/nix/store/dlwqlnbaj5vfm9aw20r1yxk8y56lmgif-repo/header.tmpl

Compare commits

base: faukah:06c8228d164b11176bd4fe3de8a4528d22e3bbcf
Branches Tags
faukah:main
faukah:website
..
compare: faukah:5e9b3aefd4582c31ad789efee8a6485c57fe1f9a
Branches Tags
faukah:main
faukah:website

No commits in common. "06c8228d164b11176bd4fe3de8a4528d22e3bbcf" and "5e9b3aefd4582c31ad789efee8a6485c57fe1f9a" have entirely different histories.
06c8228d16 ... 5e9b3aefd4

21 changed files with 336 additions and 152 deletions
Download patch file Download diff file Expand all files Collapse all files

1
default.nix
View file

@ -47,7 +47,6 @@ let
modules = [
{ networking.hostName = hostname; }
./hosts/${hostname}
inputs.agenix.nixosModules.age
]
++ ((listFilesRecursive ./modules) |> filter (hasSuffix ".mod.nix"));
lib = inputs.nixpkgs.lib.extend (

85
flake.lock generated
View file

@ -16,29 +16,6 @@
"url": "https://git.lix.systems/lix-project/flake-compat.git"
}
},
"agenix": {
"inputs": {
"darwin": [],
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1754433428,
"narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
"owner": "ryantm",
"repo": "agenix",
"rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"crane": {
"locked": {
"lastModified": 1754269165,
@ -124,7 +101,7 @@
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
@ -207,27 +184,6 @@
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1737831083,
@ -399,7 +355,6 @@
"root": {
"inputs": {
"__flake-compat": "__flake-compat",
"agenix": "agenix",
"ghostty": "ghostty",
"hjem": "hjem",
"impermanence": "impermanence",
@ -408,6 +363,7 @@
"nil": "nil",
"nixpkgs": "nixpkgs_2",
"quickshell": "quickshell",
"sops-nix": "sops-nix",
"watt": "watt",
"zedless": "zedless",
"zen-browser-flake": "zen-browser-flake"
@ -463,7 +419,7 @@
"nixpkgs"
],
"rust-overlay": "rust-overlay",
"systems": "systems_3"
"systems": "systems_2"
},
"locked": {
"lastModified": 1749906619,
@ -479,6 +435,26 @@
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1754988908,
"narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
"owner": "mic92",
"repo": "sops-nix",
"rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
"type": "github"
},
"original": {
"owner": "mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@ -509,21 +485,6 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"watt": {
"inputs": {
"nixpkgs": [

5
flake.nix
View file

@ -51,10 +51,9 @@
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:ryantm/agenix";
sops-nix = {
url = "github:mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.darwin.follows = "";
};
__flake-compat = {

5
modules/home/dev/helix.hjem.nix
View file

@ -350,6 +350,7 @@ let
clipboard-provider = "wayland";
completion-trigger-len = 1;
completion-replace = true;
mouse = true;
bufferline = "multiple";
popup-border = "none";
@ -387,6 +388,10 @@ let
"diagnostics"
"line-numbers"
];
inline-diagnostics = {
cursor-line = "hint";
other-lines = "error";
};
};
keys = {
normal = {

3
modules/packages/packages.mod.nix
View file

@ -6,8 +6,10 @@
...
}:
let
inherit (lib) getFlakePkg;
nil = getFlakePkg inputs.nil;
in
{
environment = {
@ -92,7 +94,6 @@ in
])
++ [
nil
inputs.agenix.packages.${pkgs.stdenv.system}.agenix
];
};
}

31
modules/programs/cli/jujutsu.mod.nix → modules/programs/cli/jj.mod.nix
View file

