sourcephile / git / sourcephile-nix.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 51940d9)
creds: finish to migrate to systemd-creds.nix
authorJulien Moutinho <julm+sourcephile-nix@sourcephile.fr>
Wed, 2 Nov 2022 00:19:21 +0000 (01:19 +0100)
committerJulien Moutinho <julm+sourcephile-nix@sourcephile.fr>
Thu, 3 Nov 2022 15:21:54 +0000 (16:21 +0100)
52 files changed:
flake.nix patch | blob | history
hosts/losurdo/.gpg-id patch | blob | history
hosts/losurdo/acme/autogeree.net.nix patch | blob | history
hosts/losurdo/acme/autogeree.net.tsig.cred patch | blob | history
hosts/losurdo/acme/sourcephile.fr.nix patch | blob | history
hosts/losurdo/acme/sourcephile.fr.tsig.cred patch | blob | history
hosts/losurdo/networking/nsupdate.nix patch | blob | history
hosts/losurdo/networking/nsupdate/tsig.cred patch | blob | history
hosts/losurdo/networking/tor/5spcvlzbaxwo4knhwnrekjtnakxmvekmlc5qwsigi33rn45hd5gewlyd.hs_ed25519_secret_key.cred patch | blob | history
hosts/losurdo/networking/wireguard/wg-extra.nix patch | blob | history
hosts/losurdo/networking/wireguard/wg-extra/privateKey.cred patch | blob | history
hosts/losurdo/networking/wireguard/wg-intra/privateKey.cred patch | blob | history
hosts/losurdo/syncoid/sshKey.cred patch | blob | history
hosts/losurdo/transmission.nix patch | blob | history
hosts/losurdo/transmission/settings.json.cred patch | blob | history
hosts/mermet/coturn.nix patch | blob | history
hosts/mermet/croc/pass.clear [new file with mode: 0644] patch | blob
hosts/mermet/dovecot/dh4096.pem [new file with mode: 0644] patch | blob
hosts/mermet/gitolite patch | blob | history
hosts/mermet/gitolite.nix patch | blob | history
hosts/mermet/iodine.nix patch | blob | history
hosts/mermet/iodine/password.cred [new file with mode: 0644] patch | blob
hosts/mermet/knot/autogeree.net.nix patch | blob | history
hosts/mermet/knot/autogeree.net/acme.conf.cred [new file with mode: 0644] patch | blob
hosts/mermet/knot/autogeree.net/acme.conf.gpg [new file with mode: 0644] patch | blob
hosts/mermet/knot/sourcephile.fr.nix patch | blob | history
hosts/mermet/knot/sourcephile.fr/acme.conf.cred [new file with mode: 0644] patch | blob
hosts/mermet/knot/sourcephile.fr/acme.conf.gpg [new file with mode: 0644] patch | blob
hosts/mermet/knot/sourcephile.fr/losurdo.conf.cred [new file with mode: 0644] patch | blob
hosts/mermet/knot/sourcephile.fr/losurdo.conf.gpg [new file with mode: 0644] patch | blob
hosts/mermet/miniflux.nix patch | blob | history
hosts/mermet/miniflux/credentials.cred [new file with mode: 0644] patch | blob
hosts/mermet/miniflux/credentials.gpg [new file with mode: 0644] patch | blob
hosts/mermet/nginx/autogeree.net/www.nix patch | blob | history
hosts/mermet/nginx/autogeree.net/www/julm/PC/htpasswd.cred [new file with mode: 0644] patch | blob
hosts/mermet/nginx/autogeree.net/www/julm/PC/htpasswd.gpg [new file with mode: 0644] patch | blob
hosts/mermet/nginx/dh4096.pem [new file with mode: 0644] patch | blob
hosts/mermet/nginx/sourcephile.fr/www.nix patch | blob | history
hosts/mermet/prosody.nix patch | blob | history
hosts/mermet/rspamd.nix patch | blob | history
hosts/mermet/rspamd/autogeree.net.nix patch | blob | history
hosts/mermet/rspamd/autogeree.net/20200101.dkim.key.cred [new file with mode: 0644] patch | blob
hosts/mermet/rspamd/autogeree.net/20200101.dkim.key.gpg [new file with mode: 0644] patch | blob
hosts/mermet/rspamd/controller.inc.cred [new file with mode: 0644] patch | blob
hosts/mermet/rspamd/controller.inc.gpg [new file with mode: 0644] patch | blob
hosts/mermet/rspamd/sourcephile.fr.nix patch | blob | history
hosts/mermet/rspamd/sourcephile.fr/20200101.dkim.key.cred [new file with mode: 0644] patch | blob
hosts/mermet/rspamd/sourcephile.fr/20200101.dkim.key.gpg [new file with mode: 0644] patch | blob
hosts/mermet/sanoid.nix patch | blob | history
hosts/mermet/users.nix patch | blob | history
nixos/modules.nix patch | blob | history
users/root/ssh/losurdo.pub [new file with mode: 0644] patch | blob

diff --git a/flake.nix b/flake.nix
index 45e0dc3b65b4ad0700d8ae011808662ae21b447b..c2d721540b2a40afddd9f8544206ae00355534ba 100644 (file)
