From 4cd5edfeeeb796c3b97378e184cd85a5df4055f7 Mon Sep 17 00:00:00 2001
From: mjallen18
Date: Sun, 18 May 2025 19:41:16 -0500
Subject: [PATCH] cleanup

---
 flake.nix | 9 ++++-
 hosts/nas/sops.nix | 88 +++++++++++++++++++++++++++++++++++++++++-----
 hosts/pi4/sops.nix | 4 +++
 hosts/pi5/sops.nix | 4 +++
 4 files changed, 96 insertions(+), 9 deletions(-)

diff --git a/flake.nix b/flake.nix
index 7edaeaf..55caeef 100755
--- a/flake.nix
+++ b/flake.nix
@@ -172,6 +172,11 @@
  inputs.nixpkgs.follows = "pi4-nixpkgs";
  };
 
+ # Nix hardware
+ pi4-nixos-hardware = {
+ url = "github:NixOS/nixos-hardware/master";
+ };
+
  pi4-nixos-raspberrypi.url = "github:nvmd/nixos-raspberrypi";
 
  pi4-disko = {
@@ -298,6 +303,7 @@
  pi4-home-manager,
  pi4-impermanence,
  pi4-sops-nix,
+ pi4-nixos-hardware,
  pi4-nixos-raspberrypi,
  pi4-disko,
 
@@ -434,6 +440,7 @@
  pi5-impermanence.nixosModules.impermanence
  pi5-sops-nix.nixosModules.sops
  ./hosts/pi5/configuration.nix
+ pi5-nixos-hardware.nixosModules.raspberry-pi-5
  {
  # Hardware specific configuration, see section below for a more complete
  # list of modules
@@ -470,7 +477,7 @@
  modules = [
  pi4-disko.nixosModules.disko
  ./share/disko/pi-uefi-disko.nix
-
+ pi4-nixos-hardware.nixosModules.raspberry-pi-4
  pi4-impermanence.nixosModules.impermanence
  pi4-sops-nix.nixosModules.sops
  ./hosts/pi4/configuration.nix
diff --git a/hosts/nas/sops.nix b/hosts/nas/sops.nix
index 93fe5bf..138579b 100755
--- a/hosts/nas/sops.nix
+++ b/hosts/nas/sops.nix
@@ -32,6 +32,11 @@ in
  group = config.users.users."${user}".group;
  };
  "wifi" = { };
+
+ # ------------------------------
+ # ups
+ # ------------------------------
+
  "jallen-nas/ups_password" = {
  mode = "0777";
  restartUnits = [
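Review bot: `pi5-nixos-hardware.nixosModules.raspberry-pi-5` is referenced in the pi5 module list, but this patch declares only a `pi4-nixos-hardware` input and threads only that name into the outputs argument list; unless `pi5-nixos-hardware` is already an input and an outputs parameter outside these hunks, evaluation will fail on an undefined variable. Both names would track the same `github:NixOS/nixos-hardware` repository, so a single shared `nixos-hardware` input would also avoid two independent lock entries. The enclosing module lists start and end outside the hunk.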
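Review bot: `mode = "0777";` on `jallen-nas/ups_password` leaves the decrypted secret readable and writable by every local user, and this cleanup pass adds a section banner around it without tightening it. A password file needs neither write nor execute bits for anyone; `mode = "0440";` with the `owner`/`group` the UPS monitor (`upsmon.service`) runs as, in the style the immich and gitea entries already use with `group = "keys"`, is sufficient. The `restartUnits` list and the enclosing `secrets` attrset continue outside the hunk.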
@@ -41,18 +46,51 @@ in
  "upsmon.service"
  ];
  };
+
+ # ------------------------------
+ # SSH keys
+ # ------------------------------
+
+ "ssh-keys-public/jallen-nas-root" = {
+ path = "/root/.ssh/id_ed25519.pub";
+ mode = "0640";
+ };
+ "ssh-keys-private/jallen-nas-root" = {
+ path = "/root/.ssh/id_ed25519";
+ mode = "0640";
+ };
+
+ # ------------------------------
+ # authentik
+ # ------------------------------
+
  "jallen-nas/authentik-env" = {
  restartUnits = [ "authentik.service" ];
  };
+
+ # ------------------------------
+ # collabora # TODO
+ # ------------------------------
+
  "jallen-nas/collabora" = {
  restartUnits = [ "podman-collabora.service" ];
  };
+
+ # ------------------------------
+ # mariadb # TODO
+ # ------------------------------
+
  "jallen-nas/mariadb/db_pass" = {
  restartUnits = [ "podman-mariadb.service" ];
  };
  "jallen-nas/mariadb/root_pass" = {
  restartUnits = [ "podman-mariadb.service" ];
  };
+
+ # ------------------------------
+ # nextcloud
+ # ------------------------------
+
  "jallen-nas/nextcloud/dbpassword" = {
  mode = "0650";
  owner = config.users.users."${user}".name;
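Review bot: `ssh-keys-private/jallen-nas-root` is written to `/root/.ssh/id_ed25519` with `mode = "0640";`, which OpenSSH rejects for an identity file — it ignores private keys whose group or other permission bits are set — so the key is unusable as placed, and the group-read bit also widens who can read root's private key. Set `mode = "0600";` on the private-key entry; the public key can keep `0640`. The `collabora # TODO` and `mariadb # TODO` banners should state what is pending so a reader can tell what still needs changing. The enclosing `secrets` attrset starts and ends outside the hunk.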
@@ -71,23 +109,48 @@ in
  group = config.users.users."${user}".group;
  restartUnits = [ "container@nextcloud.service" ];
  };
+
+ # ------------------------------
+ # onlyoffice
+ # ------------------------------
+
  "jallen-nas/onlyoffice-key" = {
  mode = "0650";
  owner = config.users.users."${user}".name;
  group = config.users.users."${user}".group;
  restartUnits = [ "container@nextcloud.service" ];
  };
+
+ # ------------------------------
+ # manyfold
+ # ------------------------------
+
  "jallen-nas/manyfold/secretkeybase" = {
  restartUnits = [ "podman-manyfold.service" ];
  };
+
+ # ------------------------------
+ # immich
+ # ------------------------------
+
  "jallen-nas/immich/db-password" = {
  mode = "0440";
  group = "keys";
  restartUnits = [ "container@immich.service" ];
  };
+
+ # ------------------------------
+ # open-webui
+ # ------------------------------
+
  "jallen-nas/open-webui" = {
  restartUnits = [ "open-webui.service" ];
  };
+
+ # ------------------------------
+ # paperless
+ # ------------------------------
+
  "jallen-nas/paperless/secret" = {
  restartUnits = [ "container@paperless.service" ];
  };
@@ -97,6 +160,11 @@ in
  "jallen-nas/paperless/authentik-client-secret" = {
  restartUnits = [ "container@paperless.service" ];
  };
+
+ # ------------------------------
+ # Gitea
+ # ------------------------------
+
  "jallen-nas/gitea/mail-key" = {
  owner = "root";
  group = "keys";
@@ -109,6 +177,10 @@ in
  mode = "0440";
  restartUnits = [ "container@gitea.service" ];
  };
+
+ # ------------------------------
+ # free-games-claimer
+ # ------------------------------
  "jallen-nas/free-games/eg-email" = { };
  "jallen-nas/free-games/eg-pass" = { };
  "jallen-nas/free-games/eg-otp" = { };
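Review bot: `mode = "0650";` on `jallen-nas/onlyoffice-key` (and on `jallen-nas/nextcloud/dbpassword` in the preceding hunk) grants the group an execute bit on a secret file, which reads like a typo for `0640`; a key or password file has no use for execute permission. Change both to `mode = "0640";`. The `immich` entry in this same hunk shows the tighter pattern (`mode = "0440"; group = "keys";`) that the other owner/group-scoped entries could follow. The enclosing `secrets` attrset starts and ends outside the hunk.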
@@ -116,14 +188,11 @@ in
  "jallen-nas/free-games/pg-pass" = { };
  "jallen-nas/free-games/gog-email" = { };
  "jallen-nas/free-games/gog-pass" = { };
- "ssh-keys-public/jallen-nas-root" = {
- path = "/root/.ssh/id_ed25519.pub";
- mode = "0640";
- };
- "ssh-keys-private/jallen-nas-root" = {
- path = "/root/.ssh/id_ed25519";
- mode = "0640";
- };
+
+ # ------------------------------
+ # Secureboot keys
+ # ------------------------------
+
  "secureboot/GUID" = {
  path = "/etc/secureboot/GUID";
  mode = "0640";
@@ -154,6 +223,9 @@ in
  };
  };
 
+ # ------------------------------
+ # Templates
+ # ------------------------------
  templates = {
  "fgc.env" = {
  content = ''
diff --git a/hosts/pi4/sops.nix b/hosts/pi4/sops.nix
index d150cfb..9f83aa7 100755
--- a/hosts/pi4/sops.nix
+++ b/hosts/pi4/sops.nix
@@ -7,6 +7,9 @@ in
  defaultSopsFile = ../../secrets/secrets.yaml;
  age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
+ # ------------------------------
+ # Secrets
+ # ------------------------------
  secrets = {
  "wifi" = { };
  "desktop/matt_password" = {
@@ -19,6 +22,7 @@ in
  # ------------------------------
  # SSH keys
  # ------------------------------
+
  "ssh-keys-public/pi4" = {
  mode = "0644";
  owner = config.users.users."${user}".name;
diff --git a/hosts/pi5/sops.nix b/hosts/pi5/sops.nix
index ec1670e..44194f8 100755
--- a/hosts/pi5/sops.nix
+++ b/hosts/pi5/sops.nix
@@ -7,6 +7,9 @@ in
  defaultSopsFile = ../../secrets/secrets.yaml;
  age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
+ # ------------------------------
+ # Secrets
+ # ------------------------------
  secrets = {
  "wifi" = { };
  "desktop/matt_password" = {
@@ -19,6 +22,7 @@ in
  # ------------------------------
  # SSH keys
  # ------------------------------
+
  "ssh-keys-public/pi5" = {
  mode = "0644";
  owner = config.users.users."${user}".name;