@ -2,17 +2,19 @@
config,
lib,
pkgs,
self,
...
}:
let
inherit (lib.meta) getExe;
inherit (lib.lists) singleton;
inherit (lib.modules) mkIf;
inherit (lib.strings) optionalString;
inherit (config.meta.mainUser) username;
inherit (config.meta.system) isWorkstation;
organizationScope = config.sops.secrets.organization_scope.path;
uniScope = config.sops.secrets.uni_scope.path;
toml = pkgs.formats.toml { };
jj-config = toml.generate "config.toml" {
user = {
@ -60,10 +62,7 @@ let
"@-"
];
};
git = {
# colocate = true;
push-new-bookmarks = true;
};
git.push-new-bookmarks = true;
revset-aliases."closest_bookmark(to)" = "heads(::to & bookmarks())";
signing = {
backend = "ssh";
@ -89,7 +88,6 @@ let
};
ui = {
default-command = "log";
diff-editor = ":builtin";
diff-formatter = [
"${getExe pkgs.difftastic}"
"--color"
@ -107,26 +105,17 @@ let
};
};
inherit (config.age.secrets) organizationScope uniScope;
jj-wrapped = pkgs.symlinkJoin {
name = "jj-wrapped";
paths = singleton [ pkgs.jujutsu ];
paths = [ pkgs.jujutsu ];
nativeBuildInputs = [ pkgs.makeWrapper ];
postBuild = ''
wrapProgram $out/bin/jj --add-flags " --config-file ${organizationScope.path} --config-file ${uniScope.path}"
postBuild = optionalString isWorkstation ''
wrapProgram $out/bin/jj --add-flags " --config-file ${uniScope} --config-file ${organizationScope}"
'';
};
in
{
hjem.users.${username}.xdg.config.files."jj/config.toml".source = jj-config;
age.secrets.organizationScope = mkIf isWorkstation {
file = "${self}/secrets/organization_scope.age";
owner = username;
};
age.secrets.uniScope = mkIf isWorkstation {
file = "${self}/secrets/uni_scope.age";
owner = username;
};
environment.systemPackages = singleton (if isWorkstation then jj-wrapped else pkgs.jujutsu);
environment.systemPackages = singleton jj-wrapped;
}

15
modules/programs/gui/bitwarden.mod.nix
View file

@ -2,13 +2,16 @@
config,
lib,
pkgs,
self,
...
}:
let
inherit (config.modules.system) isGraphical;
inherit (lib.modules) mkIf;
inherit (lib.meta) getExe;
inherit (builtins) readFile;
inherit (config.meta.mainUser) username;
realEmail = readFile config.sops.secrets.real_email.path;
bitwardenUrl = readFile config.sops.secrets.bitwarden_url.path;
fix_ssh_keys = pkgs.writeText "patch" ''
diff --git a/src/api.rs b/src/api.rs
@ -62,9 +65,13 @@ let
in
{
config = mkIf isGraphical {
age.secrets.rbwConfig.file = (self + "/secrets/rbw_config.age");
hjem.users.${username}.xdg.config.files."rbw/config.json".source = config.age.secrets.rbwConfig.path;
hjem.users.${username}.xdg.config.files."rbw/config.json".text =
builtins.toJSON
<| {
email = realEmail;
pinentry = getExe pkgs.pinentry-qt;
base_url = bitwardenUrl;
};
environment = {
systemPackages = lib.attrValues {
inherit (pkgs)

7
modules/services/matrix.mod.nix
View file

@ -2,7 +2,6 @@
config,
lib,
pkgs,
self,
...
}:
let
@ -13,6 +12,8 @@ let
cfg = config.modules.system.services.matrix;
registrationToken = config.sops.secrets.tuwunel_token_file.path;
port = 4926;
domain = "faukah.com";
@ -28,8 +29,6 @@ in
{
options.modules.system.services.matrix.enable = mkEnableOption "matrix";
config = mkIf cfg.enable {
age.secrets.registrationToken.file = "${self}/secrets/tuwunel_token_file.age";
services = {
nginx = {
enable = true;
@ -63,7 +62,7 @@ in
allow_federation = true;
allow_encryption = true;
new_user_displayname_suffix = "";
registration_token_file = config.age.secrets.registrationToken.path;
registration_token_file = registrationToken;
};
};
};

14
modules/style/gtk.mod.nix
View file

@ -96,18 +96,8 @@ in
"xdg/gtk-3.0/settings.ini".text = toGtk3Ini {
Settings = gtkIni;
};
"xdg/gtk-4.0/gtk.css".text = ''
${css}
window {
border-radius: 0 0;
}
'';
"xdg/gtk-3.0/gtk.css".text = ''
${css}
window {
border-radius: 0 0;
}
'';
"xdg/gtk-4.0/gtk.css".text = css;
"xdg/gtk-3.0/gtk.css".text = css;
"xdg/gtk-2.0/gtkrc".text = ''
gtk-cursor-theme-name = BreezeX-RosePine-Linux

1
modules/system/os/impermanence.mod.nix
View file

@ -40,7 +40,6 @@ in
"/var/lib/pipewire"
"/var/lib/systemd/coredump"
"/etc/secureboot"
"/run/secrets"
];
users.cr = {

