diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..5b5a57c
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
\ No newline at end of file
diff --git a/configuration.nix b/configuration.nix
index 8665922..3f4901d 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, modulesPath, ... }:
+{ pkgs, lib, userSettings, ... }:
 let
 stateVersion = "24.05";
 unstable = import {};
@@ -10,19 +10,22 @@ let
 in
 {
 imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
- (import "${builtins.fetchTarball https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz}/nixos")
- (fetchTarball "https://github.com/nix-community/nixos-vscode-server/tarball/master")
 ./telegraf.nix
 ./promtail.nix
 ./portainer.nix
 ./watchtower.nix
 ];
+ nix.settings.trusted-users = [ "root" "@wheel" ];
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+ sops.age.keyFile = "${adHome}/.config/sops/age/keys.txt";
+
 environment.systemPackages = with pkgs; [
 (pkgs.writeShellScriptBin "nrbs" "sudo nixos-rebuild switch")
 (pkgs.writeShellScriptBin "nrbsu" "sudo nix-channel --update && sudo nixos-rebuild switch")
+ (pkgs.writeShellScriptBin "nfs" "sudo nixos-rebuild switch --flake ${adNixPath} --impure")
 (pkgs.writeShellScriptBin "ads" ''
 cd ${adPath}
 nix develop --no-pure-eval ${adNixPath}/appdaemon
@@ -40,6 +43,7 @@ in
 git
 eza
 gh
+ sops
 # appdaemon
 ];
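Review bot: Every secret is encrypted to a single age recipient (the `&primary` anchor reused under `key_groups`), so losing or rotating that one `keys.txt` leaves `secrets/secrets.yaml` unrecoverable with no way to re-encrypt. A second recipient in the same group — an offline backup key, or the host's SSH host key converted with `ssh-to-age` — costs nothing at decrypt time because any one key in a group suffices; add it as `- &backup age1<recovery-recipient-placeholder>` under `keys:` and `- *backup` under the `age:` list. After editing this file, `sops updatekeys secrets/secrets.yaml` must be run for the existing encrypted file to pick up the new recipient.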
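Review bot: `sops.age.keyFile = "${adHome}/.config/sops/age/keys.txt"` keeps the only decryption key for `secrets/secrets.yaml` under what looks like a user home directory (`adHome` is bound outside this hunk), so anything running as that user — which the later hunk appears to place in `wheel` and `docker` — can read the key and decrypt every secret, and any home-directory backup carries the key along. sops-nix reads the key as root during activation, so a root-only location is enough; the usual choice is `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` with that host key's age recipient listed in `.sops.yaml`, which also removes the manual provisioning of `keys.txt`. If the home-directory path is deliberate, a comment stating why and the expected `0600` mode would help the next reader. The `--impure` flag in the new `nfs` helper seems to exist only so that `telegraf.nix` can read a decrypted secret at evaluation time; once that is fixed, `--impure` can be dropped here.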
@@ -72,14 +76,13 @@ in
 extraGroups = [ "wheel" "docker" ];
 openssh.authorizedKeys.keyFiles = [ "/root/.ssh/authorized_keys" ];
 };
-
- nix.settings.trusted-users = [ "root" "@wheel" ];
-
+
 home-manager = {
 useGlobalPkgs = true;
 users.appdaemon = { pkgs, ... }: {
 home.stateVersion = stateVersion;
- imports = [ ./git.nix ];
+ systemd.user.startServices = "sd-switch";
+ imports = [ (import ./git.nix {inherit userSettings;}) ];
 programs = {
 ssh.enable = true;
 git.extraConfig.safe.directory = "${adNixPath}";
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..cbb32d5
--- /dev/null
+++ b/flake.lock
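Review bot: `imports = [ (import ./git.nix {inherit userSettings;}) ]` applies the module function by hand, which only works because `git.nix` takes nothing but `userSettings`; it stops evaluating as soon as that file also needs `pkgs` or `config`. Home Manager forwards extra module arguments through `home-manager.extraSpecialArgs`, so `extraSpecialArgs = { inherit userSettings; };` beside `useGlobalPkgs = true;` lets the import stay `imports = [ ./git.nix ];`. The `users.appdaemon` block continues past the end of this hunk.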
@@ -0,0 +1,153 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734344598, + "narHash": "sha256-wNX3hsScqDdqKWOO87wETUEi7a/QlPVgpC/Lh5rFOuA=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "83ecd50915a09dca928971139d3a102377a8d242", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1734119587, + "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3566ab7246670a43abd2ffa913cc62dad9cdf7d5", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1734083684, + "narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1682134069, + "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fd901ef4bf93499374c5af385b2943f5801c0833", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable", + "sops-nix": 
"sops-nix", + "vscode-server": "vscode-server" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733965552, + "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "vscode-server": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1729422940, + "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=", + "owner": "nix-community", + "repo": "nixos-vscode-server", + "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-vscode-server", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..bbebb2f --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,67 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
+ home-manager = {
+ url = "github:nix-community/home-manager";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ vscode-server.url = "github:nix-community/nixos-vscode-server";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs = { self, ... }@args:
+ let
+ inherit (self) outputs;
+ nixosSystem = args.nixpkgs.lib.nixosSystem;
+
+ userSettings = {
+ username = "panoptes";
+ gitUserName = "John Lancaster";
+ gitUserEmail = "32917998+jsl12@users.noreply.github.com";
+ };
+
+ systemSettings = {
+ hostName = "ad-nix";
+ stateVersion = "24.11";
+ system = "x86_64-linux";
+ timeZone = "America/Chicago";
+ locale = "en_US.UTF-8";
+ };
+
+ pkgs = args.nixpkgs.legacyPackages.${systemSettings.system};
+
+ in
+ {
+ nixosConfigurations.${systemSettings.hostName} = nixosSystem {
+ system = systemSettings.system;
+ specialArgs = {
+ inherit systemSettings;
+ inherit userSettings;
+ };
+ modules = [
+ (args.nixpkgs + "/nixos/modules/virtualisation/proxmox-lxc.nix")
+ ./configuration.nix
+ args.home-manager.nixosModules.default
+ args.vscode-server.nixosModules.default
+ args.sops-nix.nixosModules.sops
+ ({ ... }: { services.vscode-server.enable = true; })
+ ];
+ };
+
+ # homeConfigurations = {
+ # useGlobalPkgs = true;
+ # ${userSettings.username} = args.home-manager.lib.homeManagerConfiguration {
+ # inherit pkgs;
+ # extraSpecialArgs = {
+ # inherit systemSettings;
+ # inherit userSettings;
+ # };
+ # modules = [ ./home.nix ];
+ # };
+ # };
+ };
+}
\ No newline at end of file
diff --git a/git.nix b/git.nix
new file mode 100644
index 0000000..a935816
--- /dev/null
+++ b/git.nix
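Review bot: `vscode-server.url` is the one input declared without `inputs.nixpkgs.follows = "nixpkgs";`, and the lock in this commit accordingly carries a separate `nixpkgs_2` node (lastModified 1682134069, i.e. April 2023) plus a `flake-utils` node that nothing else needs; whether anything is actually built from that stale nixpkgs depends on the vscode-server module, but a second, old nixpkgs in the closure is easy to overlook when auditing for known-vulnerable packages. Declare it like the other two inputs: `vscode-server = { url = "github:nix-community/nixos-vscode-server"; inputs.nixpkgs.follows = "nixpkgs"; };`. Likewise `nixpkgs-stable` and the `pkgs` binding are referenced only inside the commented-out `homeConfigurations` block, so they add an input and lock entries with no consumer. A one-line comment on `specialArgs` noting that these values reach NixOS modules but not Home Manager modules would explain the manual `import ./git.nix` in `configuration.nix`.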
@@ -0,0 +1,9 @@
+{ userSettings, ... }:
+{
+ programs.git = {
+ enable = true;
+ extraConfig.credential.helper = "store --file ~/.git-credentials";
+ userName = "${userSettings.gitUserName}";
+ userEmail = "${userSettings.gitUserEmail}";
+ };
+}
\ No newline at end of file
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..166f6f5
--- /dev/null
+++ b/secrets/secrets.yaml
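Review bot: `extraConfig.credential.helper = "store --file ~/.git-credentials"` keeps whatever credential git saves (presumably a forge token) in plaintext, readable by every process running as this user and included in any home-directory backup, which undercuts the sops setup the same commit introduces. If a persistent credential is needed, keep it in memory with `extraConfig.credential.helper = "cache --timeout 3600";`, or provision the file as a sops secret owned by the user and point `--file` at its path; if `store` stays, a comment stating that the file is intentionally plaintext and what it grants access to would at least make the trade-off explicit. A short header comment such as `# Per-user git identity and credential handling; userSettings is supplied by flake.nix` would also tell a reader where `userName`/`userEmail` come from.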
@@ -0,0 +1,31 @@
+hello: ENC[AES256_GCM,data:NZlG+HRn4A+N84Cesba5rxqxEmhXFpGFv5g/LrIxUnFF69wMXhqK5mDHQ2ZIhg==,iv:YTwRm3ZlAX8LD/1OJJkPUvCjZlbN2TqXbXIcZ3DE+/A=,tag:UOgKZJ1wbNI/mRaXR8xugw==,type:str]
+example_key: ENC[AES256_GCM,data:KaQoqEs4agPDp9hI4A==,iv:KWbMvC/Ktnu7M6YIXGMMS8BOvlXDD+7Jr4wTc4vB8aQ=,tag:83NQ42Ohq4Gt0bk9NG0nkQ==,type:str]
+telegraf_influx_token: ENC[AES256_GCM,data:XHT7lvRrw9MeC0Jxe2EYTTa/iB5QLVTzp9TDJaljssRR+kGdK3va1u14NX5b6jFrHnAXLiMdMQ5UTdbsnYH43TnRkY29mcVHxwaQv+rbCgEIKOAYFeIw0g==,iv:uzBYXWYRDH6bHZ3pubWh5Qn/2dN2Rz+sjEmrqpKhA4o=,tag:wemgU05aTl9S1rwt+fVQug==,type:str]
+#ENC[AES256_GCM,data:elDbVD1GEFak71Lfz0m4Mg==,iv:WpDWGBJvHtujHl1JMjCXMF+9IIHBLxnjdgJiPlPhl/g=,tag:aCc458Ljc3o7baElkfuhFQ==,type:comment]
+example_array:
+ - ENC[AES256_GCM,data:20u0gnNpsgWohIv8ibQ=,iv:7RMJvEY9bwQKO95b/CM5mHwZGeiCRtQMSd01Lye0h/E=,tag:xxCbM8x/ykevvwINsUUK/Q==,type:str]
+ - ENC[AES256_GCM,data:dHCk/rralLgfxQAtXYs=,iv:ceCXVfD7iRJvklgpnoRbAMWUlCDZccYhWF1KEXmcoiw=,tag:uxv4vDMSwrWbObi5BXEZuA==,type:str]
+example_number: ENC[AES256_GCM,data:hLeRQrKMhCDt0Q==,iv:zEtWhqedCtOvjvJZa1Gupb6kSowQgaonCQpOrq/r0SE=,tag:5GNb2qxiD4LetM3yah2fKg==,type:float]
+example_booleans:
+ - ENC[AES256_GCM,data:u8WpJg==,iv:JeleHpPCfuehakS3jGFL9zPCYXEZxMPYdEP5wJK9Jaw=,tag:MCADWSWRidGxLZraCI7GRQ==,type:bool]
+ - ENC[AES256_GCM,data:czMA+n4=,iv:O3p7ONcVzuTcOT2eQ5CeycOk352pTej95ouxuaffPDI=,tag:JikG1qmJJo+Mom7mQL0fPQ==,type:bool]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Tkc4Yml1R28zdlppY1dN
+ dnJMS0tLZTZQSWtNVGZDbHBKaUJ5RjJhdkZRClQ4K08rbUVoRm5jTGV0M3RzdUZv
+ T0tWbnFrYnNOQ1dXV21ka0dZZ0QyNk0KLS0tIC9FLzBHSVhXT0FYalc4L3VSVXNa
+ dmR2a2QvZVRPc3ZFc1EvVWZqMTdQcncKTc4D3riTbEcv3eeREFMIZYQk7aDvDZEt
+ xBCoMNVjYaLIy9ljNfLGKh0J/wed0MC6wBIfABuH6eanEvV4ob+xnw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified:
"2024-12-17T06:10:44Z"
+ mac: ENC[AES256_GCM,data:fMFAvBWUoZ0Mfw5IP2Tt4fD6eO/mbuPICIH5WKjSu0a0U6OU+D+9vy8Rip5FFanf5QpPcE0w4sh7P5Rv4vfi3X/3H1sUZ3lkp7XiQc1bZx4+76Q3s1jpTr8HDo5G8Wl3yQItdzQzAT6gC9yPbL3CYANl6Cik6ueV+564rq6dpqA=,iv:piYkRFlFUTTNSMDfWDMYQGq8Stt8HXKvoKfBToPEzNU=,tag:WjVydfnpneY+Im8pDOKWsA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.2
diff --git a/telegraf.nix b/telegraf.nix
index cc1df2b..2c23854 100644
--- a/telegraf.nix
+++ b/telegraf.nix
@@ -1,18 +1,22 @@
-{ ... }:
+{ config, ... }:
 let
 influxURL = "http://panoptes.john-stream.com:8086";
 organization = "homelab";
 bucket = "docker";
- envFile = ./telegraf.env;
+ token = "${builtins.readFile config.sops.secrets."telegraf_influx_token".path}";
 in
 {
- systemd.services.telegraf.serviceConfig = {
- SupplementaryGroups = [ "docker" ];
+ sops.secrets."telegraf_influx_token" = { };
+
+ systemd.services.telegraf = {
+ environment = {
+ INFLUX_WRITE_TOKEN = token;
+ };
+ serviceConfig.SupplementaryGroups = [ "docker" ];
 };
 services.telegraf = {
 enable = true;
- environmentFiles = [ "${envFile}" ];
 extraConfig = {
 agent = {
 interval = "10s";
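Review bot: `token = "${builtins.readFile config.sops.secrets."telegraf_influx_token".path}"` reads the decrypted secret at evaluation time and interpolates it into `systemd.services.telegraf.environment`, so the plaintext InfluxDB token is written into the generated unit file in the world-readable Nix store (and kept in every past generation), which is precisely what sops-nix exists to prevent; it is also why the `nfs` helper needs `--impure`, and it presumably fails on a first deploy where the decrypted file does not exist yet. Keep the secret out of evaluation by rendering an environment file at activation with `sops.templates` and feeding it to the `environmentFiles` option this hunk removes; the `token` binding and the `environment` block then go away, and `--impure` can be dropped from `configuration.nix`.
```nix
{ config, ... }:
let
  # … unchanged: influxURL, organization, bucket … (the `token` binding is dropped)
in
{
  sops.secrets."telegraf_influx_token" = { };
  # Rendered by sops-nix at activation; only the placeholder, never the token, reaches the store.
  sops.templates."telegraf.env".content = ''
    INFLUX_WRITE_TOKEN=${config.sops.placeholder."telegraf_influx_token"}
  '';

  systemd.services.telegraf.serviceConfig.SupplementaryGroups = [ "docker" ];

  services.telegraf = {
    enable = true;
    environmentFiles = [ config.sops.templates."telegraf.env".path ];
    # … unchanged: extraConfig …
```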