Merge branch 'main' of https://git.syzygial.cc/Syzygial/NixMachines

.sops.yaml

@@ -1,7 +1,12 @@
 keys:
   - &hippocampus age1crymppz88etsdjpckmtdhr397x5xg5wv8jt6tcj23gt2snq73pzs04fuve
+  - &desktop age1p3958zac2e5t35dpdeysqxtc9q76zd6dyswg9y7uqt3688yphp9q6r2hdp
 creation_rules:
   - path_regex: machines/hippocampus/secrets/[^/]+\.(yaml|json|env|ini)$
     key_groups:
     - age:
       - *hippocampus
+  - path_regex: machines/universedesktop/secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *desktop

flake.lock

@@ -66,11 +66,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1702937117,
+        "lastModified": 1705104164,
-        "narHash": "sha256-4GjkL2D01bDg00UZN/SeGrnBZrDVOFeZTbQx6U702Vc=",
+        "narHash": "sha256-pllCu3Hcm1wP/B0SUxgUXvHeEd4w8s2aVrEQRdIL1yo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e8aaced73ebaf6bfa8e3c6ab0a19cb184bc4d798",
+        "rev": "0912d26b30332ae6a90e1b321ff88e80492127dd",
         "type": "github"
       },
       "original": {
@@ -108,11 +108,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1700795494,
+        "lastModified": 1704277720,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "narHash": "sha256-meAKNgmh3goankLGWqqpw73pm9IvXjEENJloF0coskE=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "0dd382b70c351f528561f71a0a7df82c9d2be9a4",
         "type": "github"
       },
       "original": {
@@ -124,11 +124,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1702830618,
+        "lastModified": 1704722960,
-        "narHash": "sha256-lvhwIvRwhOLgzbRuYkqHy4M5cQHYs4ktL6/hyuBS6II=",
+        "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "91a00709aebb3602f172a0bf47ba1ef013e34835",
+        "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d",
         "type": "github"
       },
       "original": {
@@ -156,11 +156,11 @@
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1702777222,
+        "lastModified": 1704290814,
-        "narHash": "sha256-/SYmqgxTYzqZnQEfbOCHCN4GzqB9uAIsR9IWLzo0/8I=",
+        "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a19a71d1ee93226fd71984359552affbc1cd3dc3",
+        "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
         "type": "github"
       },
       "original": {
@@ -172,11 +172,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1702539185,
+        "lastModified": 1704161960,
-        "narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=",
+        "narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "aa9d4729cbc99dabacb50e3994dcefb3ea0f7447",
+        "rev": "63143ac2c9186be6d9da6035fa22620018c85932",
         "type": "github"
       },
       "original": {
@@ -201,11 +201,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1702937567,
+        "lastModified": 1704908274,
-        "narHash": "sha256-bUNl3GPqRgTGp13+oV1DrYa1/NHuGHo5SKmr+RqC/2g=",
+        "narHash": "sha256-74W9Yyomv3COGRmKi8zvyA5tL2KLiVkBeaYmYLjXyOw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "f7db64b88dabc95e4f7bee20455f418e7ab805d4",
+        "rev": "c0b3a5af90fae3ba95645bbf85d2b64880addd76",
         "type": "github"
       },
       "original": {

flake.nix

@@ -57,6 +57,7 @@
             nixpkgs.overlays = [ me-emacs-overlay ];
           })
           ./machines/universedesktop/configuration.nix
+          sops-nix.nixosModules.sops
         ];
     };
     darwinConfigurations."Universe-MacBook-Air" = nix-darwin.lib.darwinSystem {

machines/hippocampus/servers/public/anki.nix

@@ -1,24 +1,18 @@
 {config, pkgs, ...}:
 
 {
-  systemd.services.ankisync = {
+  sops.secrets.anki = { };
-    enable = false;
+  services.anki-sync-server = {
-    wantedBy = ["network-online.target"];
+    enable = true;
-    script = ''
+    users.david = {
-      ${pkgs.anki-bin}/bin/anki --syncserver
+      username = "David";
-    '';
+      passwordFile = config.sops.secrets.anki.path;
-    serviceConfig = {
-      Type = "simple";
-      DynamicUser = true;
-      PrivateTmp = true;
-      StateDirectory = "foo";
-      StateDirectoryMode = "0750";
     };
   };
   services.caddy.virtualHosts = {
     "anki.syzygial.cc" = {
       extraConfig = ''
-        reverse_proxy 127.0.0.1:4000
+        reverse_proxy 127.0.0.1:${config.services.anki-sync-server.port}
       '';
     };
   };

machines/universedesktop/configuration.nix

@@ -13,6 +13,9 @@
       [ # Include the results of the hardware scan.
         ./hardware-configuration.nix
 