23
modules/system/secrets/organization_scope.toml Normal file
View file

@ -0,0 +1,23 @@
{
"data": "ENC[AES256_GCM,data:vwfjHpLbHG8g79CpMpsDzYAk0vlfwKuWUTSZnKzGwCZW5rrFFBLamQoZLt5HpvvsGqBrqRditj+GSsHsZAzxz25Vfv7dcyvz1AdaFI56zmU1NzSK+RAyucPZfnjV98vJUqFgVmOFQBkv0o1ThrzXmE8jd1Osz7qKIoy/+rHCzqsBw8wFD3tMe4UjGtkI9DYFSJUh1Ym9PjBE,iv:JeLgCfQXvjWNk8BypNbqJw1+OHawEDQSCdamq0C+lis=,tag:XZUy4g3W4O9L/c1PXlooKA==,type:str]",
"sops": {
"age": [
{
"recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSy9XdnBQbld5Ly9ET3ZR\nb0U3aW16LytkOUdxNmNVUU40V3NZTWNnNEJjClA2WE5XS0xjdUN3TENoRWlaR2Vn\nQ0MzTnBzME42TVY0cFRQNk4xcng1dkEKLS0tIFJOSC9OT01TNTZTWERjRXFCZFVq\nbEpFRHpVYXI0YXJYcjVxN3hkWEpZM0kKynHKxZwBUWiCdUx/fqYsWWHmIJLrYGTC\naXQXbjR2fprPsyZb7tTZ4L8DtxdjKgmxsbgi+8QYumy/S/ivH4Gipw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiYVU3V2xkNm9qRGd5enBB\nK3YyRjN1YjhDbjRsbEdteVRFa3Q2QkNPZDNNCkI4Qk1kcU9XUlo2eXpDdnl0WFdN\nSnZweHFIZmQ0UjBoRmxzekxoRDhNRVEKLS0tIGE2d1o2czVMbXFzODl4NjZib2Nv\nNnVZMVJScGc0cTRlYzVocHpPdmlsekUKlsFnd1aNCDBBlCto+vBdchtaRBJ/7LJT\nrW4h5YE9RbbMF1TEJOJf+Pkeikgkv3EPOHdH3eJPJ5yckNA4tc67ag==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneUFoZ1FtYmJuRnppRHMx\nQWZQK2xGWmNFMXQvNldNSFVLMUVka1p2MmpNCkFWSHozVGQxeVRiZFVwRnU3RkEv\ncDYxRE1ESVNrcW45c0IxQWwwSlJ2aEUKLS0tIG0veVU3YXJuZURCS2JkOXptV09J\nQzlpNVBqSC9sQVh5dDJpb3c2M3dlOTQKu3PufhYt42QwB1ncc2QjBSdTbJ5EYu2z\nRFrAz2nq0rRDIjL4EFHdlSFWgI2amQwpbgZxy/+YeEpWO/Zd7uGX3w==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-09-03T16:39:42Z",
"mac": "ENC[AES256_GCM,data:DkWLyVJQIhQDOqUD2W61E+dxQVgxwqqJAVuKh6LPMOihj1MbjFDgU1YEf+CJG3sN5iQt9LtshqFZMOpy8NYMBT+8korofuaa3DeAulg3UAb29lkiXNAkrysMFUmtWUEjvKzWNuo7fGzJj0IUzIGi+HRdZXrK8y25XnVv+6bxcmE=,iv:fJjHxGmBvSPMTqwRuP2JJUEdzVPfEvnNbSZgYHTy47E=,tag:HxA6t69e/l7xYBbEiDJ0Xw==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

