-rw-r--r--modules/nixos/mixins/agenix.nix11
-rw-r--r--modules/nixos/mixins/default.nix1
-rw-r--r--modules/nixos/profiles/personal.nix11
-rw-r--r--modules/nixos/profiles/server.nix13
-rw-r--r--modules/nixos/traits/default.nix1
-rw-r--r--modules/nixos/traits/mac-builder.nix3
-rw-r--r--modules/nixos/traits/secrets.nix39
-rw-r--r--modules/nixos/users/seth.nix3
8 files changed, 25 insertions, 57 deletions
diff --git a/modules/nixos/mixins/agenix.nix b/modules/nixos/mixins/agenix.nix
new file mode 100644
index 0000000..8966c31
--- /dev/null
+++ b/modules/nixos/mixins/agenix.nix
@@ -0,0 +1,11 @@
+{ inputs, ... }:
+
+{
+ imports = [ inputs.agenix.nixosModules.default ];
+
+ config = {
+ age = {
+ identityPaths = [ "/etc/age/key" ];
+ };
+ };
+}
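Review bot: `identityPaths = [ "/etc/age/key" ]` hardcodes the host's decryption key path with no comment on where that file comes from, and because mixins/default.nix now imports this module, the setting applies to every host rather than only those that opted in through the removed `traits.secrets.enable`. A short comment would make the out-of-band dependency visible: `# Host-local age identity used to decrypt *.age secrets; provisioned outside the flake and never committed`. For a host that lacks this file but ends up with any `age.secrets` defined (the `manageSecrets` options now default to true), decryption would presumably fail at activation, so it is worth confirming that every host pulling in the mixins either has the key or defines no secrets.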
diff --git a/modules/nixos/mixins/default.nix b/modules/nixos/mixins/default.nix
index 946f790..8e77f34 100644
--- a/modules/nixos/mixins/default.nix
+++ b/modules/nixos/mixins/default.nix
@@ -1,6 +1,7 @@
{
imports = [
./acme.nix
+ ./agenix.nix
./budgie.nix
./catppuccin.nix
./comin.nix
diff --git a/modules/nixos/profiles/personal.nix b/modules/nixos/profiles/personal.nix
index 84697a5..9f3615f 100644
--- a/modules/nixos/profiles/personal.nix
+++ b/modules/nixos/profiles/personal.nix
@@ -15,6 +15,10 @@ in
};
config = lib.mkIf cfg.enable {
+ _module.args = {
+ secretsDir = inputs.self + "/secrets/personal";
+ };
+
borealis = {
users = {
seth.enable = true;
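Review bot: `_module.args.secretsDir` is now defined here and again in profiles/server.nix (hunk `@@ -23,8 +24,12 @@`), so a host that enables both profiles would carry two definitions of the same module argument; `_module.args` values do not merge like the removed `traits.secrets.secretsDir` option did (one default, one explicit definition, priority wins), so this likely surfaces as a conflicting-definition error rather than one profile winning. If the two profiles are meant never to coexist, say so next to the definition: `# secretsDir is also set by profiles/server.nix; the personal and server profiles are mutually exclusive`. If they can coexist, wrap one side in `lib.mkDefault` or keep a single option that both profiles feed. The `config = lib.mkIf cfg.enable` block continues past the end of this hunk.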
@@ -24,12 +28,5 @@ in
services = {
tailscale.enable = true;
};
-
- traits = {
- secrets = {
- enable = true;
- secretsDir = inputs.self + "/secrets/personal";
- };
- };
};
}
diff --git a/modules/nixos/profiles/server.nix b/modules/nixos/profiles/server.nix
index 8934863..09d1076 100644
--- a/modules/nixos/profiles/server.nix
+++ b/modules/nixos/profiles/server.nix
@@ -2,6 +2,7 @@
config,
lib,
secretsDir,
+ inputs,
inputs',
...
}:
@@ -23,8 +24,12 @@ in
config = lib.mkIf cfg.enable (
lib.mkMerge [
{
- # All servers are most likely on stable, so we want to pull in some newer packages from time to time
- _module.args.unstable = inputs'.nixpkgs.legacyPackages;
+ _module.args = {
+ # All servers are most likely on stable, so we want to pull in some newer packages from time to time
+ unstable = inputs'.nixpkgs.legacyPackages;
+
+ secretsDir = inputs.self + "/secrets/${config.networking.hostName}";
+ };
age.secrets = {
tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age";
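Review bot: Moving `secretsDir` from an overridable `lib.mkOption` default into `_module.args` removes the only documented way for a server host to point at a different secrets directory; any host that needs one now has to define `_module.args.secretsDir` itself and would collide with this definition. The `unstable` line kept its explanatory comment but the new `secretsDir` line has none, so a reader cannot tell why the directory is keyed by hostname; suggested: `# Per-host secrets: each server reads its .age files from secrets/<networking.hostName>`. The `age.secrets` block and the enclosing `lib.mkMerge` continue outside this hunk.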
@@ -61,10 +66,6 @@ in
};
};
- traits = {
- secrets.enable = true;
- };
-
# I use exclusively Tailscale auth on some machines
users.allowNoPasswordLogin = true;
diff --git a/modules/nixos/traits/default.nix b/modules/nixos/traits/default.nix
index f4dbc3c..30e5331 100644
--- a/modules/nixos/traits/default.nix
+++ b/modules/nixos/traits/default.nix
@@ -4,6 +4,5 @@
./locale.nix
./mac-builder.nix
./nvd-diff.nix
- ./secrets.nix
];
}
diff --git a/modules/nixos/traits/mac-builder.nix b/modules/nixos/traits/mac-builder.nix
index e911864..cfafaf3 100644
--- a/modules/nixos/traits/mac-builder.nix
+++ b/modules/nixos/traits/mac-builder.nix
@@ -11,8 +11,7 @@ in
options.traits.mac-builder = {
enable = lib.mkEnableOption "macOS remote builders";
manageSecrets = lib.mkEnableOption "managing SSH keys for builders" // {
- default = config.traits.secrets.enable;
- defaultText = "traits.secrets.enable";
+ default = true;
};
};
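Review bot: `default = true` drops the coupling between "manage SSH keys for builders" and whether secrets are actually configured on the host; the same change is made to `borealis.users.seth.manageSecrets` in users/seth.nix. Before, a host without secrets could import this trait and the option stayed off automatically; now every such host will try to manage builder keys unless it explicitly disables the option, and with `/etc/age/key` absent that presumably fails at activation. Either document the new assumption on the option, `# Secrets are always available now that mixins/agenix.nix is imported unconditionally`, or derive the default from a per-host signal such as whether a secrets directory is configured. The `options.traits.mac-builder` set continues outside the hunk.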
diff --git a/modules/nixos/traits/secrets.nix b/modules/nixos/traits/secrets.nix
deleted file mode 100644
index 0423183..0000000
--- a/modules/nixos/traits/secrets.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- config,
- lib,
- inputs,
- ...
-}:
-
-let
- cfg = config.traits.secrets;
-in
-
-{
- options.traits.secrets = {
- enable = lib.mkEnableOption "secrets management";
-
- secretsDir = lib.mkOption {
- type = lib.types.path;
- default = inputs.self + "/secrets/${config.networking.hostName}";
- defaultText = lib.literalExample "inputs.self + \"/secrets/\${config.networking.hostName}\"";
- description = "Path to your `secrets.nix` subdirectory.";
- };
- };
-
- imports = [ inputs.agenix.nixosModules.default ];
-
- config = lib.mkIf cfg.enable (
- lib.mkMerge [
- {
- _module.args = {
- inherit (cfg) secretsDir;
- };
-
- age = {
- identityPaths = [ "/etc/age/key" ];
- };
- }
- ]
- );
-}
diff --git a/modules/nixos/users/seth.nix b/modules/nixos/users/seth.nix
index 34ec8ee..4cb5f19 100644
--- a/modules/nixos/users/seth.nix
+++ b/modules/nixos/users/seth.nix
@@ -12,8 +12,7 @@ in
{
options.borealis.users.seth = {
manageSecrets = lib.mkEnableOption "automatic management of secrets" // {
- default = config.traits.secrets.enable;
- defaultText = lib.literalExpression "config.traits.secrets.enable";
+ default = true;
};
};