--- a/flake.nix
+++ b/flake.nix
@@ -71,8 +71,6 @@ outputs = inputs: let
           system.nixos.revision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
           # Let 'nixos-version --json' know about the Git revision of this flake.
           system.configurationRevision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
-          security.gnupg.agent.enable = true;
-          security.gnupg.store = inputs.pass + "/hosts/${hostName}";
           /*
           system.configurationRevision =
             if inputs.self ? rev
@@ -132,21 +130,35 @@ outputs = inputs: let
         program = (pkgs.writeShellScript "switch" (''
           set -eux
           set -o pipefail
+          shopt -s globstar
           nix-store --add-root hosts/${hostName}.nixpkgs --indirect --realise ${nixpkgsPath}
           nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}
+
           nix copy --to ssh://${target}${lib.optionalString config.install.substituteOnDestination " --substitute-on-destination"} ${build.toplevel}
-          ${sendkeys.program}
+
           '' + lib.optionalString config.boot.initrd.network.ssh.enable ''
           # Send the SSH key of the initrd
-          gpg --decrypt '${config.security.gnupg.store}/initrd/ssh.key.gpg' |
+          gpg --decrypt 'pass/hosts/${hostName}/initrd/ssh.key.gpg' |
           ssh ${target} install -D -m 400 -o root -g root /dev/stdin /root/initrd/ssh.key
           # Send the Wireguard key of the initrd
-          gpg --decrypt '${config.security.gnupg.store}/wireguard/wg-intra/privateKey.gpg' |
+          gpg --decrypt 'pass/hosts/${hostName}/wireguard/wg-intra/privateKey.gpg' |
           ssh ${target} install -D -m 400 -o root -g root /dev/stdin /root/initrd/wg-intra.key
           '' + ''
-          ssh ${target} \
-            nix-env --profile '${profile}' --set '${build.toplevel}' '&&' \
-            '${profile}'/bin/switch-to-configuration switch
+          ssh ${target} set -x ';' \
+            systemctl reset-failed nixos-fallback '2>/dev/null' ';' \
+            systemd-run -u nixos-fallback --description=nixos-fallback /bin/sh -xc '''\'''
+              PATH=${with pkgs; lib.makeBinPath [ coreutils nix systemd ]}
+              sleep $((10 * 60))
+              ${profile}/bin/switch-to-configuration switch
+              systemctl reboot
+            '\'''' '&&' \
+            ${build.toplevel}/bin/switch-to-configuration test
+
+          ssh ${target} -o ControlPath=none set -x ';' \
+            systemctl stop nixos-fallback.service ';' \
+            nix-env --profile ${profile} --set '${build.toplevel}' ';' \
+            ${build.toplevel}/bin/switch-to-configuration boot '&&' \
+            nix-env --delete-generations 7d --profile ${profile}
           ''
         )).outPath;
       };
@@ -162,19 +174,6 @@ outputs = inputs: let
           sudo -k dd conv=notrunc oflag=direct,sync status=progress of="''${1:-/dev/mmcblk0}"
         '').outPath;
       };
-      # Example: nix run .#losurdo.sendkeys
-      "sendkeys" = {
-        type = "app";
-        #program = config.security.gnupg.agent.sendKeys + "/bin/gnupg-agent-sendKeys";
-        program = (pkgs.writeShellScript "sendkeys" ''
-          set -eux
-          #chmod -R g-rwx,o-rwx "$PWD/secrets/hosts"
-          #rsync -ai --no-times --numeric-ids --usermap=:root --groupmap=:root --chmod=Du+rwx,Fu=r,go-rwx --delete "$PWD/secrets/hosts/${hostName}/root/" ${target}:/root/secrets
-          #trap 'git reset secrets/hosts' EXIT
-          #git rm -rf --cached --ignore-unmatch secrets/hosts # prevent copying to /nix/store
-          ${pkgs.bash}/bin/bash -eux ${config.security.gnupg.agent.sendKeys + "/bin/gnupg-agent-sendKeys"}
-        '').outPath;
-      };
     }) inputs.self.nixosConfigurations;}
   );
 }
diff --git a/hosts/losurdo/.gpg-id b/hosts/losurdo/.gpg-id
index 5ddcf140bddd57b8f0bcbdb60c154b3f3879ab53..41ac432730548801635441384a5f257c08fbfa73 100644 (file)
Binary files a/hosts/losurdo/.gpg-id and b/hosts/losurdo/.gpg-id differ
diff --git a/hosts/losurdo/acme/autogeree.net.nix b/hosts/losurdo/acme/autogeree.net.nix
index 9544cd0e184edde1ffcac2023ce74f701ca385e9..08be4abbb93ab308493abdf12995baef10870c64 100644 (file)
--- a/hosts/losurdo/acme/autogeree.net.nix
+++ b/hosts/losurdo/acme/autogeree.net.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, hosts, ... }:
+{ pkgs, lib, config, inputs, hosts, hostName, ... }:
 let
   domain = "autogeree.net";
   domainID = lib.replaceStrings ["."] ["_"] domain;
@@ -38,7 +38,8 @@ security.acme.certs."${domain}" = {
   validMinDays = 10;
 };
 systemd.services."acme-${domain}" = {
-  serviceConfig.LoadCredentialEncrypted = "${domain}.tsig:" + ./. + "/${domain}.tsig.cred";
+  serviceConfig.LoadCredentialEncrypted =
+    [ "${domain}.tsig:${inputs.self}/hosts/${hostName}/acme/${domain}.tsig.cred" ];
   environment = {
     RFC2136_TSIG_SECRET = "%d/${domain}.tsig";
     RFC2136_NAMESERVER = "ns.${domain}:53";
