converted to flakes and implemented sops-nix for the telegraf token

.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &primary age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+    - age:
+      - *primary

configuration.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, modulesPath, ... }:
+{ pkgs, lib, userSettings, ... }:
 let
   stateVersion = "24.05";
   unstable = import <nixos-unstable> {};
@@ -10,19 +10,22 @@ let
 in
 {
   imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
-    (import "${builtins.fetchTarball https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz}/nixos")
-    (fetchTarball "https://github.com/nix-community/nixos-vscode-server/tarball/master")
     ./telegraf.nix
     ./promtail.nix
     ./portainer.nix
     ./watchtower.nix
   ];
+  nix.settings.trusted-users = [ "root" "@wheel" ];
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
 
+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+  sops.defaultSopsFormat = "yaml";
+  sops.age.keyFile = "${adHome}/.config/sops/age/keys.txt";
+
   environment.systemPackages = with pkgs; [
     (pkgs.writeShellScriptBin "nrbs" "sudo nixos-rebuild switch")
     (pkgs.writeShellScriptBin "nrbsu" "sudo nix-channel --update && sudo nixos-rebuild switch")
+    (pkgs.writeShellScriptBin "nfs" "sudo nixos-rebuild switch --flake ${adNixPath} --impure")
     (pkgs.writeShellScriptBin "ads" ''
       cd ${adPath}
       nix develop --no-pure-eval ${adNixPath}/appdaemon
@@ -40,6 +43,7 @@ in
     git
     eza
     gh
+    sops
     # appdaemon
   ];
 
@@ -72,14 +76,13 @@ in
     extraGroups = [ "wheel" "docker" ];
     openssh.authorizedKeys.keyFiles = [ "/root/.ssh/authorized_keys" ];
   };
-
+  
-  nix.settings.trusted-users = [ "root" "@wheel" ];
-
   home-manager = {
     useGlobalPkgs = true;
     users.appdaemon = { pkgs, ... }: {
       home.stateVersion = stateVersion;
-      imports = [ ./git.nix ];
+      systemd.user.startServices = "sd-switch";
+      imports = [ (import ./git.nix {inherit userSettings;}) ];
       programs = { 
         ssh.enable = true;
         git.extraConfig.safe.directory = "${adNixPath}";

flake.lock

@@ -0,0 +1,153 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1734344598,
+        "narHash": "sha256-wNX3hsScqDdqKWOO87wETUEi7a/QlPVgpC/Lh5rFOuA=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "83ecd50915a09dca928971139d3a102377a8d242",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1734119587,
+        "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "3566ab7246670a43abd2ffa913cc62dad9cdf7d5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1734083684,
+        "narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1682134069,
+        "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fd901ef4bf93499374c5af385b2943f5801c0833",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-stable": "nixpkgs-stable",
+        "sops-nix": "sops-nix",
+        "vscode-server": "vscode-server"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733965552,
+        "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "vscode-server": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1729422940,
+        "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
+        "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,67 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    vscode-server.url = "github:nix-community/nixos-vscode-server";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = { self, ... }@args:
+  let
+    inherit (self) outputs;
+    nixosSystem = args.nixpkgs.lib.nixosSystem;
+    
+    userSettings = {
+      username = "panoptes";
+      gitUserName = "John Lancaster";
+      gitUserEmail = "32917998+jsl12@users.noreply.github.com";
+    };
+
+    systemSettings = {
+      hostName = "ad-nix";
+      stateVersion = "24.11";
+      system = "x86_64-linux";
+      timeZone = "America/Chicago";
+      locale = "en_US.UTF-8";
+    };
+
+    pkgs = args.nixpkgs.legacyPackages.${systemSettings.system};
+
+  in
+  {
+    nixosConfigurations.${systemSettings.hostName} = nixosSystem {
+      system = systemSettings.system;
+      specialArgs = {
+        inherit systemSettings;
+        inherit userSettings;
+      };
+      modules = [
+        (args.nixpkgs + "/nixos/modules/virtualisation/proxmox-lxc.nix")
+        ./configuration.nix
+        args.home-manager.nixosModules.default
+        args.vscode-server.nixosModules.default
+        args.sops-nix.nixosModules.sops
+        ({ ... }: { services.vscode-server.enable = true; })
+      ];
+    };
+
+    # homeConfigurations = {
+    #   useGlobalPkgs = true;
+    #   ${userSettings.username} = args.home-manager.lib.homeManagerConfiguration {
+    #     inherit pkgs;
+    #     extraSpecialArgs = {
+    #       inherit systemSettings;
+    #       inherit userSettings;
+    #     };
+    #     modules = [ ./home.nix ];
+    #   };
+    # };
+  };
+}

git.nix

@@ -0,0 +1,9 @@
+{ userSettings, ... }:
+{
+  programs.git = {
+    enable = true;
+    extraConfig.credential.helper = "store --file ~/.git-credentials";
+    userName = "${userSettings.gitUserName}";
+    userEmail = "${userSettings.gitUserEmail}";
+  };
+}

