diff --git a/flake.lock b/flake.lock
index 49dbe50e..3d257c51 100644
--- a/flake.lock
+++ b/flake.lock
@@ -21,6 +21,29 @@
 "type": "github"
 }
 },
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "home-manager": "home-manager",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "systems": "systems_2"
+ },
+ "locked": {
+ "lastModified": 1722339003,
+ "narHash": "sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "3f1dae074a12feb7327b4bf43cbac0d124488bb7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "arkenfox": {
 "inputs": {
 "flake-compat": "flake-compat",
@@ -59,6 +82,28 @@
 "type": "github"
 }
 },
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1700795494,
+ "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -184,24 +229,6 @@
 }
 },
 "flake-utils_2": {
- "inputs": {
- "systems": "systems_2"
- },
- "locked": {
- "lastModified": 1710146030,
- "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
- "owner": "numtide",
- "repo": "flake-utils",
- "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
- "type": "github"
- },
- "original": {
- "owner": "numtide",
- "repo": "flake-utils",
- "type": "github"
- }
- },
- "flake-utils_3": {
 "inputs": {
 "systems": "systems_3"
 },
@@ -219,7 +246,7 @@
 "type": "github"
 }
 },
- "flake-utils_4": {
+ "flake-utils_3": {
 "inputs": {
 "systems": "systems_4"
 },
@@ -365,6 +392,27 @@
 }
 },
 "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1703113217,
+ "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "home-manager_2": {
 "inputs": {
 "nixpkgs": [
 "nixpkgs"
@@ -490,27 +538,6 @@
 "type": "github"
 }
 },
- "opnix": {
- "inputs": {
- "flake-utils": "flake-utils_3",
- "nixpkgs": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1723662754,
- "narHash": "sha256-oT/Me0YUnGajhYcMzuTXnbuRQXLV8Pac7Ktm20nMxAM=",
- "owner": "mrjones2014",
- "repo": "opnix",
- "rev": "1ac285a2766895e31b664e2f10d1e149327c614b",
- "type": "github"
- },
- "original": {
- "owner": "mrjones2014",
- "repo": "opnix",
- "type": "github"
- }
- },
 "pre-commit": {
 "inputs": {
 "flake-compat": "flake-compat_2",
@@ -535,12 +562,12 @@
 "root": {
 "inputs": {
 "_1password-shell-plugins": "_1password-shell-plugins",
+ "agenix": "agenix",
 "arkenfox": "arkenfox",
 "catppuccin": "catppuccin",
- "home-manager": "home-manager",
+ "home-manager": "home-manager_2",
 "neovim-nightly-overlay": "neovim-nightly-overlay",
 "nixpkgs": "nixpkgs_2",
- "opnix": "opnix",
 "tokyonight": "tokyonight",
 "wezterm-nightly": "wezterm-nightly"
 }
@@ -679,7 +706,7 @@
 },
 "wezterm-nightly": {
 "inputs": {
- "flake-utils": "flake-utils_4",
+ "flake-utils": "flake-utils_3",
 "freetype2": "freetype2",
 "harfbuzz": "harfbuzz",
 "libpng": "libpng",
diff --git a/flake.nix b/flake.nix
index fc561e51..406dc17d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,10 +5,6 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 catppuccin.url = "github:catppuccin/nix";
 tokyonight.url = "github:mrjones2014/tokyonight.nix";
- opnix = {
- url = "github:mrjones2014/opnix";
- inputs.nixpkgs.follows = "nixpkgs";
- };
 wezterm-nightly = {
 url = "github:wez/wezterm?dir=nix";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -29,9 +25,13 @@
 url = "github:1Password/shell-plugins";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 
- outputs = inputs@{ self, nixpkgs, home-manager, opnix, ... }: {
+ outputs = inputs@{ self, nixpkgs, home-manager, agenix, ... }: {
 nixosConfigurations = {
 server = nixpkgs.lib.nixosSystem {
 specialArgs = {
@@ -43,7 +43,11 @@
 system = "x86_64-linux";
 modules = [
 home-manager.nixosModules.home-manager
- opnix.nixosModules.default
+ agenix.nixosModules.default
+ {
+ environment.systemPackages =
+ [ agenix.packages.x86_64-linux.default ];
+ }
 ./nixos-modules/common.nix
 ./hosts/server
 {
diff --git a/homepage.age b/homepage.age
new file mode 100644
index 00000000..ecb20cda
Binary files /dev/null and b/homepage.age differ
diff --git a/hosts/server/default.nix b/hosts/server/default.nix
index e6861a13..6f760179 100644
--- a/hosts/server/default.nix
+++ b/hosts/server/default.nix
@@ -1,4 +1,4 @@
-{ inputs, lib, ... }: {
+{ inputs, ... }: {
 # This option defines the first version of NixOS you have installed on this particular machine,
 # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
 #
@@ -21,12 +21,9 @@
 environment.systemPackages =
 [ inputs.wezterm-nightly.packages.x86_64-linux.default ];
 
- nixpkgs.config.allowUnfreePredicate = pkg:
- builtins.elem (lib.getName pkg) [ "1password-cli" ];
- opnix.environmentFile = "/etc/opnix.env";
-
 imports = [
 ./hardware-configuration.nix
+ ./secrets.nix
 ./ollama.nix
 ./content.nix
 ./nas.nix
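Review bot: The `nixpkgs.config.allowUnfreePredicate` allow-list for `1password-cli` is removed from hosts/server/default.nix together with the `opnix.environmentFile` line, yet the `_1password-shell-plugins` input is still present in the root inputs of flake.lock, so if any remaining module installs `1password-cli` the next rebuild fails evaluation on the unfree check rather than at runtime. If the predicate only ever existed for opnix, a one-line comment above `imports = [` saying so, e.g. `# unfree allow-list for 1password-cli was only needed by opnix`, spares the next reader the same question; otherwise the two removed `nixpkgs.config.allowUnfreePredicate` lines should stay. Since nothing references `/etc/opnix.env` any more, the credential that file held on the host can be retired once the switch succeeds.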
diff --git a/hosts/server/deluge.nix b/hosts/server/deluge.nix index aa0c77b6..22df4b6b 100644 --- a/hosts/server/deluge.nix +++ b/hosts/server/deluge.nix @@ -1,30 +1,16 @@ -let configDir = "/var/lib/delugevpn"; +{ config, ... }: +let + configDir = "/var/lib/delugevpn"; + wireguardConfigPath = config.age.secrets.mullvad_wireguard.path; in { - opnix = { - secrets.mullvad_wireguard_conf = { - source = '' - [Interface] - # Device: Clever Ibex - PrivateKey = {{ op://nixos-server/Mullvad VPN Private Key/Private Key }} - Address = 10.64.35.106/32,fc00:bbbb:bbbb:bb01::1:2369/128 - DNS = 10.64.0.1 - PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT - PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT - - [Peer] - PublicKey = IzqkjVCdJYC1AShILfzebchTlKCqVCt/SMEXolaS3Uc= - AllowedIPs = 0.0.0.0/0,::0/0 - Endpoint = 143.244.47.65:51820 - ''; - path = "${configDir}/wireguard/mullvad_wireguard.conf"; - }; - systemdWantedBy = [ "podman-delugevpn" ]; - }; systemd.tmpfiles.rules = [ "d ${configDir} 055 delugevpn delugevpn - -" "d ${configDir}/wireguard 055 delugevpn delugevpn - -" ]; + system.activationScripts.copyWireguardConfigIntoContainer.text = '' + mkdir -p ${configDir}/wireguard && cp ${wireguardConfigPath} ${configDir}/wireguard/mullvad_wireguard.conf + ''; networking.firewall = { allowedTCPPorts = [ 8112 8118 58846 58946 ]; allowedUDPPorts = [ 8112 8118 58846 58946 ]; diff --git a/hosts/server/homepage.nix b/hosts/server/homepage.nix index ae0430b5..5f53fc00 100644 --- a/hosts/server/homepage.nix +++ b/hosts/server/homepage.nix 
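Review bot: The `cp` in `system.activationScripts.copyWireguardConfigIntoContainer` leaves a second, persistent plaintext copy of the Mullvad private key at `${configDir}/wireguard/mullvad_wireguard.conf` with no explicit owner or mode, so the file gets whatever the activation shell's umask yields instead of agenix's root-only default, and it sits below directories the surrounding tmpfiles rules create with mode `055` (group and others get `r-x`; `0755` may have been intended). The script also declares no `deps`, so nothing orders it after agenix has installed `config.age.secrets.mullvad_wireguard.path` during the same activation. agenix can install a secret directly at a chosen path with explicit ownership, which removes both the copy step and the `wireguardConfigPath` binding; the same `owner`/`mode` settings could equally be placed next to the `.file` declarations in hosts/server/secrets.nix. The attribute set opened at `in {` continues past the end of this hunk.

```nix
let configDir = "/var/lib/delugevpn";
in {
  # Let agenix place the decrypted file where the container expects it,
  # owned by the same user the tmpfiles rules use and unreadable to others.
  age.secrets.mullvad_wireguard = {
    path = "${configDir}/wireguard/mullvad_wireguard.conf";
    owner = "delugevpn";
    group = "delugevpn";
    mode = "0400";
    symlink = false;
  };
  # … unchanged: systemd.tmpfiles.rules, networking.firewall …
```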
@@ -1,20 +1,8 @@
 { config, ... }: {
- opnix = {
- secrets.homepage_env_file.source = ''
- HOMEPAGE_VAR_NEXTDNS_API_KEY="{{ op://nixos-server/NextDNS/API Key }}"
- HOMEPAGE_VAR_JELLYSEERR_API_KEY="{{ op://nixos-server/Jellyfin/Jellyseerr API Key }}"
- HOMEPAGE_VAR_JELLYFIN_API_KEY="{{ op://nixos-server/Jellyfin/Jellyfin API Key }}"
- HOMEPAGE_VAR_DELUGE_PASSWORD="{{ op://nixos-server/Deluge/password }}"
- HOMEPAGE_VAR_SONARR_API_KEY="{{ op://nixos-server/dfbnv6enwexvbz2apxgdlzul3m/Sonarr API Key }}"
- HOMEPAGE_VAR_RADARR_API_KEY="{{ op://nixos-server/dfbnv6enwexvbz2apxgdlzul3m/Radarr API Key }}"
- HOMEPAGE_VAR_BAZARR_API_KEY="{{ op://nixos-server/dfbnv6enwexvbz2apxgdlzul3m/Bazarr API Key }}"
- '';
- systemdWantedBy = [ "homepage-dashboard" ];
- };
 services.homepage-dashboard = {
 enable = true;
 openFirewall = true;
- environmentFile = config.opnix.secrets.homepage_env_file.path;
+ environmentFile = config.age.secrets.homepage.path;
 settings = {
 theme = "dark";
 background =
diff --git a/hosts/server/secrets.nix b/hosts/server/secrets.nix
new file mode 100644
index 00000000..0c2ec5fe
--- /dev/null
+++ b/hosts/server/secrets.nix
@@ -0,0 +1,9 @@
+{
+ age = {
+ secrets = {
+ mullvad_wireguard.file = ../../mullvad_wireguard.age;
+ homepage.file = ../../homepage.age;
+ wireguard_server.file = ../../wireguard_server.age;
+ };
+ };
+}
diff --git a/hosts/server/wireguard.nix b/hosts/server/wireguard.nix
index db3a6826..fa74d9bc 100644
--- a/hosts/server/wireguard.nix
+++ b/hosts/server/wireguard.nix
@@ -9,13 +9,6 @@ in {
 enable = true;
 settings = { interface = wireguard_interface; };
 };
-
- opnix = {
- secrets.wg_private_key.source =
- "{{ op://nixos-server/Wireguard Home VPN/Server Private Key }}";
- systemdWantedBy = [ "wg-quick-${wireguard_interface}" ];
- };
-
 networking = {
 # Enable NAT
 nat = {
@@ -37,7 +30,7 @@ in {
 # The port that WireGuard listens to - recommended that this be changed from default
 listenPort = wireguard_port;
 # Path to the server's private key
- privateKeyFile = config.opnix.secrets.wg_private_key.path;
+ privateKeyFile = config.age.secrets.wireguard_server.path;
 
 # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
 postUp = ''
diff --git a/mullvad_wireguard.age b/mullvad_wireguard.age
new file mode 100644
index 00000000..cb3c8dec
Binary files /dev/null and b/mullvad_wireguard.age differ
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 00000000..c1b1368f
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,17 @@
+# This module is NOT imported into the NixOS config,
+# it is only used by the agenix CLI to determine which
+# keys to use to encrypt secrets.
+let
+ # my public key
+ users = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDXHRx83f5MWdhcEHXduTINyUu6yqd2eOgZHE0XNYFlO mat@nixos-server"
+ ];
+ # server host key
+ systems = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUa3f8x3mb2fHF5JXjGKdWF5EUX8GQj7hMhEUn7LffI root@nixos-server"
+ ];
+in {
+ "mullvad_wireguard.age".publicKeys = users ++ systems;
+ "homepage.age".publicKeys = users ++ systems;
+ "wireguard_server.age".publicKeys = users ++ systems;
+}
diff --git a/wireguard_server.age b/wireguard_server.age
new file mode 100644
index 00000000..268a01ab
--- /dev/null
+++ b/wireguard_server.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 FeK1Dw QonlTODP9dEYT8Kd2Uokr1J0YyPk/mTHRp1uPtVuKXE
+k2MwbDTcJKdImB0uckZR5pW7VTvbs2kbQnu9LpsLA5s
+-> ssh-ed25519 kfVkkw 0F5xVfkfEGltzBDHV1PF/Er656n1MjBr9Yoqe/Ji5Vo
+2IiYHU+d3V/JCSEtmuPvDSsPv38sX1ns4SM9cYsOiVE
+--- wT31A5BaM+VUbKRwO86efENRIiJc5eIrmYiZ3iXhuU8
+�R.sp�Rլti�ĉU��~x���O\��z�\�_��%15:T��dyJv To�vW�*K��,�W�ƈAK�s��
\ No newline at end of file
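Review bot: The header comment of the new root secrets.nix says what the file is for but not what its two keys must correspond to: the `systems` entry has to be the server's own host key (agenix decrypts with `/etc/ssh/ssh_host_ed25519_key` by default), and if either that host key or the `users` key is ever replaced, all three `.age` files must be re-encrypted or the server can no longer read them. I would extend the `# server host key` comment to `# server host key: must match /etc/ssh/ssh_host_ed25519_key.pub on nixos-server; re-encrypt with agenix -r after rotating any key in this file`. Separately, git stored homepage.age and mullvad_wireguard.age as binary but wireguard_server.age as text, so its ciphertext and recipient stanzas are printed in the diff; a `.gitattributes` entry `*.age binary` keeps the three files consistent.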