diff --git a/hosts/losurdo/acme/autogeree.net.tsig.cred b/hosts/losurdo/acme/autogeree.net.tsig.cred
index 2f520d9d7dc04f94022f878d3b3ded300cbc5a63..43694bffc80230d0d55d1f3d34f2150ffbc98ed6 100644 (file)
Binary files a/hosts/losurdo/acme/autogeree.net.tsig.cred and b/hosts/losurdo/acme/autogeree.net.tsig.cred differ
diff --git a/hosts/losurdo/acme/sourcephile.fr.nix b/hosts/losurdo/acme/sourcephile.fr.nix
index 671364e1d02903b867ef5bc99b7ea88b426dde46..b211bd278bb35c04cf554232a259e655eed3180e 100644 (file)
--- a/hosts/losurdo/acme/sourcephile.fr.nix
+++ b/hosts/losurdo/acme/sourcephile.fr.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, hosts, ... }:
+{ pkgs, lib, config, inputs, hosts, hostName, ... }:
 let
   domain = "sourcephile.fr";
   domainID = lib.replaceStrings ["."] ["_"] domain;
@@ -35,7 +35,8 @@ security.acme.certs."${domain}" = {
   credentialsFile = "/dev/null";
 };
 systemd.services."acme-${domain}" = {
-  serviceConfig.LoadCredentialEncrypted = "${domain}.tsig:" + ./. + "/${domain}.tsig.cred";
+  serviceConfig.LoadCredentialEncrypted =
+    [ "${domain}.tsig:${inputs.self}/hosts/${hostName}/acme/${domain}.tsig.cred" ];
   environment = {
     RFC2136_TSIG_SECRET = "%d/${domain}.tsig";
     RFC2136_NAMESERVER = "ns.${domain}:53";
diff --git a/hosts/losurdo/acme/sourcephile.fr.tsig.cred b/hosts/losurdo/acme/sourcephile.fr.tsig.cred
index e0ef389bd1f76e19977ee972f91128cdfe1e2dc4..0bc99a5ef6ed989c068ff54c928feef122a97ae1 100644 (file)
Binary files a/hosts/losurdo/acme/sourcephile.fr.tsig.cred and b/hosts/losurdo/acme/sourcephile.fr.tsig.cred differ
diff --git a/hosts/losurdo/networking/nsupdate.nix b/hosts/losurdo/networking/nsupdate.nix
index 341cf567b423521ecea7fc32fa529cb7c534b564..fcbd42d58473f05bc701cca3f4f5b83d7f0fcbd9 100644 (file)
--- a/hosts/losurdo/networking/nsupdate.nix
+++ b/hosts/losurdo/networking/nsupdate.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, hosts, hostName, ... }:
+{ pkgs, lib, config, inputs, hosts, hostName, ... }:
 let
   inherit (config.users) users groups;
   inherit (config.networking) domain;
@@ -10,7 +10,7 @@ systemd.services.nsupdate = {
   startAt = "*:0/5"; # every 5 min
   serviceConfig = {
     Type = "simple";
-    LoadCredentialEncrypted = "${hostName}.tsig:" + ./nsupdate/tsig.cred;
+    LoadCredentialEncrypted = [ "${hostName}.tsig:${inputs.self}/hosts/${hostName}/networking/nsupdate/tsig.cred" ];
     ExecStart = pkgs.writeShellScript "nsupdate" ''
       set -eux
       publicIPv4=$(${pkgs.curl}/bin/curl -s4 https://whoami.sourcephile.fr/addr ||
diff --git a/hosts/losurdo/networking/nsupdate/tsig.cred b/hosts/losurdo/networking/nsupdate/tsig.cred
index 249c1c8780bb2f489236fbcaaecb7c8509c7afc0..07146d5a36e7a3430cce754fae47d9b64520b176 100644 (file)
Binary files a/hosts/losurdo/networking/nsupdate/tsig.cred and b/hosts/losurdo/networking/nsupdate/tsig.cred differ
diff --git a/hosts/losurdo/networking/tor/5spcvlzbaxwo4knhwnrekjtnakxmvekmlc5qwsigi33rn45hd5gewlyd.hs_ed25519_secret_key.cred b/hosts/losurdo/networking/tor/5spcvlzbaxwo4knhwnrekjtnakxmvekmlc5qwsigi33rn45hd5gewlyd.hs_ed25519_secret_key.cred
index 7f70b1c097b502e9e775eb8e73ba6c2cd41a45af..5f46411b76d130bc69fbfa90fa7731e504853295 100644 (file)
Binary files a/hosts/losurdo/networking/tor/5spcvlzbaxwo4knhwnrekjtnakxmvekmlc5qwsigi33rn45hd5gewlyd.hs_ed25519_secret_key.cred and b/hosts/losurdo/networking/tor/5spcvlzbaxwo4knhwnrekjtnakxmvekmlc5qwsigi33rn45hd5gewlyd.hs_ed25519_secret_key.cred differ
diff --git a/hosts/losurdo/networking/wireguard/wg-extra.nix b/hosts/losurdo/networking/wireguard/wg-extra.nix
index a5bd453062be5bc0f3013a3a4b55ad21a4120285..099e489e8c300b40447662134a7958b94969cf21 100644 (file)
--- a/hosts/losurdo/networking/wireguard/wg-extra.nix
+++ b/hosts/losurdo/networking/wireguard/wg-extra.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, hosts, hostName, ... }:
+{ pkgs, lib, config, inputs, hosts, hostName, ... }:
 let
   wgIface = "wg-extra";
   listenPort = 16843;
@@ -32,7 +32,8 @@ networking.nftables.ruleset = ''
   }
 '';
 #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = "privateKey:" + ./. + "/${wgIface}/privateKey.cred";
+systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted =
+  [ "privateKey:${inputs.self}/hosts/${hostName}/networking/wireguard/${wgIface}/privateKey.cred" ];
 networking.wireguard.interfaces."${wgIface}" = {
   # publicKey: 1Iyq96rPHfyrt4B31NqKLgWzlglkMAWjA41aF279gjM=
   privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";
diff --git a/hosts/losurdo/networking/wireguard/wg-extra/privateKey.cred b/hosts/losurdo/networking/wireguard/wg-extra/privateKey.cred
index 3f77b0a5b99337a5b62b3874f6623b0a00a17853..5f46411b76d130bc69fbfa90fa7731e504853295 100644 (file)
Binary files a/hosts/losurdo/networking/wireguard/wg-extra/privateKey.cred and b/hosts/losurdo/networking/wireguard/wg-extra/privateKey.cred differ
diff --git a/hosts/losurdo/networking/wireguard/wg-intra/privateKey.cred b/hosts/losurdo/networking/wireguard/wg-intra/privateKey.cred
