move secrets to its own module

This commit is contained in:
RingOfStorms (Joshua Bell) 2025-01-09 00:51:53 -06:00
parent 3ba125799b
commit 3f1f13876e
9 changed files with 300 additions and 91 deletions


@ -132,6 +132,17 @@ in
hostname = "10.20.40.1";
user = "luser";
};
"l003_" = {
identityFile = age.secrets.nix2l002.path;
hostname = "172.234.26.141";
user = "luser";
};
# TODO
# "l003" = {
# identityFile = age.secrets.nix2l002.path;
# hostname = "10.20.40.TODO";
# user = "luser";
# };
};
};
}
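Review bot: The new `"l003_"` entry points `identityFile` at `age.secrets.nix2l002.path`, a key whose name suggests it already belongs to another host (and which the readme in this commit also uses to reach 172.234.26.141), so one private key now unlocks more than one machine; a per-host secret (e.g. `nix2l003`) would keep a key compromise scoped to a single host. The trailing-underscore name next to the commented `"l003"` entry with a `10.20.40.TODO` address reads as a temporary public-address alias, which is worth a one-line comment such as `# l003_: public address until the 10.20.40.x route exists` so the suffix is not mistaken for a typo. The enclosing attribute set starts before this hunk, and the page does not show which file this is.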


@ -0,0 +1,8 @@
{
...
}:
{
networking.hostName = "l003";
boot.loader.grub.enable = true;
system.stateVersion = "24.11";
}
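Review bot: `networking.hostName = "l003"` duplicates `configuration_name = "l003"` in hosts/l003/flake.nix, so renaming the host means editing two files; setting `networking.hostName = configuration_name;` in the flake's inline module next to `systemName = configuration_name;` would keep them in sync. A short header comment saying what belongs in this file versus linode.nix (provider/console settings there, host identity here) would also help, since the module is otherwise three bare options. The file's path is not shown on this page; it appears to be the `./configuration.nix` listed in the flake's module list.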

77
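--- /dev/null
+++ b/hosts/l003/flake.nix
+{
+inputs = {
+nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+mod_common.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_common";
+mod_common.inputs.nixpkgs.follows = "nixpkgs";
+mod_common.inputs.ragenix.inputs.nixpkgs.follows = "nixpkgs";
+};
+outputs =
+{
+self,
+nixpkgs,
+...
+}@inputs:
+let
+configuration_name = "l003";
+lib = nixpkgs.lib;
+in
+{
+nixosConfigurations = {
+nixos = self.nixosConfigurations.${configuration_name};
+"${configuration_name}" =
+let
+auto_modules = builtins.concatMap (
+input:
+lib.optionals
+(builtins.hasAttr "nixosModules" input && builtins.hasAttr "default" input.nixosModules)
+[
+input.nixosModules.default
+]
+) (builtins.attrValues inputs);
+in
+(lib.nixosSystem {
+modules = [
+./configuration.nix
+./hardware-configuration.nix
+./linode.nix
+./common.nix
+(
+{ pkgs, ... }:
+{
+users.users.root.openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJN2nsLmAlF6zj5dEBkNSJaqcCya+aB6I0imY8Q5Ew0S nix2lio"
+];
+mods = {
+common = {
+flakeLocationOverride = "/home/luser/.config/nixos-config";
+disableRemoteBuildsOnLio = true;
+systemName = configuration_name;
+allowUnfree = true;
+primaryUser = "luser";
+docker = true;
+users = {
+luser = {
+extraGroups = [
+"wheel"
+"networkmanager"
+];
+isNormalUser = true;
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLBVLiPbhVG+riNNpkvXnNtOioByV3CQwtY9gu8pstp nix2l002"
+];
+};
+};
+};
+};
+}
+)
+] ++ auto_modules;
+specialArgs = {
+inherit inputs;
+};
+});
+};
+};
+}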
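Review bot: Root's `users.users.root.openssh.authorizedKeys.keys` is declared here (the nix2lio key) and again in hosts/l003/linode.nix, where it is set to luser's keys; NixOS list options merge, so root accepts both keys and a reviewer has to read two files to know who can log in as root. Declaring root's keys in one place, or at least a comment here such as `# merges with the luser keys linode.nix also grants to root`, would make that set reviewable at a glance. The module list also imports `./common.nix`, which is not among the nine files in this commit; if it does not already exist under hosts/l003 the flake will fail to evaluate. Minor: the inline module binds `{ pkgs, ... }:` but never uses `pkgs`, so `{ ... }:` is enough.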


@ -0,0 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/3612d65e-719c-4b33-af08-561b790d6d33";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s5.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

33
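--- /dev/null
+++ b/hosts/l003/linode.nix
+{ config, pkgs, ... }:
+{
+# https://www.linode.com/docs/guides/install-nixos-on-linode/#configure-nixos
+boot.kernelParams = [ "console=ttyS0,19200n8" ];
+boot.loader.grub.extraConfig = ''
+serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+terminal_input serial;
+terminal_output serial
+'';
+boot.loader.grub.forceInstall = true;
+boot.loader.grub.device = "nodev";
+boot.loader.timeout = 10;
+# TODO disable after first startup with ssh keys
+services.openssh = {
+enable = true;
+settings.PermitRootLogin = "yes";
+settings.PasswordAuthentication = false;
+};
+users.users.root.openssh.authorizedKeys.keys = config.users.users.luser.openssh.authorizedKeys.keys;
+networking.usePredictableInterfaceNames = false;
+networking.useDHCP = false; # Disable DHCP globally as we will not need it.
+# required for ssh?
+networking.interfaces.eth0.useDHCP = true;
+environment.systemPackages = with pkgs; [
+inetutils
+mtr
+sysstat
+];
+}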
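Review bot: `settings.PermitRootLogin = "yes"` is broader than the bootstrap needs: `PasswordAuthentication` is already false and root is given luser's keys on the next line, so `settings.PermitRootLogin = "prohibit-password";` (the NixOS default) gives the same key-based root access while staying safe if password authentication is ever re-enabled, and it removes the need for the TODO above it. Root's keys are also set in the inline module of hosts/l003/flake.nix, and the two lists merge; a comment here noting that would keep the root key set reviewable. The `# required for ssh?` comment on `networking.interfaces.eth0.useDHCP = true` should state the answer rather than ask it — this matches the Linode guide linked at the top, so `# Linode: global DHCP off, eth0 configured via DHCP (per the guide above)` would do.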

17
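--- /dev/null
+++ b/hosts/l003/readme.md
+# Linode setup
+https://www.linode.com/docs/guides/install-nixos-on-linode/#prepare-your-linode
+https://nixos.org/download/
+`export HOSTNAME=NAME && sudo nixos-rebuild switch --flake ~/.config/nixos-config`
+# My config
+```sh
+rsync -e "ssh -i /run/agenix/nix2l002" -Pahz \
+--delete-after \
+--exclude 'flake.lock' \
+~/.config/nixos-config/hosts/l003/ \
+luser@172.234.26.141:~/.config/nixos-config/
+```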


@ -73,6 +73,7 @@
# librechat
librechat = {
user = "root";
image = "ghcr.io/danny-avila/librechat-dev:latest";
ports = [
"${toString config.services.librechat.port}:${toString config.services.librechat.port}"
@ -99,6 +100,7 @@
};
librechat_mongodb = {
user = "root";
image = "mongo";
volumes = [
"${config.services.librechat.dataDir}/data-node:/data/db"
@ -111,6 +113,7 @@
};
librechat_meilisearch = {
user = "root";
image = "getmeili/librechat_meilisearch:v1.7.3";
environment = {
MEILI_HOST = "http://librechat_meilisearch:7700";
@ -123,6 +126,7 @@
};
librechat_vectordb = {
user = "root";
image = "ankane/pgvector:latest";
environment = {
POSTGRES_DB = "mydatabase";
@ -136,6 +140,7 @@
};
librechat_rag_api = {
user = "root";
image = "ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest";
environment = {
DB_HOST = "librechat_vectordb";
@ -149,6 +154,7 @@
# TODO revisit local whisper, for now I am using groq free for STT
# librechat_whisper = {
# user = "root";
# image = "onerahmet/openai-whisper-asr-webservice:latest";
# # ports = [ "8080:8080" ];
# environment = {
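Review bot: `user = "root";` is added to every librechat container — the librechat, librechat_mongodb, librechat_meilisearch, librechat_vectordb and librechat_rag_api hunks, plus the commented-out whisper one — which runs each container's main process as UID 0 with no comment on why. If the reason is that the bind mounts under `config.services.librechat.dataDir` are root-owned, a comment such as `# root: bind mounts under dataDir are root-owned` would stop the line being "cleaned up" later, and a dedicated UID with matching ownership on the volume directories would be the tighter fix; for images that already run as a non-root user the setting is a privilege increase rather than a no-op. Each container definition continues outside its hunk, and the file's path is not shown on this page.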

184
hosts/lio/flake.lock generated

@ -3,9 +3,9 @@
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"home-manager": "home-manager_2",
"nixpkgs": [
"mod_common",
"mod_secrets",
"ragenix",
"nixpkgs"
],
@ -36,14 +36,14 @@
"mod_de_cosmic",
"nixpkgs-stable"
],
"rust-overlay": "rust-overlay_2"
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1735868220,
"narHash": "sha256-/2fV5/nf+v/7IY3N/hvVmnfwDmLbqRLNqKTB0954EW0=",
"lastModified": 1736188510,
"narHash": "sha256-9gUz9t43aPHHPNfSnqqb5R1ZLs4nd5DWFeJwJS4Y+L0=",
"owner": "lilyinstarlight",
"repo": "nixos-cosmic",
"rev": "ee7f797d293e1956e3df90b748d9992dbb3c82ad",
"rev": "e127ad3374836982730aa094d2b3f7268c025b02",
"type": "github"
},
"original": {
@ -70,7 +70,7 @@
"darwin": {
"inputs": {
"nixpkgs": [
"mod_common",
"mod_secrets",
"ragenix",
"agenix",
"nixpkgs"
@ -126,29 +126,6 @@
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"mod_common",
"ragenix",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"mod_home-manager",
@ -170,6 +147,29 @@
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"mod_secrets",
"ragenix",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"mod_boot_systemd": {
"locked": {
"lastModified": 1735793935,
@ -190,15 +190,14 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"ragenix": "ragenix"
]
},
"locked": {
"lastModified": 1735934181,
"narHash": "sha256-FuIaDsoyBOU8L0842gU9VKGs2wQ3ATRXAZe8LY/HEtY=",
"lastModified": 1736191002,
"narHash": "sha256-t39PCeJFgIXzniqjUIIFnbv6AE15WyoPTCE3k3Xuyz0=",
"ref": "mod_common",
"rev": "f10210d958d9d27bbd61fda8b72fe10106a1b8c0",
"revCount": 2,
"rev": "ac3c0c2422842edba1887279bddd02b895ec5ed2",
"revCount": 4,
"type": "git",
"url": "https://git.joshuabell.xyz/dotfiles"
},
@ -235,7 +234,7 @@
},
"mod_home-manager": {
"inputs": {
"home-manager": "home-manager_2",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
]
@ -290,6 +289,25 @@
"url": "https://git.joshuabell.xyz/dotfiles"
}
},
"mod_secrets": {
"inputs": {
"ragenix": "ragenix"
},
"locked": {
"lastModified": 1736190878,
"narHash": "sha256-Unmqhmyn4z4a5za2jH0hfedpIDNdY2ndSHFLfDUGQgg=",
"ref": "mod_secrets",
"rev": "ced4cfd2fa2f18b32e59cfb0df4a964c8c388588",
"revCount": 6,
"type": "git",
"url": "https://git.joshuabell.xyz/dotfiles"
},
"original": {
"ref": "mod_secrets",
"type": "git",
"url": "https://git.joshuabell.xyz/dotfiles"
}
},
"nix-filter": {
"locked": {
"lastModified": 1710156097,
@ -323,11 +341,27 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1735669367,
"narHash": "sha256-tfYRbFhMOnYaM4ippqqid3BaLOXoFNdImrfBfCp4zn0=",
"lastModified": 1725634671,
"narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "edf04b75c13c2ac0e54df5ec5c543e300f76f1c9",
"rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1736061677,
"narHash": "sha256-DjkQPnkAfd7eB522PwnkGhOMuT9QVCZspDpJJYyOj60=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "cbd8ec4de4469333c82ff40d057350c30e9f7d36",
"type": "github"
},
"original": {
@ -337,7 +371,7 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1735854365,
"narHash": "sha256-pNb03vdsQmn0jS5dKAdx2DFZ2QH4RRvrIzZxqpfMcS8=",
@ -1269,11 +1303,8 @@
"agenix": "agenix",
"crane": "crane",
"flake-utils": "flake-utils",
"nixpkgs": [
"mod_common",
"nixpkgs"
],
"rust-overlay": "rust-overlay"
"nixpkgs": "nixpkgs_2",
"rust-overlay": "rust-overlay_3"
},
"locked": {
"lastModified": 1726755133,
@ -1293,7 +1324,7 @@
"inputs": {
"nix-filter": "nix-filter",
"nixpkgs": "nixpkgs",
"rust-overlay": "rust-overlay_3"
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1735420577,
@ -1317,13 +1348,14 @@
"mod_home-manager": "mod_home-manager",
"mod_nebula": "mod_nebula",
"mod_ros_stormd": "mod_ros_stormd",
"nixpkgs": "nixpkgs_2",
"mod_secrets": "mod_secrets",
"nixpkgs": "nixpkgs_3",
"ros_neovim": "ros_neovim"
}
},
"ros_neovim": {
"inputs": {
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_4",
"nvim_plugin-Almo7aya/openingh.nvim": "nvim_plugin-Almo7aya/openingh.nvim",
"nvim_plugin-CopilotC-Nvim/CopilotChat.nvim": "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim",
"nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring": "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring",
@ -1400,17 +1432,17 @@
"rust-overlay": {
"inputs": {
"nixpkgs": [
"mod_common",
"ragenix",
"mod_de_cosmic",
"cosmic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725675754,
"narHash": "sha256-hXW3csqePOcF2e/PYnpXj72KEYyNj2HzTrVNmS/F7Ug=",
"lastModified": 1736044260,
"narHash": "sha256-DTAr0mAd8AZwWgRtU9ZZFPz3DwNeoH/Oi/1QMSqc9YQ=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "8cc45e678e914a16c8e224c3237fb07cf21e5e54",
"rev": "c8ed24cc104ebbc218d992e208131e9f024b69f0",
"type": "github"
},
"original": {
@ -1420,28 +1452,6 @@
}
},
"rust-overlay_2": {
"inputs": {
"nixpkgs": [
"mod_de_cosmic",
"cosmic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1735784864,
"narHash": "sha256-tIl5p3ueaPw7T5T1UXkLc8ISMk6Y8CI/D/rd0msf73I=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "04d5f1836721461b256ec452883362c5edc5288e",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_3": {
"inputs": {
"nixpkgs": [
"mod_ros_stormd",
@ -1463,6 +1473,28 @@
"type": "github"
}
},
"rust-overlay_3": {
"inputs": {
"nixpkgs": [
"mod_secrets",
"ragenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725675754,
"narHash": "sha256-hXW3csqePOcF2e/PYnpXj72KEYyNj2HzTrVNmS/F7Ug=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "8cc45e678e914a16c8e224c3237fb07cf21e5e54",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_4": {
"inputs": {
"nixpkgs": [


@ -5,6 +5,7 @@
ros_neovim.url = "git+https://git.joshuabell.xyz/nvim";
mod_common.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_common";
mod_common.inputs.nixpkgs.follows = "nixpkgs";
mod_secrets.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_secrets";
mod_boot_systemd.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_boot_systemd";
mod_de_cosmic.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_de_cosmic";
mod_de_cosmic.inputs.nixpkgs-stable.follows = "nixpkgs";
@ -61,6 +62,7 @@
mods = {
common = {
disableRemoteBuildsOnLio = true;
systemName = configuration_name;
allowUnfree = true;
primaryUser = "josh";
@ -87,7 +89,6 @@
google-chrome
discordo
discord
# nautilus qimgv # file browsing (not needed in cosmic)
firefox-esr
# freecad
# openscad
@ -107,7 +108,6 @@
../../components/hm/atuin.nix
../../components/hm/direnv.nix
../../components/hm/git.nix
# ../../components/hm/launcher_rofi.nix # not needed in cosmic
../../components/hm/nix_deprecations.nix
../../components/hm/obs.nix
../../components/hm/postgres.nix
@ -118,15 +118,6 @@
../../components/hm/zsh.nix
];
};
# root = {
# imports = [
# ../../components/hm/nix_deprecations.nix
# ../../components/hm/postgres.nix
# ../../components/hm/starship.nix
# ../../components/hm/zoxide.nix
# ../../components/hm/zsh.nix
# ];
# };
};
};
};
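Review bot: `mod_secrets.url` is added without a `follows` for its transitive nixpkgs, unlike `mod_common` two lines above it; the flake.lock in this commit shows `mod_secrets` → `ragenix` now resolving to its own `nixpkgs_2` (nixos-unstable), so a second nixpkgs is fetched and evaluated and ragenix's dependencies come from a different pin than the rest of the system. hosts/l003/flake.nix in the same commit already handles this with `mod_common.inputs.ragenix.inputs.nixpkgs.follows = "nixpkgs";`; the equivalent here is `mod_secrets.inputs.ragenix.inputs.nixpkgs.follows = "nixpkgs";`. The `inputs` attribute set starts before this hunk, and the file's path is not shown on this page.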