32
modules/system/secrets/personal_info.json Normal file
View file

@ -0,0 +1,32 @@
{
"real_name": "ENC[AES256_GCM,data:R7Kac0dwMbxmCw4hpw==,iv:CijNtk8WiPlEwIg0OLu4ILLE2wh0W9HXm9OK9/Da+ng=,tag:NK2N6faooEknURwLuVP7OQ==,type:str]",
"real_email": "ENC[AES256_GCM,data:wwXcdxZQDxt2gnWP1qf9cw==,iv:fkx0m72FF7pB15fHRxObsTaLdnkOsexCgzOyfpoGFmE=,tag:mj2/4cofrJSIOqdAWiWstg==,type:str]",
"university_email": "ENC[AES256_GCM,data:WPy2AckQPWn+1OHJuTM=,iv:o2AT+RMUfCFVWaoD5D/GV5aq9kOgD/rCaHzwqYFIjig=,tag:KprTGSH2NvsrOCvhxLL/9w==,type:str]",
"organization_short_name": "ENC[AES256_GCM,data:dTVFz51V,iv:5sUc4qUIu+QNzmWihAXgyfRwZAdjEq9/prJCxpB2jbg=,tag:r91kaPi6p4heizRy5duFrw==,type:str]",
"organization_email": "ENC[AES256_GCM,data:GNBt9fXxBkh3z8L+DeD/mhBz14mJjkeX1wk9rHkUTg==,iv:7/VLeL3s9/CL2VtDiWFJNx+VJuGsGamWbcIG/MxNlC8=,tag:/KOXA6gII3Wrmgd9wjhD+g==,type:str]",
"bitwarden_url": "ENC[AES256_GCM,data:vhEVMZwDyQhQtXYR1diLQIDf6urqu03VC+M=,iv:icG6ieX9WjAj5Y4DpmSJaBvcqjksll3tWtWE5psaK08=,tag:+tIURDxZxv6qXR8B/eVyfg==,type:str]",
"sops": {
"age": [
{
"recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WUlpSkI5dElCVmpzNEw5\nc2pTaFBxWWNoOVJsb0NBWkw4VFQ4aDN4WFU0CjBSKy9oc2pJVzl0M0Z3bUpvNzB4\neU1RT2JWMndHUUFITE03aDBDU1BoUVEKLS0tIC9DNE9ZUnJMb0V0dlpkSUFYNk1K\nTnhRMTl0eENpRmhhYlhKTVg4MGlSS3MKMWY+ezH2HjRd5p/KqUBCFU8sn+FmYd/f\nrHQZhPo481+U6zMyiiu35lcujNRcEtJfcIAL2tobiTDNLQs94re5fg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqYVZ4THhxVlkzRi9ETTht\nOWtINWUxU0R1SGZhK3FqbHdSWmlhaGc1WGpZCklqL2Jpb2F0bzJqYXZHZVZHS25L\nZVc0dnRBOG9lVTZYQkpkQTVKY04zTjQKLS0tIGdVK1Y2VFFMbTVmVWo2eFpKbFY1\nYU5LaW90eWxDNUlhMmRnTTEvRTA1ZkEKFnX/HzVMIK9XT+cO80cCzVJxIj3dicjG\nbvxz/o7/dVmmx0bUusWIiR/SA5JXPkbi0C8F+llkPoYV3idWUOvnKA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age18ga6m08fjs2azav73sl8y4xudhld9ger3zwpnc5euy2j3cjam35sstud9w",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbFBXZFdFQjREeVpaelhQ\nWGVBOWNnNERYT0JGSDNsWDYzcFA1Q1R0ZlVRCjJ4V3R5UU1zT0FJTU5taEgrRmht\nY3J5OG1qREV1a3FTSy9hMmZubXVDMFEKLS0tIFplOHpkTmZkWDBYSUxQVkxjZ215\naS83dUdUMFVhVkZaWW55akxiM2dPaU0KTVp2Bwt9/UD42HJ9UJRYwWQrmbxxXdKF\ngjKHvWNiASiPczj/DDuGDR0tjbYvtS2DTqDLECr3EQYqRIiPW8Lq9g==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SStPblpVVFRpbk9FWGxl\nY25yUXpkUFlxV1lkSjlpZUZlY212L0prN21vCmtlVDJQcWV4TjlYNnFUSmI2Tkxp\nMHYrTi9aMmNlY25penJKR1NQN1VJWW8KLS0tIDNvVUcyUXdCR2xPTkZjWTRqenhm\nMk5oU0tOUHVmbmhUSklHQ2s5dVlLbVkKoRvSoy2BsJaOdCuOW1lD1vGpu8czakmA\nWztrXYqwo57E6z2dPjb0Fo/RJlo4OWQ2/bYOYYpq8aS1HvuRV5096w==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-09-01T21:25:00Z",
"mac": "ENC[AES256_GCM,data:CUMEpOwIw+/RIOyr6aE2YVZiJLGY8FhMv0IOUIFV1kHveOEtAkNWbRzOV1o1cq9pA9ot0dKn4KZRLuUZ+uJzCrxwBHILBZMFksS0czSPgLfg0uz9mJ2u1pPjvoUcQRuIOUN1Id32zQ/W36nPEpR3J/Jomx5nCVNiFmZSteZCx+E=,iv:wGzjsGMJ72ejDCiHN6Xo1ZP5ho1F++WZrwE2YwCN8ns=,tag:Ev1xjuwta6KL8lnPbhliyw==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