index 086470a6bf3d6e566e0b0eb2fc83b6631210992c..5f46411b76d130bc69fbfa90fa7731e504853295 100644 (file)
Binary files a/hosts/losurdo/networking/wireguard/wg-intra/privateKey.cred and b/hosts/losurdo/networking/wireguard/wg-intra/privateKey.cred differ
diff --git a/hosts/losurdo/syncoid/sshKey.cred b/hosts/losurdo/syncoid/sshKey.cred
index 280db193e93dbf6cb67c878799de10d5871661b1..5f46411b76d130bc69fbfa90fa7731e504853295 100644 (file)
Binary files a/hosts/losurdo/syncoid/sshKey.cred and b/hosts/losurdo/syncoid/sshKey.cred differ
diff --git a/hosts/losurdo/transmission.nix b/hosts/losurdo/transmission.nix
index 262a5e1dee35da919dcaef12e40ff5923e0ca6dc..9179015f5cc4dc29e480d9b234d3e5cd03472ca4 100644 (file)
--- a/hosts/losurdo/transmission.nix
+++ b/hosts/losurdo/transmission.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, hostName, inputs, ... }:
+{ pkgs, lib, config, inputs, hostName, ... }:
 let
   inherit (config.services) transmission;
   inherit (config.users) users;
@@ -70,7 +70,8 @@ systemd.services.stop-transmission = {
   startAt = "06..19:0,15,30,45:00";
   script = "true";
 };
-systemd.services.transmission.serviceConfig.LoadCredentialEncrypted = "settings.json:" + transmission/settings.json.cred;
+systemd.services.transmission.serviceConfig.LoadCredentialEncrypted =
+  [ "settings.json:${inputs.self}/hosts/${hostName}/transmission/settings.json.cred" ];
 services.transmission = {
   enable = true;
   performanceNetParameters = true;
diff --git a/hosts/losurdo/transmission/settings.json.cred b/hosts/losurdo/transmission/settings.json.cred
index f96485aadabd0b3f09056378eaab222f55327e64..5f46411b76d130bc69fbfa90fa7731e504853295 100644 (file)
Binary files a/hosts/losurdo/transmission/settings.json.cred and b/hosts/losurdo/transmission/settings.json.cred differ
diff --git a/hosts/mermet/coturn.nix b/hosts/mermet/coturn.nix
index 74ee344df40dd7bf9a5187f4d9f79439d1b26d6f..a6eaa3e47bb1c95b84d95fe255d8ae2def335091 100644 (file)
--- a/hosts/mermet/coturn.nix
+++ b/hosts/mermet/coturn.nix
@@ -31,10 +31,10 @@ services.coturn = {
   enable = true;
   realm = "turn.${domain}";
   use-auth-secret = true;
-  static-auth-secret = builtins.readFile coturn/static-auth-secret.clear;
+  static-auth-secret = lib.readFile coturn/static-auth-secret.clear;
   pkey = "/var/lib/acme/${domain}/key.pem";
   cert = "/var/lib/acme/${domain}/fullchain.pem";
-  dh-file = coturn/dh4096.pem;
+  dh-file = lib.readFile coturn/dh4096.pem;
   listening-ips = [ipv4];
   relay-ips = [ipv4];
   secure-stun = false;
diff --git a/hosts/mermet/croc/pass.clear b/hosts/mermet/croc/pass.clear
new file mode 100644 (file)
index 0000000..2760b82
Binary files /dev/null and b/hosts/mermet/croc/pass.clear differ
diff --git a/hosts/mermet/dovecot/dh4096.pem b/hosts/mermet/dovecot/dh4096.pem
new file mode 100644 (file)
index 0000000..a4c2df9
Binary files /dev/null and b/hosts/mermet/dovecot/dh4096.pem differ
diff --git a/hosts/mermet/gitolite b/hosts/mermet/gitolite
index 3b441579dd52096501089d6801c245fd5ef985b5..39df25065cd861586a3e7568b924955734f8d837 160000 (submodule)
--- a/hosts/mermet/gitolite
+++ b/hosts/mermet/gitolite
@@ -1 +1 @@
-Subproject commit 3b441579dd52096501089d6801c245fd5ef985b5
+Subproject commit 39df25065cd861586a3e7568b924955734f8d837
diff --git a/hosts/mermet/gitolite.nix b/hosts/mermet/gitolite.nix
index e14dddbba2eebaec1fc11742d3844153d070dcd9..db554edbc7a1ea5dda2f76a518ea6be17de9e3f4 100644 (file)
--- a/hosts/mermet/gitolite.nix
+++ b/hosts/mermet/gitolite.nix
@@ -15,7 +15,7 @@ services.gitolite = {
   enable = true;
   user   = "git";
   group  = users."git-daemon".name;
-  adminPubkey = ../../users/julm/ssh/gnupg.pub;
+  adminPubkey = lib.readFile ../../users/julm/ssh/gnupg.pub;
   extraGitoliteRc = ''
     $RC{UMASK}           = 0027; # NOTE: no quote around in Perl, so it's octal
     $RC{LOG_DEST}        = 'repo-log,syslog';
diff --git a/hosts/mermet/iodine.nix b/hosts/mermet/iodine.nix
index 9ecc7770f1a8f493d48631ae84ee6fc72a013216..0ac7985f9b561444389a9d4645d4ad98774930fd 100644 (file)
--- a/hosts/mermet/iodine.nix
+++ b/hosts/mermet/iodine.nix
@@ -1,11 +1,12 @@
-{ pkgs, lib, config, credentials, host, ... }:
+{ pkgs, lib, config, inputs, hostName, host, ... }:
 let
   domain = "i.sourcephile.fr";
   dnsIface = "iode";
   gwIface = config.networking.defaultGateway.interface;
 in
 {
-systemd.services.iodined.serviceConfig.LoadCredentialEncrypted = "password:${credentials}/iodine/password.secret";
+systemd.services.iodined.serviceConfig.LoadCredentialEncrypted =
+  [ "password:${inputs.self}/hosts/${hostName}/iodine/password.cred" ];
 systemd.sockets.iodined = {
   enable = true;
   listenDatagrams = [ "127.0.0.1:1053" ];
diff --git a/hosts/mermet/iodine/password.cred b/hosts/mermet/iodine/password.cred
new file mode 100644 (file)
index 0000000..fc6fd45
Binary files /dev/null and b/hosts/mermet/iodine/password.cred differ
diff --git a/hosts/mermet/knot/autogeree.net.nix b/hosts/mermet/knot/autogeree.net.nix
