From aef5e24b1245a37df103ea747d1feb75af1589dd Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Joshua Bell)"
Date: Tue, 6 Jan 2026 16:09:54 -0600
Subject: [PATCH] Use secret path for SSH identity files and refresh juni flake lock
---
 hosts/juni/flake.lock |  42 ++++++-------
 hosts/juni/flake.nix  | 140 ++++++++++++++++++++++++------------
 2 files changed, 97 insertions(+), 85 deletions(-)
diff --git a/hosts/juni/flake.lock b/hosts/juni/flake.lock
index fb8036e5..3f8b4fa4 100644
--- a/hosts/juni/flake.lock
+++ b/hosts/juni/flake.lock
@@ -6,11 +6,11 @@
       },
       "locked": {
         "dir": "flakes/beszel",
-        "lastModified": 1767719747,
-        "narHash": "sha256-1ISVytokGTCP7MvZPpMBO2bT+/VY3mxjZdWx9BcdzlE=",
+        "lastModified": 1767732316,
+        "narHash": "sha256-9I401qLCTPogmoPDe5h4UdiIsT1XIX42jl5ICIUXfE8=",
         "ref": "refs/heads/master",
-        "rev": "c90766c206e859d3eb2b273b43ef713426849d48",
-        "revCount": 1067,
+        "rev": "200fe2b85ed48c13a74d812038faa2274a843a69",
+        "revCount": 1075,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
@@ -39,11 +39,11 @@
     "common": {
       "locked": {
         "dir": "flakes/common",
-        "lastModified": 1767719747,
-        "narHash": "sha256-1ISVytokGTCP7MvZPpMBO2bT+/VY3mxjZdWx9BcdzlE=",
+        "lastModified": 1767732316,
+        "narHash": "sha256-9I401qLCTPogmoPDe5h4UdiIsT1XIX42jl5ICIUXfE8=",
         "ref": "refs/heads/master",
-        "rev": "c90766c206e859d3eb2b273b43ef713426849d48",
-        "revCount": 1067,
+        "rev": "200fe2b85ed48c13a74d812038faa2274a843a69",
+        "revCount": 1075,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
@@ -58,20 +58,14 @@
         "plasma-manager": "plasma-manager"
       },
       "locked": {
-        "dir": "flakes/de_plasma",
-        "lastModified": 1767719747,
-        "narHash": "sha256-1ISVytokGTCP7MvZPpMBO2bT+/VY3mxjZdWx9BcdzlE=",
-        "ref": "refs/heads/master",
-        "rev": "c90766c206e859d3eb2b273b43ef713426849d48",
-        "revCount": 1067,
-        "type": "git",
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
+        "path": "../../flakes/de_plasma",
+        "type": "path"
       },
       "original": {
-        "dir": "flakes/de_plasma",
-        "type": "git",
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
-      }
+        "path": "../../flakes/de_plasma",
+        "type": "path"
+      },
+      "parent": []
     },
     "flatpaks": {
       "inputs": {
@@ -79,11 +79,11 @@
       },
       "locked": {
         "dir": "flakes/flatpaks",
-        "lastModified": 1767719747,
-        "narHash": "sha256-1ISVytokGTCP7MvZPpMBO2bT+/VY3mxjZdWx9BcdzlE=",
+        "lastModified": 1767732316,
+        "narHash": "sha256-9I401qLCTPogmoPDe5h4UdiIsT1XIX42jl5ICIUXfE8=",
         "ref": "refs/heads/master",
-        "rev": "c90766c206e859d3eb2b273b43ef713426849d48",
-        "revCount": 1067,
+        "rev": "200fe2b85ed48c13a74d812038faa2274a843a69",
+        "revCount": 1075,
         "type": "git",
         "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
diff --git a/hosts/juni/flake.nix b/hosts/juni/flake.nix
index 194790ed..31dd8f0e 100644
--- a/hosts/juni/flake.nix
+++ b/hosts/juni/flake.nix
@@ -43,9 +43,9 @@
       {
         nixosConfigurations = {
           "${configuration_name}" = (
-            lib.nixosSystem {
-              specialArgs = { inherit inputs; };
-              modules = [
+            lib.nixosSystem {
+              specialArgs = { inherit inputs; };
+              modules = [
                 inputs.nixos-hardware.nixosModules.framework-12-13th-gen-intel
                 inputs.impermanence.nixosModules.impermanence
                 ({
@@ -69,7 +69,7 @@
 }) inputs.common.nixosModules.jetbrains_font - inputs.secrets-bao.nixosModules.default + inputs.secrets-bao.nixosModules.default inputs.ros_neovim.nixosModules.default ({ ringofstorms-nvim.includeAllRuntimeDependencies = true;
@@ -90,63 +90,81 @@ inputs.common.nixosModules.tailnet inputs.common.nixosModules.remote_lio_builds - ( - { inputs, lib, ... }: - let - secrets = { - headscale_auth = { - kvPath = "kv/data/machines/home_roaming/headscale_auth"; - dependencies = [ "tailscaled" ]; - configChanges = { - services.tailscale.authKeyFile = "$SECRET_PATH"; - }; - }; - nix2github = { - owner = "josh"; - group = "users"; - kvPath = "kv/data/machines/home_roaming/nix2github"; - }; - nix2bitbucket = { - owner = "josh"; - group = "users"; - kvPath = "kv/data/machines/home_roaming/nix2bitbucket"; - }; - nix2gitforgejo = { - owner = "josh"; - group = "users"; - kvPath = "kv/data/machines/home_roaming/nix2gitforgejo"; - }; - nix2lio = { - owner = "josh"; - group = "users"; - kvPath = "kv/data/machines/home_roaming/nix2lio"; - }; - }; - in - lib.mkMerge [ - { - ringofstorms.secretsBao = { - enable = true; - zitadelKeyPath = "/machine-key.json"; - openBaoAddr = "https://sec.joshuabell.xyz"; - jwtAuthMountPath = "auth/zitadel-jwt"; - openBaoRole = "machines"; - zitadelIssuer = "https://sso.joshuabell.xyz"; - zitadelProjectId = "344379162166820867"; - inherit secrets; - }; - } - (inputs.secrets-bao.lib.applyConfigChanges secrets) - ] - ) + ( + { inputs, lib, ... 
}: + let + secrets = { + headscale_auth = { + kvPath = "kv/data/machines/home_roaming/headscale_auth"; + dependencies = [ "tailscaled" ]; + configChanges.services.tailscale.authKeyFile = "$SECRET_PATH"; + }; + nix2github = { + owner = "josh"; + group = "users"; + hmChanges.programs.ssh.matchBlocks."github.com".identityFile = "$SECRET_PATH"; + }; + nix2bitbucket = { + owner = "josh"; + group = "users"; + hmChanges.programs.ssh.matchBlocks."bitbucket.com".identityFile = "$SECRET_PATH"; + }; + nix2gitforgejo = { + owner = "josh"; + group = "users"; + hmChanges.programs.ssh.matchBlocks."git.joshuabell.xyz".identityFile = "$SECRET_PATH"; + }; + nix2lio = { + owner = "josh"; + group = "users"; + hmChanges.programs.ssh.matchBlocks = lib.genAttrs [ "lio" "lio_" ] (_: { + identityFile = "$SECRET_PATH"; + }); + }; + nix2oren = { + owner = "josh"; + group = "users"; + hmChanges.programs.ssh.matchBlocks.oren.identityFile = "$SECRET_PATH"; + }; + nix2gpdPocket3 = { + owner = "josh"; + group = "users"; + hmChanges.programs.ssh.matchBlocks.gp3.identityFile = "$SECRET_PATH"; + }; + nix2t = { + owner = "josh"; + group = "users"; + hmChanges.programs.ssh.matchBlocks = lib.genAttrs [ "t" "t_" ] (_: { + identityFile = "$SECRET_PATH"; + }); + }; + }; + in + lib.mkMerge [ + { + ringofstorms.secretsBao = { + enable = true; + zitadelKeyPath = "/machine-key.json"; + openBaoAddr = "https://sec.joshuabell.xyz"; + jwtAuthMountPath = "auth/zitadel-jwt"; + openBaoRole = "machines"; + zitadelIssuer = "https://sso.joshuabell.xyz"; + zitadelProjectId = "344379162166820867"; + inherit secrets; + }; + } + (inputs.secrets-bao.lib.applyConfigChanges secrets) + (inputs.secrets-bao.lib.applyHmChanges secrets) + ] + ) - # inputs.beszel.nixosModules.agent - # ({ - # beszelAgent = { - # token = "2fb5f0a0-24aa-4044-a893-6d0f916cd063"; - # }; - # } - # ) + inputs.beszel.nixosModules.agent + ({ + beszelAgent = { + token = "2fb5f0a0-24aa-4044-a893-6d0f916cd063"; + }; + } + ) ./hardware-configuration.nix 
                 ./hardware-mounts.nix
@@ -176,7 +194,7 @@
                   inputs.common.homeManagerModules.starship
                   inputs.common.homeManagerModules.zoxide
                   inputs.common.homeManagerModules.zsh
-                  # inputs.common.homeManagerModules.ssh
+                  inputs.common.homeManagerModules.ssh
                   (
                     { ... }:
                     {
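Review bot: The beszel agent token is committed as a plaintext literal (`token = "…"` in the `beszelAgent` block this hunk un-comments), even though the same hunk moves every SSH identity behind secrets-bao; a value written into flake.nix ends up in the repository history and, once the flake is evaluated, in the world-readable Nix store on the host. It would be consistent to add an entry such as `beszel_token` to `secrets` and point the agent at `"$SECRET_PATH"` through `configChanges`, the way `headscale_auth` sets `services.tailscale.authKeyFile = "$SECRET_PATH";`, provided the beszel agent module accepts a token file (not visible here). The `nix2github`, `nix2bitbucket`, `nix2gitforgejo` and `nix2lio` entries also lose their explicit `kvPath`; unless secrets-bao derives it from the attribute name, those secrets will no longer resolve. The `"bitbucket.com"` match block is worth double-checking, since Bitbucket's SSH endpoint is `bitbucket.org` and a Host match on `bitbucket.com` would leave that identity unused. The enclosing module list starts and ends outside the hunk.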