27
modules/system/secrets/secrets.json Normal file
View file

@ -0,0 +1,27 @@
{
"factorio_token": "ENC[AES256_GCM,data:l6o2LzFRcY43lieDBaFOk5ACqmp408AZNinfF2c7,iv:AiXRw30CZ9dJYP2jBvK89LiwG+d8sbQmyWVMDDUpxYU=,tag:/oHfsW6NFmr2bnH0WXMQWw==,type:str]",
"sops": {
"age": [
{
"recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWU56Y2ZRaW9BU1Z6ZmFl\nckxqTllsOGl5Rmp0bTNIR0lCWlpDZjlnQnkwCkJzbVJqbUlaUkNINWpuMlNweUJa\nT0FhNFNMMi9OcnBVT0dOM0g2bS9aQTAKLS0tIDN2NXQ4VlFRNjUxRDZkeVNYY3Zo\nSDF2M2dCZGQ3am9MTTErWVlrQVBUM1UKME4+7N01byHhzcH4p1js4RazQtI38bm7\nlSUztxOz/d4g4zt9DcyFQ0z1XobiGPjij7TM5BHkK37c1u2uKdnVwg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbUkvMmtWcFhsT3hqOTZi\nMGVER0xCRFNrTUJMYm1ud0JwcGVsSXdEd25JCmV6NVJOQ25CbHJybnREZFZlbXd1\nMDBqTXJ6WmVUSlBCMFRQdUVPYml6dWMKLS0tIE9Nd2NFbSttTkZXYUVERzhsL2pn\nai90U0xLYkpNTTBNdW5SOVcxaDlFblEKZ4/9KzcB/z54IUTve3sD7vCV9fzxrNfb\nimtHIsDMS1QAOo/o5B7gqR0OAobQTi34LJmLNKC/b21syo6CUXnbsg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVem9QL3VMSTZDN3VrQ3NN\nZG4wam50Zk1pZGZYOStlZWxwU1B2eEhWMWlrCkcvMU1rUnhJRFdodVkwcTB1MFVI\nZWM3NDJoYTMwamZYdTRXMW5VTE9Xak0KLS0tIHBmVWI2eHdvOFJnSXhYVzFlbUR5\nenFoVTc5SDJJb3hFemlqbGxEVnpLMTQKXOi7TnhFbY2c5yD6UM0be5YhSgmplmgr\nQxXYsqjyPQBRsg7L+R5ZWc1VbtYZpGfsq7z3uaCnLKpJceKyEuVjOg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age18ga6m08fjs2azav73sl8y4xudhld9ger3zwpnc5euy2j3cjam35sstud9w",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TjVhaXA4b3RyUWRmVnox\nYVVTbDdzY2wxNDdIb1JBNFFLUVJBQ2RQU2xFCjJvRC9BenJTTFpIL2dSaGxTRXVt\neDhJbHR1WXRlYlVOQmt5Zlk2Z0V1TFUKLS0tIG1DWXFFWDE3ZVgzcEwraVFMNlZB\nQ2VxMnBDazUzUDRtYW5CdnZqUGQzeTQKo8iUBT5Me74N2jtXlZ+/ENwn/sOeOAOi\nyAX0p2M8YOPeQGRFpUGFcL4ww5PP+1VP01i6biJHwG1F90KXH0MLVg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-09-04T19:38:09Z",
"mac": "ENC[AES256_GCM,data:2QT0gRTp1eiu+ugKJXeLWcw1O+9RElL5R8zl0vUu8gBpR381xW7anQIwpZ1A/3rKnaosD4g/yvsoXioMv6ueeZ66A4HX8gXhQbGt2o4In2rY2/LpXMIG4xS3u380kvaCfU83Aib+rkOKfOyeNaOtN8nNiyIWwZeHzj7AObng+6o=,iv:wZVGSFiFU5ddjw5HMZwYc2khKyTYHVYQD6WOWGcoFxM=,tag:ZDkJsTKQzzb8PyaVOr+TrA==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

