phase 3: new flake.nix + extract common-{nix,doas,shell-fish}; rewire imports
- New unified flake with two nixpkgs channels (unstable for desktops, 25.11 for muffin)
- modules/common-{doas,shell-fish,nix}.nix extracted from duplicated blocks
- modules/desktop-common.nix: renamed from system/common.nix; secret paths point to secrets/desktop/
- hosts/{mreow,yarn}/default.nix import desktop-common; yarn imports modules/no-rgb.nix
- hosts/muffin/default.nix imports common-* + server-prefixed modules + services/; duplicate doas/fish/nix blocks removed; gc retention preserved as mkForce override
- modules/age-secrets.nix: file paths → ../secrets/server/*.age
- services/{minecraft,matrix/livekit}: secret paths → ../secrets/server/
- home/profiles/*.nix: ./progs/ → ../progs/
- hosts/{mreow,yarn}/home.nix: imports rewired to ../../home/profiles/ and ../../home/progs/
- home/progs/pi.nix and hosts/yarn/home.nix: secret reads → ../../secrets/home/
- tests/*.nix: ../modules/security.nix → ../modules/server-security.nix; ../modules/overlays.nix → ../lib/overlays.nix
- lib/default.nix: takes explicit lib param (defaults to nixpkgs-stable.lib)
@@ -15,7 +15,7 @@
|
||||
# ZFS encryption key
|
||||
# path is set to /etc/zfs-key to match the ZFS dataset keylocation property
|
||||
zfs-key = {
|
||||
file = ../secrets/zfs-key.age;
|
||||
file = ../secrets/server/zfs-key.age;
|
||||
mode = "0400";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
@@ -24,7 +24,7 @@
|
||||
|
||||
# Secureboot keys archive
|
||||
secureboot-tar = {
|
||||
file = ../secrets/secureboot.tar.age;
|
||||
file = ../secrets/server/secureboot.tar.age;
|
||||
mode = "0400";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
@@ -32,7 +32,7 @@
|
||||
|
||||
# System passwords
|
||||
hashedPass = {
|
||||
file = ../secrets/hashedPass.age;
|
||||
file = ../secrets/server/hashedPass.age;
|
||||
mode = "0400";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
@@ -40,7 +40,7 @@
|
||||
|
||||
# Service authentication
|
||||
caddy_auth = {
|
||||
file = ../secrets/caddy_auth.age;
|
||||
file = ../secrets/server/caddy_auth.age;
|
||||
mode = "0400";
|
||||
owner = "caddy";
|
||||
group = "caddy";
|
||||
@@ -48,7 +48,7 @@
|
||||
|
||||
# Njalla API token (NJALLA_API_TOKEN=...) for Caddy DNS-01 challenge
|
||||
njalla-api-token-env = {
|
||||
file = ../secrets/njalla-api-token-env.age;
|
||||
file = ../secrets/server/njalla-api-token-env.age;
|
||||
mode = "0400";
|
||||
owner = "caddy";
|
||||
group = "caddy";
|
||||
@@ -56,21 +56,21 @@
|
||||
|
||||
# ddns-updater config.json with Njalla provider credentials
|
||||
ddns-updater-config = {
|
||||
file = ../secrets/ddns-updater-config.age;
|
||||
file = ../secrets/server/ddns-updater-config.age;
|
||||
mode = "0400";
|
||||
owner = "ddns-updater";
|
||||
group = "ddns-updater";
|
||||
};
|
||||
|
||||
jellyfin-api-key = {
|
||||
file = ../secrets/jellyfin-api-key.age;
|
||||
file = ../secrets/server/jellyfin-api-key.age;
|
||||
mode = "0400";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
};
|
||||
|
||||
slskd_env = {
|
||||
file = ../secrets/slskd_env.age;
|
||||
file = ../secrets/server/slskd_env.age;
|
||||
mode = "0500";
|
||||
owner = config.services.slskd.user;
|
||||
group = config.services.slskd.group;
|
||||
@@ -78,7 +78,7 @@
|
||||
|
||||
# Network configuration
|
||||
wg0-conf = {
|
||||
file = ../secrets/wg0.conf.age;
|
||||
file = ../secrets/server/wg0.conf.age;
|
||||
mode = "0400";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
@@ -86,14 +86,14 @@
|
||||
|
||||
# ntfy-alerts secrets (group-readable for CI runner notifications)
|
||||
ntfy-alerts-topic = {
|
||||
file = ../secrets/ntfy-alerts-topic.age;
|
||||
file = ../secrets/server/ntfy-alerts-topic.age;
|
||||
mode = "0440";
|
||||
owner = "root";
|
||||
group = "gitea-runner";
|
||||
};
|
||||
|
||||
ntfy-alerts-token = {
|
||||
file = ../secrets/ntfy-alerts-token.age;
|
||||
file = ../secrets/server/ntfy-alerts-token.age;
