parent
8ec94691fa
commit
55b3b6ad46
|
@ -1,2 +1,2 @@
|
|||
result
|
||||
secrets/
|
||||
secrets/*
|
||||
|
|
|
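Review bot: Changing the ignore rule to `secrets/*` (which is what the new line appears to be; this looks like the repo `.gitignore`) only matters if something beneath it is negated, and no negation is added here, so the README and the `b2://…` URL template that this commit adds for the secrets directory can still be tracked only by force-adding them. If those two files are meant to be committed scaffolding while real secrets stay untracked, add `!secrets/README.md` and a matching line for the template right after `secrets/*`. Note also that any file left untracked under `secrets/` is excluded from the flake's source copy when `/etc/nixos` is a git checkout, which affects every `builtins.readFile ../../secrets/…` done at evaluation time.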
@ -7,7 +7,7 @@
|
|||
# create key with: b2 create-key --bucket uninsane-host-duplicity uninsane-host-duplicity-safe listBuckets,listFiles,readBuckets,readFiles,writeFiles
|
||||
# ^ run this until you get a key with no forward slashes :upside_down:
|
||||
# web-created keys are allowed to delete files, which you probably don't want for an incremental backup program
|
||||
services.duplicity.targetUrl = builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/nixos/secrets/duplicity_url);
|
||||
services.duplicity.targetUrl = builtins.replaceStrings ["\n"] [""] (builtins.readFile ../../secrets/duplicity_url);
|
||||
# format: PASSPHRASE=<cleartext>
|
||||
# two sisters
|
||||
services.duplicity.secretFile = /etc/nixos/secrets/duplicity_env;
|
||||
|
|
|
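Review bot: `builtins.readFile ../../secrets/duplicity_url` still runs at evaluation time, so the key id and key that replace the placeholders in the `b2://<REPLACEME:api-key-id>:<REPLACEME:api-key>@…` template added in this commit become part of `services.duplicity.targetUrl` and, as far as I can tell from the module, of the generated systemd unit in the world-readable Nix store; only `secretFile` is read when the service starts. The relative path also has a practical problem under `nixos-rebuild --flake /etc/nixos/#uninsane`: when `/etc/nixos` is a git checkout, the flake fetcher copies only tracked files, so a `secrets/duplicity_url` kept untracked by the `secrets/*` ignore rule will not exist during evaluation. Meanwhile `services.duplicity.secretFile = /etc/nixos/secrets/duplicity_env;` keeps the absolute path, so the two secret files are now resolved from different roots. Consider keeping only the bucket in the URL, e.g. `services.duplicity.targetUrl = "b2://<REPLACEME:bucket-name>";`, and supplying the key through `secretFile` using the environment variables the duplicity B2 backend documents, which keeps the credential out of the store entirely. The enclosing module body starts and ends outside this hunk.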
@ -14,7 +14,7 @@
|
|||
uid = 1000;
|
||||
# XXX colin: this is what the installer has, but is it necessary?
|
||||
# group = "users";
|
||||
extraGroups = [ "wheel" ];
|
||||
extraGroups = [ "wheel" "nixbuild" ];
|
||||
initialHashedPassword = "";
|
||||
shell = pkgs.bashInteractive;
|
||||
# XXX colin: create ssh key for THIS user by logging in and running:
|
||||
|
|
|
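Review bot: `extraGroups = [ "wheel" "nixbuild" ];` adds a group that nothing in this commit defines; NixOS's build users belong to `nixbld`, and a user is granted rights over the nix daemon through `nix.trustedUsers` (the option name on the pinned 21.11 release) rather than by group membership, so unless `users.groups.nixbuild` is declared elsewhere in the repo this entry is inert at best and an unknown-group warning at activation. If the intent is to let this account push to the store or drive remote builds, `nix.trustedUsers = [ "root" "<USERNAME>" ];` is the mechanism (the username is outside this hunk). Separately, and pre-existing, `initialHashedPassword = "";` leaves a `wheel` member with an empty password until one is set by hand; a comment such as `# empty password until first login; set it immediately (passwd)` would at least make that expectation explicit. The user attribute set starts before this hunk.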
@ -8,7 +8,7 @@
|
|||
# nix-option ## query options -- including their SET VALUE; similar to search: https://search.nixos.org/options
|
||||
# nixos-rebuild switch --upgrade ## pull changes from the nixos channel (e.g. security updates) and rebuild
|
||||
|
||||
{ config, modulesPath, pkgs, specialArgs, options }:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
||||
|
@ -21,37 +21,5 @@
|
|||
experimental-features = nix-command flakes
|
||||
'';
|
||||
};
|
||||
|
||||
nixpkgs.overlays = [
|
||||
(self: super: {
|
||||
#### customized packages
|
||||
# nixos-unstable pleroma is too far out-of-date for our db
|
||||
pleroma = super.callPackage ./pkgs/pleroma { };
|
||||
# jackett doesn't allow customization of the bind address: this will probably always be here.
|
||||
jackett = self.callPackage ./pkgs/jackett { pkgs = super; };
|
||||
# fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
|
||||
# systemd = import ./pkgs/systemd { pkgs = super; };
|
||||
|
||||
#### nixos-unstable packages
|
||||
# gitea: 1.16.5 contains a fix which makes manual user approval *actually* work.
|
||||
# https://github.com/go-gitea/gitea/pull/19119
|
||||
# safe to remove after 1.16.5 (or 1.16.7 if we need db compat?)
|
||||
gitea = pkgs.unstable.gitea;
|
||||
|
||||
# try a newer rpi4 u-boot
|
||||
# ubootRaspberryPi4_64bit = pkgs.unstable.ubootRaspberryPi4_64bit;
|
||||
ubootRaspberryPi4_64bit = self.callPackage ./pkgs/ubootRaspberryPi4_64bit { pkgs = super; };
|
||||
})
|
||||
];
|
||||
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "21.11"; # Did you read the comment?
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,42 @@
|
|||
{
|
||||
"nodes": {
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1652975354,
|
||||
"narHash": "sha256-qP1DpEYQdSq7NZ542TSHffIT6xGm7MaSMG9faQWPcg0=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "685d243d971c4f9655c981036b9c7bafdb728a0d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-21.11",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"pkgsUnstable": {
|
||||
"locked": {
|
||||
"lastModified": 1651726670,
|
||||
"narHash": "sha256-dSGdzB49SEvdOJvrQWfQYkAefewXraHIV08Vz6iDXWQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c777cdf5c564015d5f63b09cc93bef4178b19b01",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"rev": "c777cdf5c564015d5f63b09cc93bef4178b19b01",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs",
|
||||
"pkgsUnstable": "pkgsUnstable"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 7
|
||||
}
|
48
flake.nix
48
flake.nix
|
@ -9,20 +9,54 @@
|
|||
};
|
||||
outputs = { self, pkgsUnstable, nixpkgs }: {
|
||||
nixosConfigurations.uninsane = nixpkgs.lib.nixosSystem {
|
||||
inherit (self.packages.aarch64-linux) pkgs;
|
||||
pkgs.unstable = pkgsUnstable;
|
||||
# inherit (self.packages.aarch64-linux) pkgs;
|
||||
pkgs = import nixpkgs {
|
||||
system = "aarch64-linux";
|
||||
config.allowUnfree = true;
|
||||
overlays = [
|
||||
(self: super: {
|
||||
pkgsUnstable.system = "aarch64-linux"; # extraneous?
|
||||
#### customized packages
|
||||
# nixos-unstable pleroma is too far out-of-date for our db
|
||||
pleroma = super.callPackage ./pkgs/pleroma { };
|
||||
# jackett doesn't allow customization of the bind address: this will probably always be here.
|
||||
jackett = self.callPackage ./pkgs/jackett { pkgs = super; };
|
||||
# fix abrupt HDD poweroffs as during reboot. patching systemd requires rebuilding nearly every package.
|
||||
# systemd = import ./pkgs/systemd { pkgs = super; };
|
||||
|
||||
#### nixos-unstable packages
|
||||
# gitea: 1.16.5 contains a fix which makes manual user approval *actually* work.
|
||||
# https://github.com/go-gitea/gitea/pull/19119
|
||||
# safe to remove after 1.16.5 (or 1.16.7 if we need db compat?)
|
||||
gitea = pkgsUnstable.legacyPackages.aarch64-linux.gitea;
|
||||
|
||||
# try a newer rpi4 u-boot
|
||||
# ubootRaspberryPi4_64bit = pkgs.unstable.ubootRaspberryPi4_64bit;
|
||||
ubootRaspberryPi4_64bit = self.callPackage ./pkgs/ubootRaspberryPi4_64bit { pkgs = super; };
|
||||
})
|
||||
];
|
||||
};
|
||||
system = "aarch64-linux";
|
||||
modules = [
|
||||
./configuration.nix
|
||||
./cfg
|
||||
./modules
|
||||
({ pkgs, ... }: {
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "21.11"; # Did you read the comment?
|
||||
})
|
||||
];
|
||||
};
|
||||
packages = nixpkgs.lib.genAttrs nixpkgs.lib.platforms.all (system:
|
||||
{
|
||||
pkgs = import nixpkgs { inherit system; config.allowUnfree = true; };
|
||||
}
|
||||
);
|
||||
# packages = nixpkgs.lib.genAttrs nixpkgs.lib.platforms.all (system:
|
||||
# {
|
||||
# pkgs = import nixpkgs { inherit system; config.allowUnfree = true; };
|
||||
# }
|
||||
# );
|
||||
# flake-utils.lib.eachDefaultSystem (system:
|
||||
# let pkgs = nixpkgs.legacyPackages.${system};
|
||||
# in {
|
||||
|
|
|
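Review bot: `pkgsUnstable.system = "aarch64-linux"; # extraneous?` inside the overlay is indeed extraneous: it defines a `pkgs.pkgsUnstable` attribute equal to `{ system = "aarch64-linux"; }`, unrelated to the `pkgsUnstable` flake input, which `gitea = pkgsUnstable.legacyPackages.aarch64-linux.gitea;` resolves lexically from the `outputs` arguments, and nothing in the hunk reads `pkgs.pkgsUnstable`, so the line can be dropped. The comment `# ubootRaspberryPi4_64bit = pkgs.unstable.ubootRaspberryPi4_64bit;` refers to the `pkgs.unstable` attribute this commit removes; `# ubootRaspberryPi4_64bit = pkgsUnstable.legacyPackages.aarch64-linux.ubootRaspberryPi4_64bit;` would match the gitea line. The lock shows `pkgsUnstable` pinned to a fixed rev in its `original`, so `nix flake update` will not move it and the gitea taken from it stops receiving fixes after this commit; the "safe to remove after 1.16.5" comment could record that, e.g. `# NOTE: pkgsUnstable is pinned to a fixed rev, so this gitea gets no later security fixes until the pin is bumped or this override is removed.` The `outputs` attribute set begins before this hunk and the commented-out block continues past it.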
@ -0,0 +1,11 @@
|
|||
after checking out, drop secrets into secrets/
|
||||
|
||||
to build:
|
||||
```sh
|
||||
nixos-rebuild --flake "/etc/nixos/#uninsane" {build,switch}
|
||||
```
|
||||
|
||||
query with:
|
||||
```sh
|
||||
nix flake show
|
||||
```
|
|
@ -0,0 +1 @@
|
|||
b2://<REPLACEME:api-key-id>:<REPLACEME:api-key>@<REPLACEME:bucket-name>
|
|
@ -0,0 +1,6 @@
|
|||
populate the files here which are referenced from the rest of the nix config.
|
||||
|
||||
hacky secrets management. TODO: read:
|
||||
- https://christine.website/blog/nixos-encrypted-secrets-2021-01-20
|
||||
- git-crypt (https://github.com/bobbbay/dotfiles.git)
|
||||
|