magic_rb/dotfiles
1
0
Fork 0
mirror of https://git.sr.ht/~magic_rb/dotfiles synced 2024-11-22 08:04:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix evaluation without secrets

Browse source 
Signed-off-by: magic_rb <richard@brezak.sk>
This commit is contained in:
magic_rb 2023-10-21 17:46:17 +02:00
parent 7968f1a15c
commit 880ffeec87
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
7 changed files with 31 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
flake-secret.lock
View file

@ -868,14 +868,17 @@
}, },
"impermenance": { "impermenance": {
"locked": { "locked": {
"lastModified": 1696322197, "lastModified": 1697902518,
"narHash": "sha256-WvxAZaeefq88RpXGKwGPekvqcITK7jIB38ow6ULHCTQ=", "narHash": "sha256-L0wNEjROZFZS/2DxH3LkRYxgKAtVwNRcMab41jK9MDE=",
"path": "/nix/persist/home/main/repos/impermanence", "owner": "MagicRB",
"type": "path" "repo": "impermanence",
"rev": "1e7f9def3b0d74dccb9f3876ba3ba7666641aa52",
"type": "github"
}, },
"original": { "original": {
"path": "/nix/persist/home/main/repos/impermanence", "owner": "MagicRB",
"type": "path" "repo": "impermanence",
"type": "github"
} }
}, },
"iserv-proxy": { "iserv-proxy": {

15
flake.lock
View file

@ -868,14 +868,17 @@
}, },
"impermenance": { "impermenance": {
"locked": { "locked": {
"lastModified": 1696322197, "lastModified": 1697902518,
"narHash": "sha256-WvxAZaeefq88RpXGKwGPekvqcITK7jIB38ow6ULHCTQ=", "narHash": "sha256-L0wNEjROZFZS/2DxH3LkRYxgKAtVwNRcMab41jK9MDE=",
"path": "/nix/persist/home/main/repos/impermanence", "owner": "MagicRB",
"type": "path" "repo": "impermanence",
"rev": "1e7f9def3b0d74dccb9f3876ba3ba7666641aa52",
"type": "github"
}, },
"original": { "original": {
"path": "/nix/persist/home/main/repos/impermanence", "owner": "MagicRB",
"type": "path" "repo": "impermanence",
"type": "github"
} }
}, },
"iserv-proxy": { "iserv-proxy": {

2
flake.nix
View file

@ -18,7 +18,7 @@
website.url = "sourcehut:~magic_rb/website"; website.url = "sourcehut:~magic_rb/website";
microvm.url = "github:astro/microvm.nix"; microvm.url = "github:astro/microvm.nix";
notnft.url = "github:chayleaf/notnft"; notnft.url = "github:chayleaf/notnft";
impermenance.url = "path:///nix/persist/home/main/repos/impermanence"; impermenance.url = "github:MagicRB/impermanence";
numen-nix.url = "github:anpandey/numen-nix"; numen-nix.url = "github:anpandey/numen-nix";
hydra.url = "github:t184256/hydra/nix-ca-reprise"; hydra.url = "github:t184256/hydra/nix-ca-reprise";

6
lib/load_secrets.nix
View file

@ -4,11 +4,11 @@
{ lib, ... }: { lib, ... }:
{ {
flake.libOverlays.loadSecrets = flake.libOverlays.loadSecrets =
final: prev: (lib.traceVal { final: prev: {
loadSecrets = path: loadSecrets = path:
if builtins.pathExists "${path}/default.nix" then if builtins.pathExists "${path}/default.nix" then
import path { lib = final; } import path { lib = final; }
else else
{}; builtins.trace "Not loading secrets!" {};
}); };
} }

1
nixos/systems/heater/nixpkgs.nix
View file

@ -11,6 +11,7 @@
emacs-rofi emacs-rofi
tree-sitter-grammars tree-sitter-grammars
emacs-master-nativecomp emacs-master-nativecomp
ledger-compat
]) ])
++ ++
(with inputs'.nixng.overlays; [ (with inputs'.nixng.overlays; [

4
nixos/systems/omen/firewall.nix
View file

@ -80,9 +80,11 @@
# TCP 22 altra # TCP 22 altra
[ (is.eq ip.protocol (f: with f; set [ tcp ])) (is.eq th.dport (set [ 22 ])) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (secret.network.ips.altra.ip or "")) accept ] [ (is.eq ip.protocol (f: with f; set [ tcp ])) (is.eq th.dport (set [ 22 ])) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (secret.network.ips.altra.ip or "")) accept ]
# ICMP to blowhole, toothpick # ICMP to blowhole, toothpick, altra
[ (is.eq ip.protocol (f: f.icmp)) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (set [ (secret.network.ips.toothpick or "") (secret.network.ips.altra.ip or "") (secret.network.ips.blowhole.ip or "") ])) accept ] [ (is.eq ip.protocol (f: f.icmp)) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (set [ (secret.network.ips.toothpick or "") (secret.network.ips.altra.ip or "") (secret.network.ips.blowhole.ip or "") ])) accept ]
[ (is.eq ip.protocol (f: f.tcp)) (is.eq th.dport 8883) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (secret.network.ips.altra.ip or "")) accept ]
# accept syncthing sharing # accept syncthing sharing
[ (is.eq ip.protocol (f: f.udp)) (is.eq th.sport "22000") (is.eq th.dport "22000") accept ] [ (is.eq ip.protocol (f: f.udp)) (is.eq th.sport "22000") (is.eq th.dport "22000") accept ]
[ (is.eq ip.protocol (f: f.tcp)) (is.eq th.dport "22000") accept ] [ (is.eq ip.protocol (f: f.tcp)) (is.eq th.dport "22000") accept ]

10
nixos/systems/omen/networking.nix
View file

@ -10,7 +10,7 @@ in
hostId = "10c7ffc5"; hostId = "10c7ffc5";
nameservers = [ secret.network.ips.blowhole.ip ]; nameservers = [ (secret.network.ips.blowhole.ip or "") ];
firewall.enable = false; firewall.enable = false;
@ -36,7 +36,7 @@ in
case $IFACE in case $IFACE in
eth0) eth0)
echo $IP_ADDRS | ${lib.getExe' pkgs.grepcidr "grepcidr"} ${secret.network.networks.home.amsterdam} > /dev/null echo $IP_ADDRS | ${lib.getExe' pkgs.grepcidr "grepcidr"} ${secret.network.networks.home.amsterdam or ""} > /dev/null
home_net=$? home_net=$?
case $STATE in case $STATE in
@ -63,7 +63,7 @@ in
}; };
systemd.network.links."50-eth0" = { systemd.network.links."50-eth0" = {
matchConfig.MACAddress = secret.network.mac.usbc-omen; matchConfig.MACAddress = secret.network.mac.usbc-omen or "";
linkConfig.Name = "eth0"; linkConfig.Name = "eth0";
}; };
@ -85,12 +85,12 @@ in
services.resolved.enable = false; services.resolved.enable = false;
environment.etc."resolv.conf".text = '' environment.etc."resolv.conf".text = ''
nameserver ${secret.network.ips.blowhole.ip} nameserver ${secret.network.ips.blowhole.ip or ""}
''; '';
services.resolved.extraConfig = '' services.resolved.extraConfig = ''
[Resolve] [Resolve]
DNS=${secret.network.ips.blowhole.ip} DNS=${secret.network.ips.blowhole.ip or ""}
FallbackDNS= FallbackDNS=
''; '';