|
||||
mode = "0440";
|
||||
owner = "root";
|
||||
group = "gitea-runner";
|
||||
@@ -101,19 +101,19 @@
|
||||
|
||||
# Firefox Sync server secrets (SYNC_MASTER_SECRET)
|
||||
firefox-syncserver-env = {
|
||||
file = ../secrets/firefox-syncserver-env.age;
|
||||
file = ../secrets/server/firefox-syncserver-env.age;
|
||||
mode = "0400";
|
||||
};
|
||||
|
||||
# MollySocket env (MOLLY_VAPID_PRIVKEY + MOLLY_ALLOWED_UUIDS)
|
||||
mollysocket-env = {
|
||||
file = ../secrets/mollysocket-env.age;
|
||||
file = ../secrets/server/mollysocket-env.age;
|
||||
mode = "0400";
|
||||
};
|
||||
|
||||
# Murmur (Mumble) server password
|
||||
murmur-password-env = {
|
||||
file = ../secrets/murmur-password-env.age;
|
||||
file = ../secrets/server/murmur-password-env.age;
|
||||
mode = "0400";
|
||||
owner = "murmur";
|
||||
group = "murmur";
|
||||
@@ -121,7 +121,7 @@
|
||||
|
||||
# Coturn static auth secret
|
||||
coturn-auth-secret = {
|
||||
file = ../secrets/coturn-auth-secret.age;
|
||||
file = ../secrets/server/coturn-auth-secret.age;
|
||||
mode = "0400";
|
||||
owner = "turnserver";
|
||||
group = "turnserver";
|
||||
@@ -129,7 +129,7 @@
|
||||
|
||||
# Matrix (continuwuity) registration token
|
||||
matrix-reg-token = {
|
||||
file = ../secrets/matrix-reg-token.age;
|
||||
file = ../secrets/server/matrix-reg-token.age;
|
||||
mode = "0400";
|
||||
owner = "continuwuity";
|
||||
group = "continuwuity";
|
||||
@@ -138,7 +138,7 @@
|
||||
# Matrix (continuwuity) TURN secret — same secret as coturn-auth-secret,
|
||||
# decrypted separately so continuwuity can read it with its own ownership
|
||||
matrix-turn-secret = {
|
||||
file = ../secrets/coturn-auth-secret.age;
|
||||
file = ../secrets/server/coturn-auth-secret.age;
|
||||
mode = "0400";
|
||||
owner = "continuwuity";
|
||||
group = "continuwuity";
|
||||
@@ -146,7 +146,7 @@
|
||||
|
||||
# CI deploy SSH key
|
||||
ci-deploy-key = {
|
||||
file = ../secrets/ci-deploy-key.age;
|
||||
file = ../secrets/server/ci-deploy-key.age;
|
||||
mode = "0400";
|
||||
owner = "gitea-runner";
|
||||
group = "gitea-runner";
|
||||
@@ -154,7 +154,7 @@
|
||||
|
||||
# Git-crypt symmetric key for dotfiles repo
|
||||
git-crypt-key-dotfiles = {
|
||||
file = ../secrets/git-crypt-key-dotfiles.age;
|
||||
file = ../secrets/server/git-crypt-key-dotfiles.age;
|
||||
mode = "0400";
|
||||
owner = "gitea-runner";
|
||||
group = "gitea-runner";
|
||||
@@ -162,7 +162,7 @@
|
||||
|
||||
# Git-crypt symmetric key for server-config repo
|
||||
git-crypt-key-server-config = {
|
||||
file = ../secrets/git-crypt-key-server-config.age;
|
||||
file = ../secrets/server/git-crypt-key-server-config.age;
|
||||
mode = "0400";
|
||||
owner = "gitea-runner";
|
||||
group = "gitea-runner";
|
||||
@@ -170,7 +170,7 @@
|
||||
|
||||
# Gitea Actions runner registration token
|
||||
gitea-runner-token = {
|
||||
file = ../secrets/gitea-runner-token.age;
|
||||
file = ../secrets/server/gitea-runner-token.age;
|
||||
mode = "0400";
|
||||
owner = "gitea-runner";
|
||||
group = "gitea-runner";
|
||||
@@ -178,7 +178,7 @@
|
||||
|
||||
# llama-cpp API key for bearer token auth
|
||||
llama-cpp-api-key = {
|
||||
file = ../secrets/llama-cpp-api-key.age;
|
||||
file = ../secrets/server/llama-cpp-api-key.age;
|
||||
mode = "0400";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
@@ -186,7 +186,7 @@
|
||||
|
||||
# Harmonia binary cache signing key
|
||||
harmonia-sign-key = {
|
||||
file = ../secrets/harmonia-sign-key.age;
|
||||
file = ../secrets/server/harmonia-sign-key.age;
|
||||
mode = "0400";
|
||||
owner = "harmonia";
|
||||
group = "harmonia";
|
||||
@@ -194,7 +194,7 @@
|
||||
|
||||
# Caddy basic auth for nix binary cache (separate from main caddy_auth)
|
||||
nix-cache-auth = {
|
||||
file = ../secrets/nix-cache-auth.age;
|
||||
file = ../secrets/server/nix-cache-auth.age;
|
||||
mode = "0400";
|
||||
owner = "caddy";
|
||||
group = "caddy";
|
||||
|
||||