index f5fdf726d8087248cb3928b581fe138535225cd8..4a0b15c7afd3380157a07922d34895a55550e536 100644 (file)
--- a/hosts/mermet/knot/autogeree.net.nix
+++ b/hosts/mermet/knot/autogeree.net.nix
@@ -1,15 +1,14 @@
-{ inputs, pkgs, lib, config, hosts, ... }:
+{ pkgs, lib, config, inputs, hostName, hosts, ... }:
 let
   domain = "autogeree.net";
   domainID = lib.replaceStrings ["."] ["_"] domain;
   inherit (builtins) attrValues;
   inherit (config) networking;
-  inherit (config.security) gnupg;
   inherit (config.services) knot;
   inherit (config.users) users;
 in
 {
-services.knot.zones."${domain}" = {
+services.knot.zones.${domain} = {
   conf = ''
     acl:
       - id: acl_localhost_acme_${domainID}
@@ -98,17 +97,15 @@ networking.nftables.ruleset = ''
     set output-net-knot-ipv6 { type ipv6_addr; elements = { 2001:4b98:d:1::40 }; }
   }
 '';
-users.groups.keys.members = [ users.knot.name ];
 services.knot = {
-  keyFiles = [ gnupg.secrets."knot/tsig/${domain}/acme.conf".path ];
+  keyFiles = [
+    "/run/credentials/knot.service/${domain}.acme.conf"
+  ];
 };
-security.gnupg.secrets."knot/tsig/${domain}/acme.conf" = {
-  # Generated with: keymgr -t acme_${domainID}
-  user = users.knot.name;
-};
-systemd.services.knot = {
-  after = [ gnupg.secrets."knot/tsig/${domain}/acme.conf".service ];
-  wants = [ gnupg.secrets."knot/tsig/${domain}/acme.conf".service ];
+systemd.services.knot.serviceConfig = {
+  LoadCredentialEncrypted = [
+    "${domain}.acme.conf:${inputs.self}/hosts/${hostName}/${domain}/acme.conf.cred"
+  ];
 };
 /* Useless since the zone is public
 services.unbound.settings = {
diff --git a/hosts/mermet/knot/autogeree.net/acme.conf.cred b/hosts/mermet/knot/autogeree.net/acme.conf.cred
new file mode 100644 (file)
index 0000000..af9321c
Binary files /dev/null and b/hosts/mermet/knot/autogeree.net/acme.conf.cred differ
diff --git a/hosts/mermet/knot/autogeree.net/acme.conf.gpg b/hosts/mermet/knot/autogeree.net/acme.conf.gpg
new file mode 100644 (file)
index 0000000..851dd34
Binary files /dev/null and b/hosts/mermet/knot/autogeree.net/acme.conf.gpg differ
diff --git a/hosts/mermet/knot/sourcephile.fr.nix b/hosts/mermet/knot/sourcephile.fr.nix
index 17eb864ea0bc2ff66a1807175a2dd53693a1d252..489005ce8f4303d79d176ef350485b2bc52e8e50 100644 (file)
--- a/hosts/mermet/knot/sourcephile.fr.nix
+++ b/hosts/mermet/knot/sourcephile.fr.nix
@@ -1,9 +1,8 @@
-{ inputs, pkgs, lib, config, hosts, credentials, ... }:
+{ pkgs, lib, config, inputs, hostName, hosts, ... }:
 let
   domain = "sourcephile.fr";
   domainID = lib.replaceStrings ["."] ["_"] domain;
   inherit (config) networking;
-  inherit (config.security) gnupg;
   inherit (config.services) knot;
   inherit (config.users) users;
 in
@@ -181,14 +180,21 @@ services.knot.zones."${domain}" = {
     @ CAA 128 issue "letsencrypt.org"
   '';
 };
-users.groups.keys.members = [ users.knot.name ];
 services.knot = {
   keyFiles = [
-    gnupg.secrets."knot/tsig/${domain}/acme.conf".path
+    "/run/credentials/knot.service/${domain}.acme.conf"
     # Generated with: keymgr -t losurdo_${domainID}
     "/run/credentials/knot.service/losurdo.conf"
   ];
 };
+systemd.services.knot = {
+  serviceConfig = {
+    LoadCredentialEncrypted = [
+      "${domain}.acme.conf:${inputs.self}/hosts/${hostName}/${domain}/acme.conf.cred"
+      "losurdo.conf:${inputs.self}/hosts/${hostName}/${domain}/losurdo.conf.cred"
+    ];
+  };
+};
 networking.nftables.ruleset = ''
   table inet filter {
     # Gandi DNS
@@ -202,29 +208,6 @@ networking.nftables.ruleset = ''
     }
   }
 '';
-security.gnupg.secrets = {
-  "knot/tsig/${domain}/acme.conf" = {
-    # Generated with: keymgr -t acme_${domainID}
-    user = users.knot.name;
-  };
-};
-systemd.services.knot = {
-  serviceConfig = {
-    LoadCredentialEncrypted = "losurdo.conf:${credentials}/knot/tsig/losurdo.conf.secret";
-  };
-  /*
-  preStart = ''
-    test ! -d "$CREDENTIALS_DIRECTORY" ||
-    ln -fns "$CREDENTIALS_DIRECTORY" /var/lib/knot/credentials
-  '';
-  */
-  after = [
-    gnupg.secrets."knot/tsig/${domain}/acme.conf".service
-  ];
-  wants = [
-    gnupg.secrets."knot/tsig/${domain}/acme.conf".service
-  ];
-};
 /* Useless since the zone is public
 services.unbound.settings = {
   stub-zone = {
diff --git a/hosts/mermet/knot/sourcephile.fr/acme.conf.cred b/hosts/mermet/knot/sourcephile.fr/acme.conf.cred
new file mode 100644 (file)
index 0000000..af9321c
Binary files /dev/null and b/hosts/mermet/knot/sourcephile.fr/acme.conf.cred differ
diff --git a/hosts/mermet/knot/sourcephile.fr/acme.conf.gpg b/hosts/mermet/knot/sourcephile.fr/acme.conf.gpg
new file mode 100644 (file)
index 0000000..824db95
Binary files /dev/null and b/hosts/mermet/knot/sourcephile.fr/acme.conf.gpg differ
diff --git a/hosts/mermet/knot/sourcephile.fr/losurdo.conf.cred b/hosts/mermet/knot/sourcephile.fr/losurdo.conf.cred
new file mode 100644 (file)
index 0000000..dd4b319
Binary files /dev/null and b/hosts/mermet/knot/sourcephile.fr/losurdo.conf.cred differ
