diff --git a/hosts/arumi/configuration.nix b/hosts/arumi/configuration.nix index c20e7d0..7f2a4ce 100644 --- a/hosts/arumi/configuration.nix +++ b/hosts/arumi/configuration.nix @@ -4,6 +4,7 @@ imports = [ (modulesPath + "/profiles/minimal.nix") (modulesPath + "/profiles/qemu-guest.nix") + (abs "lib/desu") ./disk-config.nix ./services/sing-box.nix diff --git a/hosts/arumi/services/mumble.nix b/hosts/arumi/services/mumble.nix index 9522ddf..98ed5df 100644 --- a/hosts/arumi/services/mumble.nix +++ b/hosts/arumi/services/mumble.nix @@ -1,16 +1,9 @@ -{ abs, config, ... }: +{ config, ... }: let - secrets = import (abs "lib/secrets.nix"); - UID = 1101; in { - imports = [ - (secrets.declare [{ - name = "arumi-mumble-env"; - owner = "mumble"; - }]) - ]; + desu.secrets.arumi-mumble-env.owner = "mumble"; users.users.mumble = { isNormalUser = true; @@ -33,7 +26,7 @@ in { "64738:64738/udp" ]; environmentFiles = [ - (secrets.file config "arumi-mumble-env") + config.desu.secrets.arumi-mumble-env.path ]; user = builtins.toString UID; }; diff --git a/hosts/arumi/services/sing-box.nix b/hosts/arumi/services/sing-box.nix index f2ee6b2..38d0744 100644 --- a/hosts/arumi/services/sing-box.nix +++ b/hosts/arumi/services/sing-box.nix @@ -1,15 +1,9 @@ -{ config, abs, pkgs, ... }: +{ config, pkgs, ... }: -let - secrets = import (abs "lib/secrets.nix"); -in { - imports = [ - (secrets.declare [ - "arumi-singbox-pk" - "arumi-singbox-sid" - "arumi-singbox-users" - ]) - ]; +{ + desu.secrets.arumi-singbox-pk = {}; + desu.secrets.arumi-singbox-sid = {}; + desu.secrets.arumi-singbox-users = {}; services.sing-box = { enable = true; @@ -31,9 +25,9 @@ in { reality = { enabled = true; handshake = { inherit server; server_port = 443; }; - private_key._secret = secrets.file config "arumi-singbox-pk"; + private_key._secret = config.desu.secrets.arumi-singbox-pk.path; short_id = [ - { _secret = secrets.file config "arumi-singbox-sid"; } + { _secret = config.desu.secrets.arumi-singbox-sid.path; } ]; }; }; 
@@ -49,7 +43,7 @@ in { systemd.services.sing-box.preStart = let file = "/etc/sing-box/config.json"; in '' - users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "arumi-singbox-users"}) + users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path}) ${pkgs.jq}/bin/jq --arg users "$users" \ '.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \ ${file} > ${file}.tmp diff --git a/hosts/arumi/services/uptime-kuma.nix b/hosts/arumi/services/uptime-kuma.nix index 8b25365..9d43099 100644 --- a/hosts/arumi/services/uptime-kuma.nix +++ b/hosts/arumi/services/uptime-kuma.nix @@ -1,19 +1,12 @@ -{ abs, config, ... }: +{ config, ... }: let - secrets = import (abs "lib/secrets.nix"); - UID = 1100; in { # we use cf tunnels because 443 port is used by the proxy, - # and it's also generally easierbrew install cloudflared && + # and it's also generally easier - imports = [ - (secrets.declare [{ - name = "arumi-cf-token"; - owner = "uptime-kuma"; - }]) - ]; + desu.secrets.arumi-cf-token.owner = "uptime-kuma"; users.users.uptime-kuma = { isNormalUser = true; @@ -31,7 +24,7 @@ in { PGID = builtins.toString UID; }; environmentFiles = [ - (secrets.file config "arumi-cf-token") + config.desu.secrets.arumi-cf-token.path ]; }; diff --git a/hosts/koi/configuration.nix b/hosts/koi/configuration.nix index 52b80f6..e7c2f76 100755 --- a/hosts/koi/configuration.nix +++ b/hosts/koi/configuration.nix @@ -8,6 +8,7 @@ imports = [ (abs "hosts/nixos-common.nix") (abs "users/teidesu/server.nix") + (abs "lib/desu") ./hardware-configuration.nix ./partials/fde.nix diff --git a/hosts/koi/containers/bots/channel-logger-bot.nix b/hosts/koi/containers/bots/channel-logger-bot.nix index 149ebf0..6c5d823 100644 --- a/hosts/koi/containers/bots/channel-logger-bot.nix +++ b/hosts/koi/containers/bots/channel-logger-bot.nix 
@@ -1,16 +1,9 @@ -{ abs, config, ... }: +{ config, ... }: let - secrets = import (abs "lib/secrets.nix"); - UID = 1105; in { - imports = [ - (secrets.declare [{ - name = "channel-logger-bot-env"; - owner = "channel-logger-bot"; - }]) - ]; + desu.secrets.channel-logger-bot-env.owner = "channel-logger-bot"; users.groups.channel-logger-bot = {}; users.users.channel-logger-bot = { @@ -25,7 +18,7 @@ in { "/srv/channel-logger-bot:/app/bot-data" ]; environmentFiles = [ - (secrets.file config "channel-logger-bot-env") + config.desu.secrets.channel-logger-bot-env.path ]; environment.MTCUTE_LOG_LEVEL = "5"; user = builtins.toString UID; diff --git a/hosts/koi/containers/bots/pcre-sub-bot.nix b/hosts/koi/containers/bots/pcre-sub-bot.nix index f6311ca..ecb1572 100644 --- a/hosts/koi/containers/bots/pcre-sub-bot.nix +++ b/hosts/koi/containers/bots/pcre-sub-bot.nix @@ -1,16 +1,9 @@ -{ abs, config, ... }: +{ config, ... }: let - secrets = import (abs "lib/secrets.nix"); - UID = 1101; in { - imports = [ - (secrets.declare [{ - name = "pcresub-bot-env"; - owner = "pcre-sub-bot"; - }]) - ]; + desu.secrets.pcresub-bot-env.owner = "pcre-sub-bot"; users.groups.pcre-sub-bot = {}; users.users.pcre-sub-bot = { @@ -25,7 +18,7 @@ in { "/srv/pcre-sub-bot:/app/bot-data" ]; environmentFiles = [ - (secrets.file config "pcresub-bot-env") + config.desu.secrets.pcresub-bot-env.path ]; user = builtins.toString UID; }; diff --git a/hosts/koi/containers/conduwuit/bridges/telegram/default.nix b/hosts/koi/containers/conduwuit/bridges/telegram/default.nix index 67b35b6..b5fb774 100644 --- a/hosts/koi/containers/conduwuit/bridges/telegram/default.nix +++ b/hosts/koi/containers/conduwuit/bridges/telegram/default.nix 
@@ -1,20 +1,13 @@ { pkgs, abs, config, ... } @ inputs: let - secrets = import (abs "lib/secrets.nix"); - trivial = import (abs "lib/trivial.nix") inputs; env = import (abs "lib/env.nix") inputs; UID = 1108; bridgeConfig = pkgs.writeText "config.yaml" (builtins.toJSON (import ./config.nix)); in { - imports = [ - (secrets.declare [{ - name = "mautrix-tg-env"; - owner = "mautrix"; - }]) - ]; + desu.secrets.mautrix-tg-env.owner = "mautrix"; users.groups.mautrix = {}; users.users.mautrix = { @@ -41,7 +34,7 @@ in { }; entrypoint = "/entrypoint.sh"; environmentFiles = [ - (secrets.file config "mautrix-tg-env") + config.desu.secrets.mautrix-tg-env.path ]; user = builtins.toString UID; }; diff --git a/hosts/koi/containers/conduwuit/default.nix b/hosts/koi/containers/conduwuit/default.nix index 529945a..bcb5861 100644 --- a/hosts/koi/containers/conduwuit/default.nix +++ b/hosts/koi/containers/conduwuit/default.nix @@ -1,18 +1,14 @@ -{ abs, config, ... } @ inputs: +{ config, ... }: let - secrets = import (abs "lib/secrets.nix"); - UID = 1107; in { imports = [ - (secrets.declare [{ - name = "conduwuit-env"; - owner = "conduwuit"; - }]) ./bridges/telegram ]; + desu.secrets.conduwuit-env.owner = "conduwuit"; + users.groups.conduwuit = {}; users.users.conduwuit = { isNormalUser = true; @@ -29,7 +25,7 @@ in { CONDUWUIT_CONFIG = "/conduwuit.toml"; }; environmentFiles = [ - (secrets.file config "conduwuit-env") + config.desu.secrets.conduwuit-env.path ]; user = builtins.toString UID; }; diff --git a/hosts/koi/containers/kanidm/default.nix b/hosts/koi/containers/kanidm/default.nix index 98727f8..3c56f5f 100644 --- a/hosts/koi/containers/kanidm/default.nix +++ b/hosts/koi/containers/kanidm/default.nix 
@@ -1,23 +1,15 @@ -{ abs, pkgs, config, ... }@inputs: +{ config, ... }: let - secrets = import (abs "lib/secrets.nix"); - UID = 1111; in { imports = [ - (secrets.declare [ - { - name = "kanidm-tls-key"; - owner = "kanidm"; - } - { - name = "kanidm-tls-cert"; - owner = "kanidm"; - } - ]) ./proxy.nix ]; + + desu.secrets.kanidm-tls-key.owner = "kanidm"; + desu.secrets.kanidm-tls-cert.owner = "kanidm"; + users.users.kanidm = { isNormalUser = true; uid = UID; @@ -30,8 +22,8 @@ in { "${./server.toml}:/data/server.toml" "${./style.css}:/hpkg/style.css" "${./fish.png}:/hpkg/img/fish.png" - "${(secrets.file config "kanidm-tls-key")}:/data/key.pem" - "${(secrets.file config "kanidm-tls-cert")}:/data/chain.pem" + "${config.desu.secrets.kanidm-tls-key.path}:/data/key.pem" + "${config.desu.secrets.kanidm-tls-cert.path}:/data/chain.pem" ]; user = "${builtins.toString UID}"; diff --git a/hosts/koi/containers/navidrome/default.nix b/hosts/koi/containers/navidrome/default.nix index 37529e9..2e27fc8 100644 --- a/hosts/koi/containers/navidrome/default.nix +++ b/hosts/koi/containers/navidrome/default.nix @@ -1,16 +1,9 @@ -{ abs, config, ... } @ inputs: +{ config, ... }: let - secrets = import (abs "lib/secrets.nix"); - UID = 1102; in { - imports = [ - (secrets.declare [{ - name = "navidrome-env"; - owner = "navidrome"; - }]) - ]; + desu.secrets.navidrome-env.owner = "navidrome"; users.groups.navidrome = {}; users.users.navidrome = { @@ -29,7 +22,7 @@ in { ND_CONFIGFILE = "/navidrome.toml"; }; environmentFiles = [ - (secrets.file config "navidrome-env") + config.desu.secrets.navidrome-env.path ]; user = builtins.toString UID; }; diff --git a/hosts/koi/containers/pds/default.nix b/hosts/koi/containers/pds/default.nix index 144fc3e..76cb685 100644 --- a/hosts/koi/containers/pds/default.nix +++ b/hosts/koi/containers/pds/default.nix 
@@ -1,17 +1,10 @@ -{ abs, config, pkgs, ... }@inputs: +{ config, ... }: let - secrets = import (abs "lib/secrets.nix"); - UID = 1106; in { - imports = [ - (secrets.declare [{ - name = "bluesky-pds-secrets"; - owner = "bluesky-pds"; - }]) - ]; + desu.secrets.bluesky-pds-secrets.owner = "bluesky-pds"; users.groups.bluesky-pds = {}; users.users.bluesky-pds = { @@ -40,7 +33,7 @@ in { }; environmentFiles = [ # PDS_JWT_SECRET, PDS_ADMIN_PASSWORD, PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX - (secrets.file config "bluesky-pds-secrets") + config.desu.secrets.bluesky-pds-secrets.path ]; user = builtins.toString UID; }; diff --git a/hosts/koi/containers/sftpgo/default.nix b/hosts/koi/containers/sftpgo/default.nix index e48095d..474b2f6 100644 --- a/hosts/koi/containers/sftpgo/default.nix +++ b/hosts/koi/containers/sftpgo/default.nix @@ -1,19 +1,15 @@ -{ pkgs, abs, config, ... }@inputs: +{ config, ... }: let - secrets = import (abs "lib/secrets.nix"); - UID = 1112; WEBDAV_PORT = 16821; in { imports = [ - (secrets.declare [{ - name = "sftpgo-env"; - owner = "sftpgo"; - }]) ./samba.nix ]; + desu.secrets.sftpgo-env.owner = "sftpgo"; + users.users.sftpgo = { isNormalUser = true; uid = UID; @@ -44,7 +40,7 @@ in { SFTPGO_HTTPD__BINDINGS__0__OIDC__IMPLICIT_ROLES = "true"; }; environmentFiles = [ - (secrets.file config "sftpgo-env") + config.desu.secrets.sftpgo-env.path ]; ports = [ "${builtins.toString WEBDAV_PORT}:80" diff --git a/hosts/koi/containers/sharkey/default.nix b/hosts/koi/containers/sharkey/default.nix index b0bb363..d815dec 100644 --- a/hosts/koi/containers/sharkey/default.nix +++ b/hosts/koi/containers/sharkey/default.nix @@ -1,10 +1,8 @@ -{ abs, pkgs, ... }@inputs: +{ pkgs, ... }: let UID = 1104; - trivial = import (abs "lib/trivial.nix") inputs; - - context = trivial.storeDirectory ./.; + context = pkgs.copyPathToStore ./.; in { users.users.misskey = { isNormalUser = true; 
diff --git a/hosts/koi/containers/siyuan/default.nix b/hosts/koi/containers/siyuan/default.nix index 9235f74..e0d92be 100644 --- a/hosts/koi/containers/siyuan/default.nix +++ b/hosts/koi/containers/siyuan/default.nix @@ -1,18 +1,9 @@ -{ abs, pkgs, config, ... }@inputs: +{ pkgs, ... }: let - secrets = import (abs "lib/secrets.nix"); - trivial = import (abs "lib/trivial.nix") inputs; - UID = 1113; - context = trivial.storeDirectory ./image; + context = pkgs.copyPathToStore ./image; in { - imports = [ - (secrets.declare [{ - name = "siyuan-teidesu-proxy-env"; - owner = "siyuan-teidesu"; - }]) - ]; users.users.siyuan-teidesu = { isNormalUser = true; uid = UID; @@ -40,6 +31,7 @@ in { "d /srv/siyuan-teidesu 0700 ${builtins.toString UID} ${builtins.toString UID} -" ]; + desu.secrets.siyuan-teidesu-proxy-env.owner = "siyuan-teidesu"; desu.openid-proxy.services.siyuan-teidesu = { clientId = "teidesu-siyuan"; domain = "siyuan.tei.su"; diff --git a/hosts/koi/containers/teisu.nix b/hosts/koi/containers/teisu.nix index 8208e30..4b6f6e1 100644 --- a/hosts/koi/containers/teisu.nix +++ b/hosts/koi/containers/teisu.nix @@ -1,16 +1,9 @@ -{ abs, config, ... } @ inputs: +{ config, ... } @ inputs: let - secrets = import (abs "lib/secrets.nix"); - UID = 1103; in { - imports = [ - (secrets.declare [{ - name = "teisu-env"; - owner = "teisu"; - }]) - ]; + desu.secrets.teisu-env.owner = "teisu"; users.users.teisu = { isNormalUser = true; @@ -23,7 +16,7 @@ in { "/srv/teisu:/app/.runtime" ]; environmentFiles = [ - (secrets.file config "teisu-env") + config.desu.secrets.teisu-env.path ]; user = builtins.toString UID; }; diff --git a/hosts/koi/containers/torrent.nix b/hosts/koi/containers/torrent.nix index f5e4e46..95e92b2 100644 --- a/hosts/koi/containers/torrent.nix +++ b/hosts/koi/containers/torrent.nix 
@@ -1,16 +1,12 @@ -{ abs, lib, pkgs, config, ... }@inputs: +{ abs, pkgs, config, ... }@inputs: let containers = (import (abs "lib/containers.nix") inputs); - secrets = import (abs "lib/secrets.nix"); - - dlWebhook = secrets.mount config "qbt-dl-webhook"; in { + desu.secrets.qbt-dl-webhook.mode = "777"; + desu.secrets.torrent-proxy-env.mode = "777"; + imports = [ - (secrets.declare [ - { name = "qbt-dl-webhook"; mode = "777"; } - { name = "torrent-proxy-env"; mode = "777"; } - ]) (containers.mkNixosContainer { name = "torrent"; ephemeral = false; @@ -26,7 +22,7 @@ in }; setup = { config, ... }: '' mkdir -p /var/lib/qbittorrent/temp - dl_webhook=`cat ${dlWebhook.path}` + dl_webhook=`cat /mnt/secrets/qbt-dl-webhook` sed -i "s|%DL_WEBHOOK%|$dl_webhook|g" ${config} ''; config = { @@ -71,7 +67,11 @@ in hostPath = "/mnt/puffer/Downloads"; isReadOnly = false; }; - } // (dlWebhook.mounts); + "/mnt/secrets/qbt-dl-webhook" = { + hostPath = config.desu.secrets.qbt-dl-webhook.path; + isReadOnly = true; + }; + }; }) ]; diff --git a/hosts/koi/containers/vaultwarden.nix b/hosts/koi/containers/vaultwarden.nix index 5fb4d06..0ec21ef 100644 --- a/hosts/koi/containers/vaultwarden.nix +++ b/hosts/koi/containers/vaultwarden.nix @@ -1,16 +1,9 @@ -{ abs, pkgs, config, ... }@inputs: +{ config, ... }: let - secrets = import (abs "lib/secrets.nix"); - UID = 1109; in { - imports = [ - (secrets.declare [{ - name = "vaultwarden-env"; - owner = "vaultwarden"; - }]) - ]; + desu.secrets.vaultwarden-env.owner = "vaultwarden"; virtualisation.oci-containers.containers.vaultwarden = { image = "vaultwarden/server:1.32.5-alpine"; @@ -26,7 +19,7 @@ in { EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "ssh-key-vault-item,ssh-agent,extension-refresh"; }; environmentFiles = [ - (secrets.file config "vaultwarden-env") + config.desu.secrets.vaultwarden-env.path ]; user = builtins.toString UID; }; 
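Review bot: `desu.secrets.qbt-dl-webhook.mode = "777";` (and the same for `torrent-proxy-env`) keeps these secret files world-readable and world-writable on the host, while the new module otherwise defaults to `0400`. The only reader in this file is the `cat /mnt/secrets/qbt-dl-webhook` in the container's setup script, served through a bind mount that is now `isReadOnly = true`, so the write and execute bits buy nothing; `"0444"` is the most that should be needed, or an owner/group matching the in-container reader if the uid mapping allows it. The mount point `/mnt/secrets/qbt-dl-webhook` is now spelled twice (setup script and `bindMounts`), where the old `dlWebhook.path` kept them in sync; a `let mountPath = "/mnt/secrets/qbt-dl-webhook"; in` binding would restore that. The `containers.mkNixosContainer` call begins in the first hunk and continues outside the hunks shown.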
diff --git a/hosts/koi/containers/verdaccio/config/config.yaml b/hosts/koi/containers/verdaccio/config.yaml similarity index 93% rename from hosts/koi/containers/verdaccio/config/config.yaml rename to hosts/koi/containers/verdaccio/config.yaml index add3a3d..a747ef5 100644 --- a/hosts/koi/containers/verdaccio/config/config.yaml +++ b/hosts/koi/containers/verdaccio/config.yaml @@ -3,7 +3,7 @@ storage: /verdaccio/storage web: enable: true - title: alina's personal registry + title: alina's personal registry meow primary_color: "#be15dc" uplinks: diff --git a/hosts/koi/containers/verdaccio/default.nix b/hosts/koi/containers/verdaccio/default.nix index c26b382..6b2c532 100644 --- a/hosts/koi/containers/verdaccio/default.nix +++ b/hosts/koi/containers/verdaccio/default.nix @@ -1,19 +1,9 @@ -{ abs, pkgs, config, ... } @ inputs: +{ config, ... }: let - secrets = import (abs "lib/secrets.nix"); - trivial = import (abs "lib/trivial.nix") inputs; - - configDrv = trivial.storeDirectory ./config; - UID = 1100; in { - imports = [ - (secrets.declare [{ - name = "verdaccio-htpasswd"; - owner = "verdaccio"; - }]) - ]; + desu.secrets.verdaccio-htpasswd.owner = "verdaccio"; users.users.verdaccio = { isNormalUser = true; @@ -23,8 +13,8 @@ in { virtualisation.oci-containers.containers.verdaccio = { image = "verdaccio/verdaccio:5.31@sha256:c77fec2127a1c3d17fc0795786f1e1bd88258e6d7af1835786ced4f7c7287da8"; volumes = [ - "${configDrv}:/verdaccio/conf" - "${secrets.file config "verdaccio-htpasswd"}:/verdaccio/htpasswd" + "${./config.yaml}:/verdaccio/conf/config.yaml" + "${config.desu.secrets.verdaccio-htpasswd.path}:/verdaccio/htpasswd" "/srv/verdaccio/storage:/verdaccio/storage" "/srv/verdaccio/plugins:/verdaccio/plugins" ]; diff --git a/hosts/koi/containers/wakapi/default.nix b/hosts/koi/containers/wakapi/default.nix index 21a5e2f..fa5527e 100644 --- a/hosts/koi/containers/wakapi/default.nix +++ b/hosts/koi/containers/wakapi/default.nix 
@@ -1,18 +1,9 @@ -{ abs, pkgs, config, ... }@inputs: +{ config, ... }: let - secrets = import (abs "lib/secrets.nix"); - UID = 1115; in { - imports = [ - (secrets.declare [ - { - name = "wakapi-env"; - owner = "wakapi"; - } - ]) - ]; + desu.secrets.wakapi-env.owner = "wakapi"; users.users.wakapi = { isNormalUser = true; @@ -55,7 +46,7 @@ in { }; environmentFiles = [ - (secrets.file config "wakapi-env") + config.desu.secrets.wakapi-env.path ]; user = "${builtins.toString UID}"; diff --git a/hosts/koi/containers/zond/default.nix b/hosts/koi/containers/zond/default.nix index 7081585..a057a81 100644 --- a/hosts/koi/containers/zond/default.nix +++ b/hosts/koi/containers/zond/default.nix @@ -1,20 +1,9 @@ -{ abs, config, ... }: +{ config, ... }: let - secrets = import (abs "lib/secrets.nix"); - UID = 1116; in { - # todo 2: update UMAMI_HOST in teisu-env - - imports = [ - (secrets.declare [ - { - name = "umami-env"; - owner = "umami"; - } - ]) - ]; + desu.secrets.umami-env.owner = "umami"; users.users.umami = { isNormalUser = true; @@ -39,7 +28,7 @@ in { }; environmentFiles = [ - (secrets.file config "umami-env") + config.desu.secrets.umami-env.path ]; user = "${builtins.toString UID}"; diff --git a/hosts/koi/services/landing/default.nix b/hosts/koi/services/landing/default.nix index dff76e0..07be517 100644 --- a/hosts/koi/services/landing/default.nix +++ b/hosts/koi/services/landing/default.nix @@ -1,11 +1,9 @@ -{ abs, pkgs, ... } @ inputs: +{ pkgs, ... }: -let - trivial = import (abs "lib/trivial.nix") inputs; -in { +{ services.nginx.virtualHosts."stupid.fish" = { forceSSL = true; useACMEHost = "stupid.fish"; - root = trivial.storeDirectory ./assets; + root = pkgs.copyPathToStore ./assets; }; } \ No newline at end of file diff --git a/hosts/koi/services/nginx.nix b/hosts/koi/services/nginx.nix index 273388f..c2303f9 100644 --- a/hosts/koi/services/nginx.nix +++ b/hosts/koi/services/nginx.nix 
@@ -1,13 +1,8 @@ -{ pkgs, abs, config, ... }@inputs: +{ config, ... }: -let - secrets = import (abs "lib/secrets.nix"); -in { - # sadly due to our network setup we cant properly extract this to a container - # not a big deal though, since we only need to run it once - imports = [ - (secrets.declare ["cloudflare-email" "cloudflare-token"]) - ]; +{ + desu.secrets.cloudflare-email.owner = "nginx"; + desu.secrets.cloudflare-token.owner = "nginx"; services.nginx = { enable = true; @@ -78,8 +73,8 @@ in { group = "nginx"; dnsProvider = "cloudflare"; credentialFiles = { - "CLOUDFLARE_EMAIL_FILE" = config.age.secrets.cloudflare-email.path; - "CLOUDFLARE_API_KEY_FILE" = config.age.secrets.cloudflare-token.path; + "CLOUDFLARE_EMAIL_FILE" = config.desu.secrets.cloudflare-email.path; + "CLOUDFLARE_API_KEY_FILE" = config.desu.secrets.cloudflare-token.path; }; }; in { diff --git a/hosts/koi/services/sing-box.nix b/hosts/koi/services/sing-box.nix index 9b3b8bf..f135fa8 100644 --- a/hosts/koi/services/sing-box.nix +++ b/hosts/koi/services/sing-box.nix @@ -1,20 +1,14 @@ -{ pkgs, abs, config, ... }: +{ config, ... }: -let - secrets = import (abs "lib/secrets.nix"); - secretsUnsafe = pkgs.callPackage (abs "lib/secrets-unsafe.nix") {}; -in { - imports = [ - (secrets.declare [ - "arumi-singbox-pub" - "arumi-singbox-sid" - "arumi-singbox-koi-uuid" - "vless-sakura-ip" - "vless-sakura-pk" - "vless-sakura-sid" - "vless-sakura-uuid" - ]) - ]; +{ + + desu.secrets.arumi-singbox-pub = {}; + desu.secrets.arumi-singbox-sid = {}; + desu.secrets.arumi-singbox-koi-uuid = {}; + desu.secrets.vless-sakura-ip = {}; + desu.secrets.vless-sakura-pk = {}; + desu.secrets.vless-sakura-sid = {}; + desu.secrets.vless-sakura-uuid = {}; services.sing-box = { enable = true; 
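Review bot: `desu.secrets.cloudflare-email.owner = "nginx";` and `desu.secrets.cloudflare-token.owner = "nginx";` hand the Cloudflare API credentials to the nginx uid, which is not their consumer: per the second hunk (`@@ -78`) they are read through `security.acme` `credentialFiles`, i.e. by the certificate renewal service, not by the web server. If the NixOS acme module in use loads `credentialFiles` through systemd credentials the owner is irrelevant and these two lines only widen who can read the DNS API token; if it reads them as the `acme` user, a `0400` file owned by `nginx` fails at the first renewal. Either way the owner should name the actual reader (`acme`) or be left at the default, which is worth confirming against the module before this lands. The `services.nginx`/`security.acme` block these paths live in starts and ends outside the hunks shown.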
@@ -36,7 +30,7 @@ in { tag = "xtls-arumi"; type = "vless"; flow = "xtls-rprx-vision"; - server = secretsUnsafe.readUnsafe "arumi-ip"; + server = config.desu.readUnsafeSecret "arumi-ip"; server_port = 443; domain_strategy = ""; packet_encoding = ""; @@ -46,32 +40,32 @@ in { server_name = "updates.cdn-apple.com"; reality = { enabled = true; - public_key._secret = secrets.file config "arumi-singbox-pub"; - short_id._secret = secrets.file config "arumi-singbox-sid"; + public_key._secret = config.desu.secrets.arumi-singbox-pub.path; + short_id._secret = config.desu.secrets.arumi-singbox-sid.path; }; utls = { enabled = true; fingerprint = "edge"; }; }; - uuid._secret = secrets.file config "arumi-singbox-koi-uuid"; + uuid._secret = config.desu.secrets.arumi-singbox-koi-uuid.path; } { # thanks kamillaova tag = "xtls-sakura"; flow = "xtls-rprx-vision"; - server._secret = secrets.file config "vless-sakura-ip"; + server._secret = config.desu.secrets.vless-sakura-ip.path; server_port = 443; tls = { alpn = [ "h2" ]; enabled = true; reality = { enabled = true; - public_key._secret = secrets.file config "vless-sakura-pk"; - short_id._secret = secrets.file config "vless-sakura-sid"; + public_key._secret = config.desu.secrets.vless-sakura-pk.path; + short_id._secret = config.desu.secrets.vless-sakura-sid.path; }; server_name = "telegram.org"; utls = { enabled = true; fingerprint = "edge"; }; }; type = "vless"; - uuid._secret = secrets.file config "vless-sakura-uuid"; + uuid._secret = config.desu.secrets.vless-sakura-uuid.path; } { tag = "final"; diff --git a/lib/containers.nix b/lib/containers.nix index ebdcea0..28feb0d 100644 --- a/lib/containers.nix +++ b/lib/containers.nix @@ -1,7 +1,5 @@ -{ pkgs, lib, ... }@inputs: -let - trivial = import ./trivial.nix inputs; -in +{ ... }: + { # this function is quite deeply tied to my home network setup # i should make it more generic one day 
@@ -48,71 +46,4 @@ in localAddress = "${ip}/16"; }) // containerConfig; }; - - # nixos oci-containers fucking suck, so we just do a one-shot - # systemd service that invokes docker-compose - # - # not very reproducible nor declarative, but compatible with pretty much - # anything, which is (imo) more important for a home server - mkDockerComposeContainer = - { directory - , name ? builtins.baseNameOf directory - , autoStart ? true - , extraConfig ? { } - , env ? { } - , envFiles ? [ ] - , extraFlags ? [ ] - , after ? [ ] - }: - let - # referencing the file directly would make the service dependant - # on the entire flake, resulting in the container being restarted - # every time we change anything at all - storeDir = trivial.storeDirectory directory; - - inlineEnvNames = builtins.attrNames env; - inlineEnvDrv = lib.optionals (builtins.length inlineEnvNames != 0) [ - (pkgs.writeText "${name}.env" ( - builtins.concatStringsSep "\n" ( - map (name: "${name}=${builtins.toJSON env.${name}}") inlineEnvNames - ) - )) - ]; - allEnvFiles = envFiles ++ inlineEnvDrv; - - cmdline = builtins.concatStringsSep " " ( - [ - "--build" - "--remove-orphans" - ] ++ extraFlags - ); - cmdlineBeforeUp = builtins.concatStringsSep " " ( - map (env: "--env-file ${lib.escapeShellArg env}") allEnvFiles - ); - in - { - systemd.services."docker-compose-${name}" = { - wantedBy = if autoStart then [ "multi-user.target" ] else [ ]; - after = [ "docker.service" "docker.socket" ] ++ after; - serviceConfig = { - WorkingDirectory = storeDir; - ExecStart = "${pkgs.docker}/bin/docker compose ${cmdlineBeforeUp} up ${cmdline}"; - ExecStopPost = "${pkgs.docker}/bin/docker compose down"; - } // (extraConfig.serviceConfig or { }); - } // (builtins.removeAttrs extraConfig [ "serviceConfig" ]); - }; - - # buildDockerfile = { name, context }: builtins.derivation { - # name = "${name}-image"; - # # __noChroot = true; - # src = context; - # builder = pkgs.writeShellScript "builder.sh" (let - # docker = 
"${pkgs.docker}/bin/docker"; - # in '' - # ${docker} build -t ${name} $src - # ${docker} save -o $out ${name} - # ${docker} image rm ${name} - # ''); - # system = pkgs.system; - # }; } diff --git a/lib/desu/default.nix b/lib/desu/default.nix new file mode 100644 index 0000000..63da7dd --- /dev/null +++ b/lib/desu/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./secrets.nix + ]; +} \ No newline at end of file diff --git a/lib/desu/secrets-unsafe.nix b/lib/desu/secrets-unsafe.nix new file mode 100644 index 0000000..8f11d19 --- /dev/null +++ b/lib/desu/secrets-unsafe.nix @@ -0,0 +1,22 @@ +{ + age, + writeShellScript, + system, + ... +}: + +{ + readUnsafe = name: let + identityPath = ../secrets/unsafe.key; + + path = ../secrets + "/UNSAFE.${name}.age"; + drv = builtins.derivation { + system = system; + name = name; + src = path; + builder = writeShellScript "read-${name}.sh" '' + ${age}/bin/age --decrypt --identity ${identityPath} $src > $out + ''; + }; + in builtins.readFile drv; +} \ No newline at end of file diff --git a/lib/desu/secrets.nix b/lib/desu/secrets.nix new file mode 100644 index 0000000..b5a6782 --- /dev/null +++ b/lib/desu/secrets.nix 
@@ -0,0 +1,66 @@ +{ config, pkgs, lib, ... }: + +{ + options = with lib; { + desu.readUnsafeSecret = mkOption { type = types.anything; }; + desu.secrets = mkOption { + type = types.attrsOf (types.submodule ({ name, ... }: { + options = { + path = mkOption { + type = types.str; + default = config.age.secrets.${name}.path; + }; + + unsafe = mkOption { + type = types.bool; + default = false; + }; + + mode = mkOption { + type = types.str; + default = "0400"; + }; + owner = mkOption { + type = types.str; + default = "0"; + }; + group = mkOption { + type = types.str; + default = "0"; + }; + }; + })); + }; + }; + + config = { + desu.readUnsafeSecret = name: let + identityPath = ../../secrets/unsafe.key; + + path = ../../secrets + "/UNSAFE.${name}.age"; + drv = builtins.derivation { + system = pkgs.system; + name = name; + src = path; + builder = pkgs.writeShellScript "read-${name}.sh" '' + ${pkgs.age}/bin/age --decrypt --identity ${identityPath} $src > $out + ''; + }; + in builtins.readFile drv; + + age.secrets = builtins.listToAttrs ( + map (name: let + cfg = config.desu.secrets.${name}; + in { + # unsafe secrets are handled at build-time + name = if cfg.unsafe then null else name; + value = { + file = ../../secrets + "/${name}.age"; + owner = cfg.owner; + group = cfg.group; + mode = cfg.mode; + }; + }) (builtins.attrNames config.desu.secrets) + ); + }; +} \ No newline at end of file diff --git a/lib/trivial.nix b/lib/trivial.nix deleted file mode 100644 index 717957c..0000000 --- a/lib/trivial.nix +++ /dev/null 
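Review bot: `age.secrets` breaks as soon as any entry sets `unsafe = true`: `name = if cfg.unsafe then null else name;` feeds `builtins.listToAttrs` a `null` name, which is an evaluation error rather than a skip, and the `path` default `config.age.secrets.${name}.path` likewise has nothing to resolve to for such an entry. Filtering the unsafe entries out first and mapping the rest avoids the `listToAttrs` round-trip entirely (rewrite below). Separately, `lib/desu/secrets-unsafe.nix` in this same commit is a second copy of `desu.readUnsafeSecret` that `lib/desu/default.nix` never imports, with `identityPath = ../secrets/unsafe.key` (resolving under `lib/`) where this file uses `../../secrets/unsafe.key`, so one of the two looks stale and should be dropped. Both copies interpolate `identityPath` into a builder script and return `$out` via `builtins.readFile`, which places the identity key and the decrypted value in the world-readable Nix store; that is presumably the accepted meaning of "unsafe" here, and a comment on the `desu.readUnsafeSecret` option saying so (`# build-time decryption: key and plaintext end up in the store, only for values that are not sensitive`) would keep the next reader from reaching for it for a real secret.
```nix
    age.secrets = lib.mapAttrs (name: cfg: {
      file = ../../secrets + "/${name}.age";
      inherit (cfg) owner group mode;
    }) (lib.filterAttrs (_: cfg: !cfg.unsafe) config.desu.secrets);
```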
@@ -1,24 +0,0 @@ -{ pkgs, ... }@inputs: - -{ - storeDirectory = dir: - let - dirName = builtins.baseNameOf dir; - drv = derivation { - name = dirName; - src = dir; - builder = pkgs.writeShellScript "builder.sh" '' - ${pkgs.coreutils}/bin/mkdir -p $out/${dirName} - for i in $(${pkgs.coreutils}/bin/ls -A $src); do - ${pkgs.coreutils}/bin/cp -rf $src/$i $out/${dirName} - done - ''; - system = pkgs.system; - }; - in - "${drv}/${dirName}"; - - yaml2json = file: pkgs.runCommand "yaml2json" { buildInputs = [ pkgs.yq ]; } '' - yq -j < ${file} > $out - ''; -}