diff --git a/flakes/common/nix_modules/remote_lio_builds.nix b/flakes/common/nix_modules/remote_lio_builds.nix
index c4731e0..7a54d1c 100644
--- a/flakes/common/nix_modules/remote_lio_builds.nix
+++ b/flakes/common/nix_modules/remote_lio_builds.nix
@@ -1,17 +1,26 @@
 {
 config,
+ lib,
 ...
 }:
+let
+ hasSecret =
+ secret:
+ let
+ secrets = config.age.secrets or { };
+ in
+ secrets ? ${secret} && secrets.${secret} != null;
+in
 {
 # Remote build off home lio computer
- programs.ssh.extraConfig = ''
+ programs.ssh.extraConfig = lib.mkIf (hasSecret "nix2lio") ''
 Host lio_
 PubkeyAcceptedKeyTypes ssh-ed25519
 ServerAliveInterval 60
 IPQoS throughput
 IdentityFile ${config.age.secrets.nix2lio.path}
 '';
- nix = {
+ nix = lib.mkIf (hasSecret "nix2lio") {
 distributedBuilds = true;
 buildMachines = [
 {
diff --git a/flakes/common/nix_modules/tailnet.nix b/flakes/common/nix_modules/tailnet.nix
index c7cef7f..8718b7e 100644
--- a/flakes/common/nix_modules/tailnet.nix
+++ b/flakes/common/nix_modules/tailnet.nix
@@ -1,11 +1,20 @@
 {
 config,
 pkgs,
+ lib,
 ...
 }:
+let
+ hasSecret =
+ secret:
+ let
+ secrets = config.age.secrets or { };
+ in
+ secrets ? ${secret} && secrets.${secret} != null;
+in
 {
 environment.systemPackages = with pkgs; [ tailscale ];
- services.tailscale = {
+ services.tailscale = lib.mkIf (hasSecret "headscale_auth") {
 enable = true;
 openFirewall = true;
 useRoutingFeatures = "client";
diff --git a/hosts/h001/containers/zitadel.nix b/hosts/h001/containers/zitadel.nix
index 48435a3..7db46bd 100644
--- a/hosts/h001/containers/zitadel.nix
+++ b/hosts/h001/containers/zitadel.nix
@@ -13,6 +13,13 @@ let
 hostAddress6 = "fc00::1";
 containerAddress6 = "fc00::3";
+ hasSecret =
+ secret:
+ let
+ secrets = config.age.secrets or { };
+ in
+ secrets ? ${secret} && secrets.${secret} != null;
+
 binds = [
 # Postgres data, must use postgres user in container and host
 {
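Review bot: The `hasSecret` helper introduced in the new `let` block here is copied verbatim into every other file of this commit (tailnet.nix, zitadel.nix, nixarr.nix, oauth2-proxy.nix, openwebui.nix, nginx.nix, vaultwarden.nix), so any future change to how secrets are detected has to be repeated eight times. It would be cleaner to define it once under flakes/common/nix_modules and hand it to the modules (for example through `specialArgs` or `_module.args`), leaving the per-file `lib.mkIf (hasSecret "…")` call sites as they are. Wherever it ends up, a one-line comment such as `# true when agenix declares this secret on the host; gates config that needs it` would explain what the `or { }` fallback is for. The `nix = lib.mkIf …` attribute set continues past the end of the hunk.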
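Review bot: Wrapping `services.tailscale` in `lib.mkIf (hasSecret "headscale_auth")` makes a missing secret silently leave Tailscale unconfigured instead of failing the build, and if the tailnet is the path used to reach these hosts, a rebuild on a host without the secret would drop that path with no signal. The same silent-disable pattern applies to `services.oauth2-proxy`, `security.acme` and the vaultwarden container in the later hunks of this commit. A `warnings = lib.optional (!hasSecret "headscale_auth") "tailnet.nix: headscale_auth secret not declared, tailscale left disabled";` next to the mkIf would surface the degraded state at evaluation time without blocking it. The `services.tailscale` block continues past the end of the hunk.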
@@ -31,6 +38,7 @@ let
 uid = config.ids.uids.postgres;
 gid = config.ids.gids.postgres;
 }
+ ] ++ lib.optionals (hasSecret "zitadel_master_key") [
 # secret
 {
 host = config.age.secrets.zitadel_master_key.path;
diff --git a/hosts/h001/mods/nixarr.nix b/hosts/h001/mods/nixarr.nix
index 54cf34d..80c760b 100644
--- a/hosts/h001/mods/nixarr.nix
+++ b/hosts/h001/mods/nixarr.nix
@@ -1,7 +1,16 @@
 {
 config,
+ lib,
 ...
 }:
+let
+ hasSecret =
+ secret:
+ let
+ secrets = config.age.secrets or { };
+ in
+ secrets ? ${secret} && secrets.${secret} != null;
+in
 {
 config = {
 nixarr = {
@@ -9,7 +18,7 @@
 mediaDir = "/drives/wd10/nixarr/media";
 stateDir = "/var/lib/nixarr/state";
- vpn = {
+ vpn = lib.mkIf (hasSecret "us_chi_wg") {
 enable = true;
 wgConf = config.age.secrets.us_chi_wg.path;
 };
diff --git a/hosts/h001/mods/oauth2-proxy.nix b/hosts/h001/mods/oauth2-proxy.nix
index 5f95f00..73d6f2f 100644
--- a/hosts/h001/mods/oauth2-proxy.nix
+++ b/hosts/h001/mods/oauth2-proxy.nix
@@ -1,6 +1,7 @@
 {
 inputs,
 config,
+ lib,
 ...
 }:
 let
@@ -10,11 +11,17 @@ let
 system = "x86_64-linux";
 config.allowUnfree = true;
 };
+ hasSecret =
+ secret:
+ let
+ secrets = config.age.secrets or { };
+ in
+ secrets ? ${secret} && secrets.${secret} != null;
 in
 {
 disabledModules = [ declaration ];
 imports = [ "${nixpkgs}/nixos/modules/${declaration}" ];
- config = {
+ config = lib.mkIf (hasSecret "oauth2_proxy_key_file") {
 services.oauth2-proxy = {
 enable = true;
 httpAddress = "http://127.0.0.1:4180";
diff --git a/hosts/h001/mods/openwebui.nix b/hosts/h001/mods/openwebui.nix
index a1dd64c..f19f77e 100644
--- a/hosts/h001/mods/openwebui.nix
+++ b/hosts/h001/mods/openwebui.nix
@@ -1,6 +1,7 @@
 {
 inputs,
 config,
+ lib,
 ...
 }:
 let
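Review bot: Making the master-key bind optional with `lib.optionals (hasSecret "zitadel_master_key")` leaves the container definition itself ungated, unlike the other files in this commit which disable the whole service when the secret is absent, so the container presumably still starts without the key mounted and fails at runtime rather than at evaluation. If the container's configuration references that key path, an `assertions` entry such as `{ assertion = hasSecret "zitadel_master_key"; message = "zitadel: zitadel_master_key secret not declared"; }`, or gating the container definition on the same condition, would make the dependency explicit. The `binds` list and the enclosing `let` continue outside the hunk.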
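Review bot: Gating `vpn` on `hasSecret "us_chi_wg"` fails open: when the WireGuard secret is not declared the VPN is silently left unconfigured, and if nixarr's `vpn` option is what confines download traffic to the tunnel, that traffic would then leave over the host's ordinary network while the rest of the configuration looks unchanged. For a control like this an assertion is safer than a mkIf, e.g. `assertions = [ { assertion = hasSecret "us_chi_wg"; message = "nixarr: us_chi_wg secret not declared, VPN cannot be enabled"; } ];` inside `config`, or at minimum a `warnings` entry. The `nixarr` attribute set and the enclosing `config = {` start before the hunk.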
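Review bot: With `config = lib.mkIf (hasSecret "oauth2_proxy_key_file") { … }` the entire module, including the listener at `http://127.0.0.1:4180`, disappears when the secret is absent, while any nginx location elsewhere that forwards authentication to that address is untouched by this module; whether those then refuse or pass requests depends on configuration not visible here. If such protected vhosts exist, an `assertions` entry keyed on the same `hasSecret "oauth2_proxy_key_file"` would turn a silently missing auth proxy into an evaluation error instead of a runtime surprise. The `config` attribute set continues past the end of the hunk.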
@@ -10,12 +11,18 @@ let
 system = "x86_64-linux";
 config.allowUnfree = true;
 };
+ hasSecret =
+ secret:
+ let
+ secrets = config.age.secrets or { };
+ in
+ secrets ? ${secret} && secrets.${secret} != null;
 in
 {
 disabledModules = [ declaration ];
 imports = [ "${nixpkgs}/nixos/modules/${declaration}" ];
 options = { };
- config = {
+ config = lib.mkIf (hasSecret "openwebui_env") {
 services.nginx.virtualHosts."chat.joshuabell.xyz" = {
 addSSL = true;
 sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem";
diff --git a/hosts/h001/nginx.nix b/hosts/h001/nginx.nix
index 788dfe6..a808ab2 100644
--- a/hosts/h001/nginx.nix
+++ b/hosts/h001/nginx.nix
@@ -1,5 +1,6 @@
 {
 config,
+ lib,
 ...
 }:
 let
@@ -7,10 +8,16 @@ let
 proxyWebsockets = true;
 proxyPass = "http://localhost:7575";
 };
+ hasSecret =
+ secret:
+ let
+ secrets = config.age.secrets or { };
+ in
+ secrets ? ${secret} && secrets.${secret} != null;
 in
 {
 # TODO transfer these to o001 to use same certs?
- security.acme = {
+ security.acme = lib.mkIf (hasSecret "linode_rw_domains") {
 acceptTerms = true;
 defaults.email = "admin@joshuabell.xyz";
 certs."joshuabell.xyz" = {
diff --git a/hosts/oracle/o001/containers/vaultwarden.nix b/hosts/oracle/o001/containers/vaultwarden.nix
index d209402..3837d81 100644
--- a/hosts/oracle/o001/containers/vaultwarden.nix
+++ b/hosts/oracle/o001/containers/vaultwarden.nix
@@ -1,5 +1,6 @@
 {
 config,
+ lib,
 ...
 }:
 let
@@ -9,6 +10,13 @@ let
 hostDataDir = "/var/lib/${name}";
 v_port = 8222;
+
+ hasSecret =
+ secret:
+ let
+ secrets = config.age.secrets or { };
+ in
+ secrets ? ${secret} && secrets.${secret} != null;
 in
 {
 users = {
@@ -26,7 +34,7 @@ in
 chmod -R 750 ${hostDataDir}
 '';
- containers.${name} = {
+ containers.${name} = lib.mkIf (hasSecret "vaultwarden_env") {
 ephemeral = true;
 autoStart = true;
 privateNetwork = false;
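Review bot: The openwebui vhost keeps `sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem"` under `lib.mkIf (hasSecret "openwebui_env")`, while in the nginx.nix hunk further down the issuance of that certificate (`security.acme`) is now gated on a different secret, `linode_rw_domains`; on a host that has only the first secret the vhost points at a certificate that is never provisioned and nginx fails to start. Tying the vhost to the ACME host instead, `useACMEHost = "joshuabell.xyz";` in place of the explicit `sslCertificate`/key paths, or gating it on both secrets, keeps the two conditions in step. The `config` block continues past the end of the hunk.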
@@ -72,7 +80,7 @@ in
 };
 };
- services.nginx.virtualHosts."vault.joshuabell.xyz" = {
+ services.nginx.virtualHosts."vault.joshuabell.xyz" = lib.mkIf (hasSecret "vaultwarden_env") {
 enableACME = true;
 forceSSL = true;
 locations = {