27
modules/system/secrets/server_secrets.json Normal file
View file

@ -0,0 +1,27 @@
{
"tuwunel_token_file": "ENC[AES256_GCM,data:U4zCJdLb2k9Lz4blu0PJnEThODSMr4q8CfxJfV3MnRHzTMBTnUrsoIGe9OLdXKUClbwh,iv:RLJNK2onDbjndnV1dxZP4kDi/4uG+vpJXJEwFfXgX0k=,tag:LnYm++1RRyA6pOgwt3uKnQ==,type:str]",
"sops": {
"age": [
{
"recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ck51OThhMTdZTU82ZGp1\najZUMGIxcUV1ZG5NNmlPdnhpYU1MVzNkTUFnCmpvcXZhejN6cUFjUFQ4algySWtS\nVjlmbVlqTzdneFU3a1cyb1JaNjNIOFEKLS0tIEh0U1Z4OE1sRjhjSkU0Ymo2NWpm\nbDFkTnlsZG1wWVJxZVE5SlNJK3N0d1EKRofs4HxDqnlNMQ9tSsioL2WBpGkHFGyd\n0PmS3EMzaoC1i+c7iCA4Loa9MboXAaptusU9RwGNNH2brEr/VveyHA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKa2ZOa1JOM1dwV3RyZGFV\nTWcxdDhVOFN4WXJFWHVGU3lWOUJPTTR6RWlnCjA2ekpjd3Z5QnZRRUJ6NDB6WERw\nV2ZzdnE1OWRrZEJKMWJMK3Yvek9HM3MKLS0tIDdJTVd6NTdsU1EzbmN4ckFNcDhh\ndFoxSXlodkd0eU16TGE1eFMrbUpQaDgKHomclyqK1IfRGC0A22VfSPtL8sgAsgCb\nGyaeimbU+PbJ+ccgOlqHrEFDmvNPoUX4BQpJnNtmRE/0b9vWdmImqA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvaCswRUltdmJGVlJ1bW1Q\nb29OVDAvbTNpTTlmNE9CS0VVRG1tZFdlL1NJCmRMaEpyTnRjWElURk9KdExWL1lj\nRWx1L2szYUNTTkpPL2xUSlVTYjdFYmMKLS0tIHk4eE1WQ0xkanRwN0VHVXZSakd0\nTGt2R01iSWFTQkd3WGZqVlR1TXNTZVUKC37r0ncK4QVlRpdsbY/B4p7dv4pLpU62\nwybk8LbRtnnWClMgnfOqwxf3hmpLPfZbq6frEaxAiJNJ2Im3FDv2EQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age18ga6m08fjs2azav73sl8y4xudhld9ger3zwpnc5euy2j3cjam35sstud9w",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK2F4NzIvTVNTSnFpaDdr\nSXhOL0VuUStTakhlalk5dDNrTjE4OUU5ckFrCmJ5ZzEySHMvT3lEd090bmZKOTBi\nQ0VuS2M2L29pK0tTbzF5NWZQWEVma2MKLS0tIEhFV1ZUNU5YWTliR09mS1FaUmNB\nRlFwbTZGUWh1VXhPU3hOT0N4U2s2RVEK6hlPy0ir3hf9JZ9ZPID3r6W3eewrzLNz\nDFhoK2cH6/2FtcBPLRxQkVRAimeFJrdalv1TJ6BZHUT6bkt7PTlkZQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-09-05T14:59:59Z",
"mac": "ENC[AES256_GCM,data:rJpbVc3WQSW9KzxX6fPZoKXf0Gg/nyS5UPRL505tBkzXWvL29K/Q+of5+139Y2vcvLPbWCF8FoOd+BQ0dAh7R3QCUuObjkt6eBqNZN1gxqG1me0NttZxmu3K4doI1uHrN8wSL4frgpMSFS2pAtxivd8Uqs/a32HieQcf1eshqEw=,iv:5vzhK2CucHXrTeux52+8tjaLbL2fvsB1StLHRLDpYuk=,tag:XFSVY6GbCwxxqljYAM8l8Q==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