diff --git a/hosts/mermet/knot/sourcephile.fr/losurdo.conf.gpg b/hosts/mermet/knot/sourcephile.fr/losurdo.conf.gpg
new file mode 100644 (file)
index 0000000..1567fab
Binary files /dev/null and b/hosts/mermet/knot/sourcephile.fr/losurdo.conf.gpg differ
diff --git a/hosts/mermet/miniflux.nix b/hosts/mermet/miniflux.nix
index 21c9abaf4f021b3d690bee5739db853be09fa270..b9871949054cb94122ee84b2fb5fdf71f29fcdf7 100644 (file)
--- a/hosts/mermet/miniflux.nix
+++ b/hosts/mermet/miniflux.nix
@@ -1,7 +1,6 @@
-{ pkgs, lib, config, hostName, ... }:
+{ pkgs, lib, config, inputs, hostName, ... }:
 let
   inherit (config.networking) domain;
-  inherit (config.security) gnupg;
   inherit (config.services) nginx postgresql;
   inherit (config.users) users groups;
   srv = "miniflux";
@@ -29,12 +28,9 @@ services.miniflux = {
     WATCHDOG = "1";
     WORKER_POOL_SIZE = "2";
   };
-  adminCredentialsFile = gnupg.secrets."miniflux/credentials".path;
+  adminCredentialsFile = "/run/credentials/miniflux.service/credentials";
 };
-security.gnupg.secrets."miniflux/credentials" = {};
 systemd.services.miniflux = {
-  after = [ gnupg.secrets."miniflux/credentials".service ];
-  wants = [ gnupg.secrets."miniflux/credentials".service ];
   partOf = [ "postgresql.service" ];
   # For the socket-activation
   wantedBy = lib.mkForce [ ];
@@ -42,6 +38,9 @@ systemd.services.miniflux = {
     RefuseManualStart = true;
   };
   serviceConfig = {
+    LoadCredentialEncrypted = [
+      "credentials:${inputs.self}/hosts/${hostName}/miniflux/credentials.cred"
+    ];
     # For postgres auth
     User = users."miniflux".name;
     Group = groups."postgres".name;
@@ -86,5 +85,6 @@ services.nginx.virtualHosts."${srv}.${domain}" = {
     proxyPass = "http://unix:/run/miniflux.sock:/";
   };
 };
-systemd.services.nginx.serviceConfig.LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
+systemd.services.nginx.serviceConfig.LogsDirectory =
+  lib.mkForce ["nginx/${domain}/${srv}"];
 }
diff --git a/hosts/mermet/miniflux/credentials.cred b/hosts/mermet/miniflux/credentials.cred
new file mode 100644 (file)
index 0000000..17502ee
Binary files /dev/null and b/hosts/mermet/miniflux/credentials.cred differ
diff --git a/hosts/mermet/miniflux/credentials.gpg b/hosts/mermet/miniflux/credentials.gpg
new file mode 100644 (file)
index 0000000..d32ad05
Binary files /dev/null and b/hosts/mermet/miniflux/credentials.gpg differ
diff --git a/hosts/mermet/nginx/autogeree.net/www.nix b/hosts/mermet/nginx/autogeree.net/www.nix
index afdec9390bbbf532b5deaefbb86e8a5c8fc33a93..431f3cb1234e85f7b1a60c10b9f9537f44e9b9ad 100644 (file)
--- a/hosts/mermet/nginx/autogeree.net/www.nix
+++ b/hosts/mermet/nginx/autogeree.net/www.nix
@@ -1,8 +1,7 @@
 { domain, ... }:
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, inputs, hostName, ... }:
 let
   inherit (config) networking;
-  inherit (config.security) gnupg;
   inherit (config.services) nginx;
   srv = "www";
   root = "/var/lib/nginx/${domain}";
@@ -18,6 +17,9 @@ systemd.services.nginx.serviceConfig = {
   LogsDirectory = lib.mkForce [
     "nginx/${domain}/${srv}"
   ];
+  LoadCredentialEncrypted = [
+    "${domain}.${srv}.julm.PC.htpasswd:${inputs.self}/hosts/${hostName}/nginx/${domain}/${srv}/julm/PC/htpasswd.cred"
+  ];
 };
 services.nginx = {
   virtualHosts."${domain}.${srv}" = {
@@ -43,7 +45,7 @@ services.nginx = {
     };
     locations."/julm/PC/" = {
       alias = "${root}/julm/PC/";
-      basicAuthFile = gnupg.secrets."nginx/${domain}/${srv}/julm/PC/htpasswd".path;
+      basicAuthFile = "/run/credentials/nginx.service/${domain}.${srv}.julm.PC.htpasswd";
       extraConfig = ''
         fancyindex on;
         fancyindex_name_length 255;
@@ -52,13 +54,4 @@ services.nginx = {
     };
   };
 };
-security.gnupg.secrets = {
-  "nginx/${domain}/${srv}/julm/PC/htpasswd" = {
-    # Generated with: echo "$user:$(openssl passwd -apr1)"
-    systemdConfig.before = [ "nginx.service" ];
-    systemdConfig.wantedBy = [ "nginx.service" ];
-    user = nginx.user;
-    group = nginx.group;
-  };
-};
 }
diff --git a/hosts/mermet/nginx/autogeree.net/www/julm/PC/htpasswd.cred b/hosts/mermet/nginx/autogeree.net/www/julm/PC/htpasswd.cred
new file mode 100644 (file)
index 0000000..783d4fb
Binary files /dev/null and b/hosts/mermet/nginx/autogeree.net/www/julm/PC/htpasswd.cred differ
diff --git a/hosts/mermet/nginx/autogeree.net/www/julm/PC/htpasswd.gpg b/hosts/mermet/nginx/autogeree.net/www/julm/PC/htpasswd.gpg
new file mode 100644 (file)
index 0000000..1f8019c
Binary files /dev/null and b/hosts/mermet/nginx/autogeree.net/www/julm/PC/htpasswd.gpg differ
diff --git a/hosts/mermet/nginx/dh4096.pem b/hosts/mermet/nginx/dh4096.pem
new file mode 100644 (file)
index 0000000..1a5fe00
Binary files /dev/null and b/hosts/mermet/nginx/dh4096.pem differ
diff --git a/hosts/mermet/nginx/sourcephile.fr/www.nix b/hosts/mermet/nginx/sourcephile.fr/www.nix
index 0eb09bfb0338d770d5bd85af7cd097cfbefa8f03..73300c9a5e01d4ac6fdb57e08c8e82524ecc0bb6 100644 (file)
--- a/hosts/mermet/nginx/sourcephile.fr/www.nix
