diff --git a/.gitmodules b/.gitmodules
index 810e39f..dcfaddd 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,3 @@
 [submodule "secrets"]
 path = secrets
- url = git@git.jan-leila.com:jan-leila/nix-config.git
+ url = git@git.jan-leila.com:jan-leila/nix-config-secrets.git
diff --git a/README.md b/README.md
index d086102..b42f061 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,6 @@ to update passwords run: `nix shell nixpkgs#sops -c sops secrets/user-passwords.
 - join config for systemd.tmpfiles.rules and service directory bindings
 - monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml`
 - move applications in server environment into their own flakes
-- make subrepo a flake that gets imported (and then remove `path:` from build scripts)
 ## New Features
 - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
 - fix pre commit hook
diff --git a/enviroments/server/default.nix b/enviroments/server/default.nix
index 5a55a69..a36a1db 100644
--- a/enviroments/server/default.nix
+++ b/enviroments/server/default.nix
@@ -2,6 +2,7 @@
 lib,
 config,
 pkgs,
+ inputs,
 ...
 }: {
 imports = [
@@ -77,7 +78,7 @@ config = {
 sops.secrets = {
 "services/pi-hole" = {
- sopsFile = ../../secrets/defiant-services.yaml;
+ sopsFile = "${inputs.secrets}/defiant-services.yaml";
 };
 };
diff --git a/flake.lock b/flake.lock
index a424800..d6f3015 100644
--- a/flake.lock
+++ b/flake.lock
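Review bot: The `inputs` argument added to the module signature in the first enviroments/server/default.nix hunk is not supplied by the module system on its own, so unless the `nixosConfigurations` definition in flake.nix (outside every hunk here) already forwards it with `specialArgs = { inherit inputs; };`, the new `sopsFile = "${inputs.secrets}/defiant-services.yaml";` fails to evaluate with an undefined variable; the users/ester, users/eve and users/leyla hunks add the identical argument and have the same dependency. The change also moves the source of truth from the checked-out `secrets/` submodule to the store path of the locked input, so an edit made in the submodule (which the `sops secrets/user-passwords.yaml` instruction visible in the README hunk header still suggests) is not deployed until the lock is advanced with `nix flake update secrets` (older Nix: `nix flake lock --update-input secrets`). A comment on the `sopsFile` line such as `# read from the locked 'secrets' flake input, not the submodule checkout` would spare the next person that surprise. The enclosing `config = { … }` attrset closes outside the second hunk.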
@@ -167,9 +167,27 @@
 "nix-vscode-extensions": "nix-vscode-extensions",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs",
+ "secrets": "secrets",
 "sops-nix": "sops-nix"
 }
 },
+ "secrets": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1727152771,
+ "narHash": "sha256-GYtrV//xaqamqRynEaHJrbklliHyAN9/4NZRXBZlahs=",
+ "ref": "main",
+ "rev": "46172e93709498e57d188a1bd19349c28fe4e3e3",
+ "revCount": 2,
+ "type": "git",
+ "url": "https://git.jan-leila.com/jan-leila/nix-config-secrets"
+ },
+ "original": {
+ "ref": "main",
+ "type": "git",
+ "url": "https://git.jan-leila.com/jan-leila/nix-config-secrets"
+ }
+ },
 "sops-nix": {
 "inputs": {
 "nixpkgs": "nixpkgs_2",
diff --git a/flake.nix b/flake.nix
index 70992b0..d1ff05b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,9 +5,14 @@
 # base packages
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
- # encrypt files that contain secreats that I would like to not encrypt
+ # encrypt files that contain secrets that I would like to not encrypt
 sops-nix.url = "github:Mic92/sops-nix";
+ secrets = {
+ url = "git+https://git.jan-leila.com/jan-leila/nix-config-secrets?ref=main";
+ flake = false;
+ };
 # declairtive disk configuration
 disko = {
 url = "github:nix-community/disko";
diff --git a/install.sh b/install.sh
index d7e10df..882a935 100755
--- a/install.sh
+++ b/install.sh
@@ -51,4 +51,4 @@ mkdir -p $temp$SOPS_AGE_KEY_DIRECTORY
 cp -r $SOPS_AGE_KEY_DIRECTORY/* $temp$SOPS_AGE_KEY_DIRECTORY
 # commit number in this is because the main branch of nixos-anywhere is broken right now
-nix run github:nix-community/nixos-anywhere/b3b6bfebba35d55fba485ceda588984dec74c54f -- --extra-files $temp --flake "path:.#$flake" ${user:-nixos}@$target
+nix run github:nix-community/nixos-anywhere/b3b6bfebba35d55fba485ceda588984dec74c54f -- --extra-files $temp --flake ".#$flake" ${user:-nixos}@$target
diff --git a/rebuild.sh b/rebuild.sh
index 96cfc3d..630a2b4 100755
--- a/rebuild.sh
+++ b/rebuild.sh
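Review bot: The new `secrets` input in the flake.nix hunk follows `?ref=main` rather than a fixed commit, so although flake.lock pins `rev` and `narHash` today, every `nix flake update` re-resolves to whatever the branch head is at that moment; since that repository carries `user-passwords.yaml` (per the users/* hunks), push access to its `main` branch is effectively write access to the credentials every host derives from it, which makes that branch's protection part of the hosts' trust boundary. If the intent is deliberate bumps, pin with `?rev=<commit>` in the URL, or keep `ref=main` and treat lock-file updates as reviewed changes. Separately, the reworded comment `# encrypt files that contain secrets that I would like to not encrypt` still contradicts itself; something like `# sops-nix: secret files stay encrypted in git and are decrypted on the host` states what the input is for. Note that .gitmodules keeps the same repository as a submodule, so there are now two checkouts of the secrets repo to keep in sync.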
@@ -58,9 +58,9 @@ user=${user:-$USER}
 # access secret files in the submodule this is kinda bad and we should find a way to not need it
 if [[ "$target" == "$(hostname)" ]]; then
- nixos-rebuild $mode --use-remote-sudo --flake path:.#$flake
+ nixos-rebuild $mode --use-remote-sudo --flake .#$flake
 else
- nixos-rebuild $mode --use-remote-sudo --target-host $user@$target --flake path:.#$flake
+ nixos-rebuild $mode --use-remote-sudo --target-host $user@$target --flake .#$flake
 fi
 if [ -d "result" ];
diff --git a/users/ester/default.nix b/users/ester/default.nix
index 3597d2d..f6a1203 100644
--- a/users/ester/default.nix
+++ b/users/ester/default.nix
@@ -2,6 +2,7 @@
 lib,
 config,
 pkgs,
+ inputs,
 ...
 }: let
 cfg = config.users.ester;
@@ -16,7 +17,7 @@ in {
 sops.secrets = lib.mkIf cfg.isFullUser {
 "passwords/ester" = {
 neededForUsers = true;
- sopsFile = ../../secrets/user-passwords.yaml;
+ sopsFile = "${inputs.secrets}/user-passwords.yaml";
 };
 };
diff --git a/users/eve/default.nix b/users/eve/default.nix
index 16787f8..7902ff2 100644
--- a/users/eve/default.nix
+++ b/users/eve/default.nix
@@ -2,6 +2,7 @@
 lib,
 config,
 pkgs,
+ inputs,
 ...
 }: let
 cfg = config.users.eve;
@@ -16,7 +17,7 @@ in {
 sops.secrets = lib.mkIf cfg.isFullUser {
 "passwords/eve" = {
 neededForUsers = true;
- sopsFile = ../../secrets/user-passwords.yaml;
+ sopsFile = "${inputs.secrets}/user-passwords.yaml";
 };
 };
diff --git a/users/leyla/default.nix b/users/leyla/default.nix
index 20f99ab..1cd30fe 100644
--- a/users/leyla/default.nix
+++ b/users/leyla/default.nix
@@ -1,6 +1,7 @@
 {
 lib,
 config,
+ inputs,
 ...
 }: let
 cfg = config.users.leyla;
@@ -21,7 +22,7 @@ in {
 sops.secrets = lib.mkIf (cfg.isFullUser || cfg.isThinUser) {
 "passwords/leyla" = {
 neededForUsers = true;
- sopsFile = ../../secrets/user-passwords.yaml;
+ sopsFile = "${inputs.secrets}/user-passwords.yaml";
 };
 };
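Review bot: The context comment `# access secret files in the submodule this is kinda bad and we should find a way to not need it` in the rebuild.sh hunk describes exactly the `path:` workaround that the two changed lines remove, so it is now stale and should be dropped or rewritten, e.g. `# .# copies only git-tracked files into the store; secrets come from the locked 'secrets' input`. Dropping `path:` is also the safer default: a `path:` flake ref copies the whole working tree, untracked files included, into the world-readable store, whereas `.#` takes only what git tracks, and the same applies to the install.sh hunk. The `if [ -d "result" ];` at the bottom opens a statement that continues outside the hunk.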