146
modules/system/secrets/sops.mod.nix Normal file
View file

@ -0,0 +1,146 @@
{
config,
inputs,
lib,
pkgs,
...
}:
let
inherit (lib.attrsets) attrValues attrNames;
inherit (lib.strings) concatStringsSep hasSuffix;
inherit (lib.lists) flatten remove;
inherit (builtins)
fromJSON
listToAttrs
map
readFile
filter
readDir
;
fromYAML = (pkgs.formats.yaml { }).generate;
# get the age key for a machine using
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'.
# sops_master_key
master_key = "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc";
# tempeance /persist/etc/ssh/ssh_host_ed25519_key
temperance_host_key = "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85";
# hermit /etc/ssh/ssh_host_ed25519_key
hermit_host_key = "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff";
# tower /etc/ssh/ssh_host_ed25519_key
tower_host_key = "age18ga6m08fjs2azav73sl8y4xudhld9ger3zwpnc5euy2j3cjam35sstud9w";
sops = pkgs.symlinkJoin {
name = "sops-wrapped";
paths = [ pkgs.sops ];
nativeBuildInputs = [ pkgs.makeWrapper ];
postBuild = ''
wrapProgram $out/bin/sops --add-flags " --config ${sopsConfig}"
'';
# --age ${keys}
};
mkRecipients = list: [ { age = list; } ];
sopsConfig = fromYAML ".sops.yaml" {
keys = [
master_key
hermit_host_key
];
creation_rules = [
{
path_regex = "secrets.json";
key_groups = mkRecipients [
master_key
hermit_host_key
temperance_host_key
tower_host_key
];
}
{
path_regex = "personal_info.json";
key_groups = mkRecipients [
master_key
hermit_host_key
tower_host_key
temperance_host_key
];
}
{
path_regex = "server_secrets.json";
key_groups = mkRecipients [
master_key
tower_host_key
hermit_host_key
temperance_host_key
];
}
{
path_regex = "uni_scope.toml";
key_groups = mkRecipients [
master_key
hermit_host_key
temperance_host_key
];
}
{
path_regex = "organization_scope.toml";
key_groups = mkRecipients [
master_key
hermit_host_key
temperance_host_key
];
}
];
};
secretFiles = filter (file: hasSuffix "json" file) <| attrNames <| readDir ./.;
secretNames = file: remove "sops" <| attrNames <| fromJSON <| readFile <| ./. + "/${file}";
fileModes = {
"personal_info.json" = "0444";
"factorio_token" = "0444";
};
generateSecrets =
file:
map (n: {
name = n;
value = {
sopsFile = ./. + "/${file}";
mode = fileModes.${file} or "0400";
};
})
<| secretNames file;
in
{
imports = [
inputs.sops-nix.nixosModules.sops
];
config = {
sops = {
defaultSopsFile = ./secrets.json;
defaultSopsFormat = "json";
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = (listToAttrs <| filter (x: x != [ ]) <| flatten <| map generateSecrets secretFiles) // {
uni_scope = {
sopsFile = ./uni_scope.toml;
format = "binary";
mode = "0444";
};
organization_scope = {
sopsFile = ./organization_scope.toml;
format = "binary";
mode = "0444";
};
};
};
environment.systemPackages = attrValues {
inherit sops;
};
};
}

23
modules/system/secrets/uni_scope.toml Normal file
View file

@ -0,0 +1,23 @@
{
"data": "ENC[AES256_GCM,data:l4IvlpDrDVnlArtnixJqwI0Ai3xG5jF5clhLGWOrqywd0lnKFjNDuEMcHlKN6cGmeFwX6i/6qkXcKT//pKNQDUvALzDY8PNp9AKV9/NmnQ7ZWzpyScXNqMnNwgs9+TA5SpKAZseVpEk3Nle29Jbene9BTYL614tlkL/uXO5KLLQAPZ4GGQ==,iv:qmrKAfdaDh3dVY95oKo666Knw7F29hi3O7zDIZFyYbc=,tag:Db54A+7rW7Amctx9lL9yBA==,type:str]",
"sops": {
"age": [
{
"recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlLzZCMVNkcmRMQTIvdk5N\nUVZ6TUVBT2s3RTYxMVlJZHU4RzFjVUdIckVZCks2MDRJSDdYVkpHN3llUXNnZDc5\nV29zMm12TmN6K0t3VmY2MmFBVVdZd1EKLS0tIFNXREFUOUoyZTNuWFdNdXBYY3FT\naTBickFBOUhBUTFvZXhMVHNGRmR0T3MKdSUtmD9xB5qypB+hj62/U57VyOzj5yt7\nhOoNvkOyVJuRWwtwEo8SBMKvFs+mzULqHJh7slFamM6VjEokhDE+zw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsaXRGOXp5ZEVFcGN5V1JL\nM1NIcEhMUEFOZUJxRi9iYXJSRXhEZHVWZUdBCmxtN00yRXV2U0RlOUhiVU5PS2xz\nUWRYdHltTnlaQmR3SnJpY2VTbThKOGMKLS0tIEZiQlJLRDhvL2pMaEx5ZEpoS2xi\nQmdxcG9lTHVVYUlnY3JyOW1ybnEwc2sKqi80VUMu5lgXPbkQDGp4C7JuWSwESSqy\nVbm4TdvAXEn69t03O4+Vff+Bx5HsAzcWerA1+ZvlLBdkAYcGC2YKIw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkMjJBb3RROUFkWURZejlv\nYXVXK0pkK2ZPTHpSZEJoaTlFY2hYMm1xREQ4Clh1VFFWVkRqTnJoT01EZkg3VytX\nakZ4UUJ4MSt4WVg3R2ZRRXJraUtxWFEKLS0tIHRWNjJYU1QydFZUZ0UzWmoyeU9t\nZ0gyMzRkOEt6TVZQMTZmdGpaUU9rTVkKct5ZlfiPrEJWC3hZsESbEr5ewUWgFL7r\n5WESkGmeA1coph5XzbO+asEfPcs2kRCZcOzRSsU55SNTwloDyCtuWg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-09-03T16:39:27Z",
"mac": "ENC[AES256_GCM,data:awRHWYorrKxyF1qUIXO6JZ6mVI3iCOSK9eVbltvaO2xCqdlyDEzRR5gvj2IZuK+I9rubPmlgB3/VfIeK/Kn1VbHGuKfRoHId9mwL27VgnOeD6UPQFMkqs0n/vYBydZUcy/U6QUnQnrqTt6V28yzgaqRaj2pR/ipPm7NMDjj1JkI=,iv:6+dmOJOMfkQu44b4T7oYQxh/NnpBTEtgXGnBh+3CpxI=,tag:jdzLQ+74sH6s/Lc2iT5V9g==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