+++ b/hosts/mermet/nginx/sourcephile.fr/www.nix
@@ -1,8 +1,7 @@
 { domain, ... }:
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, inputs, hostName, ... }:
 let
   inherit (config) networking;
-  inherit (config.security) gnupg;
   inherit (config.services) nginx;
   srv = "www";
   root = "/var/lib/nginx/${domain}";
diff --git a/hosts/mermet/prosody.nix b/hosts/mermet/prosody.nix
index 7ad8a9348debd8bb1b3106ae807560d1e48d6f53..c471140028e047afac5c4f64ca166ea251880ed3 100644 (file)
--- a/hosts/mermet/prosody.nix
+++ b/hosts/mermet/prosody.nix
@@ -116,9 +116,9 @@ services.prosody = {
 
     -- turncredentials_host = "turn.${domain}"
     -- turncredentials_port = 3478
-    -- turncredentials_secret = "${coturn.settings.static-auth-secret}";
+    -- turncredentials_secret = "${coturn.static-auth-secret}";
 
-    turn_external_secret = "${coturn.settings.static-auth-secret}"
+    turn_external_secret = "${coturn.static-auth-secret}"
     turn_external_host = "turn.${domain}"
     turn_external_port = 3478
     turn_external_ttl = 86400
diff --git a/hosts/mermet/rspamd.nix b/hosts/mermet/rspamd.nix
index 6595e1c6ea5616618c942ab4b4fce3cd6abb1688..45c19722616746adfcb8f9c114a503d4bd09a7ef 100644 (file)
--- a/hosts/mermet/rspamd.nix
+++ b/hosts/mermet/rspamd.nix
@@ -1,9 +1,8 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, inputs, hostName, ... }:
 let
   inherit (builtins) attrNames listToAttrs readFile;
   inherit (lib) types;
   inherit (pkgs.lib) unlinesAttrs;
-  inherit (config.security) gnupg;
   inherit (config.services) postfix rspamd dovecot2;
   redis = config.services.redis.servers.rspamd;
   inherit (config.users) users groups;
@@ -23,7 +22,6 @@ options = {
 };
 config = {
 users.groups.redis-rspamd.members = [ rspamd.user ];
-users.groups.keys.members = [ rspamd.user ];
 services.rspamd = {
   enable = true;
   debug = false;
@@ -31,12 +29,12 @@ services.rspamd = {
   locals = {
     "dkim_signing.conf".text = ''
       selector_map = ${rspamd.dkimSelectorMap};
-      path = "/run/keys/gnupg/rspamd/dkim/$domain/$selector.key/file";
+      path = "/run/credentials/rspamd.service/$domain.$selector.key";
       allow_username_mismatch = true;
     '';
     "arc.conf".text = ''
       selector_map = ${rspamd.dkimSelectorMap};
-      path = "/run/keys/gnupg/rspamd/dkim/$domain/$selector.key/file";
+      path = "/run/credentials/rspamd.service/$domain.$selector.key";
       allow_username_mismatch = true;
     '';
     "redis.conf".text = ''
@@ -97,7 +95,7 @@ services.rspamd = {
     controller = {
       includes = [
         "$CONFDIR/worker-controller.inc"
-        gnupg.secrets."rspamd/controller/hashedPassword".path
+        "/run/credentials/rspamd.service/controller.inc"
       ];
       bindSockets = [
         "127.0.0.1:11334"
@@ -109,15 +107,12 @@ services.rspamd = {
     };
   };
 };
-security.gnupg.secrets."rspamd/controller/hashedPassword" = {
-  # Generated with: rspamadm pw
-  user = rspamd.user;
-  pipe = ''${pkgs.gnused}/bin/sed -e 's/.*/password = "\0";/' '';
-  systemdConfig.postStart = "systemctl try-restart --no-block rspamd"; # rspamd does not support reloading so far
-};
 systemd.services.rspamd = {
-  wants = [ gnupg.secrets."rspamd/controller/hashedPassword".service ];
-  after = [ gnupg.secrets."rspamd/controller/hashedPassword".service ];
+  serviceConfig = {
+    LoadCredentialEncrypted = [
+      "controller.inc:${inputs.self}/hosts/${hostName}/rspamd/controller.inc.cred"
+    ];
+  };
 };
 
 fileSystems."/var/lib/redis-rspamd" = {
diff --git a/hosts/mermet/rspamd/autogeree.net.nix b/hosts/mermet/rspamd/autogeree.net.nix
index 8fe9907ccfc4fa96c0732bea8b956ed064ce6502..0ed4da3308fc88fb275db56bb876deb8a30aeaac 100644 (file)
--- a/hosts/mermet/rspamd/autogeree.net.nix
+++ b/hosts/mermet/rspamd/autogeree.net.nix
@@ -1,6 +1,5 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, inputs, hostName, ... }:
 let
-  inherit (config.security) gnupg;
   inherit (config.services) rspamd;
   domain = "autogeree.net";
   selector = "20200101";
@@ -18,12 +17,9 @@ services.knot.zones."${domain}".data = ''
     "+hH+Mr/4V1wnKtdosk/7+3VIQ6clTIfWhD6PlnWd78Uo5lfWnYxTem7EMc2q7j6tzGwj+Q+b4Li9fdhLqxGuD0V64/nVZit90b0HyfiV5srln2lK6Hczrwqr0gOEBGQ4YeLjOF6ldaV01mFWR9ddr9a5/gVCqw8vw7vhqXvU7yK8VHW2rdsvkNZ0bDOa66MCveD7pH2vyljrfZq9k0T/NLHrsu8CAwEAAQ=="
   )
 '';
-security.gnupg.secrets."rspamd/dkim/${domain}/${selector}.key" = {
-  user = rspamd.user;
-  systemdConfig.postStart = "systemctl try-restart --no-block rspamd";
-};
-systemd.services.rspamd = {
-  wants = [ gnupg.secrets."rspamd/dkim/${domain}/${selector}.key".service ];
-  after = [ gnupg.secrets."rspamd/dkim/${domain}/${selector}.key".service ];
+systemd.services.rspamd.serviceConfig = {
+  LoadCredentialEncrypted = [
+    "${domain}.${selector}.key:${inputs.self}/hosts/${hostName}/rspamd/${domain}/${selector}.dkim.key.cred"
+  ];
 };
 }
diff --git a/hosts/mermet/rspamd/autogeree.net/20200101.dkim.key.cred b/hosts/mermet/rspamd/autogeree.net/20200101.dkim.key.cred
