diff --git a/flake.lock b/flake.lock index 357aa75..6c92b7f 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1746040799, - "narHash": "sha256-osgPX/SzIpkR50vev/rqoTEAVkEcOWXoQXmbzsaI4KU=", + "lastModified": 1747009742, + "narHash": "sha256-TNhbM7R45fpq2cdWzvFj+H5ZTcE//I5XSe78GFh0cDY=", "owner": "nix-community", "repo": "home-manager", - "rev": "5f217e5a319f6c186283b530f8c975e66c028433", + "rev": "c74665abd6e4e37d3140e68885bc49a994ffa53c", "type": "github" }, "original": { @@ -58,11 +58,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1745930157, - "narHash": "sha256-y3h3NLnzRSiUkYpnfvnS669zWZLoqqI6NprtLQ+5dck=", + "lastModified": 1746904237, + "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "46e634be05ce9dc6d4db8e664515ba10b78151ae", + "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956", "type": "github" }, "original": { @@ -100,7 +100,28 @@ "home-manager": "home-manager", "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", - "plasma-manager": "plasma-manager" + "plasma-manager": "plasma-manager", + "secrix": "secrix" + } + }, + "secrix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1746643487, + "narHash": "sha256-dcB/DArJObCvqE/ZEdQSDW2BZMeDyF83Se5KPfJvz60=", + "owner": "Platonic-Systems", + "repo": "secrix", + "rev": "4c64203fa5b377953b1fb6d5388187df8b60c6d5", + "type": "github" + }, + "original": { + "owner": "Platonic-Systems", + "repo": "secrix", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 0109d59..b9ec5f8 100644 --- a/flake.nix +++ b/flake.nix 
@@ -18,9 +18,15 @@
 url = "github:nix-community/nixos-generators";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ secrix = {
+ url = "github:Platonic-Systems/secrix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 
- outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators }: {
+ outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators, secrix }: {
+ apps.x86_64-linux.secrix = secrix.secrix self;
+
 nixosConfigurations = {
 Yura-PC = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
@@ -52,6 +58,7 @@
 router = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
+ secrix.nixosModules.default
 ./modules
 ./hosts/common.nix
 ./hosts/router
diff --git a/hosts/router/default.nix b/hosts/router/default.nix
index a592f7b..c3a58dd 100644
--- a/hosts/router/default.nix
+++ b/hosts/router/default.nix
@@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }:
-
+let
+ vars = import ./vars.nix;
+in
 {
 imports = [
 # Include the results of the hardware scan.
@@ -10,6 +12,8 @@
 ./kea.nix
 ./services.nix
 ];
+ # Secrix for secrets management
+ secrix.hostPubKey = vars.pubkey;
 
 # Bootloader.
 boot.loader.systemd-boot.enable = true;
diff --git a/hosts/router/services.nix b/hosts/router/services.nix
index 060ecc2..a380f01 100644
--- a/hosts/router/services.nix
+++ b/hosts/router/services.nix
@@ -47,6 +47,8 @@ in
 };
 };
 
+ secrix.system.secrets.cf-api-key.encrypted.file = ../../secrets/cf_api_key.age;
+ systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path;
 services.caddy = {
 enable = true;
 package = pkgs.caddy.withPlugins {
@@ -55,7 +57,7 @@ in
 };
 virtualHosts."grouter.${domain}".extraConfig = ''
 tls {
- dns cloudflare xx
+ dns cloudflare {env.CF_API_KEY}
 resolvers 1.1.1.1
 }
 @grafana path /grafana /grafana/*
diff --git a/hosts/router/vars.nix b/hosts/router/vars.nix
index 3961ab9..10b4237 100644
--- a/hosts/router/vars.nix
+++ b/hosts/router/vars.nix
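Review bot: The comment above `secrix.hostPubKey = vars.pubkey;` says what the option is for but not what the key has to be, and the `root@grouter` label in vars.nix is the only hint that this is the router's own host key rather than an arbitrary recipient. Because the `.age` file can only be decrypted on a machine holding the private half of that key at activation time, the coupling belongs next to where the key is consumed, e.g. `# age recipient for every secret under secrets/; must match the private key secrix reads on this host (presumably /etc/ssh/ssh_host_ed25519_key) or activation cannot decrypt them — re-encrypt if that key is regenerated`. Which key file secrix actually reads is not visible in this diff, so confirm it against the secrix module before pinning the path in the comment. The enclosing attribute set opens and closes outside the hunk.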
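Review bot: The new `EnvironmentFile` line works only if the decrypted secret is in `KEY=value` form, and the Caddyfile two hunks down reads `{env.CF_API_KEY}`, yet nothing in the hunk records that `secrets/cf_api_key.age` must decrypt to exactly `CF_API_KEY=<token>` — a bare token would leave the placeholder empty and every DNS-01 challenge failing. A comment on the `encrypted.file` line, `# plaintext must be an env file, CF_API_KEY=<Cloudflare token scoped to Zone:DNS:Edit on this zone only>`, fixes that and states the least-privilege expectation for the token. Since `EnvironmentFile=` has no leading `-`, systemd refuses to start caddy when the decrypted path is missing, which fails closed but means caddy has to be ordered after whatever unit secrix uses to decrypt; if the secrix module does not add that ordering itself (not visible here), declare an `after`/`requires` on its unit. systemd reads `EnvironmentFile=` before switching to the service's `User=`, so the decrypted file can stay root-only rather than readable by the caddy user — check what mode and owner secrix gives `decrypted.path` by default. The enclosing attribute set starts and ends outside the hunk.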
@@ -31,6 +31,7 @@ let }; in rec { + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFobB87yYVwhuYrA+tfztLuks3s9jZOqEFktwGw1mo83 root@grouter"; domain = "cazzzer.com"; ldomain = "l.${domain}"; sysdomain = "sys.${domain}"; diff --git a/secrets/cf_api_key.age b/secrets/cf_api_key.age new file mode 100644 index 0000000..34939bb --- /dev/null +++ b/secrets/cf_api_key.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 D2MY/A Kj69kavxx+ATNHP5pX0JtGggU76f9uRwkZp2HbjwiWc +SbU3jIcQzUzaQjRHzVSoW1WKiUj+1ijbkUKqVb406fY +--- vMV0TcchFvxw1xetQQZ0xVi2KwjLFRfZBM1gl7BGbGI +Âä1£ÃéKò<¯ –fNGL½ÍÉ­ ¶ Ké5c‰éuǶ6Ï-¢,!H'¹Ð¦Î™4Y»‹c ]<%”ßÞ˜Î;B¹ÛÎnŒRb— Œ \ No newline at end of file
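Review bot: `pubkey` is the sole recipient of the new secret — the `cf_api_key.age` header that follows carries exactly one `-> ssh-ed25519` stanza — so once the router's matching private key is gone (reinstall, regenerated host key, disk loss), nothing in the repository can decrypt or re-encrypt the file and the Cloudflare token has to be revoked and re-issued from the dashboard. If secrix accepts additional recipients, add an operator key alongside the host key; if it does not, record the limitation next to the value, e.g. `# Router host key; sole age recipient for secrets/ — losing its private half means re-issuing every secret`. Committing the public key itself is fine; only the private key and the decrypted plaintext must stay off the repo. The `rec { ... }` set continues past the hunk.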