BIN
secrets/organization_scope.age
View file

Binary file not shown.

BIN
secrets/rbw_config.age
View file

Binary file not shown.

29
secrets/secrets.nix
View file

@ -1,29 +0,0 @@
let
faukah = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGeejxEV2IZyiXKnh4EqfplfBHAAHrfYo7nXqr2MMlZ" ];
hermit = "";
temperance = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkxWaadx+19Zm4T5ScuNnrBcDvNNke6dUUAdTTJs0wF";
tower = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBWgQaeT0AVdfDWbOBfjHNW1XVmRbnrJ4SdrDV52LJcZ";
systems = [
hermit
temperance
tower
];
in
{
"organization_scope.age".publicKeys = faukah ++ [
hermit
temperance
];
"uni_scope.age".publicKeys = faukah ++ [
hermit
temperance
];
"rbw_config.age".publicKeys = faukah ++ [
hermit
temperance
];
"tuwunel_token_file.age".publicKeys = faukah ++ [ tower ];
}

7
secrets/tuwunel_token_file.age
View file

@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 esTGig oxyT3fMRR7TqPGq4sl0OqeaqTlzAxCCeHMsipCUfXkY
IVPz6CQ8QGZcrW/GWdi5AwTL2OCDBgZ6YTOd0RndLxU
-> ssh-ed25519 1m6k0Q XV1LqwhxumepyWsPFaql0KMD69T4HjGSips8VDZaL2o
0M/f1mfyOVt/qzutsKPAyfRDQ+zcGmeRkaMZqo/Yfzw
--- hlUxkTa5TKDRqiJYwHEUIKT5daWAx+cIsGVh952jtDA
Uîò±ž>v6ÛæGÁ#û<b¡Œkáú«É4]ɽ⌬æ<â@}SÁLÖ²¥lÎöÅ{nföÁžœ Ü[ñ+ŒSŽ¾ãïk2¯¶þûQ<C3BB>_

7
secrets/uni_scope.age
View file

@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 esTGig hQGR8v46uXOg6dL7STwden7O6OosaehUZ6J2jFOXRDk
MDRxJNWL9SHT5lW2CTJS4m96Xl9Z6HXQ0xtPcBcqdPY
-> ssh-ed25519 wOh7DA W9VB99g0YQT6HeSiSf79qbL8rxp9hkEPJJJvXfxesxo
vkK+7+/H6GxabsDT3jUMzl6lgUXVfzwXFPGAmoRJ5PI
--- JA3McSNaH9i3nkz/C6TQEW4Stl1UKk2PKufQAp6dWaI
?ÖûÏó[kŒ`“U ¾c*ŸFËß2àãšs<C5A1>ÀåSw0šÉ_²ä.¥êWÛîgã+ ¾½{èJIîMx%Þ©a <0B>æð{#och0Iq«¸ôéQ ®éé,A¡Î#wžÕ¼¾Ê"—È_ ØL`ð_ÞªÚæ72…å{»k˜Šõ9©3<C2A9>ãõX¦ŸLëõbÔ?ø%ÓäxN¶|r‡cKe ÉÎF