "browser.startup.homepage" = "https://outlook.office.com|https://satellite.vbc.ac.at|https://bitbucket.vbc.ac.at|https://github.com"; + "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}"; }; } config.swarselsystems.firefox; 
@@ -13437,27 +13415,28 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] exec = "firefox -p work"; inherit terminal categories icon; }; - firefox_dc = { - name = "Firefox (dc)"; - genericName = "Firefox dc"; - exec = "firefox -p dc"; + "firefox_${user1}" = { + name = "Firefox (${user1})"; + genericName = "Firefox ${user1}"; + exec = "firefox -p ${user4}"; inherit terminal categories icon; }; - firefox_ws = { - name = "Firefox (ws)"; - genericName = "Firefox ws"; - exec = "firefox -p ws"; + "firefox_${user2}" = { + name = "Firefox (${user2})"; + genericName = "Firefox ${user2}"; + exec = "firefox -p ${user2}"; inherit terminal categories icon; }; - firefox_cl = { - name = "Firefox (cl)"; - genericName = "Firefox cl"; - exec = "firefox -p cl"; + "firefox_${user3}" = { + name = "Firefox (${user3})"; + genericName = "Firefox ${user3}"; + exec = "firefox -p ${user3}"; inherit terminal categories icon; }; + }; }; swarselsystems = { @@ -16506,7 +16485,7 @@ The hook functions are defined here: [[#h:34506761-06b9-43b5-a818-506d9b3faf28][ (:maildir "/Drafts" :key ?d) (:maildir "/All Mail" :key ?a))) - (setq user-mail-address (getenv "SWARSEL_SWARSEL_MAIL") + (setq user-mail-address (getenv "SWARSEL_MAIL4") user-full-name (getenv "SWARSEL_FULLNAME")) ;; this does the equivalent of (setq mu4e-user-mail-address-list '(address1@about.com address2@about.com [...]))) diff --git a/hosts/darwin/nbm-imba-166/default.nix b/hosts/darwin/nbm-imba-166/default.nix index 8ab3146..a6d3972 100644 --- a/hosts/darwin/nbm-imba-166/default.nix +++ b/hosts/darwin/nbm-imba-166/default.nix @@ -1,7 +1,6 @@ -{ lib, inputs, ... }: +{ lib, ... }: let - secretsDirectory = builtins.toString inputs.nix-secrets; - workUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/work-user"; + inherit (config.repo.secrets.local) workUser; in { 
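Review bot: In the `"firefox_${user1}"` desktop entry the launch command is `exec = "firefox -p ${user4}";`, while its `name`, `genericName` and the profile declared in the @@ -13245 hunk all use `user1`; `user4` is the ssh login used for the `${loc1}` hosts in the @@ -13199 hunk, not a declared Firefox profile, so this entry points at a profile that does not exist. It should read `exec = "firefox -p ${user1}";`, matching the `user2` and `user3` entries below it. The hunk also adds a bare `+ };` after the last entry; the opening it balances is not visible from here, so the nesting is worth checking once after tangling.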
diff --git a/hosts/darwin/nbm-imba-166/secrets/pii.nix.enc b/hosts/darwin/nbm-imba-166/secrets/pii.nix.enc new file mode 100644 index 0000000..8b96a26 --- /dev/null +++ b/hosts/darwin/nbm-imba-166/secrets/pii.nix.enc 
@@ -0,0 +1,16 @@ +{ + "data": "ENC[AES256_GCM,data:6u0RRfaZaNk5KwnMoWY4dUC7xn132a7yKDZnStUSRS+Ci7XHMak=,iv:VQ2cYcdOS+S31d1yQioj95CTVmuvBVkgojIs6ib9iOM=,tag:QtC54hIryboeaOnDf1u2yw==,type:str]", + "sops": { + "lastmodified": "2025-06-11T13:04:16Z", + "mac": "ENC[AES256_GCM,data:sOzsL5QIET0hGTR3UwcKx7G8RAlOoLZaDlqsn9Yqw2+0yHPmNFs1N1BST3NNaNe+P9j2XruGgBNGCCm9igq8j37W46hf6uAy69Rx1Kzvrxih2Qu3P0Bb1ozyymQxeXDtKdvC0pxOFsgEk05l9VG0JM2Calxq/pK/EoGPfRQS1Zg=,iv:l0M0BrEQSixlU4I2UrB5g0FaKL32/VrCyJcm3MXujRs=,tag:hiNfmFMpHtoghOEv5JmVKw==,type:str]", + "pgp": [ + { + "created_at": "2025-06-11T13:03:51Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cqwpzR+VevsftDMoj79xiFvayPxluot/mZKQAMPNpMIG\nKDNMYYnIKa1z5TBeDVuivslEytIqB8zEmiZ0Sa6oMJ3T1t72cQbKjARKyKxneGAz\nYqVEM/zHq6W4E0NwE74F4ZAhGA8abFu6nKxQwITwyw28TiOzkNHG0W49ZRLXAHRm\nRBih8p6B05Q1EPK3I3Gz4KUklqNptrbjtRvTzcLcVEkfbOhKz2OOck1a/kqjmKrb\n7/9ORD00wfcXnUykIzN7noe5WixEuDdaE1T2f7kgB1749OVPNW4ZhWsm6yGsRJbJ\nh3n4xUhTrwRZ+9MtWqOdoJ8Z2I8ylUmXiHJYfOj/U/BG7H4y/EMXQ8RR4sMZjlcm\nqhuzor4Ku8Og72RHhY7SnSCCSH10uHVqlfapVH7iLkwywg3pKWdqqEv7wU7A83tR\noDa7+zD4wZYS4p6TEvvv9jyUE9r5A0r5evqHSHzM6Cgkp42FDWkTb30NeBvX2RJC\nyBeQEPqiaAIM+dUdxvM+cFzYBMVdfMtgQHwr3Wkw+Bb2+Pt/JDxcSDBtJbxl+GGp\n+tWn6etfSe4Nr0Z0abgUcKq+niaM8rD4W0DhLNDLhXE2KRTbQV0YgBqlXZf+uY8A\nHagbCeGGT0k67PJs++hlDEeVhB980eMzHdLsv0w+Ie6bttgY81gOvsrr23RQN42F\nAgwDC9FRLmchgYQBD/46neLbZcA0IIPUyeOjwiS2p1O1sR/i9UaSALa+4lw/pdCu\n7iPWwGMDNkh6I+5A3++3lC3MME7A846MFGq9iFpH/+TyTZrqnwcwGY92CE60T1Q6\nouA+g7C/CIX1r04IiAVxi9tBjUmB+dFApdFCC5Mg6Yx+3zh6Z49zvMoO5yGqLLhE\nhqAgxJB0lB07nepgB0spJAaKBs7GyYEss3Cm5WpsitLitPRMEUKLcdvYUw6G09Kc\ndmJb9LbZy4Mn7YziIb+czWZ/hW6B7BUSUZMhQJwMcRFBT6+6aTpO6zWM7URbPQaO\nieN+2ShM5OotiUiO3nfRquBw5mUFDOR1ZVxF/rBtiZe2Jt0URE7pKfcuFQREKp01\nVgI+JUrEl0t8e5J3SSAoXColf+Oq4xDY+CNUJOAtuJ/LrNc0+Q0KwZwShHzGOl5M\neqUgkS+IMYrfJjuJZjTzQTJJ6PeC2VpEGO7czgCn9/5FftsrH2wSSLL4FGX4tXfU\nhrbtt4gMN0had0QkZkuhxlIwYcATjUQ7CGQfrhINC+EpEju/NlE6zuuIa+05eigR\n3kEemBa5Ely4onQeMh81nOAyhkhj6QcbE7qn+ueUMAb70
u5B115ULLQUrivLu2jI\nSK6o1WAeZKZIcf0/6iB+mMc7qbG36nelK2JYK8e0KiVSIUGehpYwV3ELwuhzEtJc\nAYobc//aa6GU3pCFzp90TA9kAZXhqgaw9wkzicueAhgCfr8s0FxG5WxWQxfJBLYF\nVSPqrqJ0EBU1EF9G2nz0ynJL1iWiN5VcN7JTXYXTK8TPJUe0ZU1boS4AhOY=\n=AG4y\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/hosts/nixos/nbl-imba-2/default.nix b/hosts/nixos/nbl-imba-2/default.nix index b15a730..91aac3d 100644 --- a/hosts/nixos/nbl-imba-2/default.nix +++ b/hosts/nixos/nbl-imba-2/default.nix @@ -1,6 +1,5 @@ -{ self, inputs, lib, primaryUser, ... }: +{ self, config, inputs, lib, primaryUser, ... }: let - secretsDirectory = builtins.toString inputs.nix-secrets; sharedOptions = { isBtrfs = true; isLinux = true; @@ -23,7 +22,7 @@ in ]; - + node.secretsDir = ./secrets; swarselsystems = lib.recursiveUpdate { firewall = lib.mkForce true; @@ -33,8 +32,8 @@ in isImpermanence = false; isSecureBoot = true; isCrypted = true; - hostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname"; - fqdn = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-fqdn"; + inherit (config.repo.secrets.local) hostName; + inherit (config.repo.secrets.local) fqdn; hibernation.offset = 533760; profiles = { amdcpu = true; diff --git a/hosts/nixos/nbl-imba-2/secrets/pii.nix.enc b/hosts/nixos/nbl-imba-2/secrets/pii.nix.enc new file mode 100644 index 0000000..fb8bd0f --- /dev/null +++ b/hosts/nixos/nbl-imba-2/secrets/pii.nix.enc 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:5zbIXCwGyPZZTLscwd9VaCoEriZtaZwsxoGh2Qv4c6g=,tag:Tf7gxYE0aZCrD486M2SMzQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVXVBVndUU2tDdnlWd3Bu\ndi9DMzFseEtGUVFEWnVEMndWTk9GSGl2SFFjCk9QbnpYS2dYVElJQ28yWGw4Umd0\nS1k0Wk9Yc2hrUUc3dkpGb05EYkFHdVEKLS0tIDYvMUh3NEtlY3FWYVdJbTFRaXlW\neU80R1B0aHprSlI5NkJzRldOSFNMTmcKD4DCuREVbI/Qy3sEyEEWtjW/KbIPuN76\nqoteCCN4mGIR7241e5NwMRlFqxgHyod5mpJfwnUbkYBZZZ/u9PDGmw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-06-11T13:48:16Z", + "mac": "ENC[AES256_GCM,data:6WiY/gpT7V+xQCuotG41Mh+dTSjYT/sg/14Gt7Z7PsrG+WRR33N1OhBV3EVdXeeE8NXkvvoZL/wypgQTWk7wfWpzwhWH478OXc3yaVx7G/nTsDhX/XjKvajpKnXLdn/s2xt9vhPmYuJidR7JYoHN4iv1Lv1eC1mAYKpW4i+sNJk=,iv:ThUxocoeMC1GAfSSeDF9P+m4BZpNuiyWiBrwDPhvNe0=,tag:AxvMKzkG1HBdUqPbbz4Qqg==,type:str]", + "pgp": [ + { + "created_at": "2025-06-11T09:18:35Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAzg39i9TFW/qilR+HdUpNlgp3KXnW0kwYk7CI8Ie7RJOz\nAop/ak/nokwooxlLGJOiNsFS1//5PxiwOyxZzPmGvTTH8o8tUNZQSULhDnBKHUWG\n44KkerCk2CjbgOrcL7SzaZsFufGRJRcW1700EGatl8D3U1o94isYbArzQqjVXu7Z\nC3VRE80zV25TO9FzxCWCPOj/ML+vo+gq/rgUNQi4JKKBf01Ti142nlJ8hcMX23cb\n2KZkT0VOTz0uouc1J5hXiYmBLVEfsrKUTcamUE1S/dAGuaMe41F8oHt9Rw0YxP+g\nj1PjVuk/F44CRnVVNo8ScihNmvX+ex6+2n1JWmSFkCHtx054bMHTBiVMf86gYiy6\nUqbhuQw52U4/p3U8h7gYjU8yBuHMnCxxL3u1362lz2fDIOxyKtvMH0NGhw8cp7/+\nZbJ6fAUezn8xCXyzhl88XVYNXvM4Vjq6D3qBjjlyDJe9wXXsoPSAUNuVqBDbfnm0\ngOCnT6yOPj1Zv39IvQR+k73ISwBJySpqGgIYvjRtH0JGkXt2exayvWCqeRArkSQ4\nBITQKHFmSrBxo4ndnsTYWC+5v9VBLSUFEXpwrRZY9L5Zqw9Gyqj6hThzTMJiyaiV\ngMzK1JbGaEOd0f8QDfJfwn6VmmhW67w775V98n2wSejWb4WfogDXKe8DbIqrxp6F\nAgwDC9FRLmchgYQBEACPCA/rrYva4WKx9RrDiVkqi0sUM+xHEC17a9FyVXH+grwK\nwB+7prQjx9P4z2/qqlASuBjBjE8MvG4SIgJ6lziLstqrWpNHDuPJoXCTwdYbiqME\nb2V2VPC+PmulvUNcWDVEv4PWIYnKmvlhC/pxsyGtSfxRWgNYGCCx4eTa2OfYgswd\nnHnS+qT+cC6RTjqyeftJxlII2ocMduNpqFr9pVnPlNq3C++6bw/g/Il/YhGFJmr2\nvOl2WPhExh5CSux+oKjXdzsim1Ltz8KOmkSXNCEdI0v/X6OPNfGhnsKLYxaQMJst\nYfu8PIiVHPOYao2kVMstOeH5d/9LLV8MChKLTUelkZWrl1US0yBoCambl77Ooxx3\n14pTXosVSlShSBTGvGjlQS9Jnp+s75TMr4YoBe9UuK22iwtyq69ZKgNiAv+j0LIA\nOWSazSkbwikPsfFLmBuUWJjb5nvM9TUocDdwQIUE2AmmsXNnhnzd8CMnTRE05Go3\n4IVJXKHlKuiW53ji0b2GjPyT/WR9cLIpXRkh/ruTMQ7unljRLY9Ln92spbipg9wW\n4LXxRQ1pJcSOfMuDspLo12fts+gWaxQnkaHxRFoXORDmUmv1la1fHqFCeJRuNKIl\n+u0a9J2ra5S3f1rN2jsHcX4qLe+uq9rH/hKjPmE3CdMv0m9uifP7DfQiTnJcCdJc\nAR4qlFAxNnJyV3zavOuY410oYQYR9s9lqDWI20k1Gkgf8K668hrIPr9FeTuSCuGf\nCqjQ15D9MmBihKbB2gaMuJ6hV6+cAW6QEqUABMu7jT8oFixTHh42F8PFyxc=\n=lm7F\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/hosts/nixos/sync/default.nix b/hosts/nixos/sync/default.nix index 25cfd68..393ab79 100644 --- a/hosts/nixos/sync/default.nix +++ b/hosts/nixos/sync/default.nix 
@@ -1,15 +1,11 @@
-{ lib, primaryUser, inputs, ... }:
+{ lib, primaryUser, ... }:
 let
 sharedOptions = {
 isBtrfs = false;
 isLinux = true;
 };
- secretsDirectory = builtins.toString inputs.nix-secrets;
- workHostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname";
- dev1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev1";
- dev2 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev2";
- dev3 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev3";
- loc1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/loc1";
+ inherit (config.repo.secrets.common) workHostName;
+ inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
 in
 {
 imports = [
diff --git a/hosts/nixos/sync/secrets/pii.nix.enc b/hosts/nixos/sync/secrets/pii.nix.enc
new file mode 100644
index 0000000..ee0fd44
--- /dev/null
+++ b/hosts/nixos/sync/secrets/pii.nix.enc
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:4mDIWJ+WBn4c3US7Gby15hCtYYS6gYR1asm3SafO6/qyPKrcfKN42d2iIZEIPEq5yVj6OKt7ccFjQI2q3p8Dpb+HNYzHeGRcwBXKPL5hbVziP7Ik8pAYib7klUSmMelqOkc0aS1kyRyQzpvQoA6T7vNqEdm8kBR4SRs=,iv:7ZTbZh7TnCnfZ33g88Bsk3TISfhxz3+4cB1KiFucCMM=,tag:QgPChPUmZiB4AhH2xXturA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZWxybEZUcjlIdmtOS3Az\nbGt2czliWHBlUWNsNDA0cTJLeXdFOXE1NHh3CllaWGh1ZEZINDhPMUdCZUQ3Ritj\ncTdpRFRHaFdBa3NPWk40WjVlaTlrQmMKLS0tIEZnYkc3Z2hzZXV1eGlsaktyckVT\nbTIrZ3BvZDNkRGpoZ2ZncVlwZysxMW8KU0vsVA9gG63M1ecqk918QHh7P+MSbKaM\nRv/HVAvCzNcMFwPUC7zF0jN0FpAl7eNGkniUMCzGyXHty4anSDyt1g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-06-11T13:01:41Z", + "mac": "ENC[AES256_GCM,data:urkp4cEP8fzSvroewVTbVfFK4O03qKnd+Ch3ASJAo1xu++y+fuFFyRcvrY57xU32H+mK2ipSkl2FkeTYB2fNDpXzTIyCWGQPZ4i3doqmFkV1UPjjov8Cc/LY7eRQYj84pF9sFRMdAwtaUL3Kd4Ab45mO1fy7KYAW57zuUeZks/o=,iv:efnEEPHFu2EtRSyob3ozjHz4L1YHJ0AqzLb566pg5ZQ=,tag:VnrO5QFhdQFe9/7aJ9C/qw==,type:str]", + "pgp": [ + { + "created_at": "2025-06-11T12:59:00Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAvlrXaui4wqN1kgpfcZMf53RsJYbZp6//miZzas2xKVW3\nyvtubrrYBrHGPEnUuoHexsN4xiQ0zayOn+eLrbv5+8/jhjL6cxtv894+iHYcgkD7\nDc9M4f57Lf7qF9lGTo1pgPKRf2GbHbHfDgUjz5XcIUD0WAz0PCkGQqutP5daw7wV\nMo+fKm6yOxb+e89rlOUY26/LSy+5WMIoQ03tcWu92UZeVRvtEL2LIDQJ3+gCEBrL\nPI0SU84tIl1At1TkKhJkcZ9axn0vOc+LzhcdZ3K5AkAlvnx6/+KdFiVj7xQNQyfN\nJJs3U1HKDca0R6efTRveEoi5nWew2FPGmRfOD34DorokM46Ol0l1c4gL+2LjvPUj\ntEG3slBFoKYbPuj6GSA2H3U2LcgVbPtZggr7VN7d4bLiqT/PkUa2jjAcsqyb+Twc\ng9nmCiWFvrGR76dpvSdx6oO6O/etMcWT9A4fYMPStXcnT32N4q+qrV/+nFZm4BLp\nWvDYkgVWmiAwYTcwuAHS12yH9ymEQMRanSNyzRqjax+GVN70B5nNU5sn8Ch0ex7Q\n6qJZq1j+i/OtNITvnnCdOxefntM4UZzyeyqvU+rZx40KepyVD2XFWkp+9abev0iL\nVbJK5PmNRRxqLaRWxJu2f/Jb86hy60XjCcsWGxuo67ZReRWOHIuyQB15tr3DdReF\nAgwDC9FRLmchgYQBD/49wGPgfs1G4Y0qcAoqZWbdpbcqCwYEzlRK1DJdjFTtE8LO\n+IpA03seoy7qCAp3v86qg7YwjydA+vCJUk7FRFbLiesKDxS1ZRwZSWHuM/v46rj4\nJoTqOPjuJDzed8dFdl4082PrQ0z+dXjsK/ua6d6eQRw6JEgpTLbv7f6Ru4RyM93h\n3wUodncoqcyZ/Wy7qLKCy10CTaD/RRpVrKt18J0L17Qbevmap6tqRZI11GWBnb+R\nqChAvuBQnhN19+MxgJ9AC20SqUht2pBvUXAhWf9vEGoygWR2kXuxyxK2XYu26zXa\nBb33xNAd2BZ/zr7fDnwjROkhRJ0YWk4GqaUCfo3zmT/OtHUzoyIvi0um7obOPzUk\n6RJw3q3siiUXavvTvgJMhCySwzHLtrPGYzCiHfkQc555yRqoz1XrdZOoQyba288y\niMFVzrIp+jlN+shNfsumGIgtogiYl3yI+Ecib7ozwIXDyOmBfsGUFLZkleGXWoH+\n/ZU3stAVFsSzOVkw656NWgsAEnqP1T7TGBMP1vibDPNZBp9aExA+1XLyVbr7sFJG\nWT9ypYorj7hF3UW1Ep/1fmcYovXICieKPR8sLVdWrPxRXArezfoqMAFhxdw6y87n\nQUrOTy8XOwsERmMOWhcU54NgdU21MDI3/sgh20KznNUU1iIOPQgfeobJ0rR/htJe\nAYaaMHhkJvSkiuXBKJIaz125xQrKvwLpB+OsuezPhT5Qn4MZUEoUa5Ft1GhiDqWM\nSB8o70nlAcw0CFvNlsYRZdVY5FACj81B1H6JH5eNUx6f2FVhcO61kc60LJvzug==\n=zX1v\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/hosts/nixos/winters/default.nix b/hosts/nixos/winters/default.nix index eabf9de..8cc6b37 100644 --- a/hosts/nixos/winters/default.nix +++ b/hosts/nixos/winters/default.nix 
@@ -1,4 +1,4 @@ -{ lib, primaryUser, ... }: +{ lib, config, primaryUser, ... }: let sharedOptions = { isBtrfs = false; @@ -20,14 +20,15 @@ in }; networking = { + inherit (config.repo.secrets.local) hostId; hostName = "winters"; - hostId = "b7778a4a"; firewall.enable = true; enableIPv6 = false; firewall.allowedTCPPorts = [ 80 443 ]; }; + node.secretsDir = ./secrets; swarselsystems = lib.recursiveUpdate { isImpermanence = false; diff --git a/hosts/nixos/winters/secrets/pii.nix.enc b/hosts/nixos/winters/secrets/pii.nix.enc new file mode 100644 index 0000000..60a5833 --- /dev/null +++ b/hosts/nixos/winters/secrets/pii.nix.enc 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:fV+l+oFGo7zQFxQG+EYbLzUjkqClszi79/LpPvhJNl4IBXjSSMUo6E3vGnB/RRoAWwix9EurHDYV9jydd67uQ6Lx1Y31+0daflC/BNYsDYDNUKvDJDWvhbONs2Xg3RGDNacQ+EoHN7mCyHuaiNW7OXHBPhzs+rLlADdgtZ6CNR9bLV2HRpeR+d6uTne5ex8SJ4m3ChJe1O9Cyir4/z4eftfnKtAIezPrAxUPlm1QxnU7/z4YipWVw4HkYVzzWvi9Ewbis1j9C2TRkuOpEWU+I7zrIWiWdsWwnpKZqQv5FJEo3MZpVKcMMlNltvlJiUC+abC9K7079C+5XHhrZgJ73jAQ5fkcSspT5y6JfA+NveqYx7ZmOdS/yg90lrM4X8eE4SlqeN7gdW6nxPOzGZwMQQYeLjGdanKKQhUDQsf8iFW7egfCB+o=,iv:OO+Y91C90hLtZ0ZegEX00ukTUyBHnRqBRTff1LLX5/0=,tag:gZS0S9RrqWZlB5Nyjp6kfA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyK0w2RjJ5R1l2ay94QXRj\nekJwSlowcFVLc1cvWVFjNEVFUnFocEJHYlNnCnBnUEYvNWdNWE9BTjB5ODRuTlAw\nMUh4QmlTeVVYNHM0S1FwWG5qUG42VDgKLS0tIHh5VlU2dVZmUlRIMDRlVEJmNU55\ncFlXR1BzMkVnMkFWN3BBZWhHalltMlEKibdARxBcFqaXUhYp3KkrrvO9YgaBDacl\n8BEv4ph0f2baDN0dsymJjmdHStwKTjOwDspRtCTs5u75hR35a2xyFQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-06-11T12:16:31Z", + "mac": "ENC[AES256_GCM,data:cdN7ip4KbuZVXfbNv3lCacXj6VImR5XLQgDG8u9336MAqERKRdumjj+z9vHNozK+Q2AAAvRuqqCO23RllYlqYpiL++UUEkSe4FNPt0yRQWZFUjHwBeitW4Rlk2PKnoFLngrmBN7+1nrSaFV1aZCQWDybgvBqUv7paBVR0y5cN9E=,iv:FhZsbGT5Z4s2r+1LxSxBYrglr+KWqh+gKeXQF6gflNg=,tag:kkaPCxtx1JQuRPXkl9nA+A==,type:str]", + "pgp": [ + { + "created_at": "2025-06-11T11:42:23Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAnyYWn0oJCbksEr9jIZOTWwnFLVO5zZ1E7tuFahemk6RZ\ncxgYfM+w68PtZ+/2ixCecwrL6k3dVdlEq6eePifweWLFyexUjxxha/AKrCAjNkSa\n4gK/GYE/jPalcc8cfP6R/uXhWo/le+nB5XU92SZ0rtihD5yvHCYBdhOKq29F1hEk\nZCVIfkElwra72PO4pHMN0sBqca3iT4ryUrYZ/qwZa/7xKFBIGW2yaaAmgYDU1an8\nWeyk3h1JMshPtR++hpojKFuhnqSnUBOyOvM7BCwNyKsEGXfVdypFz7dF+lJejADb\nLeFH/XfLCgLIJ8npedBEUFfzo5VSTnbtX8VOEfzxgKaZZN7uK0aZQShBjUK+tc7D\nQRDUK0WUV+68Wk+4mzZsLfMWUP4sM8X4w8Z1mNmyyzntPHt9x8aZ/uCHdZnKs55c\nRKzcGEncI3qxen7JiI+tsKbIf+i1rPGTshy+T3YBg+HnuOl9J2sOin3UE1i88uxd\nOMwzDx5/X3VExxaoI3HP4k+cLHhrl6mbuzEuMDV2Penn+gCFuMiiIM+4WB7BZY6G\n9Tm5eX6muaIGxAK9IRA1uHwdLC28JnJQyrvgHE31axcFb+0MG2TkxlNOlOt0gQAp\n9+vN0meOJEfWB3bUjWSYvrboSOR7oNK7lZYob4YureWUAWfLg8KSsUyjNV4zlzGF\nAgwDC9FRLmchgYQBD/9NGOJqsqESVWL37cpkybyh9xKo45bHcGGSMOHQaqqcntyo\nqCmMS9y6uIBypmd/qKK8csLYAask4UQm8/8GDtUDn0IbE7p5eJ73iHJ3wtkEojig\nXroCV3a8rgaVtSueRGzYuR9UHRU5GgDkW76aAtdiT6lecBs+Mu8rs0++kw8hD7tN\ntSuGeImbwSvR4ow1sSsN2XQLPptgYRjDJ86fvjK6CWQrnKCwJa+R6GN7V+K+kQIK\nTfpJhDtL7JQdz0t/zS5NsnMLhfVHeL9WLjEeOp4VTPflBfAMPLxnC3iVnferCehI\nY8rLWsPfJDDij3nf2QHMTeSMgiminR2gDoNVJ/j5Ac88zNxReQpFh0YAoYtzs27O\nKoDZc8xVxnesx6Yyq+f2d79RqM2swyuP1go5RnrrHdOP25mJLb2yhPCv5765fPRr\ni+9iTSTJn5XNwybvRBYp0l4zTeSSRdVky/8sWXDnJo23uvRXdW1lqJTgsWvseSLD\nugJP5QpCg4mynViWUlQvHpYS0E1xi4lSA0y6HFA6SyIUqupLBtazaOJGUv1MMUBp\n3nLviBtbyWn/9mSlXvzpjKKneNc6jKft1lsUczYfXU7ErMrDHYpHULL0+HbYfFss\nqe2QYzWfWB0yW4FxOiqf2nFkUhoADDbUoBOlRJycZR589MCnKonMYlqtCdf87tJe\nAVJDXU2PQebZ8ef2O5S/zoP6bryOwLJ+6FciXimxHFK+b5PWRAiBvw3epsvohkYd\ny776qjx+U8nWKCR54H/i6pZlfnRM3XnSvUBKKnWlhfEB8CeDcG250AZUfp2T4w==\n=Aj1y\n-----END PGP MESSAGE-----", + "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/index.html b/index.html index 55c79ec..68f0f1d 100644 --- a/index.html +++ b/index.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
- +-This file has 66113 words spanning 17398 lines and was last revised on 2025-06-11 02:30:06 +0200. +This file has 66327 words spanning 17467 lines and was last revised on 2025-06-11 21:36:46 +0200.
@@ -769,7 +771,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
-My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-11 02:30:06 +0200) +My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-11 21:36:46 +0200)
@@ -1779,9 +1781,8 @@ My work machine. Built for more security, this is the gold standard of my config{ self, inputs, lib, primaryUser, ... }:
+{ self, config, inputs, lib, primaryUser, ... }:
let
- secretsDirectory = builtins.toString inputs.nix-secrets;
sharedOptions = {
isBtrfs = true;
isLinux = true;
@@ -1804,7 +1805,7 @@ in
];
-
+ node.secretsDir = ./secrets;
swarselsystems = lib.recursiveUpdate
{
firewall = lib.mkForce true;
@@ -1814,8 +1815,8 @@ in
isImpermanence = false;
isSecureBoot = true;
isCrypted = true;
- hostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname";
- fqdn = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-fqdn";
+ inherit (config.repo.secrets.local) hostName;
+ inherit (config.repo.secrets.local) fqdn;
hibernation.offset = 533760;
profiles = {
amdcpu = true;
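Review bot: The two consecutive `inherit (config.repo.secrets.local) hostName;` and `inherit (config.repo.secrets.local) fqdn;` lines can be a single statement, `inherit (config.repo.secrets.local) hostName fqdn;`, which is the usual Nix form and matches how this commit writes its other multi-attribute inherits such as `inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;`. Behaviour is identical; this is purely a point of style. The enclosing `swarselsystems` attribute set continues outside the hunk.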
@@ -2036,7 +2037,7 @@ This is my main server that I run at home. It handles most tasks that require bi
3.1.2.2.1. Main Configuration
-{ lib, primaryUser, ... }:
+{ lib, config, primaryUser, ... }:
let
sharedOptions = {
isBtrfs = false;
@@ -2058,14 +2059,15 @@ in
};
networking = {
+ inherit (config.repo.secrets.local) hostId;
hostName = "winters";
- hostId = "b7778a4a";
firewall.enable = true;
enableIPv6 = false;
firewall.allowedTCPPorts = [ 80 443 ];
};
+ node.secretsDir = ./secrets;
swarselsystems = lib.recursiveUpdate
{
isImpermanence = false;
@@ -2149,10 +2151,9 @@ A Mac notebook that I have received from work. I use this machine for getting ac
-{ lib, inputs, ... }:
+{ lib, ... }:
let
- secretsDirectory = builtins.toString inputs.nix-secrets;
- workUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/work-user";
+ inherit (config.repo.secrets.local) workUser;
in
{
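Review bot: The new `let` binding reads `config.repo.secrets.local`, but the module signature was changed to `{ lib, ... }:`, so `config` is an undefined variable and this host will fail to evaluate; the old `inputs` argument was dropped without adding `config` in its place. The signature should be `{ lib, config, ... }:`. Since this page is the rendered `index.html`, the fix belongs in the tangled source block for this darwin host. It is also worth confirming that the module defining `repo.secrets` is actually imported on the darwin side: the `modules.pii` enable flags added in this commit sit in the NixOS profiles, and I cannot see a darwin equivalent in this diff.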
@@ -2268,18 +2269,14 @@ All of these are processes that use little cpu but can take a lot of storage. Fo
-{ lib, primaryUser, inputs, ... }:
+{ lib, primaryUser, ... }:
let
sharedOptions = {
isBtrfs = false;
isLinux = true;
};
- secretsDirectory = builtins.toString inputs.nix-secrets;
- workHostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname";
- dev1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev1";
- dev2 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev2";
- dev3 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev3";
- loc1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/loc1";
+ inherit (config.repo.secrets.common) workHostName;
+ inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
in
{
imports = [
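Review bot: The signature is now `{ lib, primaryUser, ... }:` while the `let` block inherits from `config.repo.secrets.common` and `config.repo.secrets.local.syncthing`, so `config` is unbound and evaluation of this host fails with an undefined-variable error; removing `inputs` was correct, but `config` has to be added. Use `{ lib, config, primaryUser, ... }:`. As this is the rendered `index.html`, the change belongs in the tangled source block for the sync host; the host definition continues past the hunk.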
@@ -2906,8 +2903,8 @@ This is just a demo host. It applies all the configuration found in the common p
I also set the WLR_RENDERER_ALLOW_SOFTWARE=1 to allow this configuration to run in a virtualized environment. I also enable qemuGuest for a smoother experience when testing on QEMU.
-
-3.1.4.4.1. Main configuration
+
+3.1.4.4.1. Main configuration
{ self, inputs, config, pkgs, lib, primaryUser, ... }:
@@ -2986,8 +2983,8 @@ in
-
-3.1.4.4.2. NixOS dummy options configuration
+
+3.1.4.4.2. NixOS dummy options configuration
_:
@@ -2997,8 +2994,8 @@ in
-
-3.1.4.4.3. home-manager dummy options configuration
+
+3.1.4.4.3. home-manager dummy options configuration
_:
@@ -4779,8 +4776,8 @@ appimageTools.wrapType2 {
-
-3.2.1.30. swarsel-deploy
+
+3.2.1.30. swarsel-deploy
# heavily inspired from https://github.com/oddlama/nix-config/blob/d42cbde676001a7ad8a3cace156e050933a4dcc3/pkgs/deploy.nix
@@ -4819,7 +4816,6 @@ writeShellApplication {
T_START="$T_END"
}
- cd ~/.dotfiles
USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2> /dev/null || pwd) ||
die "Could not determine current working directory. Something went very wrong."
[[ -e "$USER_FLAKE_DIR/flake.nix" ]] ||
@@ -4866,7 +4862,8 @@ writeShellApplication {
declare -A TOPLEVEL_STORE_PATHS
for host in "''${HOSTS[@]}"; do
toplevel="''${TOPLEVEL_FLAKE_PATHS["$host"]}"
- echo "[1;36m Building [m📦 [34m$host[m"
+ # Make sudo call to get prompt out of the way
+ sudo echo "[1;36m Building [m📦 [34m$host[m"
nix build --no-link "''${OPTIONS[@]}" --show-trace --log-format internal-json -v "$toplevel" |& ${nix-output-monitor}/bin/nom --json ||
die "Failed to get derivation path for $host from ''${TOPLEVEL_FLAKE_PATHS["$host"]}"
TOPLEVEL_STORE_PATHS["$host"]=$(nix build --no-link --print-out-paths "''${OPTIONS[@]}" "$toplevel")
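Review bot: `sudo echo "…"` is used only to prime sudo's credential cache, and `sudo -v` is the explicit, documented way to do that; it also avoids running an unrelated command as root and keeps the banner a plain `echo`. Suggested replacement for the two added lines: `sudo -v || die "sudo authentication failed"` followed by the original `echo` line. This only helps when timestamp caching is enabled in sudoers (a `timestamp_timeout=0` policy will still prompt later in the run), so the comment should say so: `# Refresh the sudo timestamp now so the later switch does not prompt mid-run (needs timestamp caching enabled)`. The surrounding build loop continues outside the hunk.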
@@ -4904,7 +4901,6 @@ writeShellApplication {
time_next
echo -e "\033[1;32m Applied \033[m✅ \033[34m$host\033[m \033[90min ''${T_LAST}s\033[m"
done
- cd -
'';
}
@@ -4912,8 +4908,8 @@ writeShellApplication {
-
-3.2.1.31. sshrm
+
+3.2.1.31. sshrm
This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually.
@@ -5070,8 +5066,8 @@ in
-
-3.2.3.1.1. Personal
+
+3.2.3.1.1. Personal
{ lib, config, ... }:
@@ -5094,6 +5090,7 @@ in
network = lib.mkDefault true;
time = lib.mkDefault true;
commonSops = lib.mkDefault true;
+ pii = lib.mkDefault true;
stylix = lib.mkDefault true;
programs = lib.mkDefault true;
zsh = lib.mkDefault true;
@@ -5140,8 +5137,8 @@ in
-
-3.2.3.1.2. Chaostheatre
+
+3.2.3.1.2. Chaostheatre
{ lib, config, ... }:
@@ -5203,8 +5200,8 @@ in
-
-3.2.3.1.3. toto
+
+3.2.3.1.3. toto
{ lib, config, ... }:
@@ -5236,8 +5233,8 @@ in
-
-3.2.3.1.4. Work
+
+3.2.3.1.4. Work
{ lib, config, ... }:
@@ -5258,8 +5255,8 @@ in
-
-3.2.3.1.5. Framework
+
+3.2.3.1.5. Framework
{ lib, config, ... }:
@@ -5280,8 +5277,8 @@ in
-
-3.2.3.1.6. AMD CPU
+
+3.2.3.1.6. AMD CPU
{ lib, config, ... }:
@@ -5302,8 +5299,8 @@ in
-
-3.2.3.1.7. AMD GPU
+
+3.2.3.1.7. AMD GPU
{ lib, config, ... }:
@@ -5324,8 +5321,8 @@ in
-
-3.2.3.1.8. Hibernation
+
+3.2.3.1.8. Hibernation
{ lib, config, ... }:
@@ -5346,8 +5343,8 @@ in
-
-3.2.3.1.9. BTRFS
+
+3.2.3.1.9. BTRFS
{ lib, config, ... }:
@@ -5368,8 +5365,8 @@ in
-
-3.2.3.1.10. Local Server
+
+3.2.3.1.10. Local Server
{ lib, config, ... }:
@@ -5380,6 +5377,7 @@ in
modules = {
general = lib.mkDefault true;
nix-ld = lib.mkDefault true;
+ pii = lib.mkDefault true;
home-manager = lib.mkDefault true;
home-managerExtra = lib.mkDefault true;
xserver = lib.mkDefault true;
@@ -5420,8 +5418,8 @@ in
-
-3.2.3.1.11. OCI Sync Server
+
+3.2.3.1.11. OCI Sync Server
{ lib, config, ... }:
@@ -5432,6 +5430,7 @@ in
modules = {
general = lib.mkDefault true;
nix-ld = lib.mkDefault true;
+ pii = lib.mkDefault true;
home-manager = lib.mkDefault true;
home-managerExtra = lib.mkDefault true;
xserver = lib.mkDefault true;
@@ -5476,8 +5475,8 @@ in
-
-3.2.3.2.1. Personal
+
+3.2.3.2.1. Personal
{ lib, config, ... }:
@@ -5534,8 +5533,8 @@ in
-
-3.2.3.2.2. Chaostheatre
+
+3.2.3.2.2. Chaostheatre
{ lib, config, ... }:
@@ -5587,8 +5586,8 @@ in
-
-3.2.3.2.3. toto
+
+3.2.3.2.3. toto
{ lib, config, ... }:
@@ -5608,8 +5607,8 @@ in
-
-3.2.3.2.4. Work
+
+3.2.3.2.4. Work
{ lib, config, ... }:
@@ -5629,8 +5628,8 @@ in
-
-3.2.3.2.5. Framework
+
+3.2.3.2.5. Framework
{ lib, config, ... }:
@@ -5651,8 +5650,8 @@ in
-
-3.2.3.2.6. Darwin
+
+3.2.3.2.6. Darwin
{ lib, config, ... }:
@@ -5670,8 +5669,8 @@ in
-
-3.2.3.2.7. Local Server
+
+3.2.3.2.7. Local Server
{ lib, config, ... }:
@@ -5902,12 +5901,12 @@ in
-
-3.2.5. Auxiliary files
+
+3.2.5. Auxiliary files
-
-3.2.5.1. extra-builtins
+
+3.2.5.1. extra-builtins
@@ -5930,8 +5929,8 @@ in
nixFile:
assert assertMsg (builtins.isPath nixFile)
"The file to decrypt must be given as a path to prevent impurity.";
- assert assertMsg (hasSuffix ".nix.age" nixFile)
- "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
+ assert assertMsg (hasSuffix ".nix.enc" nixFile)
+ "The content of the decrypted file must be a nix expression and should therefore end in .nix.enc";
exec [
./sops-decrypt-and-cache.sh
nixFile
@@ -5942,8 +5941,8 @@ in
-
-3.2.5.2. sops-decrypt-and-cache
+
+3.2.5.2. sops-decrypt-and-cache
#!/usr/bin/env bash
@@ -5959,7 +5958,7 @@ fi
file="$1"
shift
-basename="$file"
+basename="${file%".enc"}"
# store path prefix or ./ if applicable
[[ $file == "/nix/store/"* ]] && basename="${basename#*"-"}"
[[ $file == "./"* ]] && basename="${basename#"./"}"
@@ -6916,8 +6915,24 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte
+
+3.3.1.17. Meta options
+
+
+{ lib, ... }:
+{
+ options.node.secretsDir = lib.mkOption {
+ description = "Path to the secrets directory for this node.";
+ type = lib.types.path;
+ default = ./.;
+ };
+}
+
+
+
+
-3.3.1.17. sops
+3.3.1.18. sops
I use sops-nix to handle secrets that I want to have available on my machines at all times. Procedure to add a new machine:
@@ -6985,12 +7000,93 @@ in
};
};
}
+
+
+
+
+
+3.3.1.19. PII management
+
+
+{ config, inputs, lib, ... }:
+let
+
+ # If the given expression is a bare set, it will be wrapped in a function,
+ # so that the imported file can always be applied to the inputs, similar to
+ # how modules can be functions or sets.
+ constSet = x: if builtins.isAttrs x then (_: x) else x;
+
+ # Try to access the extra builtin we loaded via nix-plugins.
+ # Throw an error if that doesn't exist.
+ sopsImportEncrypted =
+ assert lib.assertMsg (builtins ? extraBuiltins.sopsImportEncrypted)
+ "The extra builtin 'sopsImportEncrypted' is not available, so repo.secrets cannot be decrypted. Did you forget to add nix-plugins and point it to `<flakeRoot>/nix/extra-builtins.nix` ?";
+ builtins.extraBuiltins.sopsImportEncrypted;
+
+ # This "imports" an encrypted .nix.age file by evaluating the decrypted content.
+ importEncrypted =
+ path:
+ constSet (
+ if builtins.pathExists path then
+ sopsImportEncrypted path
+ else
+ { }
+ );
+in
+{
+ options = {
+ repo = {
+ secretFiles = lib.mkOption {
+ default = { };
+ type = lib.types.attrsOf lib.types.path;
+ example = lib.literalExpression "{ local = ./pii.nix.enc; }";
+ description = ''
+ This file manages the origin for this machine's repository-secrets. Anything that is
+ technically not a secret in the classical sense (i.e. that it has to be protected
+ after it has been deployed), but something you want to keep secret from the public;
+ Anything that you wouldn't want people to see on GitHub, but that can live unencrypted
+ on your own devices. Consider it a more ergonomic nix alternative to using git-crypt.
+
+ All of these secrets may (and probably will be) put into the world-readable nix-store
+ on the build and target hosts. You'll most likely want to store personally identifiable
+ information here, such as:
+ - MAC Addreses
+ - Static IP addresses
+ - Your full name (when configuring your users)
+ - Your postal address (when configuring e.g. home-assistant)
+ - ...
+
+ Each path given here must be an sops-encrypted .nix file. For each attribute `<name>`,
+ the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.<name>`.
+ '';
+ };
+
+ secrets = lib.mkOption {
+ readOnly = true;
+ default = lib.mapAttrs (_: x: importEncrypted x inputs) config.repo.secretFiles;
+ type = lib.types.unspecified;
+ description = "Exposes the loaded repo secrets. This option is read-only.";
+ };
+ };
+ swarselsystems.modules.pii = lib.mkEnableOption "enable pii management";
+ };
+ config = lib.mkIf config.swarselsystems.modules.pii {
+ repo.secretFiles =
+ let
+ local = config.node.secretsDir + "/pii.nix.enc";
+ in
+ (lib.optionalAttrs (lib.pathExists local) { inherit local; }) // {
+ common = ../../../secrets/repo/pii.nix.enc;
+ };
+ };
+ }
+
-3.3.1.18. Theme (stylix)
+3.3.1.20. Theme (stylix)
-3.3.1.19. Programs (including zsh setup)
+3.3.1.21. Programs (including zsh setup)
Some programs profit from being installed through dedicated NixOS settings on system-level; these go here. Notably the zsh setup goes here and cannot be deleted under any circumstances.
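Review bot: The comment on `importEncrypted` still says it imports an encrypted `.nix.age` file, but this commit switches the format and the extra-builtin assertion to `.nix.enc`; it should read `# This "imports" an encrypted .nix.enc file by evaluating the decrypted content.`. Separately, a listed path that does not exist silently becomes `{ }`, so a misplaced `secrets/repo/pii.nix.enc` surfaces later as an unrelated "attribute 'fullName' missing" error at a use site; for the unconditionally listed `common` file an explicit `else throw "repo secrets file not found: ${toString path}"` would fail with the real cause (the `local` file is already guarded by `lib.pathExists` before it is listed). The option description already states that these values land in the world-readable nix store; given how they are consumed elsewhere in this commit, one more sentence making explicit that API keys and other credentials must stay in sops-nix and never go here would help future readers.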
@@ -7042,7 +7138,7 @@ Some programs profit from being installed through dedicated NixOS settings on sy
-3.3.1.19.1. zsh
+3.3.1.21.1. zsh
Here I disable global completion to prevent redundant compinit calls and cache invalidation that slow down shell startup (enabled on the home-manager side).
@@ -7067,7 +7163,7 @@ Here I disable global completion to prevent redundant compinit calls and cache i
-3.3.1.19.2. syncthing
+3.3.1.21.2. syncthing
{ lib, config, ... }:
@@ -7132,14 +7228,14 @@ in
-3.3.1.20. Services
+3.3.1.22. Services
Setting up some hardware services as well as keyboard related settings. Here we make sure that we can use the CAPS key as a ESC/CTRL double key, which is a lifesaver.
-3.3.1.20.1. blueman
+3.3.1.22.1. blueman
Enables the blueman service including the nice system tray icon.
@@ -7159,7 +7255,7 @@ Enables the blueman service including the nice system tray icon.
-3.3.1.20.2. Network devices
+3.3.1.22.2. Network devices
In this section we enable compatibility with several network devices I have at home, mainly printers and scanners.
@@ -7210,7 +7306,7 @@ Avahi is the service used for the network discovery.
-3.3.1.20.3. enable GVfs
+3.3.1.22.3. enable GVfs
This is being set to allow myself to use all functions of nautilus in NixOS
@@ -7229,7 +7325,7 @@ This is being set to allow myself to use all functions of nautilus in NixOS
-3.3.1.20.4. interception-tools: Make CAPS work as ESC/CTRL
+3.3.1.22.4. interception-tools: Make CAPS work as ESC/CTRL
This is a super-convenient package that lets my remap my CAPS key to ESC if pressed shortly, and CTRL if being held.
@@ -7273,7 +7369,7 @@ This is a super-convenient package that lets my remap my CAPS key t
-3.3.1.20.5. power-profiles-daemon
+3.3.1.22.5. power-profiles-daemon
This enables power profile management. The available modes are:
@@ -7301,9 +7397,9 @@ Most of the time I am using power-saver, however, it is good to be
-
-3.3.1.20.6. SwayOSD
-
+
+3.3.1.22.6. SwayOSD
+
{ lib, pkgs, config, ... }:
{
@@ -7333,11 +7429,11 @@ Most of the time I am using power-saver, however, it is good to be
-3.3.1.21. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules
+3.3.1.23. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules
-3.3.1.21.1. Yubikey
+3.3.1.23.1. Yubikey
This takes care of the main Yubikey related configuration on the NixOS side - note that the starting of the gpg-agent is done in the sway settings, to also perform this step of the setup for non NixOS-machines at the same time.
@@ -7377,7 +7473,7 @@ Also, since I use a GPG key in sops, it seems that scdaemon creates an instance
-3.3.1.21.2. Ledger
+3.3.1.23.2. Ledger
This performs the necessary configuration to support this hardware.
@@ -7401,7 +7497,7 @@ This performs the necessary configuration to support this hardware.
-3.3.1.21.3. Keyboards
+3.3.1.23.3. Keyboards
This loads some udev rules that I need for my split keyboards.
@@ -7425,7 +7521,7 @@ This loads some udev rules that I need for my split keyboards.
-3.3.1.22. System Login
+3.3.1.24. System Login
This section houses the greetd related settings. I do not really want to use a display manager, but it is useful to have setup in some ways - in my case for starting sway on system startup. Notably the default user login setting that is commented out here goes into the system specific settings, make sure to update it there
@@ -7460,7 +7556,7 @@ This section houses the greetd related settings. I do not really want to use a d
-3.3.1.23. nix-ld
+3.3.1.25. nix-ld
This provides libraries for binaries that are not patched for use on NixOS. This really makes the biggest gripe with NixOS go away, that being having to run a binary that is only found in a single spot. It is most of the times possible to patch such a file, but this makes such a situation take much less time to resolve.
@@ -7593,7 +7689,7 @@ When a program does not work, start with nix-ldd <program>. T
-3.3.1.24. Impermanence
+3.3.1.26. Impermanence
This is where the impermanence magic happens. When this is enabled, the root directory is rolled back to a blanket state on each reboot.
@@ -7703,7 +7799,7 @@ in
-3.3.1.25. Summary of nixos-rebuild diff
+3.3.1.27. Summary of nixos-rebuild diff
This snipped is added to the activation script that is run after every rebuild and shows what packages have been added and removed. This is actually not the optimal place to add that snipped, but the correct spot is in some perl file that I have not had the leisure to take a look at yet.
@@ -7728,7 +7824,7 @@ This snipped is added to the activation script that is run after every rebuild a
-3.3.1.26. gnome-keyring
+3.3.1.28. gnome-keyring
Used for storing sessions in e.g. Nextcloud. Using this on a system level keeps the login information when logging out of the session as well.
@@ -7751,7 +7847,7 @@ Used for storing sessions in e.g. Nextcloud. Using this on a system level keeps
-3.3.1.27. Sway
+3.3.1.29. Sway
This is used to better integrate Sway into the system on NixOS hosts. On the home-manager side, the package attribute will be null for such an host, using the systems derivation instead.
@@ -7787,7 +7883,7 @@ This is used to better integrate Sway into the system on NixOS hosts. On the hom
-3.3.1.28. xdg-portal
+3.3.1.30. xdg-portal
This allows me to use screen sharing on Wayland. The implementation is a bit crude and only the whole screen can be shared. However, most of the time that is all I need to do anyways.
@@ -7819,7 +7915,7 @@ This allows me to use screen sharing on Wayland. The implementation is a bit cru
-3.3.1.29. Podmam (distrobox)
+3.3.1.31. Podmam (distrobox)
I am using distrobox to quickly circumvent isses that I cannot immediately solve on NixOS. It is always the goal to quickly get things working on NixOS, but this prevents me from getting completely stuck.
@@ -7847,7 +7943,7 @@ I am using distrobox to quickly circumvent isses that I cannot immediately solve
-3.3.1.30. Appimage
+3.3.1.32. Appimage
Adds the necessary tools to allow .appimage programs easily.
@@ -7870,7 +7966,7 @@ Adds the necessary tools to allow .appimage programs easily.
-3.3.1.31. Handle lid switch correctly
+3.3.1.33. Handle lid switch correctly
This turns off the display when the lid is closed.
@@ -7919,7 +8015,7 @@ This turns off the display when the lid is closed.
-3.3.1.32. Low battery notification
+3.3.1.34. Low battery notification
Since I hide the waybar completely during normal operation, I run the risk of not noticing when my battery is about to run out. This module sends a notification when the battery level falls below 10%. Written by cafkafk.
@@ -7960,7 +8056,7 @@ Since I hide the waybar completely during normal operation, I run the risk of no
-3.3.1.33. Lanzaboote
+3.3.1.35. Lanzaboote
This dynamically uses systemd boot or Lanzaboote depending on `config.swarselsystems.initialSetup` and `config.swarselsystems.isSecureBoot`.
@@ -8381,10 +8477,7 @@ Here I am forcing startWhenNeeded to false so that the value will n
3.3.2.10. navidrome
-{ pkgs, lib, inputs, config, ... }:
-let
- secretsDirectory = builtins.toString inputs.nix-secrets;
-in
+{ pkgs, config, lib, ... }:
{
options.swarselsystems.modules.server.navidrome = lib.mkEnableOption "enable navidrome on server";
config = lib.mkIf config.swarselsystems.modules.server.navidrome {
@@ -8443,10 +8536,12 @@ in
};
# Switch using --impure as these credential files are not stored within the flake
# sops-nix is not supported for these which is why we need to resort to these
- LastFM.ApiKey = lib.swarselsystems.getSecret "${secretsDirectory}/navidrome/lastfm-secret";
- LastFM.Secret = lib.swarselsystems.getSecret "${secretsDirectory}/navidrome/lastfm-key";
- Spotify.ID = lib.swarselsystems.getSecret "${secretsDirectory}/navidrome/spotify-id";
- Spotify.Secret = lib.swarselsystems.getSecret "${secretsDirectory}/navidrome/spotify-secret";
+ LastFM = {
+ inherit (config.repo.secrets.local.LastFM) ApiKey Secret;
+ };
+ Spotify = {
+ inherit (config.repo.secrets.local.Spotify) ID Secret;
+ };
UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
UIWelcomeMessage = "~SwarselSound~";
};
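Review bot: `LastFM.Secret` and `Spotify.Secret` are API credentials, yet they are now read from `config.repo.secrets.local`, which the new PII module documents as material that "may (and probably will be) put into the world-readable nix-store" and that needs no protection after deployment. These values do need protection, so this routes real secrets through a channel designed for identifiers; the previous `getSecret` path had the same weakness, so it is not a regression, but the new module's contract now makes the mismatch explicit. If the navidrome module or its systemd unit accepts an environment or credentials file, loading these four values from a sops-nix managed file would keep them out of the store; otherwise the retained comment should at least state that the keys are world-readable on the host. Which option is available cannot be determined from this hunk.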
@@ -9341,10 +9436,9 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of
3.3.2.19. syncthing
-{ lib, config, inputs, ... }:
+{ lib, config, ... }:
let
- secretsDirectory = builtins.toString inputs.nix-secrets;
- workHostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname";
+ inherit (config.repo.secrets.common) workHostName;
in
{
options.swarselsystems.modules.server.syncthing = lib.mkEnableOption "enable syncthing on server";
@@ -9468,10 +9562,9 @@ This manages backups for my pictures and obsidian files.
-{ lib, pkgs, config, inputs, ... }:
+{ lib, pkgs, config, ... }:
let
- secretsDirectory = builtins.toString inputs.nix-secrets;
- resticRepo = lib.swarselsystems.getSecret "${secretsDirectory}/restic/wintersRepo";
+ inherit (config.repo.secrets.local) resticRepo;
in
{
options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server";
@@ -10137,8 +10230,8 @@ in
-
-3.3.2.27. IDM (kanidm + oauth2-proxy)
+
+3.3.2.27. IDM (kanidm + oauth2-proxy)
The forgejo configuration is a little broken and will show a 500 error when signing in through kanidm. However, when pressing back and refreshing the page, I am logged in. Currently I cannot be bothered to fix this.
@@ -10695,8 +10788,8 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using.
-
-3.3.4.6. Framework
+
+3.3.4.6. Framework
This holds configuration that is specific to framework laptops.
@@ -10734,8 +10827,8 @@ This holds configuration that is specific to framework laptops.
-
-3.3.4.7. AMD CPU
+
+3.3.4.7. AMD CPU
{ lib, config, ... }:
@@ -10751,8 +10844,8 @@ This holds configuration that is specific to framework laptops.
-
-3.3.4.8. AMD GPU
+
+3.3.4.8. AMD GPU
{ lib, config, ... }:
@@ -10774,8 +10867,8 @@ This holds configuration that is specific to framework laptops.
-
-3.3.4.9. Hibernation
+
+3.3.4.9. Hibernation
{ lib, config, ... }:
@@ -10806,8 +10899,8 @@ This holds configuration that is specific to framework laptops.
-
-3.3.4.10. BTRFS
+
+3.3.4.10. BTRFS
{ lib, config, ... }:
@@ -11871,19 +11964,15 @@ in
3.4.1.7. Yubikey
-{ lib, config, nix-secrets, ... }:
-let
- secretsDirectory = builtins.toString nix-secrets;
- yubikey1 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey1";
- yubikey2 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey2";
-in
+{ lib, config, nixosConfig, ... }:
{
options.swarselsystems.modules.yubikey = lib.mkEnableOption "yubikey settings";
+
config = lib.mkIf config.swarselsystems.modules.yubikey {
pam.yubico.authorizedYubiKeys = {
ids = [
- "${yubikey1}"
- "${yubikey2}"
+ nixosConfig.repo.secrets.common.yubikeys.dev1
+ nixosConfig.repo.secrets.common.yubikeys.dev2
];
};
};
@@ -12148,15 +12237,10 @@ Sets environment variables. Here I am only setting the EDITOR variable, most var
-{ lib, config, nix-secrets, ... }:
+{ lib, config, nixosConfig, ... }:
let
- secretsDirectory = builtins.toString nix-secrets;
- leonMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/leon";
- nautilusMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/nautilus";
- mrswarselMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/mrswarsel";
- swarselMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/swarsel";
- fullName = lib.swarselsystems.getSecret "${secretsDirectory}/info/fullname";
- allMailAddresses = lib.swarselsystems.getSecret "${secretsDirectory}/mail/list";
+ inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
+ inherit (nixosConfig.repo.secrets.common) fullName;
in
{
options.swarselsystems.modules.env = lib.mkEnableOption "env settings";
@@ -12168,10 +12252,10 @@ in
SWARSEL_HI_RES = config.swarselsystems.highResolution;
};
systemd.user.sessionVariables = {
- SWARSEL_LEON_MAIL = leonMail;
- SWARSEL_NAUTILUS_MAIL = nautilusMail;
- SWARSEL_MRSWARSEL_MAIL = mrswarselMail;
- SWARSEL_SWARSEL_MAIL = swarselMail;
+ SWARSEL_MAIL1 = address1;
+ SWARSEL_MAIL2 = address2;
+ SWARSEL_MAIL3 = address3;
+ SWARSEL_MAIL4 = address4;
SWARSEL_FULLNAME = fullName;
SWARSEL_MAIL_ALL = allMailAddresses;
};
@@ -12337,11 +12421,10 @@ Here I set up my git config, automatic signing of commits, useful aliases for my
-{ lib, config, nix-secrets, ... }:
+{ lib, config, nixosConfig, ... }:
let
- secretsDirectory = builtins.toString nix-secrets;
- leonMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/leon";
- fullName = lib.swarselsystems.getSecret "${secretsDirectory}/info/fullname";
+ inherit (nixosConfig.repo.secrets.common.mail) address1;
+ inherit (nixosConfig.repo.secrets.common) fullName;
in
{
options.swarselsystems.modules.git = lib.mkEnableOption "git settings";
@@ -12365,7 +12448,7 @@ in
key = "0x76FD3810215AE097";
signByDefault = true;
};
- userEmail = lib.mkDefault leonMail;
+ userEmail = lib.mkDefault address1;
userName = fullName;
difftastic.enable = true;
lfs.enable = true;
@@ -12898,14 +12981,10 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
-{ lib, config, nix-secrets, ... }:
+{ lib, config, nixosConfig, ... }:
let
- secretsDirectory = builtins.toString nix-secrets;
- leonMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/leon";
- nautilusMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/nautilus";
- mrswarselMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/mrswarsel";
- swarselMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/swarsel";
- fullName = lib.swarselsystems.getSecret "${secretsDirectory}/info/fullname";
+ inherit (nixosConfig.repo.secrets.common.mail) address1 address2 add2Name address3 add3Name address4;
+ inherit (nixosConfig.repo.secrets.common) fullName;
in
{
options.swarselsystems.modules.mail = lib.mkEnableOption "mail settings";
@@ -12934,8 +13013,8 @@ in
accounts = {
leon = {
primary = true;
- address = leonMail;
- userName = leonMail;
+ address = address1;
+ userName = address1;
realName = fullName;
passwordCommand = "cat ${config.sops.secrets.leon.path}";
gpg = {
@@ -12966,7 +13045,7 @@ in
};
swarsel = {
- address = swarselMail;
+ address = address4;
userName = "8227dc594dd515ce232eda1471cb9a19";
realName = fullName;
passwordCommand = "cat ${config.sops.secrets.swarselmail.path}";
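Review bot: The `swarsel` account keeps `userName = "8227dc594dd515ce232eda1471cb9a19";` in the clear while every other address in this hunk moves into `repo.secrets.common.mail`. That value looks like a provider-issued identifier rather than a human address; if it is part of the login credential it belongs with the sops-nix `swarselmail` secret whose path the next line reads, and if it is merely an identifier it would be consistent with this commit to move it alongside `address4`. The account block continues outside the hunk.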
@@ -12989,9 +13068,9 @@ in
nautilus = {
primary = false;
- address = nautilusMail;
- userName = nautilusMail;
- realName = "Nautilus";
+ address = address2;
+ userName = address2;
+ realName = add2Name;
passwordCommand = "cat ${config.sops.secrets.nautilus.path}";
imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com";
@@ -13016,9 +13095,9 @@ in
mrswarsel = {
primary = false;
- address = mrswarselMail;
- userName = mrswarselMail;
- realName = "Swarsel";
+ address = address3;
+ userName = address3;
+ realName = add3Name;
passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}";
imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com";
@@ -13759,8 +13838,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
-
-3.4.1.29.4. SwayOSD
+
+3.4.1.29.4. SwayOSD
{ lib, config, ... }:
@@ -14397,9 +14476,9 @@ This service changes the screen hue at night. I am not sure if that really does
-{ lib, config, nix-secrets, ... }:
+{ lib, config, nixosConfig, ... }:
let
- secretsDirectory = builtins.toString nix-secrets;
+ inherit (nixosConfig.repo.secrets.common.location) latitude longitude;
in
{
options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings";
@@ -14407,8 +14486,7 @@ in
services.gammastep = {
enable = true;
provider = "manual";
- latitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-latitude";
- longitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-longitude";
+ inherit longitude latitude;
};
};
}
@@ -14567,13 +14645,10 @@ The rest of the settings is at
-{ self, config, pkgs, lib, nix-secrets, ... }:
+{ self, config, pkgs, lib, nixosConfig, ... }:
let
inherit (config.swarselsystems) homeDir;
- secretsDirectory = builtins.toString nix-secrets;
- dcUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/dc-user";
- clUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/cl-user";
- wsUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/ws-user";
+ inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
in
{
options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings";
@@ -14585,7 +14660,7 @@ in
docker
postman
rclone
- stable.awscli2
+ stable24_05.awscli2
libguestfs-with-appliance
stable.prometheus.cli
tigervnc
@@ -14612,20 +14687,20 @@ in
};
stylix.targets.firefox.profileNames = [
- "dc"
- "cl"
- "ws"
+ "${user1}"
+ "${user2}"
+ "${user3}"
"work"
];
programs = {
- git.userEmail = lib.swarselsystems.getSecret "${secretsDirectory}/work/git-email";
+ git.userEmail = lib.mkForce gitMail;
zsh = {
shellAliases = {
- dssh = "ssh -l ${dcUser}";
- cssh = "ssh -l ${clUser}";
- wssh = "ssh -l ${wsUser}";
+ dssh = "ssh -l ${user1Long}";
+ cssh = "ssh -l ${user2Long}";
+ wssh = "ssh -l ${user3Long}";
};
cdpath = [
"~/Documents/Work"
@@ -14635,42 +14710,42 @@ in
w = "$HOME/Documents/Work";
s = "$HOME/.dotfiles/secrets";
pr = "$HOME/Documents/Private";
- ac = "$HOME/.ansible/collections/ansible_collections/vbc/linux/roles";
+ ac = path1;
};
};
ssh = {
matchBlocks = {
- "uc" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-prod";
- user = "stack";
+ "${loc1}" = {
+ hostname = "${loc1}.${domain2}";
+ user = user4;
};
- "uc.stg" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg";
- user = "stack";
+ "${loc1}.stg" = {
+ hostname = "${loc1}.${lifecycle1}.${domain2}";
+ user = user4;
};
- "uc.staging" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg";
- user = "stack";
+ "${loc1}.staging" = {
+ hostname = "${loc1}.${lifecycle1}.${domain2}";
+ user = user4;
};
- "uc.dev" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-dev";
- user = "stack";
+ "${loc1}.dev" = {
+ hostname = "${loc1}.${lifecycle2}.${domain2}";
+ user = user4;
};
- "cbe" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-prod";
- user = dcUser;
+ "${loc2}" = {
+ hostname = "${loc2}.${domain1}";
+ user = user1Long;
};
- "cbe.stg" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg";
- user = dcUser;
+ "${loc2}.stg" = {
+ hostname = "${loc2}.${lifecycle1}.${domain2}";
+ user = user1Long;
};
- "cbe.staging" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg";
- user = dcUser;
+ "${loc2}.staging" = {
+ hostname = "${loc2}.${lifecycle1}.${domain2}";
+ user = user1Long;
};
- "*.vbc.ac.at" = {
- user = dcUser;
+ "*.${domain1}" = {
+ user = user1Long;
};
};
};
@@ -14681,25 +14756,25 @@ in
isDefault = false;
in
{
- dc = lib.recursiveUpdate
+ "${user1}" = lib.recursiveUpdate
{
inherit isDefault;
id = 1;
settings = {
- "browser.startup.homepage" = "https://tower.vbc.ac.at|https://artifactory.vbc.ac.at";
+ "browser.startup.homepage" = "${site1}|${site2}";
};
}
config.swarselsystems.firefox;
- cl = lib.recursiveUpdate
+ "${user2}" = lib.recursiveUpdate
{
inherit isDefault;
id = 2;
settings = {
- "browser.startup.homepage" = "https://portal.azure.com";
+ "browser.startup.homepage" = "${site3}";
};
}
config.swarselsystems.firefox;
- ws = lib.recursiveUpdate
+ "${user3}" = lib.recursiveUpdate
{
inherit isDefault;
id = 3;
@@ -14710,7 +14785,7 @@ in
inherit isDefault;
id = 4;
settings = {
- "browser.startup.homepage" = "https://outlook.office.com|https://satellite.vbc.ac.at|https://bitbucket.vbc.ac.at|https://github.com";
+ "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
};
}
config.swarselsystems.firefox;
@@ -14873,27 +14948,28 @@ in
exec = "firefox -p work";
inherit terminal categories icon;
};
- firefox_dc = {
- name = "Firefox (dc)";
- genericName = "Firefox dc";
- exec = "firefox -p dc";
+ "firefox_${user1}" = {
+ name = "Firefox (${user1})";
+ genericName = "Firefox ${user1}";
+ exec = "firefox -p ${user4}";
inherit terminal categories icon;
};
- firefox_ws = {
- name = "Firefox (ws)";
- genericName = "Firefox ws";
- exec = "firefox -p ws";
+ "firefox_${user2}" = {
+ name = "Firefox (${user2})";
+ genericName = "Firefox ${user2}";
+ exec = "firefox -p ${user2}";
inherit terminal categories icon;
};
- firefox_cl = {
- name = "Firefox (cl)";
- genericName = "Firefox cl";
- exec = "firefox -p cl";
+ "firefox_${user3}" = {
+ name = "Firefox (${user3})";
+ genericName = "Firefox ${user3}";
+ exec = "firefox -p ${user3}";
inherit terminal categories icon;
};
+
};
};
swarselsystems = {
@@ -15009,8 +15085,8 @@ in
-
-3.4.4.3. Framework
+
+3.4.4.3. Framework
-
-6.3. tridactyl theme
+
+6.3. tridactyl theme
@@ -19348,7 +19424,7 @@ sync USER HOST:
diff --git a/modules/home/common/env.nix b/modules/home/common/env.nix
index 424df5e..0c36301 100644
--- a/modules/home/common/env.nix
+++ b/modules/home/common/env.nix
@@ -1,12 +1,7 @@
-{ lib, config, nix-secrets, ... }:
+{ lib, config, nixosConfig, ... }:
let
- secretsDirectory = builtins.toString nix-secrets;
- leonMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/leon";
- nautilusMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/nautilus";
- mrswarselMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/mrswarsel";
- swarselMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/swarsel";
- fullName = lib.swarselsystems.getSecret "${secretsDirectory}/info/fullname";
- allMailAddresses = lib.swarselsystems.getSecret "${secretsDirectory}/mail/list";
+ inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
+ inherit (nixosConfig.repo.secrets.common) fullName;
in
{
options.swarselsystems.modules.env = lib.mkEnableOption "env settings";
@@ -18,10 +13,10 @@ in
SWARSEL_HI_RES = config.swarselsystems.highResolution;
};
systemd.user.sessionVariables = {
- SWARSEL_LEON_MAIL = leonMail;
- SWARSEL_NAUTILUS_MAIL = nautilusMail;
- SWARSEL_MRSWARSEL_MAIL = mrswarselMail;
- SWARSEL_SWARSEL_MAIL = swarselMail;
+ SWARSEL_MAIL1 = address1;
+ SWARSEL_MAIL2 = address2;
+ SWARSEL_MAIL3 = address3;
+ SWARSEL_MAIL4 = address4;
SWARSEL_FULLNAME = fullName;
SWARSEL_MAIL_ALL = allMailAddresses;
};
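Review bot: Renaming the exported session variables from SWARSEL_LEON_MAIL/SWARSEL_NAUTILUS_MAIL/SWARSEL_MRSWARSEL_MAIL/SWARSEL_SWARSEL_MAIL to SWARSEL_MAIL1..4 is a breaking change for anything that reads them from the user session environment, and within this commit only init.el is adjusted, and only for the fourth one (`SWARSEL_MAIL4`, hunk ending at L1375). Whether other scripts or Emacs code read the three other old names is not visible here, so it is worth grepping for them before merging. With the descriptive names gone, a comment on the new side would keep the numbering discoverable, e.g. `# numbering follows repo.secrets.common.mail.address1..4; consumer: programs/emacs/init.el`.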
diff --git a/modules/home/common/gammastep.nix b/modules/home/common/gammastep.nix
index d2fbbb5..e97f770 100644
--- a/modules/home/common/gammastep.nix
+++ b/modules/home/common/gammastep.nix
@@ -1,6 +1,6 @@
-{ lib, config, nix-secrets, ... }:
+{ lib, config, nixosConfig, ... }:
let
- secretsDirectory = builtins.toString nix-secrets;
+ inherit (nixosConfig.repo.secrets.common.location) latitude longitude;
in
{
options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings";
@@ -8,8 +8,7 @@ in
services.gammastep = {
enable = true;
provider = "manual";
- latitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-latitude";
- longitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-longitude";
+ inherit longitude latitude;
};
};
}
diff --git a/modules/home/common/git.nix b/modules/home/common/git.nix
index 3a88d2d..f593392 100644
--- a/modules/home/common/git.nix
+++ b/modules/home/common/git.nix
@@ -1,8 +1,7 @@
-{ lib, config, nix-secrets, ... }:
+{ lib, config, nixosConfig, ... }:
let
- secretsDirectory = builtins.toString nix-secrets;
- leonMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/leon";
- fullName = lib.swarselsystems.getSecret "${secretsDirectory}/info/fullname";
+ inherit (nixosConfig.repo.secrets.common.mail) address1;
+ inherit (nixosConfig.repo.secrets.common) fullName;
in
{
options.swarselsystems.modules.git = lib.mkEnableOption "git settings";
@@ -26,7 +25,7 @@ in
key = "0x76FD3810215AE097";
signByDefault = true;
};
- userEmail = lib.mkDefault leonMail;
+ userEmail = lib.mkDefault address1;
userName = fullName;
difftastic.enable = true;
lfs.enable = true;
diff --git a/modules/home/common/mail.nix b/modules/home/common/mail.nix
index ce98fba..fbc10ae 100644
--- a/modules/home/common/mail.nix
+++ b/modules/home/common/mail.nix
@@ -1,11 +1,7 @@
-{ lib, config, nix-secrets, ... }:
+{ lib, config, nixosConfig, ... }:
let
- secretsDirectory = builtins.toString nix-secrets;
- leonMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/leon";
- nautilusMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/nautilus";
- mrswarselMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/mrswarsel";
- swarselMail = lib.swarselsystems.getSecret "${secretsDirectory}/mail/swarsel";
- fullName = lib.swarselsystems.getSecret "${secretsDirectory}/info/fullname";
+ inherit (nixosConfig.repo.secrets.common.mail) address1 address2 add2Name address3 add3Name address4;
+ inherit (nixosConfig.repo.secrets.common) fullName;
in
{
options.swarselsystems.modules.mail = lib.mkEnableOption "mail settings";
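Review bot: `add2Name` and `add3Name` abbreviate differently from the `address2`/`address3` they are paired with further down (nautilus and mrswarsel), which makes the pairing easy to miss in a list of six look-alike names. `address2Name`/`address3Name` would make the relation obvious, and since the attribute names now live in the encrypted secrets file the rename is a one-place change on that side. The leon and swarsel accounts keep using `fullName` while the other two take their realName from secrets; a short comment on the inherit line stating that split (`# add2Name/add3Name: display names for the two secondary accounts`) would save the next reader from wondering why.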
@@ -34,8 +30,8 @@ in
accounts = {
leon = {
primary = true;
- address = leonMail;
- userName = leonMail;
+ address = address1;
+ userName = address1;
realName = fullName;
passwordCommand = "cat ${config.sops.secrets.leon.path}";
gpg = {
@@ -66,7 +62,7 @@ in
};
swarsel = {
- address = swarselMail;
+ address = address4;
userName = "8227dc594dd515ce232eda1471cb9a19";
realName = fullName;
passwordCommand = "cat ${config.sops.secrets.swarselmail.path}";
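Review bot: The swarsel account now takes its address from `address4`, but the line directly below keeps `userName = "8227dc594dd515ce232eda1471cb9a19";` as a plaintext literal in the repository, which is at odds with moving the other account identifiers of the same attribute set into the encrypted pii secrets; it is the login name for this mailbox. If it is intended to stay public, a one-line comment saying why (`# provider-issued login id, intentionally not in secrets`) would settle it; otherwise it belongs next to address4 in `repo.secrets.common.mail`. The same account block is tangled from SwarselSystems.org (hunk ending at L725) and would need the same treatment there.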
@@ -89,9 +85,9 @@ in
nautilus = {
primary = false;
- address = nautilusMail;
- userName = nautilusMail;
- realName = "Nautilus";
+ address = address2;
+ userName = address2;
+ realName = add2Name;
passwordCommand = "cat ${config.sops.secrets.nautilus.path}";
imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com";
@@ -116,9 +112,9 @@ in
mrswarsel = {
primary = false;
- address = mrswarselMail;
- userName = mrswarselMail;
- realName = "Swarsel";
+ address = address3;
+ userName = address3;
+ realName = add3Name;
passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}";
imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com";
diff --git a/modules/home/optional/work.nix b/modules/home/optional/work.nix
index a6289da..3567b14 100644
--- a/modules/home/optional/work.nix
+++ b/modules/home/optional/work.nix
@@ -1,10 +1,7 @@
-{ self, config, pkgs, lib, nix-secrets, ... }:
+{ self, config, pkgs, lib, nixosConfig, ... }:
let
inherit (config.swarselsystems) homeDir;
- secretsDirectory = builtins.toString nix-secrets;
- dcUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/dc-user";
- clUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/cl-user";
- wsUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/ws-user";
+ inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
in
{
options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings";
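Review bot: The single `inherit` on the new line 4 binds twenty-two opaque names (user1…user4, user1Long…user3Long, loc1, loc2, lifecycle1, lifecycle2, domain1, domain2, site1…site7, path1, gitMail) with nothing telling a reader which role each plays, where the removed dcUser/clUser/wsUser bindings were self-describing. The values are secret but the roles are not, and they are fixed by how this module uses them: user1..3 key the Firefox profiles and stylix profileNames, the *Long variants are the ssh logins, user4 is the login for the loc1 hosts, and hosts are composed as `<loc>.<lifecycle>.<domain>`. Splitting the inherit into one line per group (logins, hosts, sites, misc) with a comment on each, e.g. `# user1..3: short ids naming the three work Firefox profiles; user{1,2,3}Long: the matching ssh logins; user4: ssh login on the loc1 hosts`, would keep the file readable without disclosing anything. The same line is tangled from SwarselSystems.org (hunk ending at L787), so the comment belongs there too.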
@@ -43,20 +40,20 @@ in
};
stylix.targets.firefox.profileNames = [
- "dc"
- "cl"
- "ws"
+ "${user1}"
+ "${user2}"
+ "${user3}"
"work"
];
programs = {
- git.userEmail = lib.swarselsystems.getSecret "${secretsDirectory}/work/git-email";
+ git.userEmail = lib.mkForce gitMail;
zsh = {
shellAliases = {
- dssh = "ssh -l ${dcUser}";
- cssh = "ssh -l ${clUser}";
- wssh = "ssh -l ${wsUser}";
+ dssh = "ssh -l ${user1Long}";
+ cssh = "ssh -l ${user2Long}";
+ wssh = "ssh -l ${user3Long}";
};
cdpath = [
"~/Documents/Work"
@@ -66,42 +63,42 @@ in
w = "$HOME/Documents/Work";
s = "$HOME/.dotfiles/secrets";
pr = "$HOME/Documents/Private";
- ac = "$HOME/.ansible/collections/ansible_collections/vbc/linux/roles";
+ ac = path1;
};
};
ssh = {
matchBlocks = {
- "uc" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-prod";
- user = "stack";
+ "${loc1}" = {
+ hostname = "${loc1}.${domain2}";
+ user = user4;
};
- "uc.stg" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg";
- user = "stack";
+ "${loc1}.stg" = {
+ hostname = "${loc1}.${lifecycle1}.${domain2}";
+ user = user4;
};
- "uc.staging" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg";
- user = "stack";
+ "${loc1}.staging" = {
+ hostname = "${loc1}.${lifecycle1}.${domain2}";
+ user = user4;
};
- "uc.dev" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-dev";
- user = "stack";
+ "${loc1}.dev" = {
+ hostname = "${loc1}.${lifecycle2}.${domain2}";
+ user = user4;
};
- "cbe" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-prod";
- user = dcUser;
+ "${loc2}" = {
+ hostname = "${loc2}.${domain1}";
+ user = user1Long;
};
- "cbe.stg" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg";
- user = dcUser;
+ "${loc2}.stg" = {
+ hostname = "${loc2}.${lifecycle1}.${domain2}";
+ user = user1Long;
};
- "cbe.staging" = {
- hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg";
- user = dcUser;
+ "${loc2}.staging" = {
+ hostname = "${loc2}.${lifecycle1}.${domain2}";
+ user = user1Long;
};
- "*.vbc.ac.at" = {
- user = dcUser;
+ "*.${domain1}" = {
+ user = user1Long;
};
};
};
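Review bot: The loc2 hosts are composed inconsistently: `"${loc2}"` resolves to `${loc2}.${domain1}` while `"${loc2}.stg"` and `"${loc2}.staging"` resolve to `${loc2}.${lifecycle1}.${domain2}`, whereas every loc1 entry uses domain2 throughout. The removed values were opaque secret files (cbe-prod vs cbe-stg), so this may well be faithful, but it should be confirmed against them; note that the `"*.${domain1}"` catch-all with user1Long does not cover the loc2 staging hosts if they really live under domain2, which is only harmless here because those blocks carry an explicit `user = user1Long;`. If the split is intended, a comment on the loc2 block (`# prod is under domain1, staging/stg under domain2`) would stop the next reader from "fixing" it. The org tangle source has the same block (hunk ending at L887).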
@@ -112,25 +109,25 @@ in
isDefault = false;
in
{
- dc = lib.recursiveUpdate
+ "${user1}" = lib.recursiveUpdate
{
inherit isDefault;
id = 1;
settings = {
- "browser.startup.homepage" = "https://tower.vbc.ac.at|https://artifactory.vbc.ac.at";
+ "browser.startup.homepage" = "${site1}|${site2}";
};
}
config.swarselsystems.firefox;
- cl = lib.recursiveUpdate
+ "${user2}" = lib.recursiveUpdate
{
inherit isDefault;
id = 2;
settings = {
- "browser.startup.homepage" = "https://portal.azure.com";
+ "browser.startup.homepage" = "${site3}";
};
}
config.swarselsystems.firefox;
- ws = lib.recursiveUpdate
+ "${user3}" = lib.recursiveUpdate
{
inherit isDefault;
id = 3;
@@ -141,7 +138,7 @@ in
inherit isDefault;
id = 4;
settings = {
- "browser.startup.homepage" = "https://outlook.office.com|https://satellite.vbc.ac.at|https://bitbucket.vbc.ac.at|https://github.com";
+ "browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
};
}
config.swarselsystems.firefox;
@@ -304,27 +301,28 @@ in
exec = "firefox -p work";
inherit terminal categories icon;
};
- firefox_dc = {
- name = "Firefox (dc)";
- genericName = "Firefox dc";
- exec = "firefox -p dc";
+ "firefox_${user1}" = {
+ name = "Firefox (${user1})";
+ genericName = "Firefox ${user1}";
+ exec = "firefox -p ${user4}";
inherit terminal categories icon;
};
- firefox_ws = {
- name = "Firefox (ws)";
- genericName = "Firefox ws";
- exec = "firefox -p ws";
+ "firefox_${user2}" = {
+ name = "Firefox (${user2})";
+ genericName = "Firefox ${user2}";
+ exec = "firefox -p ${user2}";
inherit terminal categories icon;
};
- firefox_cl = {
- name = "Firefox (cl)";
- genericName = "Firefox cl";
- exec = "firefox -p cl";
+ "firefox_${user3}" = {
+ name = "Firefox (${user3})";
+ genericName = "Firefox ${user3}";
+ exec = "firefox -p ${user3}";
inherit terminal categories icon;
};
+
};
};
swarselsystems = {
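Review bot: `exec = "firefox -p ${user4}";` in the `"firefox_${user1}"` entry launches a profile that is never defined: the profiles created earlier in this file are keyed `"${user1}"`, `"${user2}"`, `"${user3}"` and listed under stylix profileNames the same way, and user4 is otherwise only used as the ssh login for the loc1 hosts. The two sibling entries use `${user2}` and `${user3}`, and the removed line was `firefox -p dc` matching the removed `dc` profile, so this looks like a copy slip; it should read `exec = "firefox -p ${user1}";`. The same hunk is tangled from SwarselSystems.org (hunk ending at L965) and needs the same correction there. The added blank line before the closing `};` is whitespace only.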
diff --git a/modules/nixos/server/navidrome.nix b/modules/nixos/server/navidrome.nix
index f88cd25..029729d 100644
--- a/modules/nixos/server/navidrome.nix
+++ b/modules/nixos/server/navidrome.nix
@@ -1,7 +1,4 @@
-{ pkgs, lib, inputs, config, ... }:
-let
- secretsDirectory = builtins.toString inputs.nix-secrets;
-in
+{ pkgs, config, lib, ... }:
{
options.swarselsystems.modules.server.navidrome = lib.mkEnableOption "enable navidrome on server";
config = lib.mkIf config.swarselsystems.modules.server.navidrome {
@@ -60,10 +57,12 @@ in
};
# Switch using --impure as these credential files are not stored within the flake
# sops-nix is not supported for these which is why we need to resort to these
- LastFM.ApiKey = lib.swarselsystems.getSecret "${secretsDirectory}/navidrome/lastfm-secret";
- LastFM.Secret = lib.swarselsystems.getSecret "${secretsDirectory}/navidrome/lastfm-key";
- Spotify.ID = lib.swarselsystems.getSecret "${secretsDirectory}/navidrome/spotify-id";
- Spotify.Secret = lib.swarselsystems.getSecret "${secretsDirectory}/navidrome/spotify-secret";
+ LastFM = {
+ inherit (config.repo.secrets.local.LastFM) ApiKey Secret;
+ };
+ Spotify = {
+ inherit (config.repo.secrets.local.Spotify) ID Secret;
+ };
UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
UIWelcomeMessage = "~SwarselSound~";
};
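Review bot: The two context lines above the change, `# Switch using --impure ...` and `# sops-nix is not supported for these ...`, now describe the removed getSecret mechanism; the new values come from `config.repo.secrets.local.LastFM`/`.Spotify`, so --impure is no longer the reason and the comment should be rewritten along the lines of `# Taken at evaluation time from the repo's encrypted pii secrets; they are still rendered into the generated navidrome config`. The last clause is an inference: if these settings are written to a file in the Nix store as before, the API keys remain readable by every local user regardless of where they are sourced from, which is what the old comment was excusing, and the rewritten comment should say so plainly. Separately, the removed lines read `ApiKey` from `lastfm-secret` and `Secret` from `lastfm-key`; the inherit now takes both by name, so it is worth checking that the encrypted file assigns them the right way round.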
diff --git a/modules/nixos/server/restic.nix b/modules/nixos/server/restic.nix
index 86d22bd..3611824 100644
--- a/modules/nixos/server/restic.nix
+++ b/modules/nixos/server/restic.nix
@@ -1,7 +1,6 @@
-{ lib, pkgs, config, inputs, ... }:
+{ lib, pkgs, config, ... }:
let
- secretsDirectory = builtins.toString inputs.nix-secrets;
- resticRepo = lib.swarselsystems.getSecret "${secretsDirectory}/restic/wintersRepo";
+ inherit (config.repo.secrets.local) resticRepo;
in
{
options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server";
diff --git a/modules/nixos/server/syncthing.nix b/modules/nixos/server/syncthing.nix
index 8837dd7..5cf7e1f 100644
--- a/modules/nixos/server/syncthing.nix
+++ b/modules/nixos/server/syncthing.nix
@@ -1,7 +1,6 @@
-{ lib, config, inputs, ... }:
+{ lib, config, ... }:
let
- secretsDirectory = builtins.toString inputs.nix-secrets;
- workHostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname";
+ inherit (config.repo.secrets.common) workHostName;
in
{
options.swarselsystems.modules.server.syncthing = lib.mkEnableOption "enable syncthing on server";
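Review bot: `workHostName` is taken from `config.repo.secrets.common`, a shared value, while the host it names presumably sets its own hostName from a different, per-host secret; that leaves the same name in two encrypted places with nothing tying them together, and if they drift the mismatch would only show up as this server no longer matching the work machine. A comment on the inherit line, `# must equal the hostName the work laptop sets from its own local secrets`, records the coupling. Where the value is consumed is outside this hunk.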
diff --git a/programs/emacs/init.el b/programs/emacs/init.el
index eeb6a0f..50e3237 100644
--- a/programs/emacs/init.el
+++ b/programs/emacs/init.el
@@ -1502,7 +1502,7 @@ create a new one."
(:maildir "/Drafts" :key ?d)
(:maildir "/All Mail" :key ?a)))
- (setq user-mail-address (getenv "SWARSEL_SWARSEL_MAIL")
+ (setq user-mail-address (getenv "SWARSEL_MAIL4")
user-full-name (getenv "SWARSEL_FULLNAME"))
;; this does the equivalent of (setq mu4e-user-mail-address-list '(address1@about.com address2@about.com [...])))
diff --git a/secrets/repo/pii.nix.enc b/secrets/repo/pii.nix.enc
index b25dffd..49f0016 100644
--- a/secrets/repo/pii.nix.enc
+++ b/secrets/repo/pii.nix.enc
@@ -1,5 +1,5 @@
{
- "data": "ENC[AES256_GCM,data:s7upsped0qBHSmSbW4ESqH9RbroHNMSO7wYwXRf12aWo6Ula6vpwQYHyCqhuiI4WtSL1osRLoosLipfNJLJRgunLB+qAJgkof+5njmCw,iv:ywC5bm4W9dkuxgqA7GxTE40pgzjGdLsHQifoMHYgEaY=,tag:bOf0xTa2VxZ+zONVRoXf9g==,type:str]",
+ "data": "ENC[AES256_GCM,data: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,iv:PBwZiNQjDguQF/GFegm1oVYHF0lG6fjK0vxBuQN1HFo=,tag:VH2pH+rKgyBSIzGo8py6bw==,type:str]",
"sops": {
"age": [
{
@@ -23,8 +23,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bFIrQjZ5cUFBQUp4dTRW\ndEdaZys0OHE5L3BPaVNic3ZZRDQ5N09SaGdZCllhWnY4T2lLZzVUMlp5VjMvQ2lP\ndGFNSTBqbjNMaUcwbVRaWFVCazU3OEUKLS0tIHBIWUZCYjFDVDgzbUUxMC9TNzdp\naFdiWmV6TGIva0RNUDNHWmdJZGgzNHMKiIzjo6sH/SP12cAXTvXiP0X9EE/A8Qw1\nIfgZfyEHdf/Mxd/iNzlWb2Nb0MLerYYw/qZ/+L5eDpUr4Vl051qOXA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
- "lastmodified": "2025-06-11T01:57:02Z",
- "mac": "ENC[AES256_GCM,data:c/fERNdNCLBb26sZzse/liAQWosjFB20nP7xje1qsJ+NpGa9fvZXGtbxMTbFx/BWy5VB2LEwXLzOTNv10gbjCa7Ovr6fzWaZZ9PoadsrDA2nSiAvTu3v+a70vKCwsTWTUA42w61lEEWBJwjU3kKiI3WF8TPOCeB0CLf3J1t4AHo=,iv:BoPCpP2VwDSHJllcQMpcClHFr6YWDQIT5GJGSZ1HAYY=,tag:hdQUQEFHH3a0PhlEmKdPoQ==,type:str]",
+ "lastmodified": "2025-06-11T12:35:26Z",
+ "mac": "ENC[AES256_GCM,data:qySqNhw1CPbilUmJPSOsLGG3mbLrvPMXzkzUGIj5l1EBLl//BVfAqvkgc06AhjDexr708CyUU5tiW0JydFBkEcByxDK21JhnZGVTdiTidBUl5lS392bCxdnrWgNCm6BnIznLsF3UpuqStsztOgjRJa2pawC2b5i6VCm4asif2lQ=,iv:M0JEy5+8g2wesVMpfhl0OZOKh4MFnh6RwUm9tteSYJ4=,tag:2zxRZLab6Z5XDsh9MMHSlg==,type:str]",
"pgp": [
{
"created_at": "2025-06-11T01:05:00Z",