new file mode 100644 (file)
index 0000000..af9321c
Binary files /dev/null and b/hosts/mermet/rspamd/autogeree.net/20200101.dkim.key.cred differ
diff --git a/hosts/mermet/rspamd/autogeree.net/20200101.dkim.key.gpg b/hosts/mermet/rspamd/autogeree.net/20200101.dkim.key.gpg
new file mode 100644 (file)
index 0000000..409bdbc
Binary files /dev/null and b/hosts/mermet/rspamd/autogeree.net/20200101.dkim.key.gpg differ
diff --git a/hosts/mermet/rspamd/controller.inc.cred b/hosts/mermet/rspamd/controller.inc.cred
new file mode 100644 (file)
index 0000000..448ce4f
Binary files /dev/null and b/hosts/mermet/rspamd/controller.inc.cred differ
diff --git a/hosts/mermet/rspamd/controller.inc.gpg b/hosts/mermet/rspamd/controller.inc.gpg
new file mode 100644 (file)
index 0000000..058a023
Binary files /dev/null and b/hosts/mermet/rspamd/controller.inc.gpg differ
diff --git a/hosts/mermet/rspamd/sourcephile.fr.nix b/hosts/mermet/rspamd/sourcephile.fr.nix
index 4f16b2067666a1f59aaa86c39f1690d7ed9f44a4..f126c939e4861660fab91c06ff996156b4daf2ce 100644 (file)
--- a/hosts/mermet/rspamd/sourcephile.fr.nix
+++ b/hosts/mermet/rspamd/sourcephile.fr.nix
@@ -1,6 +1,5 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, inputs, hostName, ... }:
 let
-  inherit (config.security) gnupg;
   inherit (config.services) rspamd;
   domain = "sourcephile.fr";
   selector = "20200101";
@@ -22,12 +21,9 @@ services.knot.zones."${domain}".data = ''
     "rWWtSTdO8DilDqN8CAwEAAQ=="
   )
 '';
-security.gnupg.secrets."rspamd/dkim/${domain}/${selector}.key" = {
-  user = rspamd.user;
-  systemdConfig.postStart = "systemctl try-restart --no-block rspamd";
-};
-systemd.services.rspamd = {
-  after = [ gnupg.secrets."rspamd/dkim/${domain}/${selector}.key".service ];
-  wants = [ gnupg.secrets."rspamd/dkim/${domain}/${selector}.key".service ];
+systemd.services.rspamd.serviceConfig = {
+  LoadCredentialEncrypted = [
+    "${domain}.${selector}.key:${inputs.self}/hosts/${hostName}/rspamd/${domain}/${selector}.dkim.key.cred"
+  ];
 };
 }
diff --git a/hosts/mermet/rspamd/sourcephile.fr/20200101.dkim.key.cred b/hosts/mermet/rspamd/sourcephile.fr/20200101.dkim.key.cred
new file mode 100644 (file)
index 0000000..7108cd7
Binary files /dev/null and b/hosts/mermet/rspamd/sourcephile.fr/20200101.dkim.key.cred differ
diff --git a/hosts/mermet/rspamd/sourcephile.fr/20200101.dkim.key.gpg b/hosts/mermet/rspamd/sourcephile.fr/20200101.dkim.key.gpg
new file mode 100644 (file)
index 0000000..7db3947
Binary files /dev/null and b/hosts/mermet/rspamd/sourcephile.fr/20200101.dkim.key.gpg differ
diff --git a/hosts/mermet/sanoid.nix b/hosts/mermet/sanoid.nix
index 2c6afdf000b555f78d0223106bf250ba766c531a..9607894face828d6dd8bc6ba75ff306251683380 100644 (file)
--- a/hosts/mermet/sanoid.nix
+++ b/hosts/mermet/sanoid.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, shared, ... }:
+{ pkgs, lib, config, ... }:
 let
   inherit (builtins) readFile;
   inherit (config.users) users groups;
@@ -9,7 +9,7 @@ users.users.backup = {
   shell = users.root.shell;
   group = groups.disk.name;
   openssh.authorizedKeys.keys = [
-    (readFile (shared + "/hosts/losurdo/syncoid/sshKey.pub"))
+    (readFile ../losurdo/syncoid/sshKey.pub)
   ] ++ users."julm".openssh.authorizedKeys.keys;
 };
 systemd.tmpfiles.rules = [
diff --git a/hosts/mermet/users.nix b/hosts/mermet/users.nix
index 5a48b65345865608aa68a119165c5fcfc4b9968a..253e3ce6b6b6820496f822fe6598af85b68c7191 100644 (file)
--- a/hosts/mermet/users.nix
+++ b/hosts/mermet/users.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, shared, ... }:
+{ pkgs, lib, config, ... }:
 let
   inherit (builtins) readFile;
   inherit (config.users) users;
@@ -18,7 +18,7 @@ users = {
     root = {
       openssh.authorizedKeys.keys =
         users."julm".openssh.authorizedKeys.keys ++
-        [ (readFile (shared + "/hosts/losurdo/users/root/ssh/ed25519.pub")) ];
+        [ (readFile ../../users/root/ssh/losurdo.pub) ];
       hashedPassword = "!";
     };
   };
diff --git a/nixos/modules.nix b/nixos/modules.nix
index 07389fcc954a9cb6da13b7682ec85a1c5e4122c5..c85fe310d09ac83eba5a3f4d6ac7bb50320732ac 100644 (file)
--- a/nixos/modules.nix
+++ b/nixos/modules.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, inputs, ... }:
 # NOTE: list explicitely the modules loaded by defaults.nix,
 # its clearer, safer and more flexible if not quicker.
 {
@@ -29,6 +29,7 @@ imports = [
   #modules/config/console.nix
   #modules/services/x11/display-managers/default.nix
   modules/services/networking/prosody.nix
+  (inputs.julm-nix + "/nixos/modules/security/systemd-creds.nix")
 ];
 disabledModules = [
   #"config/console.nix"
diff --git a/users/root/ssh/losurdo.pub b/users/root/ssh/losurdo.pub
new file mode 100644 (file)
index 0000000..0b8003f
--- /dev/null
+++ b/users/root/ssh/losurdo.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJkAq1T0Dxozt4RPylvWrUmeuejiG+n/owb3ucnWP9F root@losurdo
NixOS configurations for Sourcephile's infrastructure