+        # Secrets specified via:
+        ./secrets.nix
+
         ./programs/art.nix
         ./programs/audio.nix
         ./programs/cad.nix
@@ -43,21 +46,19 @@
     ## Bridged Network Config
 
     networking.hostName = "universedesktop";
-    networking.useDHCP  = false;
+ 
-    networking.bridges = {
+    networking.useDHCP = false;
-      "br0" = {
+    networking.interfaces.wlp6s0.useDHCP = true;
-        interfaces = [ "enp9s0" ];
+    # Fixes DNS issue with tailscale: https://github.com/tailscale/tailscale/issues/4254
-      };
+    services.resolved.enable = true;
+
+    sops.secrets.wireless = { };
+    networking.wireless.environmentFile = config.sops.secrets.wireless.path;
+
+    networking.wireless.enable = true;
+    networking.wireless.networks = {
+      "@SSID_HOME@".psk = "@PSK_HOME@";
     };
-    networking.interfaces.br0.ipv4.addresses = [
-      {
-        address = "192.168.1.21";
-        prefixLength = 24;
-      }
-    ];
-    networking.defaultGateway = "192.168.1.1";
-    networking.nameservers = [ "192.168.1.1" ];
-    networking.interfaces.tap0.virtual = true;
 
     hardware.bluetooth.enable = true;
 

machines/universedesktop/printing.nix

@@ -1,7 +1,7 @@
 {
   services.printing.enable = true;
   services.avahi.enable = true;
-  services.avahi.nssmdns = true;
+  services.avahi.nssmdns4 = true;
   # for a WiFi printer
   services.avahi.openFirewall = true;
 }

machines/universedesktop/programs/remote.nix

@@ -11,9 +11,9 @@
 in {
   environment.systemPackages = with pkgs; [
     # Hardware accel
-    virtualgl
+    # virtualgl
     # Remote connectivity
-    xpra
+    # xpra
-    xpra-web
+    # xpra-web
   ];
 }

machines/universedesktop/secrets.nix

@@ -0,0 +1,8 @@
+{config, pkgs, ...}: let
+in {
+  sops = {
+    age.keyFile = "/root/.config/sops/age/keys.txt";
+    defaultSopsFile = "/etc/nixos/machines/universedesktop/secrets/secrets.yaml";
+    validateSopsFiles = false;
+  };
+}

machines/universedesktop/secrets/secrets.yaml

@@ -0,0 +1,21 @@
+wireless: ENC[AES256_GCM,data:VS8XBhc2DfqDdOeUvwnMYy8R1x/Qbr7lSuCb3l+X1xFdK7gni5aGm71pZk4=,iv:3I/GMA6KbYyD4fOkdLrW99JoIbUPA111fpZ4mlpgA8c=,tag:fAZyTM4AhNX3SENKpJxnsw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1p3958zac2e5t35dpdeysqxtc9q76zd6dyswg9y7uqt3688yphp9q6r2hdp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIMC9semtyMXZmeXUxVmxC
+            UzNqN0V5M2xpd0h3WE1mOGJHeWYwWnd1UFNNClNDT1gxTEF0WWRHWldENmpaYjcv
+            R3ZNV05XZWlnOEpXTkJVWWZaU1lxRncKLS0tIFNDMFZrWWt2V2daK2xxMXF2bU9Y
+            WS93Uzg1UkFSSGM1eUR1UG9WRFVCYVEKbnE6DuVqtkynqphNIybtVgfVFJtgm6vI
+            XywmFg8F1dOq1xDz97oFBbzbJa1J9qsMjNlPxZkC04snM9msZm9v2g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-02T02:01:25Z"
+    mac: ENC[AES256_GCM,data:oZCQ9G7C7cqmuK/oXK0zo/siUvKMlKNArP39w9imAwWRSeLy1Vazu/oFH2F1Kzmq7B5iukBXID7T4kGB8vgLINa0T9qKP8s5GfxbcKadY3e6BqcMjXUXy5+UayQ+S/KxDFr4ftoJ4khwmVR8sW8Gpfo4y3VJgDBQTcrRNf8TAq0=,iv:jRMxlw+FDigIN1ZOLXQotqI+hRM6Fgi/DXWjPKKW5TQ=,tag:y7kl2Cjan+w3MqIwLW5dGA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1