From 250c949bd6571ea64d3549530271eface291fa87 Mon Sep 17 00:00:00 2001 From: Nathan Date: Thu, 23 Apr 2026 16:03:32 -0500 Subject: [PATCH] more separation --- .sops.yaml | 6 +++ modules/features/home-manager.nix | 21 +++++++++ modules/features/locale.nix | 27 ++++++++++++ modules/features/nix.nix | 21 +++++++++ .../{default.nix => remoteBuilds.nix} | 43 +++---------------- modules/hosts/homebox/configuration.nix | 1 + modules/hosts/iso/configuration.nix | 2 - modules/hosts/laptop/configuration.nix | 1 + modules/users/nathan/nathan.nix | 7 ++- modules/users/nathan/secrets.yaml | 17 ++++++++ 10 files changed, 105 insertions(+), 41 deletions(-) create mode 100644 modules/features/home-manager.nix create mode 100644 modules/features/locale.nix create mode 100644 modules/features/nix.nix rename modules/features/{default.nix => remoteBuilds.nix} (55%) create mode 100644 modules/users/nathan/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index c4ccad3..c2b0eeb 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -27,3 +27,9 @@ creation_rules:
 - *laptop
 - *homebox
 - *android
+ - path_regex: users/.*/secrets.yaml$
+ key_groups:
+ - age:
+ - *laptop
+ - *homebox
+ - *android
diff --git a/modules/features/home-manager.nix b/modules/features/home-manager.nix
new file mode 100644
index 0000000..ac24bcd
--- /dev/null
+++ b/modules/features/home-manager.nix
@@ -0,0 +1,21 @@
+{ inputs, ... }: {
+
+ flake.nixosModules.default = { config, lib, pkgs, ... }: {
+
+ imports = [
+ inputs.home-manager.nixosModules.default
+ ];
+
+ config = {
+
+ programs.fuse.userAllowOther = true;
+
+ home-manager = {
+ backupFileExtension = "backup";
+ useUserPackages = true;
+ sharedModules = [];
+ };
+ };
+ };
+}
+
diff --git a/modules/features/locale.nix b/modules/features/locale.nix
new file mode 100644
index 0000000..394527e
--- /dev/null
+++ b/modules/features/locale.nix
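Review bot: The new `path_regex: users/.*/secrets.yaml$` rule names three age recipients (laptop, homebox, android), but the `modules/users/nathan/secrets.yaml` added in this same commit is encrypted to a single `sops.age` recipient and carries a `lastmodified` of 2025-08-31, months before this commit, so it does not appear to have been re-encrypted under this rule. Any host whose key is not that one recipient cannot decrypt `nathan/pass`, which `nathan.nix` now feeds into `hashedPasswordFile`. Running `sops updatekeys modules/users/nathan/secrets.yaml` and committing the result would bring the file in line with the rule. Note also that sops applies the first `creation_rules` entry whose regex matches, so if an earlier rule outside this hunk already matches `users/nathan/secrets.yaml`, that rule wins and this one is never used.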
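Review bot: `programs.fuse.userAllowOther = true;` is a system-wide setting (it lets non-root users pass `allow_other` on FUSE mounts) that sits in a module named home-manager with no explanation of which feature needs it, so a reader cannot tell whether it can be dropped or narrowed. A one-line comment above it such as `# required by <home-manager feature that mounts via FUSE> — TODO name it`, or moving the option next to the feature that depends on it, would make the dependency visible. Separately, this module takes `{ config, lib, pkgs, ... }` but uses none of them; `locale.nix` and `nix.nix` in this commit likewise bind `pkgs` without using it, while the renamed `remoteBuilds.nix` drops the unused `pkgs` from its signature, so trimming the three new headers to what they actually use would keep the files consistent.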
@@ -0,0 +1,27 @@
+{ ... }: {
+
+ flake.nixosModules.default = { config, lib, pkgs, ... }: {
+
+ config = {
+
+ time.timeZone = lib.mkDefault "America/Chicago";
+
+ i18n = lib.mkDefault {
+ defaultLocale = "en_US.UTF-8";
+
+ extraLocaleSettings = {
+ LC_ADDRESS = "en_US.UTF-8";
+ LC_IDENTIFICATION = "en_US.UTF-8";
+ LC_MEASUREMENT = "en_US.UTF-8";
+ LC_MONETARY = "en_US.UTF-8";
+ LC_NAME = "en_US.UTF-8";
+ LC_NUMERIC = "en_US.UTF-8";
+ LC_PAPER = "en_US.UTF-8";
+ LC_TELEPHONE = "en_US.UTF-8";
+ LC_TIME = "en_US.UTF-8";
+ };
+ };
+ };
+ };
+}
+
diff --git a/modules/features/nix.nix b/modules/features/nix.nix
new file mode 100644
index 0000000..0e9cd2c
--- /dev/null
+++ b/modules/features/nix.nix
@@ -0,0 +1,21 @@
+{ inputs, ... }: {
+
+ flake.nixosModules.default = { config, lib, pkgs, ... }: {
+
+ config = {
+
+ nix = {
+ nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
+ channel.enable = false;
+ settings = {
+ experimental-features = [ "nix-command" "flakes" ];
+
+ substituters = lib.mkIf config.programs.hyprland.enable ["https://hyprland.cachix.org"];
+ trusted-substituters = lib.mkIf config.programs.hyprland.enable ["https://hyprland.cachix.org"];
+ trusted-public-keys = lib.mkIf config.programs.hyprland.enable ["hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="];
+ };
+ };
+ };
+ };
+}
+
diff --git a/modules/features/default.nix b/modules/features/remoteBuilds.nix
similarity index 55%
rename from modules/features/default.nix
rename to modules/features/remoteBuilds.nix
index 7ca891e..f41eb47 100644
--- a/modules/features/default.nix
+++ b/modules/features/remoteBuilds.nix
@@ -1,6 +1,6 @@
 { inputs, ... }: {
- flake.nixosModules.default = { config, lib, pkgs, ... }: {
+ flake.nixosModules.remoteBuilds = { config, lib, ... }: {
 imports = [
 inputs.sops-nix.nixosModules.sops
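Review bot: The `inputs.sops-nix.nixosModules.sops` import stays under the module that this line renames to `flake.nixosModules.remoteBuilds`, together with `sops.age.keyFile` and `defaultSopsFormat` in the later `@@ -64,33 +60,6 @@` hunk, so the `sops.*` options are only wired up on hosts that import `remoteBuilds`. In this commit `remoteBuilds` is added to homebox and laptop but not to the iso host, which instead loses `sops.defaultSopsFile`, while `nathan.nix` (which appears to be evaluated on the iso too, given its `useWith (homebox ++ iso)` line) now defines `sops.secrets."nathan/pass"` unconditionally; unless the iso imports sops-nix somewhere outside this diff, its evaluation will fail on the undefined `sops.secrets` option, and even with the import it would have no `age.keyFile`. Since the commit is about separating concerns, moving the sops-nix import and the `sops = { age.keyFile = ...; defaultSopsFormat = ...; };` block into a `sops.nix` feature exported as `flake.nixosModules.default`, as `nix.nix` and `locale.nix` are, would give every host the base sops wiring and leave `remoteBuilds` with only the builder-specific secrets, users and templates. The module body continues past this hunk.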
@@ -9,18 +9,13 @@
 config = {
 nix = {
- nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
- channel.enable = false;
 settings = {
- experimental-features = [ "nix-command" "flakes" ];
 builders-use-substitutes = (config.sops.secrets ? "remoteBuildKey");
- substituters = lib.mkIf config.programs.hyprland.enable ["https://hyprland.cachix.org"];
- trusted-substituters = lib.mkIf config.programs.hyprland.enable ["https://hyprland.cachix.org"];
- trusted-public-keys = lib.mkIf config.programs.hyprland.enable ["hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="];
 };
 distributedBuilds = lib.mkDefault (config.sops.secrets ? "remoteBuildKey");
+ buildMachines = lib.mkIf (config.sops.secrets ? "remoteBuildKey") [ { hostName = "esotericbytes.com";
@@ -35,6 +30,7 @@
 systems = [ "x86_64-linux" "aarch64-linux" ];
 }
 ];
+ };
 users.users."remote-builder" = lib.mkIf (builtins.any
@@ -46,9 +42,9 @@
 };
 sops.templates."remote-builder" = lib.mkIf (builtins.any
- (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null)
- (builtins.attrNames config.sops.secrets)
- ) {
+ (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null)
+ (builtins.attrNames config.sops.secrets)
+ ) {
 content = builtins.concatStringsSep ''''\n'' (builtins.map (y: config.sops.placeholder.${y}) (builtins.filter
@@ -64,33 +60,6 @@
 age.keyFile = "/var/lib/sops/age/keys.txt";
 defaultSopsFormat = "yaml";
 };
-
- programs.fuse.userAllowOther = true;
-
- home-manager = {
- backupFileExtension = "backup";
- useUserPackages = true;
- sharedModules = [];
- };
-
- time.timeZone = lib.mkDefault "America/Chicago";
-
- i18n = lib.mkDefault {
- defaultLocale = "en_US.UTF-8";
-
- extraLocaleSettings = {
- LC_ADDRESS = "en_US.UTF-8";
- LC_IDENTIFICATION = "en_US.UTF-8";
- LC_MEASUREMENT = "en_US.UTF-8";
- LC_MONETARY = "en_US.UTF-8";
- LC_NAME = "en_US.UTF-8";
- LC_NUMERIC = "en_US.UTF-8";
- LC_PAPER = "en_US.UTF-8";
- LC_TELEPHONE = "en_US.UTF-8";
- LC_TIME = "en_US.UTF-8";
- };
- };
 };
 };
 }
-
diff --git a/modules/hosts/homebox/configuration.nix b/modules/hosts/homebox/configuration.nix
index fe079d6..4e436de 100644
--- a/modules/hosts/homebox/configuration.nix
+++ b/modules/hosts/homebox/configuration.nix
@@ -13,6 +13,7 @@
 avahi
 netbird
 openssh
+ remoteBuilds
 docker
diff --git a/modules/hosts/iso/configuration.nix b/modules/hosts/iso/configuration.nix
index 679e6c9..729ae54 100644
--- a/modules/hosts/iso/configuration.nix
+++ b/modules/hosts/iso/configuration.nix
@@ -37,8 +37,6 @@
 ];
 };
- sops.defaultSopsFile = ./secrets.yaml;
-
 users.users.nixos.enable = lib.mkForce false;
 networking = {
diff --git a/modules/hosts/laptop/configuration.nix b/modules/hosts/laptop/configuration.nix
index 2ba04d0..a826978 100644
--- a/modules/hosts/laptop/configuration.nix
+++ b/modules/hosts/laptop/configuration.nix
@@ -15,6 +15,7 @@
 avahi
 netbird
 openssh
+ remoteBuilds
 ];
 config = {
diff --git a/modules/users/nathan/nathan.nix b/modules/users/nathan/nathan.nix
index 8900e57..db48eda 100644
--- a/modules/users/nathan/nathan.nix
+++ b/modules/users/nathan/nathan.nix
@@ -9,13 +9,16 @@
 config = {
- sops.secrets."nathan/pass".neededForUsers = true;
+ sops.secrets."nathan/pass" = {
+ neededForUsers = true;
+ sopsFile = ./secrets.yaml;
+ };
 users.users.nathan = {
 shell = pkgs.zsh;
 name = lib.mkDefault "nathan";
 isNormalUser = lib.mkDefault true;
-#hashedPasswordFile = lib.mkIf (cfg.hashedPasswordFile != null) cfg.hashedPasswordFile;
+ hashedPasswordFile = lib.mkDefault config.sops.secrets."nathan/pass".path;
 extraGroups = [ "networkmanager" "docker" "libvirtd" "wheel" ];
 openssh.authorizedKeys.keys = lib.mkMerge [
 (useWith (homebox ++ iso) [
diff --git a/modules/users/nathan/secrets.yaml b/modules/users/nathan/secrets.yaml
new file mode 100644
index 0000000..e18d6b8
--- /dev/null
+++ b/modules/users/nathan/secrets.yaml
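Review bot: `hashedPasswordFile = lib.mkDefault config.sops.secrets."nathan/pass".path;` replaces the commented-out, option-gated form with an unconditional definition, so every host that evaluates this user module must be able to decrypt `./secrets.yaml` during activation; the `.sops.yaml` rule added in this commit covers laptop, homebox and android only and the committed file has a single age recipient, so on any other host (the iso is referenced on the `useWith (homebox ++ iso)` line) the secret cannot be decrypted and the account is likely left without a usable password. The `mkDefault` lets a host override the path, but no host in this diff does, so if the iso is meant to boot without this secret that override belongs in the same commit. It would also help to record why the secret is declared here rather than with the other sops secrets, e.g. `# neededForUsers: decrypted to /run/secrets-for-users before users are created, which hashedPasswordFile requires`. The enclosing `config = {` attrset continues past this hunk.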
@@ -0,0 +1,17 @@ +nathan: + pass: ENC[AES256_GCM,data:0hmcbyTLbmadTAMoSeOgBmpqgtCKtfrY1EIxIUoxgo+3297+jZqcsSmhPlFKtbornezm+7uPRzaVRHyp2G0Ee6mG4FbzUfGYFg==,iv:F2aTS/BPPxTemu4vEy9H0FY0HUEBWaRFeaoMr8TJbmA=,tag:Ai90KJluCimR6OG5BtCnVQ==,type:str] +sops: + age: + - recipient: age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cUF3YWY2STgwc1pzREJP + QndUajV6WUJFZEdtOGNOQ05Ua1hGM25IbzJJCjF3Z24rc0JwMSt5bnpIVDZ0ZGJG + ZE9LdEU3bXhsMUxEL0hlMTNTc0VkR0kKLS0tIHhWOGJocS94eWJUSXdtaldJSG50 + TjZCN3RneGtJa0hLNU1yTUlLMDJpcEUKNvpcKkNXeRyFsn0CRjSKNb89l1864I6A + Yzijw0c0BVfivhn2wAyq0fYuw2rT+vIJdFUHvIgxkpkZFl4n/RucOQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-31T19:51:15Z" + mac: ENC[AES256_GCM,data:L4SK7iaPX3dPJTyl2RgSuqMcoFRm8q9k64TsroV3tT1uWn0J9XRBj9KXgGj/qLloQkgmZsmtct8w2x5tYYosh5k1+056/DeTD8l/Nw5339qKJppRjg6jYNtw02ZGPSNFQdmGNQU9NOOuT8Q94sl0mphwlYhFV1Tf1r/AoSg1ja8=,iv:/qEVdxOR8CDJ2plE8Ez9ML+u+lKPmsNfV0GyXgBbQRk=,tag:EyjdJzvuHXn+0+5hOk0dVg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2