feat: use private sops repo for secrets
parent
956e845635
commit
117162cd5d
|
@ -5,14 +5,14 @@
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
caddy = caddy-plugins.packages.${pkgs.system}.default;
|
caddy = caddy-plugins.packages.${pkgs.system}.default;
|
||||||
|
|
||||||
# TODO: use agenix?
|
|
||||||
verySecretToken = "TODO";
|
|
||||||
in {
|
in {
|
||||||
imports = [caddy-plugins.nixosModules.default];
|
imports = [caddy-plugins.nixosModules.default];
|
||||||
environment.systemPackages = [caddy];
|
environment.systemPackages = [caddy];
|
||||||
users.users.${config.vars.user}.extraGroups = ["caddy"];
|
users.users.${config.vars.user}.extraGroups = ["caddy"];
|
||||||
|
|
||||||
|
systemd.services.caddy.serviceConfig.EnvironmentFile =
|
||||||
|
config.sops.secrets.caddy-cloudflare.path;
|
||||||
|
|
||||||
services.caddy = {
|
services.caddy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enableReload = false;
|
enableReload = false;
|
||||||
|
@ -28,7 +28,7 @@ in {
|
||||||
serverAliases = ["*.nelim.org"];
|
serverAliases = ["*.nelim.org"];
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
tls {
|
tls {
|
||||||
dns cloudflare ${verySecretToken}
|
dns cloudflare {$TLS}
|
||||||
resolvers 1.0.0.1
|
resolvers 1.0.0.1
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
|
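Review bot: In the `tls` block, `dns cloudflare {$TLS}` uses Caddy's parse-time substitution, so the token value becomes part of the loaded configuration and can be read back in clear text by anything on the host that can query the admin endpoint, if that endpoint is enabled (the global options are not visible here). `dns cloudflare {env.TLS}` keeps it as a runtime placeholder instead, provided the patched Cloudflare DNS build in use resolves placeholders, which is worth confirming. The name `TLS` also says nothing about what it holds; something like `CLOUDFLARE_API_TOKEN`, used in both the sops file and the Caddyfile, would be clearer. Because systemd reads `EnvironmentFile` itself before starting the unit, the `caddy-cloudflare` secret can stay root-owned with mode 0400. Its declaration is not shown on this page, but it should not be made group-readable for `caddy`, since `users.users.${config.vars.user}.extraGroups` puts the interactive user in that group.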
100
flake.lock
100
flake.lock
|
@ -7,11 +7,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1701731887,
|
"lastModified": 1701806563,
|
||||||
"narHash": "sha256-xgfThireUGD8/X6OYKXOpdGAkTUgPbpwW2FySBIjURc=",
|
"narHash": "sha256-HItBkG0whb7nVxBPSHm6ChD92Ua7i6YQQ9GU3skKaak=",
|
||||||
"owner": "Aylur",
|
"owner": "Aylur",
|
||||||
"repo": "ags",
|
"repo": "ags",
|
||||||
"rev": "93af4d4cbbc190c1116a02cdea99d327b0c5cec2",
|
"rev": "909b3011de4dc9a89fe7055766d47d48f00df28c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -27,16 +27,16 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1701596842,
|
"lastModified": 1701823507,
|
||||||
"narHash": "sha256-QUtozR8Bp/kZ1zlTsnR7rDtFEqEfhmuR93a3tprsEhQ=",
|
"narHash": "sha256-C56+hIpWjM5wVZZJRY+jGSJWAXs2rUimbZRITyjJk3I=",
|
||||||
"owner": "matt1432",
|
"owner": "matt1432",
|
||||||
"repo": "nixos-caddy-patched",
|
"repo": "nixos-caddy-cloudflare",
|
||||||
"rev": "7f996b07912ac4ce592de89a4a434da427b0ede9",
|
"rev": "aed7715b5c4961c3eb1d741a6ee92cd71a754234",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "matt1432",
|
"owner": "matt1432",
|
||||||
"repo": "nixos-caddy-patched",
|
"repo": "nixos-caddy-cloudflare",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -358,11 +358,11 @@
|
||||||
"xdph": "xdph"
|
"xdph": "xdph"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1701790877,
|
"lastModified": 1701819597,
|
||||||
"narHash": "sha256-xNjSypJirandCE1/OLFwndGYhFdoSqcbjW77rVZ86uI=",
|
"narHash": "sha256-X0K2v/SOMQj18/O9daDlizlnlGRDMWuuGoU3jm06b7k=",
|
||||||
"owner": "hyprwm",
|
"owner": "hyprwm",
|
||||||
"repo": "Hyprland",
|
"repo": "Hyprland",
|
||||||
"rev": "37d7a8c64dfabfe81330c819c24fd6b13b292194",
|
"rev": "8bd86cf37e245088433156796f1bc72542ca09ad",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -426,11 +426,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1701734705,
|
"lastModified": 1701821276,
|
||||||
"narHash": "sha256-Zf5xsGvxLXmnDEtF2j9ZQ81Ot03vfM8jFtE2hiU4A+E=",
|
"narHash": "sha256-i7SIJRT3eMmhFTu5BG+uVIeOFUUFVbD6nQtpTf4xqkI=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "neovim-nightly-overlay",
|
"repo": "neovim-nightly-overlay",
|
||||||
"rev": "692f9f3cbeaf82824961d9d03ef6322792b2a706",
|
"rev": "103e90e0d34fc97632714d573fa9f1dbb3c8be0d",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -449,11 +449,11 @@
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"dir": "contrib",
|
"dir": "contrib",
|
||||||
"lastModified": 1701729159,
|
"lastModified": 1701818162,
|
||||||
"narHash": "sha256-RrCbMfSdHO3H04WTX5Eo8EH9c+H5hs7bxgD/BoxEtEs=",
|
"narHash": "sha256-FvPz/66+HcAcD8Xg2BZMEQkStNLEkN0P8miFeSRw0oc=",
|
||||||
"owner": "neovim",
|
"owner": "neovim",
|
||||||
"repo": "neovim",
|
"repo": "neovim",
|
||||||
"rev": "c3836e40a2bffbc1d4e06531145b7825788dd818",
|
"rev": "06ff540e1ca25f4c26670f184d4087f6e3188064",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -630,6 +630,22 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs-stable": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1701568804,
|
||||||
|
"narHash": "sha256-iwr1fjOCvlirVL/xNvOTwY9kg3L/F3TC/7yh/QszaPI=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "dc01248a9c946953ad4d438b0a626f5c987a93e4",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "release-23.05",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs-wayland": {
|
"nixpkgs-wayland": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat_2",
|
"flake-compat": "flake-compat_2",
|
||||||
|
@ -749,11 +765,11 @@
|
||||||
},
|
},
|
||||||
"nur": {
|
"nur": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1701798379,
|
"lastModified": 1701817202,
|
||||||
"narHash": "sha256-o+uFCoZalr5csUdWD84I2ELd78VGxt9+8PZbJXwaHA8=",
|
"narHash": "sha256-ReuTsHGgs99DIO8Gg32Ho9aIKnW0rcZa42ltdHWfkD8=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "NUR",
|
"repo": "NUR",
|
||||||
"rev": "e3ef2421e85a36a8b5650cfb3cc9096f53059609",
|
"rev": "36cffb929d12255feafaa6ba4d286e13ba41f8e1",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -819,9 +835,53 @@
|
||||||
"nur": "nur",
|
"nur": "nur",
|
||||||
"nurl": "nurl",
|
"nurl": "nurl",
|
||||||
"pihole": "pihole",
|
"pihole": "pihole",
|
||||||
|
"secrets": "secrets",
|
||||||
"tree-sitter-hypr-flake": "tree-sitter-hypr-flake"
|
"tree-sitter-hypr-flake": "tree-sitter-hypr-flake"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"secrets": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"sops-nix": "sops-nix"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1701824407,
|
||||||
|
"narHash": "sha256-+7FB+KP6T1Gdw0pLvxmgAdoP3YDPcD5JGjgCDpiXNcg=",
|
||||||
|
"ref": "refs/heads/main",
|
||||||
|
"rev": "7968d9603ac78e87d96f568a7e79020f6c6344d8",
|
||||||
|
"revCount": 3,
|
||||||
|
"type": "git",
|
||||||
|
"url": "ssh://git@git.nelim.org/matt1432/nixos-secrets"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "ssh://git@git.nelim.org/matt1432/nixos-secrets"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"sops-nix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"secrets",
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"nixpkgs-stable": "nixpkgs-stable"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1701728052,
|
||||||
|
"narHash": "sha256-7lOMc3PtW5a55vFReBJLLLOnopsoi1W7MkjJ93jPV4E=",
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"rev": "e91ece6d2cf5a0ae729796b8f0dedceab5107c3d",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"systems": {
|
"systems": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1681028828,
|
"lastModified": 1681028828,
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
self,
|
self,
|
||||||
home-manager,
|
home-manager,
|
||||||
nixpkgs,
|
nixpkgs,
|
||||||
|
secrets,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
supportedSystems = ["x86_64-linux" "aarch64-linux"];
|
supportedSystems = ["x86_64-linux" "aarch64-linux"];
|
||||||
|
@ -36,6 +37,10 @@
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||||
|
secrets = {
|
||||||
|
url = "git+ssh://git@git.nelim.org/matt1432/nixos-secrets";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
|
|
||||||
nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
|
nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
|
||||||
nur.url = "github:nix-community/NUR";
|
nur.url = "github:nix-community/NUR";
|
||||||
|
|
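Review bot: The `secrets` input added under `inputs` is copied into the world-readable Nix store on every machine that evaluates this flake, and nothing at the declaration records that constraint. A comment above `secrets = {` such as `# fetched into /nix/store (world-readable): this repo must only ever contain sops-encrypted files` would make it explicit for whoever next adds a file there. The `git+ssh` URL also means evaluation needs an SSH key for git.nelim.org available to the user running the rebuild, which the same comment could mention. Both hunks sit inside larger attribute sets that continue outside the lines shown.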