diff --git a/flake.lock b/flake.lock index 77a5a43c..53d040bd 100644 --- a/flake.lock +++ b/flake.lock @@ -993,11 +993,11 @@ "zen-browser": "zen-browser" }, "locked": { - "lastModified": 1763388752, - "narHash": "sha256-wbxKwJ+kkixY93ZEQwRuMOxrmul+zWk5Gypl7blCj6U=", + "lastModified": 1763986668, + "narHash": "sha256-R6R8FHo22CYNUI6vBnwtePdkViJK+nl5SXFdCdSTXtI=", "owner": "thexyno", "repo": "nixos-config", - "rev": "62a64a79a8608712f1b2e07b902318679b022379", + "rev": "cea4be6b9e0d951189cf3ebee7e354223c09150f", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 15372389..2e074840 100644 --- a/flake.nix +++ b/flake.nix @@ -205,7 +205,7 @@ pkgs.colmena ] ++ (lib.attrValues self.packages.${system}); - SOPS_CONFIG = (pkgs.callPackage ./sops.nix { instanceConfigs = lib.xyno.getDirs ./instances; }); + SOPS_CONFIG = (pkgs.callPackage ./sops.nix { instanceConfigs = self.colmenaHive.nodes; }); }; diff --git a/instances/nemesis/configuration.nix b/instances/nemesis/configuration.nix index 3b53b1cc..f157e5a6 100644 --- a/instances/nemesis/configuration.nix +++ b/instances/nemesis/configuration.nix @@ -21,6 +21,7 @@ containers.ds9 = { autoStart = true; + timeoutStartSec = "10000000min"; privateNetwork = true; enableTun = true; additionalCapabilities = [ 
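Review bot: `timeoutStartSec = "10000000min";` in the `containers.ds9` block disables the container start timeout by way of an arbitrary large number; systemd's TimeoutStartSec accepts the literal `"infinity"`, which states the intent and cannot be misread as a tuned value: `timeoutStartSec = "infinity";`. If the aim is only to tolerate a slow first boot of the migrated ds9 root, a bounded value with a comment is the safer choice, because a container that never finishes starting is otherwise never reported as failed. The `containers.ds9` attrset continues past this hunk.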
@@ -33,28 +34,40 @@ ]; hostAddress = "192.168.100.10"; localAddress = "192.168.100.11"; + # hostAddress6 = "fc00::1"; + # localAddress6 = "fc00::2"; path = inputs.oldConf.nixosConfigurations.ds9.config.system.build.toplevel; - + bindMounts = { "/data" = { hostPath = "/data"; isReadOnly = false; }; - "/backup" = { - hostPath = "/backup"; + "/backups" = { + hostPath = "/backups"; isReadOnly = false; }; "/persistent" = { hostPath = "/oldds9/persistent"; isReadOnly = false; }; + "/var/lib/containers" = { + hostPath = "/oldds9/persistent/var/lib/containers"; + isReadOnly = false; + }; }; }; networking.nat.enable = true; + networking.nat.enableIPv6 = true; networking.nat.internalInterfaces = [ "ve-+" ]; networking.nat.externalInterface = "enp1s0f1"; # TODO: changeme + services.traefik.dynamicConfigOptions.http.routers.simpleproxy-oldds9-router.rule = + lib.mkForce "HostRegexp(`^.+\.hailsatan\.eu$`)"; + # services.traefik.dynamicConfigOptions.http.routers.simpleproxy-oldds9-router.tls.options = "old"; + services.traefik.dynamicConfigOptions.http.routers.simpleproxy-oldds9-router-robotstxt.rule = + lib.mkForce "HostRegexp(`^.+\.hailsatan\.eu$`) && Path(`/robots.txt`)"; xyno.services.traefik = { enable = true; simpleProxy.oldds9 = { @@ -63,8 +76,27 @@ }; }; + users.users.root.password = "hunter2"; + + systemd.services."dyndns-refresh" = { + script = '' + set -eu + export PATH=$PATH:${pkgs.curl}/bin:${pkgs.jq}/bin:${pkgs.iproute2}/bin + ${pkgs.bash}/bin/bash ${config.sops.secrets.dyndns.path} + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + startAt = "*:0/10"; + }; + sops.secrets.dyndns = { + sopsFile = ./secrets/dyndns.yaml; + }; + xyno.presets.cli.enable = true; xyno.presets.server.enable = true; + xyno.impermanence.enable = true; # xyno.services.wireguard.enable = true; # xyno.services.caddy.enable = true; # xyno.services.monitoring.enable = true; 
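Review bot: `users.users.root.password = "hunter2";` commits a plaintext root password to the repository and to the world-readable Nix store of every build, and since `xyno.impermanence.enable = true;` in the same hunk pulls in `users.mutableUsers = false;` (impermanence.nix hunk below), the literal becomes the effective root credential on every activation rather than a one-time seed. Keep the hash in a sops secret instead: `users.users.root.hashedPasswordFile = config.sops.secrets.root-password.path;` with `sops.secrets.root-password = { neededForUsers = true; sopsFile = ./secrets/<file>.yaml; };` (the secret holds a `mkpasswd`-style hash; `neededForUsers` makes sops-nix decrypt it before user creation). Separately, the two `HostRegexp` rules are written as Nix strings `"...\.hailsatan\.eu$"`, and Nix turns an unknown escape into the bare character, so Traefik receives `^.+.hailsatan.eu$` where each `.` matches any character; write `\\.` for a literal dot. The `dyndns-refresh` unit executes the decrypted secret as root every ten minutes, which makes the sops recipients of `secrets/dyndns.yaml` the set of people who can run code as root on this host — worth a one-line comment above `systemd.services."dyndns-refresh"` so the trust boundary is visible.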
@@ -74,6 +106,16 @@ xyno.networking.networkd = { enable = true; }; + networking.useDHCP = lib.mkForce false; + networking.interfaces."enp1s0f1" = { + useDHCP = true; + tempAddress = "enabled"; + }; + systemd.network.networks."40-enp1s0f1" = { + networkConfig = { + IPv6AcceptRA = true; + }; + }; system.stateVersion = "25.11"; } diff --git a/instances/nemesis/default.nix b/instances/nemesis/default.nix index 25b8ed78..b512efd1 100644 --- a/instances/nemesis/default.nix +++ b/instances/nemesis/default.nix @@ -6,6 +6,6 @@ }; # xyno.services.wireguard.pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc="; deployment = { - targetHost = "nemesis.xyno.systems"; + targetHost = "10.0.0.2"; }; } diff --git a/instances/nemesis/hardware-configuration.nix b/instances/nemesis/hardware-configuration.nix index 907e43c7..4415af24 100644 --- a/instances/nemesis/hardware-configuration.nix +++ b/instances/nemesis/hardware-configuration.nix @@ -98,7 +98,7 @@ fsType = "zfs"; neededForBoot = true; }; - fileSystems."/var/log" = { + fileSystems."/var/log" = lib.mkForce { device = "spool/nemesis/varlog"; fsType = "zfs"; neededForBoot = true; @@ -130,6 +130,11 @@ fsType = "zfs"; neededForBoot = true; }; + fileSystems."/oldds9/persistent/var/lib/containers" = { + device = "spool/safe/containers"; + fsType = "zfs"; + neededForBoot = true; + }; fileSystems."/oldds9/varlog" = { device = "spool/local/journal"; fsType = "zfs"; diff --git a/instances/nemesis/secrets/dyndns.yaml b/instances/nemesis/secrets/dyndns.yaml new file mode 100644 index 00000000..2d6cfa8a --- /dev/null +++ b/instances/nemesis/secrets/dyndns.yaml 
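Review bot: `targetHost = "10.0.0.2";` moves the SSH endpoint Colmena connects to from a DNS name to a bare IP, and SSH host-key pinning is per name: a known_hosts entry recorded for `nemesis.xyno.systems` does not cover `10.0.0.2`, so the first deploy either prompts for trust-on-first-use or fails under strict host-key checking. Make sure the host key is known under the new address (or point `targetHost` at an ssh_config alias carrying `HostName`/`HostKeyAlias`) before relying on unattended deploys. A short comment stating why the IP replaced the DNS name would also spare the next reader a guess.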
@@ -0,0 +1,38 @@ +dyndns: ENC[AES256_GCM,data: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,iv:Bj9aQZ8X1j5tV+iRPwFQ9NvNaxtlaRn6u60qqzHmWmw=,tag:gDKAPd8FEomSwyiT3yy2iw==,type:str] +sops: + lastmodified: "2025-11-24T15:13:32Z" + mac: ENC[AES256_GCM,data:f+3n2Xc7jU+qW+vHk98BTgwLwVHTXzWHMjLwNr3Y3Pp8VIQf8d8iF8QwhDFPWN1uqsxsb/XD48CXbd5AwxuVcgcSM7FIHkjfIn0pHRk0jTAkXTxjWIwg9pqnGAZ5B/fA8XAvcyPpE299gMYzU2soAL11DZtrEVVXJWN2sD5IlL8=,iv:Uykx2R6xO/KW1XP0Nm8GyaoepmdU96AfGQQhLz6BlNQ=,tag:bqe0gZF6WhQg55NhWyNC5A==,type:str] + pgp: + - created_at: "2025-11-24T13:05:23Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hL4DAAAAAAAAAAASBAMEDMeIdplYrk7VppUFRCTcB7Pv+xnVKSLhhSoN6kqbHXqA + YYv8o4AbT9bf1+L9wywA+Eg55tj8aocse/tdRQWTymy4+8grb/sm0oZQT22T51JP + mWxhWIX+sliCqHnS/W2tuVLyDzAiJ/Tg19kOc576OH1z6f2HMIM7yvADoKupfqIw + rbwo0G8CdZCW1hzutCnC2mD4Op2BxK1b26oZdNA06y+BMHHefyDTl/wXwiNQKWiq + 0l4BoaYNx2ma5ZTSBk7YNeIXikwM3XtZnUZU+V17EgClNbxhmTRc0h7fmeprjYcW + zETvhSIm+JFTR0mdQsrDvTs7kt+PnaYptoM0CHaYCHTq48pyYKL3Gm0NtCAHuFc3 + =UlnU + -----END PGP MESSAGE----- + fp: 0D98D5964AC8BB1CA034CE4EC456133700066642 + - created_at: "2025-11-24T15:13:16Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQGMAwAAAAAAAAAAAQv/SQPw9p1r4Sg9zYTyX1n3n6xJzhr+hEGLwwGhcmJh8mup + D9n+aaZU4WK2Huha8Jd1bNqNo3J9UpqQMIaexfd64HoVdDHCxBzfThiMvgwpQ30a + kTQqC0DGkLaFM5W8IVOremwjhLzrTBesu8ny8CasQYJ0tZ+QFU51OvxD4q0r9OLT + BcCGqDsKZ3HDr7OIi4FsqdZRfxinJ+zteK93uxA+fB8Hkxok2g7Z2A5Nv2cOo54X + NJxwsCN4l2Hs8MaVMTC+KGASn87m+Q1xwcVD7ujPmGGjMYb84j2sBn0DP3mNQh7y + 89jz6HPbq9goF++Sp172bwswmJwZLVCWkgvzQo+szfCqGnq6LTlG9JaVswkkSz7N + z9kvF6L2dg7N2XlkLLP9UnxMkNxUrA615LvSn/z9AA7Dp6ay7TCsOeSWrz5m7+PF + VVfTp4PN3y7hsZXvWWk1eqsOaThI5GY7N7W6aQlNmvhibjw7FJEF4Iv4FBJsOD23 + vYv+38yn377hnimtzoVt0lgBFtO8QhedShEvVjROUNjjEE2WB2jpP5/wZVIsrefs + tl87MAyLedE/Zs5MByubb0buC2jifQnkxsA1QSvbZB2/NTi/SLSPeCMdFrVkYdcG + hP8cp1HkI81F + =iDKg + -----END PGP MESSAGE----- + fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f + unencrypted_suffix: _unencrypted + version: 3.11.0 
diff --git a/instances/picard/configuration.nix b/instances/picard/configuration.nix index 384ebf17..80a49f24 100644 --- a/instances/picard/configuration.nix +++ b/instances/picard/configuration.nix @@ -20,7 +20,7 @@ xyno.presets.server.enable = true; xyno.presets.cli.enable = true; xyno.services.wireguard.enable = true; - xyno.services.caddy.enable = true; + # xyno.services.caddy.enable = true; xyno.services.monitoring.enable = true; xyno.presets.home-manager.enable = true; xyno.system.user.enable = true; diff --git a/modules/services/kanidm.nix b/modules/services/kanidm.nix new file mode 100644 index 00000000..953f1f66 --- /dev/null +++ b/modules/services/kanidm.nix 
@@ -0,0 +1,88 @@ +{ + pkgs, + lib, + config, + ... +}: +let + inherit (lib) mkEnableOption mkIf mkOption; + inherit (lib.types) str nullOr pathWith; + absPath = pathWith { + inStore = false; + absolute = true; + }; + cfg = config.xyno.services.kanidm; +in +{ + options.xyno.services.kanidm.enable = mkEnableOption "enables kanidm"; + options.xyno.services.kanidm.domain = mkOption { + default = "idm.xyno.systems"; + type = str; + }; + options.xyno.services.kanidm.isReplica = mkEnableOption "replica"; + options.xyno.services.kanidm.setupTraefik = mkEnableOption "traefik"; + + options.xyno.services.kanidm.tls = { + keyPem = mkOption { + type = nullOr absPath; + default = null; + description = "autogenerated if unset"; + }; + certPem = mkOption { + default = "/run/generated/kanidm-tls/cert.pem"; + type = absPath; + }; + }; + config = mkIf cfg.enable { + services.kanidm = { + enableServer = true; + enableClient = true; + adminPasswordFile = config.sops.secrets."kanidm.password".path; + provision = { + adminPasswordFile = config.sops.secrets."kanidm.password".path; + }; + serverSettings = { + tls_key = if cfg.tls.keyPem != null then cfg.tls.keyPem else "/run/generated/key.pem"; + tls_chain = cfg.tls.certPem; + bindaddress = "127.0.0.3:8443"; + }; + }; + xyno.services.traefik.simpleProxy = mkIf cfg.setupTraefik { + host = cfg.domain; + internal = "https://127.0.0.3:8443"; + transport = "kanidm-https"; + }; + services.traefik.dynamicConfigOptions.http = mkIf cfg.setupTraefik { + serversTransports."kanidm-https" = { + serverName = cfg.domain; + certificates = [ + cfg.certPem + ]; + }; + }; + + systemd.services.generate-kanidm-tls = mkIf (cfg.tls.keyPem == null) { + serviceConfig = { + User = "root"; + Group = "kanidm"; + }; + wantedBy = [ + "kanidm.service" + "traefik.service" + ]; + script = '' + mkdir -p /run/generated/kanidm-tls + ${pkgs.openssl}/bin/openssl req -x509 -newkey ed25519 -noenc -subj "/CN=generated.${cfg.domain}" -addext "subjectAltName=DNS:${cfg.domain}" 
-keyout /run/generated/key.pem -out /run/generated/cert.pem + ''; + }; + sops.secrets."kanidm.password" = { + sopsFile = ../../instances/${config.networking.hostName}/secrets/kanidm.yaml; + }; + # sops.templates."kanidm.env".content = '' + # DESEC_TOKEN=${config.sops.placeholder.desec_token} + # DESEC_PROPAGATION_TIMEOUT=1200 + # ''; + # sops.templates."kanidm.env".reloadUnits = [ "kanidm.service" ]; + + }; +} diff --git a/modules/services/monitoring.nix b/modules/services/monitoring.nix index 65c1be2e..0ad68d46 100644 --- a/modules/services/monitoring.nix +++ b/modules/services/monitoring.nix @@ -9,21 +9,21 @@ with lib; let cfg = config.xyno.services.monitoring; - firstInstanceWithPromServer = - if cfg.prometheusServer then - config.networking.hostName - else - (builtins.head ( - attrValues (filterAttrs (n: v: v.config.xyno.services.monitoring.prometheusServer) (otherNodes)) - )).config.networking.hostName; - vmBasicAuthUsername = "xyno-monitoring"; + # firstInstanceWithPromServer = + # if cfg.prometheusServer then + # config.networking.hostName + # else + # (builtins.head ( + # attrValues (filterAttrs (n: v: v.config.xyno.services.monitoring.prometheusServer) (otherNodes)) + # )).config.networking.hostName; + # vmBasicAuthUsername = "xyno-monitoring"; in { options.xyno.services.monitoring.enable = mkEnableOption "enables monitoring (prometheus exporters and stuff)"; options.xyno.services.monitoring.remoteWriteUrl = mkOption { type = types.str; - default = "http://${firstInstanceWithPromServer}.${config.xyno.services.wireguard.monHostsDomain}:8428/api/v1/write"; + default = "https://metrics.xyno.systems/api/v1/write"; description = "where prometheus metrics should be pushed to"; }; options.xyno.services.monitoring.prometheusServer = mkOption { 
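Review bot: `vmBasicAuthUsername = "xyno-monitoring";` is commented out of the `let` block here, but the next hunk (@@ -48,8 +48,9 @@) still reads it in `remoteWrite.basicAuthUsername = vmBasicAuthUsername;`, so enabling monitoring fails with an undefined-variable error unless the name is rebound somewhere outside these hunks. Either keep the binding (`vmBasicAuthUsername = "xyno-monitoring";`) or drop the two basic-auth lines together with the password secret — with remote write now going to `https://metrics.xyno.systems`, that credential is what stops arbitrary writers, so removing it by accident matters. The rest of the old `let` computation is dead text now; deleting it rather than commenting it keeps the module readable.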
@@ -48,8 +48,9 @@ in enabledCollectors = [ "systemd" ]; }; xyno.services.monitoring.exporters.node = config.services.prometheus.exporters.node.port; + # TODO: oauth2 with client per host -> kanidm -> oauth2-proxy -> victoriametrics server services.vmagent = { - remoteWrite.url = cfg.remoteWriteUrl; + remoteWrite.url = if cfg.prometheusServer then "http://localhost:8428/api/v1/write" else cfg.remoteWriteUrl; remoteWrite.basicAuthUsername = vmBasicAuthUsername; remoteWrite.basicAuthPasswordFile = config.sops.secrets."victoriametrics/basicAuthPassword".path; diff --git a/modules/services/traefik.nix b/modules/services/traefik.nix index 8fdf2a45..45a9626a 100644 --- a/modules/services/traefik.nix +++ b/modules/services/traefik.nix @@ -19,6 +19,7 @@ let routers."${router}-robotstxt" = { service = "robotstxt"; rule = "Host(`${v.host}`) && Path(`/robots.txt`)"; + tls.certResolver = "letsencrypt"; tls.domains = [ { main = certDomain; @@ -30,6 +31,7 @@ let routers.${router} = { inherit service; rule = "Host(`${v.host}`)"; + tls.certResolver = "letsencrypt"; tls.domains = [ { main = certDomain; @@ -41,10 +43,11 @@ let loadBalancer.servers = [ { url = v.internal; } ]; + loadBalancer.serverTransport = lib.mkIf (v.transport != null) v.transport; }; services.robotstxt = { loadBalancer.servers = [ - { url = "http://127.0.0.2"; } + { url = "http://127.0.0.2:8080"; } ]; }; } @@ -77,6 +80,10 @@ in host = lib.mkOption { type = lib.types.str; }; + transport = lib.mkOption { + type = lib.types.nullOr lib.types.anything; + default = null; + }; }; } 
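Review bot: `type = lib.types.nullOr lib.types.anything;` for the new `transport` option accepts any value, although its only consumer (`loadBalancer.serverTransport = lib.mkIf (v.transport != null) v.transport;` in hunk @@ -41,10 +43,11 @@) needs the name of a `serversTransports` entry; `type = lib.types.nullOr lib.types.str;` would reject a misplaced attrset at evaluation time instead of inside Traefik's config loader. A `description = "name of a services.traefik serversTransports entry used for the upstream";` would document the coupling. The option block continues past the hunk.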
@@ -86,12 +93,19 @@ in config = lib.mkIf cfg.enable { services.nginx = { enable = lib.mkIf cfg.noBots true; - defaultListenAddresses = lib.mkIf cfg.noBots [ "127.0.0.2" ]; - virtualHosts.localhost.locations."/".root = pkgs.writeTextFile { + defaultListen = lib.mkIf cfg.noBots [ + { + addr = "127.0.0.2"; + port = 8080; + } + ]; + virtualHosts._.default = true; + virtualHosts._.locations."/".root = pkgs.writeTextFile { name = "robots.txt"; + destination = "/robots.txt"; text = '' - User-Agent: * - Disallow / + User-agent: * + Disallow: / ''; }; }; @@ -104,7 +118,7 @@ in metrics = lib.mkIf config.xyno.services.monitoring.enable { otlp.http.endpoint = "http://localhost:8429/v1/metrics"; }; - entryponts.web = { + entryponits.web = { address = ":80"; redirections.entryPoint = { to = "websecure"; @@ -112,9 +126,9 @@ in permanent = true; }; }; - entryponts.websecure = { + entrypoints.websecure = { address = ":443"; - tls.certResolver = "letsencrypt"; + http.tls.certResolver = "letsencrypt"; http3 = { }; }; 
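Review bot: `entryponts.web` is renamed to `entryponits.web`, which is still misspelled; the sibling hunk (@@ -112,9 +126,9 @@) spells the other one `entrypoints.websecure`, so the `web` entrypoint with its redirect to `websecure` is emitted under an unknown key and Traefik either ignores it or rejects the static configuration, leaving nothing answering on `:80`. Change it to `entrypoints.web = {`. Because the HTTP→HTTPS redirect is the only thing that keeps plaintext clients from silently getting no response, this is worth a quick check against the running instance after the fix.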
@@ -123,39 +137,40 @@ in email = "ssl@xyno.systems"; caServer = "https://acme-v02.api.letsencrypt.org/directory"; dnsChallenge = { + resolvers = [ "8.8.8.8" "1.1.1.1" ]; provider = "desec"; }; }; }; dynamicConfigOptions = { http = lib.mkMerge simpleProxyOpts; - tls.options.default = { - # mozilla modern - minVersion = "VersionTLS13"; - curvePreferences = [ - "X25519" - "CurveP256" - "CurveP384" - ]; - }; - tls.options.old = { - # mozilla intermediate - minVersion = "VersionTLS12"; - curvePreferences = [ - "X25519" - "CurveP256" - "CurveP384" - ]; - cipherSuites = [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305" - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" - ]; + # tls.options.default = { + # # mozilla modern + # minVersion = "VersionTLS13"; + # curvePreferences = [ + # "X25519" + # "CurveP256" + # "CurveP384" + # ]; + # }; + # tls.options.old = { + # # mozilla intermediate + # minVersion = "VersionTLS12"; + # curvePreferences = [ + # "X25519" + # "CurveP256" + # "CurveP384" + # ]; + # cipherSuites = [ + # "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" + # "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + # "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + # "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" + # "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305" + # "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" + # ]; - }; + # }; }; }; networking.firewall.allowedTCPPorts = [ @@ -169,6 +184,7 @@ in sops.templates."traefik.env".content = '' DESEC_TOKEN=${config.sops.placeholder.desec_token} DESEC_PROPAGATION_TIMEOUT=1200 + LEGO_DISABLE_CNAME_SUPPORT=true ''; sops.templates."traefik.env".reloadUnits = [ "traefik.service" ]; # services.borgmatic.settings.traefikql_databases = [ diff --git a/modules/system/impermanence.nix b/modules/system/impermanence.nix index ca725075..0e231fe4 100644 --- a/modules/system/impermanence.nix 
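Review bot: commenting out `tls.options.default` drops the TLS 1.3 floor and the curated curve and cipher lists, so Traefik falls back to its built-in TLS options for every router; if this was a workaround for the old ds9 clients, the `old` profile existed for exactly that case (the per-router `tls.options = "old"` line in nemesis is commented out in the same commit), and `default` could stay at least at `minVersion = "VersionTLS12";` with the intermediate cipher list. Either restore the block or leave a comment stating why the hardening was dropped and what brings it back; a block of commented-out policy with no reason reads like an accident. `resolvers = [ "8.8.8.8" "1.1.1.1" ];` is written without ports, whereas Traefik's documentation uses `host:port` (`"1.1.1.1:53"`); worth confirming the bare form is accepted by the version in use.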
+++ b/modules/system/impermanence.nix @@ -21,24 +21,25 @@ in { options.xyno.impermanence = { enable = lib.mkEnableOption "erase all your darlings (they hate you anyways)"; - files = lib.mkOption { type = lib.types.listOf lib.types.str; }; - directories = lib.mkOption { type = lib.types.listOf lib.types.str; }; + files = lib.mkOption { type = lib.types.listOf lib.types.str; default = []; }; + directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];}; user = { - files = lib.mkOption { type = lib.types.listOf lib.types.str; }; - directories = lib.mkOption { type = lib.types.listOf lib.types.str; }; + files = lib.mkOption { type = lib.types.listOf lib.types.str; default = [];}; + directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];}; }; # have a seperate impermanence tree for "cache" files that can just be deleted if wanted cache = { - files = lib.mkOption { type = lib.types.listOf lib.types.str; }; - directories = lib.mkOption { type = lib.types.listOf lib.types.str; }; + files = lib.mkOption { type = lib.types.listOf lib.types.str; default = [];}; + directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];}; user = { - files = lib.mkOption { type = lib.types.listOf lib.types.str; }; - directories = lib.mkOption { type = lib.types.listOf lib.types.str; }; + files = lib.mkOption { type = lib.types.listOf lib.types.str; default = [];}; + directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];}; }; }; }; config = lib.mkIf cfg.enable { + users.mutableUsers = false; xyno.impermanence.files = [ "/etc/machine-id" # systemd/zfs unhappy otherwise ]; @@ -47,6 +48,7 @@ in "/var/lib/systemd/coredump" "/etc/ssh" # host keys "/var/lib/sbctl" # lanzaboote + "/var/lib/nixos" ]; xyno.impermanence.user.directories = [ diff --git a/modules/system/meta.nix b/modules/system/meta.nix index 76eabcdb..410bf60b 100644 --- a/modules/system/meta.nix 
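Review bot: `users.mutableUsers = false;` is a significant behaviour change to introduce from inside the impermanence module and carries no comment: with it, every account's credential comes solely from the Nix configuration, so a `password = "..."` literal in a host config (nemesis sets one for root in this commit) is its permanent login secret, and any user without `hashedPassword`/`hashedPasswordFile` is locked out. A one-line comment such as `# no persistent /etc/shadow: users and passwords must be fully declarative (hashedPasswordFile + sops)` above the line would make that contract visible where it is set. `lib.types.listOf lib.types.anything` for the `directories` options gives up type checking entirely; if the intent is to allow impermanence's `{ directory; user; group; mode; }` form next to plain paths, `lib.types.listOf (lib.types.either lib.types.str lib.types.attrs)` says so.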
+++ b/modules/system/meta.nix @@ -1,6 +1,6 @@ {lib,...}: with lib;{ options.xyno.meta = { - sopsKey = mkOption { type = types.text; }; + sopsKey = mkOption { type = types.str; }; }; config = { sops.defaultSopsFile = ../../secrets/common.yaml; diff --git a/secrets/common.yaml b/secrets/common.yaml index 2b1fbc70..b97ac868 100644 --- a/secrets/common.yaml +++ b/secrets/common.yaml 
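Review bot: `sopsKey = mkOption { type = types.str; };` has no default, so on a host that never sets it the option is "used but not defined" and evaluation throws — yet the sops.nix hunk below (`filterAttrs (n: v: v.config.xyno.meta.sopsKey != null)`) relies on reading `null` for exactly those hosts. Declare it as `sopsKey = mkOption { type = types.nullOr types.str; default = null; description = "sops recipient key for this host's secrets"; };` so the filter works as written. The replaced `types.text` was not a valid type, so this hunk also fixes a pre-existing evaluation error.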
@@ -5,14 +5,14 @@ wg: psk: ENC[AES256_GCM,data:Anpe6IxtzsqZyvas+ddV3yjJozdZgZOl2KG/Z4YtWUB5gAVLtxsQKc/WA/M=,iv:j/A5k2VXbdqUDXEd1WRfJYdb3DsUZ1B9gPHCpDpRjmw=,tag:KQGi1O5iP2+nQccgBzytSQ==,type:str] msmtp: host: ENC[AES256_GCM,data:YxiLT5t2H52IZvB02Pjntvg=,iv:nuMPI6fuvQ4U0+xj3SF27ZO/b2knKUsO6jCf9aJqQa4=,tag:9DucIq+LUozuPLL3s8UjDQ==,type:str] - port: ENC[AES256_GCM,data:zbe7,iv:cwoK0oCIzwmQ6xHFX94KDfd7Fu+pC96c9+AnK/KpQp4=,tag:IfsCHk0SpBeQ4bD0WXyQcw==,type:int] + port: ENC[AES256_GCM,data:W7L1,iv:q2TQTGTxOWCWqgjTBmVKarVbe+mNd/rwAupXJOl4WYQ=,tag:xW/GUGCIfn466icpIvyvCQ==,type:str] from: ENC[AES256_GCM,data:QpUgsghc7e5OFJO8afzx6bt1,iv:ffrlbqFu2p5/uwv5MN9rf7iZSmfozYSwr3WkEvXNZhA=,tag:B3g+6WexBw6j6EgukX5LDg==,type:str] user: ENC[AES256_GCM,data:H2OxJp6q1QCxBxIXThXrj+SU,iv:Cu7KFDaiqM0cuofnqkLnE6Zb6ufLw6wQRSk1pthDAAo=,tag:oM1VefUo9kK8k7lHKnxOjA==,type:str] password: ENC[AES256_GCM,data:mAgsvDPzt8f/RB/2T8nrd+KUcuxUGIdCBDs5sFla5x0=,iv:qndiiKTuSpbf/gtNXPaZ6AnHHwzZ7IPJrDFriM7bKwE=,tag:5j+gjpaxIu03x1lBkRMLhQ==,type:str] aliases: ENC[AES256_GCM,data:fOZRYZ8rVs3IXhiS+VaP54gF4bir66oIZvb7ZfKV,iv:bsmh1ZCwERZuHrvORP68hj5Gz7j3+K6ZW8BR3/IQVQg=,tag:jWozmXpjk3JHCINSgP4KGg==,type:str] sops: - lastmodified: "2025-11-19T16:17:02Z" - mac: ENC[AES256_GCM,data:dt2iRLTxfPWpYlxsZnOQgtUAvU/MWoXp6eLOJgP/uWLe5ooeU5K868I7PQNVGEnqkJGZTiiENpY7mkmt0niKn2nw7nD5KzRPMvFZ0/JXrLkzCScBfJDlbcuTtKFVqlDkPpz7kgF+fQy1cg5KiDyc9bsJAi/9qHhQHF3wFbeG5rI=,iv:E6YtLKZdnqgVZKx/goxdvn41p+hfMpkSbc7FJ/3yXQA=,tag:6iW9vkEsEuXOhptGdDwpdw==,type:str] + lastmodified: "2025-11-24T11:48:22Z" + mac: ENC[AES256_GCM,data:wA4AwEX67amH4UneZqV03PnaLUscUnj4VAmOqzjOTA9dKAV3KzFwD4NqRs2Dy8ap6kOOIS67gZ+3WV8QySyLT84zhEPSjB6M1FURV+LQjd4nc5EBP4Y67osy/QGB4U0d6shHt1sTFmHG2dJvTB7sPDSlRvgDhHE/ApcWuNFUfTY=,iv:Umacpqk+Zge9a9tlSsfjz1mcQvtequK8K4qLVJu8PCg=,tag:H09qfzM/xyn7TLkPCgtS6Q==,type:str] pgp: - created_at: "2025-09-06T16:37:33Z" enc: |- diff --git a/sops.nix b/sops.nix index af34e3b3..d991b2db 100644 --- a/sops.nix +++ b/sops.nix 
@@ -12,7 +12,7 @@ let "0D98D5964AC8BB1CA034CE4EC456133700066642" # xyno main gpg key ]; keysPerHost = ( - mapAttrs (n: v: (toList v.sopsKey)) (filterAttrs (n: v: v ? sopsKey) instanceConfigs) + mapAttrs (n: v: (toList v.config.xyno.meta.sopsKey)) (filterAttrs (n: v: v.config.xyno.meta.sopsKey != null) instanceConfigs) ); desktopHostNames = [ "theseus" ];