Add secrets-bao with sec CLI; use in hosts; fix git helpers

This commit is contained in:
RingOfStorms (Joshua Bell) 2026-01-06 20:05:14 -06:00
parent c223dedb70
commit f8f93a97dc
6 changed files with 192 additions and 33 deletions

hosts/lio/flake.lock generated

@ -63,20 +63,14 @@
},
"common": {
"locked": {
"dir": "flakes/common",
"lastModified": 1767740224,
"narHash": "sha256-7yUQUw/7IMTBHy2EtuDggE8+NwUN3vDH5fwiTQDIrsI=",
"ref": "refs/heads/master",
"rev": "4bc645061b8c3108fdb3ee92a61dbe3e98ecdaea",
"revCount": 1082,
"type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
"path": "../../flakes/common",
"type": "path"
},
"original": {
"dir": "flakes/common",
"type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
}
"path": "../../flakes/common",
"type": "path"
},
"parent": []
},
"crane": {
"locked": {
@ -1321,7 +1315,8 @@
"nixpkgs-unstable": "nixpkgs-unstable",
"opencode": "opencode",
"ros_neovim": "ros_neovim",
"secrets": "secrets"
"secrets": "secrets",
"secrets-bao": "secrets-bao"
}
},
"ros_neovim": {
@ -1460,6 +1455,17 @@
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
}
},
"secrets-bao": {
"locked": {
"path": "../../flakes/secrets-bao",
"type": "path"
},
"original": {
"path": "../../flakes/secrets-bao",
"type": "path"
},
"parent": []
},
"systems": {
"locked": {
"lastModified": 1681028828,


@ -6,10 +6,12 @@
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
# Use relative to get current version for testing
# common.url = "path:../../flakes/common";
common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";
common.url = "path:../../flakes/common";
# common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";
# secrets.url = "path:../../flakes/secrets";
secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets";
secrets-bao.url = "path:../../flakes/secrets-bao";
# secrets-bao.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets-bao";
# flatpaks.url = "path:../../flakes/flatpaks";
flatpaks.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/flatpaks";
# beszel.url = "path:../../flakes/beszel";
@ -95,6 +97,36 @@
common.nixosModules.zsh
common.nixosModules.more_filesystems
inputs.secrets-bao.nixosModules.default
(
{ inputs, lib, ... }:
let
secrets = {
headscale_auth = {
kvPath = "kv/data/machines/home_roaming/headscale_auth";
# dependencies = [ "tailscaled" ];
# configChanges.services.tailscale.authKeyFile = "$SECRET_PATH"; # TODO remove secrets and enable this
};
};
in
lib.mkMerge [
{
ringofstorms.secretsBao = {
enable = true;
zitadelKeyPath = "/machine-key.json";
openBaoAddr = "https://sec.joshuabell.xyz";
jwtAuthMountPath = "auth/zitadel-jwt";
openBaoRole = "machines";
zitadelIssuer = "https://sso.joshuabell.xyz";
zitadelProjectId = "344379162166820867";
inherit secrets;
};
}
(inputs.secrets-bao.lib.applyConfigChanges secrets)
(inputs.secrets-bao.lib.applyHmChanges secrets)
]
)
beszel.nixosModules.agent
({
beszelAgent = {