vt3e.cat
/
petals
my nix flake.
agenix.!!
vt3e.cat
3 months ago
a6f57d2d
a1ccf49f
verified
This commit was signed with the committer's
known signature
.
vt3e.cat
SSH Key Fingerprint:
SHA256:bC12nO0d6wKnJ426YBbLO7LVxmZlwJ1l2X0eqOroDV0=
+112
-7
11 changed files
flake.lock
flake.nix
hosts
ivy
default.nix
services
immich.nix
pds.nix
vaultwarden.nix
secrets
immich-env.age
password-file.age
pds-env.age
secrets.nix
vaultwarden-env.age
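--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,28 @@
 {
 "nodes": {
+"agenix": {
+"inputs": {
+"darwin": "darwin",
+"home-manager": "home-manager",
+"nixpkgs": [
+"nixpkgs"
+],
+"systems": "systems"
+},
+"locked": {
+"lastModified": 1762618334,
+"narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
+"owner": "ryantm",
+"repo": "agenix",
+"rev": "fcdea223397448d35d9b31f798479227e80183f6",
+"type": "github"
+},
+"original": {
+"owner": "ryantm",
+"repo": "agenix",
+"type": "github"
+}
+},
 "catppuccin": {
 "inputs": {
 "nixpkgs": [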
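--- a/flake.nix
+++ b/flake.nix
@@ -29,7 +29,10 @@
 url = "github:sodiboo/niri-flake";
 inputs.nixpkgs.follows = "nixpkgs";
 };
-vicinae.url = "github:vicinaehq/vicinae";
+agenix = {
+url = "github:ryantm/agenix";
+inputs.nixpkgs.follows = "nixpkgs";
+};
 
 vicinae.url = "github:vicinaehq/vicinae";
 vscode-server.url = "github:nix-community/nixos-vscode-server";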
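Review bot: The new `agenix` block pins only `nixpkgs` through `follows`, while the lock entry added in this commit shows agenix also resolving `darwin`, `home-manager` and `systems` inputs. If no host in this flake targets darwin, adding `inputs.darwin.follows = "";` inside the block drops that input, which keeps the set of upstream repositories the build trusts smaller. The `inputs` attribute set starts and ends outside the hunk.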
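--- a/hosts/ivy/default.nix
+++ b/hosts/ivy/default.nix
@@ -1,15 +1,43 @@
 {
 pkgs,
 inputs,
+config,
 ...
 }:
 {
 imports = [
+inputs.agenix.nixosModules.default
 ../../modules/shared
 ../../user
 ./caddy.nix
 ./services
 ];
+
+age = {
+identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+secrets = {
+immich-env = {
+file = ../../secrets/immich-env.age;
+owner = "immich";
+group = "immich";
+};
+pds-env = {
+file = ../../secrets/pds-env.age;
+owner = "pds";
+group = "pds";
+};
+vaultwarden-env = {
+file = ../../secrets/vaultwarden-env.age;
+owner = "vaultwarden";
+group = "vaultwarden";
+};
+
+password-file = {
+file = ../../secrets/password-file.age;
+owner = "willow";
+};
+};
+};
 
 boot = {
 loader = {
@@ -70,7 +98,7 @@
 mutableUsers = false;
 users."willow" = {
 isNormalUser = true;
-hashedPassword = null;
+hashedPasswordFile = config.age.secrets.password-file.path;
 extraGroups = [
 "wheel"
 "docker"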
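Review bot: `owner = "willow";` on `age.secrets.password-file` makes the decrypted password hash readable by the account it protects, which `hashedPasswordFile` should not need, since the hash is presumably consumed by root during activation. Dropping that line leaves the agenix module's default ownership and mode in place. Because `mutableUsers = false;` is set in the second hunk, a failed decryption (for example a host key that no longer matches the `ivy` recipient) would likely leave `willow` without a usable password, so a comment above `hashedPasswordFile` would help: `# decrypted by agenix with the host key; if decryption fails this account has no password`. The `users."willow"` block continues outside the hunk.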
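--- a/hosts/ivy/services/immich.nix
+++ b/hosts/ivy/services/immich.nix
@@ -1,9 +1,8 @@
 { config, ... }:
-
 {
 services.immich = {
 enable = true;
-secretsFile = "/var/lib/secrets/immich";
+secretsFile = config.age.secrets.immich-env.path;
 port = 8081;
 settings = {
 server = {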
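--- a/hosts/ivy/services/pds.nix
+++ b/hosts/ivy/services/pds.nix
@@ -1,9 +1,10 @@
+{ config, ... }:
 {
 services.bluesky-pds = {
 enable = true;
 
 environmentFiles = [
-"/var/lib/secrets/pds"
+config.age.secrets.pds-env.path
 ];
 
 settings = {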
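--- a/hosts/ivy/services/vaultwarden.nix
+++ b/hosts/ivy/services/vaultwarden.nix
@@ -1,9 +1,9 @@
-{ ... }:
+{ config, ... }:
 {
 services.vaultwarden = {
 enable = true;
 backupDir = "/var/backups/vaultwarden";
-environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
+environmentFile = config.age.secrets.vaultwarden-env.path;
 config = {
 DOMAIN = "https://vaultwarden.wlo.moe";
 SIGNUPS_ALLOWED = false;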
+7
secrets/immich-env.age
···
1
1
+
age-encryption.org/v1
2
2
+
-> ssh-ed25519 bC12nA 6o6UIwzkH0FkmGCnaHv1aolAm1Gn/LXhOGnwhevK5HM
3
3
+
SZi6J75PHEG/sTiRhV6PyflagB9RLUQgplhmYCSX1Qg
4
4
+
-> ssh-ed25519 3AUUoQ HQDjsDP4gPCLdell7jv863xbZZMDlDwkIVSTolLQWRY
5
5
+
6847Mq7tP1NSPKVrZh3njjQNmKHQBTd4Kzwk1Q0UX/M
6
6
+
--- 11j/dG6foOx9iN6PGBMuS29JpKwzg5SsockY29oorSw
7
7
+
~v�Œm��j���S���b���Ct���ƟPܘ��Kz�֡X��b�D�Tg�U
+8
secrets/password-file.age
···
1
1
+
age-encryption.org/v1
2
2
+
-> ssh-ed25519 bC12nA NbsTF5gwrkqZMfA5dc3RVpo5Qep0yprDPAnaXhB38E0
3
3
+
T0lN4qIOOSUaFOvI1uuMPjXyaL10rNMCcd/j2xbRP4A
4
4
+
-> ssh-ed25519 3AUUoQ 5I8ahJ/e/Ran/D+exmHmneX+4Sj9ELnQMDMAqGwFACk
5
5
+
ladWUuxssLKJ7JZIRIwAZJjjg9yoX/qLyhJ6agvku6E
6
6
+
--- vszryfNlJRxaly9SPMscQGcTIKb5uFkkzaPA3O0/+94
7
7
+
���ߚu���6���OH���Б����
8
8
+
�1o_��O�J�)�ze�<,b�wi�l���������,�0$���B̃�|�7����� ��exM2�Ax���9���T@���Aq��"�kj:Zq���r�r����wN�
+10
secrets/pds-env.age
···
1
1
+
age-encryption.org/v1
2
2
+
-> ssh-ed25519 bC12nA Tgn0Ogf8kZbFf3539YXbYAaNtkDGIOAPuwU55ppyfX4
3
3
+
QTBWY2Qa1YotnOW/xjEGCZ2oPCoW36V+pDa8AQXPPb0
4
4
+
-> ssh-ed25519 3AUUoQ EiuXUsjU+AmiQdW7eGLBVzP+5F0m2YMX5TNnWRVCvlQ
5
5
+
IbVec4SvnIxg3hUAz9WqEC45dhVdi/KwOvmnL2BEJ3c
6
6
+
--- sa6enOStoAb4oG0MfqDBc6zOsLVG6D883jOzsAsk/G0
7
7
+
>w/���
8
8
+
�dR��帙&PUWs
9
9
+
�h2�{k��!�@�%V1���R�aH��p�,)����$�-d]R��ֶAհ"�Q�����������j�[o[�:���oh12@n
10
10
+
�z*Nu�ʏ����G�8�b���EmP��ا�ݶ���+Us`����rK�fG�\_#:ydTn\L��)E<Pd@��!���9�/ե7�n)�.��WAyˤ��!qD��O���BQ2Ʀ����A2�,/�W���(��wȉ0:�.���\�^�
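--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,18 @@
+let
+users = {
+"willow" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWD6wk95qNhk/36vEH34qIRp/TPCcQ+D+u5Xd9/N0m1 hai@wlo.moe";
+};
+
+hosts = {
+"ivy" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3z4dGVshqysYW9atQFn8H5EPIcQlnck8ciuXgjWnAV root@nixos";
+};
+
+allUsers = builtins.attrValues users;
+allHosts = builtins.attrValues hosts;
+in
+{
+"immich-env.age".publicKeys = allUsers ++ allHosts;
+"pds-env.age".publicKeys = allUsers ++ allHosts;
+"vaultwarden-env.age".publicKeys = allUsers ++ allHosts;
+"password-file.age".publicKeys = allUsers ++ allHosts;
+}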
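Review bot: Every secret is encrypted to `allUsers ++ allHosts`, so any host later added to `hosts` becomes a recipient of all four files, including `vaultwarden-env.age` and `password-file.age`, the next time they are rekeyed. Listing recipients per secret keeps each host limited to what it actually runs, e.g. `"vaultwarden-env.age".publicKeys = allUsers ++ [ hosts.ivy ];`. A short comment at the top of the file noting that a change to these lists only takes effect after the `.age` files are rekeyed would also help the next editor.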
+8
secrets/vaultwarden-env.age
···
1
1
+
age-encryption.org/v1
2
2
+
-> ssh-ed25519 bC12nA CHsmTq8Bad221J8YYolevEKxW2ma3pdy8ZPSAbshhXw
3
3
+
tOYl7Um90WnEZ1MuBn6U36sqcUFbl6gnnPrz0hgUEdY
4
4
+
-> ssh-ed25519 3AUUoQ +CDBHFJYFSkD9k9eMD7WYfC7hPws6N74DfkNWXeXj3Y
5
5
+
2LlSQizm6yXe3FGgvHTAKlOTmxbN5SCzRMyVeR0JzW0
6
6
+
--- olVTYxRmgu8HB4WmjJMF5lfrXZsYyBOoi6bQoomDv+8
7
7
+
����r5���%��[��l�w�HU43�����K8��z�����m� �nݳ|��7�Wʊ*���4��?]d�
8
8
+
����7띴�4��]bwL��-����KC�}���CH�3�S�wgw�o&@���0��r�1�nMc�� **:�7������ms�X�_a���T�9n�.��