From 3f5e7b952916a9198afa6bcb85f9ad15187b0a80 Mon Sep 17 00:00:00 2001 From: Soispha Date: Sat, 29 Jul 2023 21:58:49 +0200 Subject: Feat(treewide): Add enable options for secrets and impermanence --- home-manager/config/nheko/default.nix | 11 ++++-- home-manager/impermanence/default.nix | 42 ++++++++++++--------- hosts/isimud/default.nix | 2 + secrets/default.nix | 46 +++++++++++++---------- system/impermanence/default.nix | 34 ++++++++++++----- system/options/default.nix | 8 ++++ system/services/serverphone/default.nix | 65 +++++++++++++++++---------------- 7 files changed, 125 insertions(+), 83 deletions(-) diff --git a/home-manager/config/nheko/default.nix b/home-manager/config/nheko/default.nix index 7e39352b..fd147c0b 100644 --- a/home-manager/config/nheko/default.nix +++ b/home-manager/config/nheko/default.nix @@ -1,10 +1,13 @@ { config, - osConfig, + nixosConfig, + lib, ... }: { - xdg.configFile."nheko/nheko.conf".source = config.lib.file.mkOutOfStoreSymlink osConfig.age.secrets.nheko.path; - programs.nheko = { - enable = true; + config = lib.mkIf nixosConfig.soispha.secrets.enable { + xdg.configFile."nheko/nheko.conf".source = config.lib.file.mkOutOfStoreSymlink nixosConfig.age.secrets.nheko.path; + programs.nheko = { + enable = true; + }; }; } diff --git a/home-manager/impermanence/default.nix b/home-manager/impermanence/default.nix index 59cea605..90b2152b 100644 --- a/home-manager/impermanence/default.nix +++ b/home-manager/impermanence/default.nix 
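Review bot: The module argument is switched from `osConfig` to `nixosConfig` while the rest of the hunk is only re-indented; `nixosConfig` appears to be the NixOS-specific spelling that Home Manager kept alongside the generic `osConfig`, so unless the flake pins a Home Manager release that only passes `nixosConfig`, the existing `osConfig` name was already correct and the rename adds churn with no gain. If the rename is deliberate, a one-line comment such as `# nixosConfig: the NixOS module exposes the host config under this name` next to the argument list would explain it. As a point of style, the wrapped `programs.nheko = { enable = true; };` can collapse to `programs.nheko.enable = true;` now that it is the only attribute.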
@@ -1,24 +1,30 @@ -{...}: { - home.persistence."/srv/home/soispha" = { - allowOther = true; - directories = [ - ".local/share" +{ + lib, + nixosConfig, + ... +}: { + config = lib.mkIf nixosConfig.soispha.impermanence.enable { + home.persistence."/srv/home/soispha" = { + allowOther = true; + directories = [ + ".local/share" - ".local/state/nvim" - ".local/state/wireplumber" + ".local/state/nvim" + ".local/state/wireplumber" - ".config/Signal" - ".config/Element" + ".config/Signal" + ".config/Element" - ".cache" - ".mozilla" + ".cache" + ".mozilla" - "media" - "repos" - "school" - ]; - files = [ - ".local/state/lesshst" - ]; + "media" + "repos" + "school" + ]; + files = [ + ".local/state/lesshst" + ]; + }; }; } diff --git a/hosts/isimud/default.nix b/hosts/isimud/default.nix index ec4e623c..8b772fef 100644 --- a/hosts/isimud/default.nix +++ b/hosts/isimud/default.nix @@ -6,6 +6,8 @@ ]; soispha = { + secrets.enable = false; + impermanence.enable = false; locale = { enable = true; keyMap = "dvorak"; diff --git a/secrets/default.nix b/secrets/default.nix index 1807fb8d..d1fc1714 100644 --- a/secrets/default.nix +++ b/secrets/default.nix 
@@ -1,25 +1,31 @@ -{config, ...}: let +{ + config, + lib, + ... +}: let name = config.networking.hostName; in { - age = { - secrets = { - nheko = { - file = ./nheko/conf. + name; - mode = "700"; - owner = "soispha"; - group = "users"; - }; - serverphoneCa = { - file = ./serverphone/ca.key; - mode = "700"; - owner = "serverphone"; - group = "serverphone"; - }; - serverphoneServer = { - file = ./serverphone/server.key; - mode = "700"; - owner = "serverphone"; - group = "serverphone"; + config = lib.mkIf config.soispha.secrets.enable { + age = { + secrets = { + nheko = { + file = ./nheko/conf. + name; + mode = "700"; + owner = "soispha"; + group = "users"; + }; + serverphoneCa = { + file = ./serverphone/ca.key; + mode = "700"; + owner = "serverphone"; + group = "serverphone"; + }; + serverphoneServer = { + file = ./serverphone/server.key; + mode = "700"; + owner = "serverphone"; + group = "serverphone"; + }; }; }; }; diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix index 8e6d81fb..adbdfce2 100644 --- a/system/impermanence/default.nix +++ b/system/impermanence/default.nix @@ -1,4 +1,9 @@ -{config, ...}: let +{ + config, + lib, + ... +}: let + cfg = config.soispha.impermanence; networkmanager = if config.networking.networkmanager.enable then [ @@ -23,16 +28,25 @@ ++ networkmanager ++ secureboot; in { - # needed for the hm impermanence config - programs.fuse.userAllowOther = true; + options.soispha.impermanence = { + enable = lib.mkOption { + type = lib.types.bool; + default = true; + description = lib.mdDoc "Disk setup with disko"; + }; + }; + config = lib.mkIf cfg.enable { + # needed for the hm impermanence config + programs.fuse.userAllowOther = true; - environment.persistence = { - "/srv" = { - hideMounts = true; - inherit directories; - files = [ - "/etc/machine-id" - ]; + environment.persistence = { + "/srv" = { + hideMounts = true; + inherit directories; + files = [ + "/etc/machine-id" + ]; + }; }; }; } 
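Review bot: All three decrypted secrets are re-added under the new `lib.mkIf` with `mode = "700"`, which grants the execute bit on key material; agenix's `mode` is the permission of the decrypted file, and a private key or config only needs to be readable by its owner, so `mode = "0400";` (or `"0600"` if the consumer rewrites the file, which nothing here shows) is the least-privilege setting for `nheko`, `serverphoneCa` and `serverphoneServer`. Since the `owner`/`group` for the serverphone secrets are the `serverphone` user and group created in `system/services/serverphone/default.nix` under the same `soispha.secrets.enable` gate, the two files must stay in step; a short comment on the `serverphoneCa` entry, e.g. `# owner/group are created in system/services/serverphone under the same enable flag`, would make that coupling visible.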
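Review bot: The new `options.soispha.impermanence.enable` in `system/impermanence/default.nix` carries `description = lib.mdDoc "Disk setup with disko"`, which describes a different module; this option gates `environment.persistence."/srv"` and `programs.fuse.userAllowOther`, so the text should be something like `description = lib.mdDoc "Persist selected system paths under /srv and allow the Home Manager impermanence config to use allowOther";`. The option is also declared here while its sibling `soispha.secrets.enable` lives in `system/options/default.nix`; keeping both in one place would make the `soispha` option tree easier to audit. The `let` block with `directories` that this file builds starts in the first hunk and is only partially visible.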
diff --git a/system/options/default.nix b/system/options/default.nix index 13861199..72ebc4fb 100644 --- a/system/options/default.nix +++ b/system/options/default.nix @@ -14,5 +14,13 @@ in { description = lib.mdDoc "Which backlight to query for the screen brightness"; }; }; + secrets = { + #enable = lib.mkEnableOption "Secrets through agenix"; + enable = lib.mkOption { + type = lib.types.bool; + default = true; + description = lib.mdDoc "Enable secrets through agenix"; + }; + }; }; } diff --git a/system/services/serverphone/default.nix b/system/services/serverphone/default.nix index d07d3809..1684f92d 100644 --- a/system/services/serverphone/default.nix +++ b/system/services/serverphone/default.nix 
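Review bot: The commented-out `#enable = lib.mkEnableOption "Secrets through agenix";` left above the `mkOption` is dead code and should either be removed or replaced by the reason the longer form was chosen, e.g. `# not mkEnableOption: that defaults to false, and existing hosts must keep their secrets unless they opt out`. The enclosing `options.soispha` attribute set begins outside this hunk, so the placement of `secrets` relative to the other sub-options cannot be checked here.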
@@ -2,41 +2,44 @@ config, serverphone, system, + lib, ... }: { - services.serverphone = { - package = "${serverphone.packages.${system}.default}"; - enable = true; - domain = "localhost"; - configureDoas = true; - acceptedSshKeys = [ - "AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME" - ]; - authorized = { - acceptedGpgKeys = [ - { - source = ./keys/soispha_at_vhack.eu; - trust = "ultimate"; - } + config = lib.mkIf config.soispha.secrets.enable { + services.serverphone = { + package = "${serverphone.packages.${system}.default}"; + enable = true; + domain = "localhost"; + configureDoas = true; + acceptedSshKeys = [ + "AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME" ]; + authorized = { + acceptedGpgKeys = [ + { + source = ./keys/soispha_at_vhack.eu; + trust = "ultimate"; + } + ]; + }; + caCertificate = "${./certificates/ca.crt}"; + certificate = "${./certificates/server.crt}"; + privateKey = config.age.secrets.serverphoneServer.path; + certificateRequest = { + acceptedUsers = [ + "soispha $argon2id$v=19$m=19456,t=2,p=1$EvhPENIBqL5b1RO5waNMWA$pJ8vDrCNJKDlqwB5bVDLjHVPEXm9McQhtt9OXSD8Zkc" + ]; + caPrivateKey = config.age.secrets.serverphoneCa.path; + }; }; - caCertificate = "${./certificates/ca.crt}"; - certificate = "${./certificates/server.crt}"; - privateKey = config.age.secrets.serverphoneServer.path; - certificateRequest = { - acceptedUsers = [ - "soispha $argon2id$v=19$m=19456,t=2,p=1$EvhPENIBqL5b1RO5waNMWA$pJ8vDrCNJKDlqwB5bVDLjHVPEXm9McQhtt9OXSD8Zkc" - ]; - caPrivateKey = config.age.secrets.serverphoneCa.path; - }; - }; - users.users.serverphone = { - group = "serverphone"; - isSystemUser = true; - home = "/run/serverphone"; - }; - users.groups.serverphone = { - members = ["serverphone"]; + users.users.serverphone = { + group = "serverphone"; + isSystemUser = true; + home = "/run/serverphone"; + }; + users.groups.serverphone = { + members = ["serverphone"]; + }; }; } -- cgit 1.4.1
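Review bot: Gating the whole `services.serverphone` definition, including `users.users.serverphone` and `users.groups.serverphone`, on `config.soispha.secrets.enable` ties a service's presence to a cross-cutting secrets toggle; a host that keeps secrets enabled but does not want serverphone has no way to turn it off, and the flag's name no longer says what it controls. A dedicated enable option for this service that defaults to the secrets flag would keep the current behaviour while making the dependency explicit, e.g. `config = lib.mkIf (cfg.enable && config.soispha.secrets.enable) { … }` once such an option exists. The gating itself is sound as far as visible: the `privateKey` and `caPrivateKey` paths come from `age.secrets`, which `secrets/default.nix` only defines under the same flag, so both sides disappear together.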