secrets/secrets.yaml

@@ -0,0 +1,31 @@
+hello: ENC[AES256_GCM,data:NZlG+HRn4A+N84Cesba5rxqxEmhXFpGFv5g/LrIxUnFF69wMXhqK5mDHQ2ZIhg==,iv:YTwRm3ZlAX8LD/1OJJkPUvCjZlbN2TqXbXIcZ3DE+/A=,tag:UOgKZJ1wbNI/mRaXR8xugw==,type:str]
+example_key: ENC[AES256_GCM,data:KaQoqEs4agPDp9hI4A==,iv:KWbMvC/Ktnu7M6YIXGMMS8BOvlXDD+7Jr4wTc4vB8aQ=,tag:83NQ42Ohq4Gt0bk9NG0nkQ==,type:str]
+telegraf_influx_token: ENC[AES256_GCM,data:XHT7lvRrw9MeC0Jxe2EYTTa/iB5QLVTzp9TDJaljssRR+kGdK3va1u14NX5b6jFrHnAXLiMdMQ5UTdbsnYH43TnRkY29mcVHxwaQv+rbCgEIKOAYFeIw0g==,iv:uzBYXWYRDH6bHZ3pubWh5Qn/2dN2Rz+sjEmrqpKhA4o=,tag:wemgU05aTl9S1rwt+fVQug==,type:str]
+#ENC[AES256_GCM,data:elDbVD1GEFak71Lfz0m4Mg==,iv:WpDWGBJvHtujHl1JMjCXMF+9IIHBLxnjdgJiPlPhl/g=,tag:aCc458Ljc3o7baElkfuhFQ==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:20u0gnNpsgWohIv8ibQ=,iv:7RMJvEY9bwQKO95b/CM5mHwZGeiCRtQMSd01Lye0h/E=,tag:xxCbM8x/ykevvwINsUUK/Q==,type:str]
+    - ENC[AES256_GCM,data:dHCk/rralLgfxQAtXYs=,iv:ceCXVfD7iRJvklgpnoRbAMWUlCDZccYhWF1KEXmcoiw=,tag:uxv4vDMSwrWbObi5BXEZuA==,type:str]
+example_number: ENC[AES256_GCM,data:hLeRQrKMhCDt0Q==,iv:zEtWhqedCtOvjvJZa1Gupb6kSowQgaonCQpOrq/r0SE=,tag:5GNb2qxiD4LetM3yah2fKg==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:u8WpJg==,iv:JeleHpPCfuehakS3jGFL9zPCYXEZxMPYdEP5wJK9Jaw=,tag:MCADWSWRidGxLZraCI7GRQ==,type:bool]
+    - ENC[AES256_GCM,data:czMA+n4=,iv:O3p7ONcVzuTcOT2eQ5CeycOk352pTej95ouxuaffPDI=,tag:JikG1qmJJo+Mom7mQL0fPQ==,type:bool]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age197d424aa7jpj2s735fl2h2s4c687y8vm44usx8wag0r2kh2v7ces4efdyn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Tkc4Yml1R28zdlppY1dN
+            dnJMS0tLZTZQSWtNVGZDbHBKaUJ5RjJhdkZRClQ4K08rbUVoRm5jTGV0M3RzdUZv
+            T0tWbnFrYnNOQ1dXV21ka0dZZ0QyNk0KLS0tIC9FLzBHSVhXT0FYalc4L3VSVXNa
+            dmR2a2QvZVRPc3ZFc1EvVWZqMTdQcncKTc4D3riTbEcv3eeREFMIZYQk7aDvDZEt
+            xBCoMNVjYaLIy9ljNfLGKh0J/wed0MC6wBIfABuH6eanEvV4ob+xnw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-17T06:10:44Z"
+    mac: ENC[AES256_GCM,data:fMFAvBWUoZ0Mfw5IP2Tt4fD6eO/mbuPICIH5WKjSu0a0U6OU+D+9vy8Rip5FFanf5QpPcE0w4sh7P5Rv4vfi3X/3H1sUZ3lkp7XiQc1bZx4+76Q3s1jpTr8HDo5G8Wl3yQItdzQzAT6gC9yPbL3CYANl6Cik6ueV+564rq6dpqA=,iv:piYkRFlFUTTNSMDfWDMYQGq8Stt8HXKvoKfBToPEzNU=,tag:WjVydfnpneY+Im8pDOKWsA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

telegraf.nix

@@ -1,18 +1,22 @@
-{ ... }:
+{ config, ... }:
 let
   influxURL = "http://panoptes.john-stream.com:8086";
   organization = "homelab";
   bucket = "docker";
-  envFile = ./telegraf.env;
+  token = "${builtins.readFile config.sops.secrets."telegraf_influx_token".path}";
 in
 {
-  systemd.services.telegraf.serviceConfig = {
+  sops.secrets."telegraf_influx_token" = { };
-    SupplementaryGroups = [ "docker" ];
+
+  systemd.services.telegraf = {
+    environment = {
+      INFLUX_WRITE_TOKEN = token;
+    };
+    serviceConfig.SupplementaryGroups = [ "docker" ];
   };
 
   services.telegraf = {
     enable = true;
-    environmentFiles = [ "${envFile}" ];
     extraConfig = {
       agent = {
         interval = "10s";