Patrick Neff 2025-01-05 23:42:49 +01:00
parent b70f9366d7
commit 036d6fdca8
16 changed files with 461 additions and 86 deletions

19
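--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,19 @@
+keys:
+- &admin_odie age1ac27ksfvxydn20g29s09j66mag45vee3cgk5namsnup5e4l9v3sq7kypg7
+- &server_asgard age1nnx85asl5nmxmurr3g8mazcsggvtazt0hpauw42l7v4k3de74s6s649w0k
+- &server_pi0 age1v522tvf0gclgjnnu8q0mekl0rcmpdk7d7lwravwazstfn9zqhecsngvhpf
+#- &server_pi1 age1u6k49fuphu4n5p7hhuxd03ktwhujr55mrs72cqe6ttfagljpc5asa0jsgx
+- &server_pi1 age16vz5m0stsh39ajn3zhkzj7x7zfgexlx3zzk2k9vrrrsn78tyzd2qmjkt2a
+- &server_nixos age1j8wprrs23m46h7xl26su3k6uztnvza5k89c9uk9rwwzefv8a4yvqpscxun
+- &workstation_wanaheim age1jerjsfhnenzzqtnuxez8g79kc0xxulxyhu2evp9p6gjyswu2syqskgt62v
+creation_rules:
+- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *admin_odie
+- *server_asgard
+- *server_pi0
+- *server_pi1
+- *server_nixos
+- *workstation_wanaheim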
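Review bot: The single entry under `creation_rules` encrypts every matching file to all six keys, so compromising any one server or the workstation exposes every secret under `secrets/`, including ones that host never consumes. Two of the encrypted JSON documents further down this page list only the admin_odie and server_pi0 recipients (presumably the `.xml` secrets the kodi module references, whose names would not match this `path_regex`), while a third lists all six. I would add narrower rules ahead of the catch-all, for example one whose `path_regex` covers the kodi secrets directory and whose `key_groups` hold only `*admin_odie` and `*server_pi0`, then re-encrypt the wide file with `sops updatekeys`. The commented-out `server_pi1` key deserves a one-line comment saying why it was replaced; if the old key is considered lost or exposed, the values it could read need rotating, not just re-encrypting.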


@ -486,18 +486,17 @@
"vanillatweaks": "vanillatweaks" "vanillatweaks": "vanillatweaks"
}, },
"locked": { "locked": {
"lastModified": 1735393933, "lastModified": 1735390427,
"narHash": "sha256-RsPZaV73pdgEvMNuKDGL+qAzSCvs1upIp5fr7583n9g=", "narHash": "sha256-M/uZbGQN2VLdr6G5ryFAaWYf+aebpckPSLiSBrYHsjE=",
"ref": "master", "ref": "refs/heads/master",
"rev": "c3d339a685ac9b86d8c4b8908a0fc81605d5e6b7", "rev": "f2da3bd27832b7e3bb2325e1a3238a874ebd95d9",
"revCount": 332, "revCount": 331,
"type": "git", "type": "git",
"url": "file:///home/odie/Code/nix/minecraft-server-flake" "url": "ssh://git@git.gaja-group.com/gaja-group/minecraft-server-flake.git"
}, },
"original": { "original": {
"ref": "master",
"type": "git", "type": "git",
"url": "file:///home/odie/Code/nix/minecraft-server-flake" "url": "ssh://git@git.gaja-group.com/gaja-group/minecraft-server-flake.git"
} }
}, },
"neorg": { "neorg": {
@ -1141,10 +1140,31 @@
"nvim-spell-de-latin1-suggestions": "nvim-spell-de-latin1-suggestions", "nvim-spell-de-latin1-suggestions": "nvim-spell-de-latin1-suggestions",
"nvim-spell-de-utf8-dictionary": "nvim-spell-de-utf8-dictionary", "nvim-spell-de-utf8-dictionary": "nvim-spell-de-utf8-dictionary",
"nvim-spell-de-utf8-suggestions": "nvim-spell-de-utf8-suggestions", "nvim-spell-de-utf8-suggestions": "nvim-spell-de-utf8-suggestions",
"sops-nix": "sops-nix",
"systems": "systems_2", "systems": "systems_2",
"vim-mcfunction": "vim-mcfunction" "vim-mcfunction": "vim-mcfunction"
} }
}, },
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1736064798,
"narHash": "sha256-xJRN0FmX9QJ6+w8eIIIxzBU1AyQcLKJ1M/Gp6lnSD20=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "5dc08f9cc77f03b43aacffdfbc8316807773c930",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,


@ -45,6 +45,7 @@
home-manager = import ./modules/nixos/home-manager; home-manager = import ./modules/nixos/home-manager;
server = import ./modules/nixos/server; server = import ./modules/nixos/server;
games = import ./modules/nixos/games; games = import ./modules/nixos/games;
sops = import ./modules/nixos/sops;
}; };
nixosConfigurations = nixosConfigurations =
flakeLib.mkNixosConfiguration flakeLib.mkNixosConfiguration
@ -62,6 +63,11 @@
system = "x86_64-linux"; system = "x86_64-linux";
hostName = "wsl-dev"; hostName = "wsl-dev";
} }
// flakeLib.mkNixosConfiguration {
inherit inputs outputs nixpkgs vars flakeLib overlays;
system = "aarch64-linux";
hostName = "pi0";
}
// flakeLib.mkNixosConfiguration { // flakeLib.mkNixosConfiguration {
inherit inputs outputs nixpkgs vars flakeLib overlays; inherit inputs outputs nixpkgs vars flakeLib overlays;
system = "aarch64-linux"; system = "aarch64-linux";
@ -82,6 +88,7 @@
mediacenter = import ./modules/home-manager/mediacenter; mediacenter = import ./modules/home-manager/mediacenter;
user = import ./modules/home-manager/user; user = import ./modules/home-manager/user;
binary-cache = import ./modules/home-manager/binary-cache; binary-cache = import ./modules/home-manager/binary-cache;
sops = import ./modules/home-manager/sops;
}; };
homeConfigurations = homeConfigurations =
flakeLib.mkHomeConfiguration flakeLib.mkHomeConfiguration
@ -150,6 +157,10 @@
url = "github:numtide/flake-utils"; url = "github:numtide/flake-utils";
inputs.systems.follows = "systems"; inputs.systems.follows = "systems";
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-wsl = { nixos-wsl = {
url = "github:nix-community/NixOS-WSL"; url = "github:nix-community/NixOS-WSL";
inputs = { inputs = {


@ -0,0 +1,20 @@
{ inputs, ... }: {
imports = [
inputs.sops-nix.homeManagerModules.sops
];
sops = {
age.keyFile = "/home/user/.age-key.txt"; # must have no password!
# It's also possible to use a ssh key, but only when it has no password:
#age.sshKeyPaths = [ "/home/user/path-to-ssh-key" ];
defaultSopsFile = ../../../secrets/general.yaml;
secrets.hello = {
# sopsFile = ./secrets.yml.enc; # optionally define per-secret files
# %r gets replaced with a runtime directory, use %% to specify a '%'
# sign. Runtime dir is $XDG_RUNTIME_DIR on linux and $(getconf
# DARWIN_USER_TEMP_DIR) on darwin.
path = "%r/hello";
};
};
}
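Review bot: `age.keyFile = "/home/user/.age-key.txt"` looks like the placeholder path from the upstream sops-nix example; the accounts visible elsewhere in this commit are `odie` and `kodi`, so unless a `user` account exists the key will not be found and `secrets.hello` cannot be decrypted at activation. Derive the path from the home directory instead, e.g. `age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";` (with `config` added to the module arguments), and keep that file at mode 0600 since it is an unencrypted private key. The remaining comments are example boilerplate (`secrets.yml.enc`, the darwin runtime directory) and could be trimmed to what this repository actually uses.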


@ -2,5 +2,6 @@ _: {
imports = [ imports = [
./base ./base
./wsl ./wsl
./sops
]; ];
} }


@ -1,8 +1,7 @@
{lib, ...}: _:
with lib; { {
imports = [ imports = [
./kodi ./kodi
./jellyfin
]; ];
mediacenter.kodi.enable = mkDefault true;
} }


@ -0,0 +1,7 @@
{
services.jellyfin = {
enable = true;
openFirewall = true;
};
}
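Review bot: `openFirewall = true` opens Jellyfin's default ports on every interface, and because the mediacenter module in this commit imports `./jellyfin` with no enable option, every host that imports the module gets both the service and the open ports. If the host is only meant to serve the LAN, scope the ports to that interface with `networking.firewall.interfaces.<lan-if>.allowedTCPPorts` instead of the global toggle, or put the service behind an `enable` option as the kodi module had before this change. Jellyfin's own accounts are then the only access control, so the first-run setup should be completed before the port is reachable from other machines.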


@ -1,48 +1,24 @@
{ { pkgs, ... }:
pkgs, let
config,
lib,
...
}: let
cfg = config.mediacenter.kodi;
in
with lib; {
options = {
mediacenter.kodi = {
enable = mkEnableOption "kodi";
};
};
config = let
user = "kodi"; user = "kodi";
starter = pkgs.callPackage ( kodi-standalone = pkgs.kodi-wayland.withPackages
{pkgs, kodi-standalone, ...}: (kodiPkgs: with pkgs.kodiPackages; [
pkgs.writeShellApplication { youtube
name = "kodi-launcher"; pvr-iptvsimple
runtimeInputs = [kodi-standalone]; keymap
text = '' inputstream-adaptive
#!/usr/bin/env bash inputstream-ffmpegdirect
requests-cache
while true inputstreamhelper
do advanced-emulator-launcher
ping -c1 svartalbenheim.odie.home.arpa && break jellyfin
sleep 5 ]);
done in
{
while true
do
sleep 1
kodi-standalone
done
'';
}
) {};
in
lib.mkIf cfg.enable {
services.cage = { services.cage = {
inherit user; inherit user;
enable = true; enable = true;
program = "${starter}/bin/kodi-launcher"; program = "${kodi-standalone}/bin/kodi-standalone";
}; };
users.users.kodi = { users.users.kodi = {
@ -59,10 +35,35 @@ in
]; ];
}; };
networking.firewall.allowedTCPPorts = [8080 9090]; sops.secrets = {
"kodi-advancedsettings" = {
owner = user;
format = "binary";
sopsFile = ./secrets/advancedsettings.xml;
path = "/home/${user}/.kodi/userdata/advancedsettings.xml";
};
"kodi-passwords" = {
owner = user;
format = "binary";
sopsFile = ./secrets/passwords.xml;
path = "/home/${user}/.kodi/userdata/passwords.xml";
};
"kodi-youtube" = {
owner = user;
format = "binary";
sopsFile = ./secrets/youtube.json;
path = "/home/${user}/.kodi/userdata/addon_data/plugin.video.youtube/api_keys.json";
};
};
networking.firewall.allowedTCPPorts = [ 8080 9090 ];
environment.sessionVariables = {
WLR_LIBINPUT_NO_DEVICES = builtins.toString 1;
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
kodi-standalone #kodi-standalone
alsa-utils alsa-utils
(retroarch.override { (retroarch.override {
cores = with libretro; [ cores = with libretro; [
@ -72,5 +73,4 @@ in
]; ];
}) })
]; ];
}; }
}
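Review bot: The three `sops.secrets` entries make this module host-specific without saying so: two of the encrypted files added further down list only the admin and server_pi0 recipients, so any other host importing the mediacenter module would fail to decrypt them at activation, and the `mediacenter.kodi.enable` option that used to gate the module is removed in the same change. Either keep the `lib.mkIf cfg.enable` guard or add a comment such as `# secrets below are encrypted for pi0 only; add the host key and run sops updatekeys before importing elsewhere`. As far as I know sops-nix creates missing parent directories of `path` as root, which may leave `/home/kodi/.kodi/userdata` unwritable for Kodi on a fresh install, so that is worth verifying on pi0. The module body continues between the visible hunks, so this is based on the shown lines only.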


@ -0,0 +1,24 @@
{
"data": "ENC[AES256_GCM,data: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,iv:nFT/yFOmF81VwjM5ab5dJQYrlkDeb9Ov9dzTkMxcUqY=,tag:t2UzVTh0cbuFOZm/RWyu9A==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ac27ksfvxydn20g29s09j66mag45vee3cgk5namsnup5e4l9v3sq7kypg7",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbGN4YmZ6Q1JZamNIVDd0\nblBJQ3ZyNjBkYWlMdWFZeVB3bDU2NEE2SkdNCkhqc05hbWF5Y0RVS3Jld2pPeGFw\nZ2tXbm9rekpyWDU5d2xRL1RveDBCNTQKLS0tIEZBb3FxRGZuTlZOSE1TeWtsN2pI\nOFUwUEVKTklRSXY3d09zVEs2LzdvYmMKCvbPXIPfwz9XQGG6LqjgXQF3FEwpIrQQ\nxHcCVCFtTnuePDcBpiUa0LNO7pbykTLM8QDk720lXh5YeKcJYN1+wQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1v522tvf0gclgjnnu8q0mekl0rcmpdk7d7lwravwazstfn9zqhecsngvhpf",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0cGZFU3FrZTVsNFE2ZGVn\nKzRabVo4Y2tLWEZrbW1aY1oydkZWbWFxV1FFClE5dkR2N1RFaWRvYlNwaUh0VGNx\nakVnbW84T3pGc1lGNzlLNmRMdHNzN2sKLS0tIEhZbENEUTdLQ0laL1B5Tmd3UW5h\nTWtlZFp2bXFHQ0tYK1pSV2xPSHhJeGMKV2WF/21OkoIUBSViIzX5pXZX+8OIwkuP\nb/4owrDej1otYCczA7upnO8d7r9HgdzV0PohZ9ghY+L7xMDtE2Pb0A==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-01-05T05:36:06Z",
"mac": "ENC[AES256_GCM,data:Xm8OaOdmS+XIP1vIA1XUAzM0rvoSXtVmVa3TnyCL5d0hHtJ0WHgCadiEmdngNWaizZ/HyqUipMOR5dRbZSa2KErqvtMXABT5NeoTGQOf11Ug7E+cShfMkEedFXNJ45/qntgpqcd8JqfVHHtcbSb7ccnUapMOFRygtudDb/lHADA=,iv:bVEgaFam+OC5+iGOTA4tH8vU1RRcmuc5tAT03snYgXg=,tag:VMTJjmfH7Qf1/xyQWJFEhA==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.0"
}
}


@ -0,0 +1,24 @@
{
"data": "ENC[AES256_GCM,data:M9gOTRJvjxukwifouVoXTIcZhl2jm9xgATC/Zyo3TATDQkdtcJlzOLA8BzvVmfwYooJBdbp7WQMaxHhRuTH7zEDPv0QPvyTPc1PKqdyMsfDd20Bi0ghPIRTlXRxFOZKKUrOtWNfVx4fAYey54GvZbg18JpdmAtKFtfQtmUko7Uy/S6Ko/bQSsOofhBuCCej6XYEVst7Ukr2V4yO8GyM5U7LAolEGGhGhPZi63B1yLcNXCMeI,iv:htvA4uWnmvwA6dJt2mFf3jDuazjK8NiXakhD23dWaZE=,tag:nAI314LRj0rOEXCvEJoJuw==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ac27ksfvxydn20g29s09j66mag45vee3cgk5namsnup5e4l9v3sq7kypg7",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETWFndzB6RjJvbTVYZTdp\nd2VDUUJkNDBDR3R4Q1hxZGhsdk9yU1NFd2pzCmUxUU45cnEzVW9XK3dhcTA0NGxk\nQUozMk5jb0xDLzJxcFFPclp4VFBlYUkKLS0tIE83a1MwL3psL3I5U0wzRHJUcGxT\nVnNkWUJpK293TTJUeDk4aEtsekg4a0UKR+Pqu+ia+Kg/bHZP6l+bfRZQ1/9O92kZ\nhrfePv7Guxd5t91x+GyKOaGa6KituX7slskcQNc7JbKxhqXgZ1sXUA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1v522tvf0gclgjnnu8q0mekl0rcmpdk7d7lwravwazstfn9zqhecsngvhpf",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTHU4SFIxamhRNkZVWmtC\ndXl0czJkMFVNZEU3Q3ZScitwNW1Qbm9RZ2xJClk0N0E1TEpxVzQyOEtuTUxZR3lF\nSmQxM1VRam9Ici9vaXBWTGdYWjAvYTgKLS0tIEFsUS9UcmZFWWY2S05BTVVZdHcr\neHpuL3dzTEh3dEQxb1B1SDFFSDBhUkUKKgF3hmHbqVZDiCdkvFf8cCI00w0AFWHG\nSMtsQ3i7IhHMLK9RAUM2hlrl4uagF0Qh5WKTX4QlsHFPQur4Qe2qpw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-01-05T05:39:59Z",
"mac": "ENC[AES256_GCM,data:hXVntaa7Tq2A4y5wp9PicERTFjeDGDduxBd321FgRgvKO+9KG6jCzLGUX+dPRQtwM2A/DqRc74yxrorDyjpg5w4JVvfgFWBA+m2Jw6ZG5K/64/VLJgaV/c5dhmaBnyXfCly3441tZuwaocGNbYt2RSHI/izcN4f91iCeTzVFSA0=,iv:qFZ4wGPzQBmL/pZLqy/TDdKobbeqHf+vm6BPSLDsD9w=,tag:7K930Ym3/TbotLioWv4K5g==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.0"
}
}


@ -0,0 +1,40 @@
{
"data": "ENC[AES256_GCM,data:2wfDxlxAfwClaj05cKIUUW6hDhFhzcaJiPhxfGEYv/O2gAaqe2vkKhUiFU6ZivbMVx9xYFlgGvVPoBggZ9zjqzM5jcC9ggDtX2U11NAk6YEcEgrkviUTK0ddaIDsLIaSu+ih1TzYFpMvprH9jyLsR5aGxwykq21wKw61DamSfw9uJ6fzpEldNmTzzHPPUEfKmV/7NE9Tg4s0CzeQhh4GUdvF36JQfKHeDlqaW+L+u5C/HZld/EQ+71m/egwjb3+bh/iCUAO4iGXmmBnu/IM5tR0WSiR8CbwzZsoW9hE9d5Fwfbeu+kyH7Rdgd/VPXTeKyb2c47GeuEt8h7YK6PRvySorcDCCSHP5CbordQHZfsX+hWl47rb9I1dfpYgKHAU=,iv:wYyVXmb80A70Wch4dy/tu4faAjp/DTnwPGXQJxvi3/w=,tag:Gjdr7HkP3CA6em2KEpIKlA==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ac27ksfvxydn20g29s09j66mag45vee3cgk5namsnup5e4l9v3sq7kypg7",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZmoxZmFSb045K29wdE9P\nb2MrMENUUkkrdG1ReS93Q2tpa2pOeldETjE0CktuWHBtanVQY2VtN2NWWlNhdjJw\neDJqVGZBZlN2ZDRWNHY2QmNTbkMzdWMKLS0tIG5XQkZaTzljbXgzb3hkZUREdHVj\ncXA3RzZGT1M0OHBrK0RXNzlPeEJ5b0kKBMVfIOf87UL2iAMz3c2r4mROPBMncr5O\nSVJPGbr79iEAxvLtCJL8jDA0kUt4/L+/hGXCBgtX+VY7GD05cIeesA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1nnx85asl5nmxmurr3g8mazcsggvtazt0hpauw42l7v4k3de74s6s649w0k",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Q3k1bW1qd3RlcGlhQkhI\nYzBLd09ZbG9yOVpGcFJ0dWs0a2p2dGEwYUFjCklpT21aTXhsclBUMUZybnI2TzF2\nYk9zTDVJQzNWSnZSU3ZCZnZPTnd3V1UKLS0tIDNuUTJzYWRwRnluR1Z0aTJRSE80\nWldmQnE5RTlkbVdidk1FMjVvVStvekUKUkY5iCm6PvY5BH696cJC8KSia2MyxM1C\nQrv79R4yZHC6pmn9/v513aiprX2GCbPyDUSMM2pOGeJZgvgfnNmlUQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1v522tvf0gclgjnnu8q0mekl0rcmpdk7d7lwravwazstfn9zqhecsngvhpf",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Q2ZsdVk4V3R2TVBadmZp\nOFN2aXg2N0owOTQxZG05RExrZ052MThDc2xZCjFhK2lmdGVibi9uMHE5dytUbEdW\nV3FndWRLbmJCZFVMRzZXMDZqU2kwRWMKLS0tIDcwTVo5bWxQcTV2Z0pQcE83Y2pD\naWJMMHFJWmtId3hqWTlUUXdQVk13U0UKlYm7hcHCu3Wmcns30u+8j6cpeK80VpR4\neocylEOaWoNNUZjU7ojWWQ6thCmJOt41o3YlX23kVDgeN4sc4FMKZw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age16vz5m0stsh39ajn3zhkzj7x7zfgexlx3zzk2k9vrrrsn78tyzd2qmjkt2a",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQ1hESkgwSjQzaXZCWUU1\nczR0dGUvamt1aEVoaVRUS3dmaTBOL0E1RUV3CkprU3ZGcWdjSGphQ3N6MUk3cTRx\nZVA4bkN3cVErYkFxU2ZzTy9uT1BndUUKLS0tIG1aRk51UjRleWU4Ync5aGhhc1Zt\nR0hkczUydW1HMjJRZ3MrWFZEbDlsTm8Kn2HibVG1t+Z4KhJv9S8wEJqCAhLsFS6v\nSrsYbE4ignDfXf2gN05wgYnqpSXeQHiJaBhLIKhBt+toEgDAXA6d6w==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1j8wprrs23m46h7xl26su3k6uztnvza5k89c9uk9rwwzefv8a4yvqpscxun",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSmxwKzU2WVFHL2xEODNL\ndWt5bVdRT2JUa1U5a3JuREc0TEF0UkdBNnlrCkdSVTVvTjBaalZhY3NHQzRhZElX\ncnJlaEVlbTZleCtIeEZxOXdldWEreWcKLS0tIGc4ajBDcGtVODJIN25qSTFUTVN4\nVzltaVN4REo2c05KSnNEZWU4cFViclEKVtUtFv8817DuI/cQRleYVtqTXuqdJzjW\nE2nRwHjRPOCIGlKinUfmdG3t5YVz0iy0YHGkpsvo+elMC/pijpcryQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1jerjsfhnenzzqtnuxez8g79kc0xxulxyhu2evp9p6gjyswu2syqskgt62v",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUjdnbXJsWXQwb0hZTkYw\nRVYvZU5HbXZUMnY2WHNhRmFnTzQzaGZERlJFCmdIdzBocmVvSUVWUmJQK0ErNURI\nSjVWN2c3dmtwZWl3V25tV1VNMEtmZlkKLS0tIFVJR0g4NUZzcTJYUWN2QlI0WC9D\na3ZPdTRRekRlRDNFMjFPMnI4eG01TTgK7g8H2Quq1DzJYq8Im0j0bwyW5ajg0No8\njfNR05ULMPGbr4rctJ+lNTYeCWpl44eTpxFRWTe+wDSQ2XlCkp5jrA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2023-11-20T12:29:43Z",
"mac": "ENC[AES256_GCM,data:HgDwUqtV3qljKSq4Jds+57NX6unOmE7wuyDJoNkSzecNNSygXzM8qyRJwwFVfZUUpNLovNaorlHfCiDAK5y3DsbsIDabCSbI0Ch8nR8JxAFhJdKz7EzIY7mOORLPsPPb9wQ3gAC6TW1qYxEzUUrs4gUPGknQAZTlglriDC3ljtU=,iv:BpBV7/OE4v0pwYUAlrKIYDtB8jz2krnMSvd3TE299FI=,tag:NQaHzZUi6uh0l0bcqhyowg==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
}
}


@ -0,0 +1,21 @@
{ inputs, ... }: {
imports = [ inputs.sops-nix.nixosModules.sops ];
# This will add secrets.yml to the nix store
# You can avoid this by adding a string to the full path instead, i.e.
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
sops = {
defaultSopsFile = ../../../secrets/general.yaml;
# This will automatically import SSH keys as age keys
age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# This is using an age key that is expected to already be in the filesystem
keyFile = "/var/lib/sops-nix/key.txt";
# This will generate a new key if the key specified above does not exist
generateKey = true;
};
# This is the actual specification of the secrets.
secrets = {
hello = { };
};
};
}
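Review bot: `generateKey = true` will create a fresh age key at `/var/lib/sops-nix/key.txt` on each host, but that key's public half is not among the recipients in `.sops.yaml`, so it can decrypt nothing and only the SSH host key from `sshKeyPaths` does the work (assuming the `server_*` recipients were derived from host keys, which is not visible here). Either drop `keyFile` and `generateKey` and rely on the host key, or document that the generated public key must be added to `.sops.yaml` and the files re-encrypted with `sops updatekeys`. The leading comments are copied from the upstream example and mention `secrets.yml`; here the file is `secrets/general.yaml`, and it is worth stating that what lands in the Nix store is the encrypted file. `secrets.hello` looks like a test value and would be installed on every host that imports this module.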


@ -12,6 +12,7 @@
outputs.homeManagerModules.development outputs.homeManagerModules.development
outputs.homeManagerModules.games outputs.homeManagerModules.games
outputs.homeManagerModules.user outputs.homeManagerModules.user
outputs.homeManagerModules.sops
]; ];
desktop = { desktop = {
enable = true; enable = true;


@ -1,9 +1,10 @@
{ /*
{
outputs, outputs,
flakeLib, flakeLib,
vars, vars,
... ...
}: { }: {
imports = [ imports = [
outputs.nixosModules.base outputs.nixosModules.base
outputs.nixosModules.home-manager outputs.nixosModules.home-manager
@ -15,4 +16,115 @@
}; };
home-manager.users = flakeLib.mkNixosHomeConfiguration {inherit vars;}; home-manager.users = flakeLib.mkNixosHomeConfiguration {inherit vars;};
}
*/
{ inputs
, pkgs
, outputs
, vars
, ...
}: {
imports = [
inputs.nixos-hardware.nixosModules.raspberry-pi-4
outputs.nixosModules.base
outputs.nixosModules.home-manager
outputs.nixosModules.mediacenter
];
networking = {
inherit (vars) hostName domain;
};
boot = {
kernelPackages = pkgs.linuxPackages_rpi4;
kernelParams = [ "snd_bcm2835.enable_headphones=1" "snd_bcm2835.enable_hdmi=1" ];
initrd.availableKernelModules = [
# Allows early (earlier) modesetting for the Raspberry Pi
"vc4"
"bcm2835_dma"
"i2c_bcm2835"
"xhci_pci"
"usbhid"
"usb_storage"
];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = [ "noatime" ];
};
"/media/net/hel_Public" = {
device = "hel.odie.home.arpa:/nfs/Public";
fsType = "nfs";
};
"/media/net/hel_USB" = {
device = "hel.odie.home.arpa:/nfs/USB_Video";
fsType = "nfs";
};
"/media/net/svartalbenheim_Video" = {
device = "svartalbenheim.odie.home.arpa:/volume1/media/Video";
fsType = "nfs";
};
};
swapDevices = [{
device = "/var/lib/swapfile";
size = 4 * 1024;
}];
hardware = {
raspberry-pi."4" = {
apply-overlays-dtmerge.enable = true;
fkms-3d.enable = true;
};
enableRedistributableFirmware = true;
};
home-manager = {
extraSpecialArgs = {
inherit inputs outputs;
};
useGlobalPkgs = true;
useUserPackages = true;
users = {
kodi = import ../../home-manager/kodi/pi0;
odie = import ../../home-manager/odie/pi0;
};
};
security.rtkit.enable = true;
environment.systemPackages = with pkgs; [
libraspberrypi
raspberrypi-eeprom
libcec
kitty
nfs-utils
];
programs.zsh.enable = true;
services.udev.extraRules = ''
# allow access to raspi cec device for video group (and optionally register it as a systemd device, used below)
KERNEL=="vchiq", GROUP="video", MODE="0660", TAG+="systemd", ENV{SYSTEMD_ALIAS}="/dev/vchiq"
'';
system = {
stateVersion = "23.05";
};
nixpkgs = {
hostPlatform.system = "aarch64-linux";
# Fix missing modules
# https://github.com/NixOS/nixpkgs/issues/154163
overlays = [
(final: prev: {
makeModulesClosure = x: prev.makeModulesClosure (x // { allowMissing = true; });
libcec = prev.libcec.override { withLibraspberrypi = true; };
})
];
};
} }
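Review bot: The three NFS entries under `fileSystems` set no `options`, so the shares are mounted with set-uid bits and device nodes honoured and are required for boot to complete. For media shares exported by other machines I would add `options = [ "nosuid" "nodev" "nofail" ];` (plus `"ro"` if Kodi only reads them), which also keeps the Pi bootable when `hel` or `svartalbenheim` is down now that the launcher's wait-for-NAS loop has been removed from the kodi module. The previous configuration is kept at the top of the file inside a `/* … */` block; deleting it and relying on git history would make the file easier to read.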

10
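--- a/remote-deploy.sh
+++ b/remote-deploy.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env sh
+set -e
+HOSTNAME=$1
+nix build -L ".#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel"
+#nix copy --no-check-sigs --to "ssh-ng://root@${HOSTNAME}" "./result"
+#ssh "root@${HOSTNAME}" nix-env -p /nix/var/nix/profiles/system --set "$(readlink ./result)"
+#ssh "root@${HOSTNAME}" /nix/var/nix/profiles/system/bin/switch-to-configuration switch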
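Review bot: `HOSTNAME=$1` is used without checking that an argument was given, and it overwrites a variable that bash and some other shells pre-set; with no argument the flake attribute becomes `nixosConfigurations..config…` and the resulting error is hard to read. Use `set -eu` and `host=${1:?usage: remote-deploy.sh HOST}` instead. When the commented-out copy step is enabled, note that `--no-check-sigs` makes the target accept unsigned store paths from whoever can log in as root over SSH; signing the build with a key listed in the target's `trusted-public-keys` and deploying through a less privileged account would be the tighter setup.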

66
secrets/general.yaml Normal file

@ -0,0 +1,66 @@
hello: ENC[AES256_GCM,data:XWkc+qY=,iv:wgY5hrihkWjCGOBluavDO6basgTll+WukeZAzsK3SIQ=,tag:5qYd+QcKOWpyzq1c0QlZEQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ac27ksfvxydn20g29s09j66mag45vee3cgk5namsnup5e4l9v3sq7kypg7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIOFVYT2doR05kOC9QV1JX
T0pSaEV2NVcyOElhcXE3V1d1UGIva0RxbFJNClFKTWpqSUt5L01KNnpZYnMrL0h3
OE9OU2VVMWo3Z0p5cXlhQm5FUG5Cem8KLS0tIElDOGRvcXVvY1lsMmgrTTNKSGVi
RlJCSlE2NXZSc21qV1paWVVNK1BGVTQKq6164b3zZqKSff6weDeG9Lyul81vXSWU
BNPdVR98/moEz8QfiiUCs3UQTRUOY+/muWnpn5wTD/c0PYlfFtrNsQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nnx85asl5nmxmurr3g8mazcsggvtazt0hpauw42l7v4k3de74s6s649w0k
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaNnJjbysxWmdBb0F0MExj
cHBuMkE4bENNYUtYNWxPZ1JEVTV0NzdUdGpJCkUyd2xHVWprWXZKS2xJM3pZZFhF
N0ZZdUI2ZndRa3FLOWZRM3BnR3Y3M0kKLS0tIGZWYTc1YkZoNnNpSDBla3pSaWR5
TStTQk85STFENlVXM1RMb2c5Vjd0djAKBKswTBhTtt5K8eVqmUl0m8lG7JF++qpU
WQm22QEVZ9SW/ZI6DUFN2L4Ga1cGDXPiXxZuTSjp9WElDiLg33XHEw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v522tvf0gclgjnnu8q0mekl0rcmpdk7d7lwravwazstfn9zqhecsngvhpf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6VEdLRnhWTnY2NCsrSlNN
QmRoY25TYnJzbnpIT2dIRi94V1dZV3JQZDM4CnlsTWlaQXFaaDFSSWFweml5NjZv
K3crc1VXakREMTlwSzEwWHo1di9LcmMKLS0tIEtzVk1STSthRVVGUGZhSnFzUmZD
M2lYbDRpWk9BaEYwcng1d2JDQ3JyQWcKkQB8k55P8xRMIix8MeI1YCOD+Uq2/z4W
Zek12JWzIFS1NMLduuO997AZk8bwF3yRqSpkYSuhx2dvxWOgusKprQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age16vz5m0stsh39ajn3zhkzj7x7zfgexlx3zzk2k9vrrrsn78tyzd2qmjkt2a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJa0FZU2FnUUQvQzZicklB
L25Gb0ZsdVlNNzV3Yld4Rzk3SG9DaUlQYWxnCjgvd2xqbEpiNjdRN1BwRk9vTllx
N1gyREMvbHFKSEh6Vi95VXYzZWNENk0KLS0tIDQzU3A0eEZtZTV0RmNVaEVXbSt6
YVNxNzBRRUpxYkVhZWFUTlBQTmUvMGMKpc9rIUi08CFS3mAI6Iz9QgiEMj0lF/dK
tM2zk2A9hJSt/ZQ59XfrQitZc5IcW52T2lq5pMM+oUbASNREdrycbg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j8wprrs23m46h7xl26su3k6uztnvza5k89c9uk9rwwzefv8a4yvqpscxun
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNlRhYWd6SzkzTVRIUUNG
VThFSEdSdGZhOVFtNWRLK2NIQ1V3b2xiN1VRClpqUGw1b09JSU1zVzIrRlVJd0lV
R2xSK2k1K21sWkNRbk9TV2IvNm95TTgKLS0tIDZHNFhyYkx4c0FTb1I2RmVQQ2Ji
djhxdm5iV3Bwd2tsdnZUMmtFWXFLN3MKTm8Y5MT5vNBZ5Y0eSWcscTn/I4nAHnKy
Q0CK4m+HHPEikaUnd+v/bxqPwAwjZ2+R7HrR3wuEPdl0WEIbfQeRzw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jerjsfhnenzzqtnuxez8g79kc0xxulxyhu2evp9p6gjyswu2syqskgt62v
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRnZyWGE4ZHk5dER3SHZK
bDlXb00zZmlCaC8rODcyY3laZ3Z4OStMQ0dnCk5WcUFzcDVsQmFMS2p0QTEySVhn
QlF6Nnd3anNDVG1DcGUyVGRoaGdwaXMKLS0tIGtMck1CdmNCT29PMmNNd1dyekM0
bnc0d2JDV1ZHOWM4Q2FPUit4OWgzOW8KcVjHNOD1y9NRrye3uhe7L6yWc54DtMOj
lhI75HtNIDsgxLUrtBvUHA/sNBdlIE8tHpXnwnuj7qQRiu6d3leK3A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-05T22:35:45Z"
mac: ENC[AES256_GCM,data:Aayg2XiuB3+oiS/8wesJQnn8WonNG19loLmSToSR/5B2ha2CEaS9xBJZD0OOett6mumtn70aMK75quWCYTaQzf1vTaIBt1eDVHmBN3dWaTk/an5DtYmJ5oZKUCNiIOGo8jwDbd+e+nZYQXwI1pCn8BbyopsF+AhqOpl7WX8WzyY=,iv:fvJqyWT8M+DFCtCaqVO95HTEDzaOVrg0gwNpp3NOpb0=,tag:dnYnRdRSaaMvEDCNQ+sLUQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1