diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 18538e7..566b250 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,6 +22,10 @@ jobs: uses: DeterminateSystems/nix-installer-action@v14 with: extra-conf: allow-import-from-derivation = true + - name: Add SSH keys to ssh-agent + uses: webfactory/ssh-agent@v0.9.0 + with: + ssh-private-key: ${{ secrets.SECRETS_DEPLOY_KEY }} - name: Setup Attic cache uses: ryanccn/attic-action@v0.3.1 with: @@ -66,6 +70,10 @@ jobs: uses: DeterminateSystems/nix-installer-action@v14 with: extra-conf: allow-import-from-derivation = true + - name: Add SSH keys to ssh-agent + uses: webfactory/ssh-agent@v0.9.0 + with: + ssh-private-key: ${{ secrets.SECRETS_DEPLOY_KEY }} - name: Setup Attic cache uses: ryanccn/attic-action@v0.3.1 with: diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index c63a1d1..7e94cd5 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -17,6 +17,10 @@ jobs: uses: DeterminateSystems/nix-installer-action@v14 with: extra-conf: allow-import-from-derivation = true + - name: Add SSH keys to ssh-agent + uses: webfactory/ssh-agent@v0.9.0 + with: + ssh-private-key: ${{ secrets.SECRETS_DEPLOY_KEY }} - name: Setup Attic cache uses: ryanccn/attic-action@v0.3.1 with: diff --git a/flake.lock b/flake.lock index 43ea1d5..9a8411b 100644 --- a/flake.lock +++ b/flake.lock 
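Review bot: `webfactory/ssh-agent@v0.9.0` is referenced by a mutable tag in the very step that receives `secrets.SECRETS_DEPLOY_KEY`, so anyone able to move that tag gets the private key; pin it to a full commit SHA, e.g. `uses: webfactory/ssh-agent@<full-commit-sha> # v0.9.0`. The same step is added in the second build.yml hunk, in check.yml and in modules/development/ci.nix, which looks like the source these workflow files are generated from, so the pin belongs there. The key stays loaded in the agent for every later step of the job, including the third-party Attic action, so the deploy key should be read-only and scoped to the e10-secrets repository alone. The workflow triggers are outside the hunks; if these jobs also run for pull requests from forks, the secret will be empty there and the step's behaviour in that case is worth confirming.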
@@ -25,6 +25,33 @@ "type": "github" } }, + "attic_2": { + "inputs": { + "crane": "crane_2", + "flake-compat": "flake-compat_3", + "flake-parts": "flake-parts_2", + "nix-github-actions": "nix-github-actions_3", + "nixpkgs": [ + "e10-secrets", + "e10", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1758711588, + "narHash": "sha256-0nZlCCDC5PfndsQJXXtcyrtrfW49I3KadGMDlutzaGU=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "12cbeca141f46e1ade76728bce8adc447f2166c6", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "attic", + "type": "github" + } + }, "colmena": { "inputs": { "flake-compat": "flake-compat_2", @@ -49,6 +76,32 @@ "type": "github" } }, + "colmena_2": { + "inputs": { + "flake-compat": "flake-compat_4", + "flake-utils": "flake-utils_2", + "nix-github-actions": "nix-github-actions_4", + "nixpkgs": [ + "e10-secrets", + "e10", + "nixpkgs" + ], + "stable": "stable_2" + }, + "locked": { + "lastModified": 1762034856, + "narHash": "sha256-QVey3iP3UEoiFVXgypyjTvCrsIlA4ecx6Acaz5C8/PQ=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "349b035a5027f23d88eeb3bc41085d7ee29f18ed", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "colmena", + "type": "github" + } + }, "crane": { "locked": { "lastModified": 1751562746, @@ -64,6 +117,21 @@ "type": "github" } }, + "crane_2": { + "locked": { + "lastModified": 1751562746, + "narHash": "sha256-smpugNIkmDeicNz301Ll1bD7nFOty97T79m4GUMUczA=", + "owner": "ipetkov", + "repo": "crane", + "rev": "aed2020fd3dc26e1e857d4107a5a67a33ab6c1fd", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ 
@@ -84,6 +152,92 @@ "type": "github" } }, + "disko_2": { + "inputs": { + "nixpkgs": [ + "e10-secrets", + "e10", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1766150702, + "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=", + "owner": "nix-community", + "repo": "disko", + "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "e10": { + "inputs": { + "attic": "attic_2", + "colmena": "colmena_2", + "disko": "disko_2", + "flake-parts": "flake-parts_3", + "flake-root": "flake-root", + "haumea": "haumea", + "nixago": "nixago", + "nixos-anywhere": "nixos-anywhere", + "nixos-generators": "nixos-generators", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs", + "nixpkgs-master": "nixpkgs-master", + "sops-nix": "sops-nix", + "treefmt": "treefmt" + }, + "locked": { + "lastModified": 1766898158, + "narHash": "sha256-dEh05XtUlfjV001vgUXG73jpCTeHnLjx8snDa3zUFms=", + "owner": "ethnt", + "repo": "e10", + "rev": "e9a4073ae13822df5a1090d002e7f5863a7fc5ea", + "type": "github" + }, + "original": { + "owner": "ethnt", + "repo": "e10", + "type": "github" + } + }, + "e10-secrets": { + "inputs": { + "e10": "e10", + "flake-parts": [ + "e10-secrets", + "e10", + "flake-parts" + ], + "haumea": [ + "e10-secrets", + "e10", + "haumea" + ], + "nixpkgs": [ + "e10-secrets", + "e10", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1767018483, + "narHash": "sha256-BX3ogzhAv5QGxn7H2h4VZf4NcftNp0rWQrsNr4KB17A=", + "ref": "refs/heads/main", + "rev": "cba82016e3adcb83c90000ddf1340686f800b38b", + "revCount": 2, + "type": "git", + "url": "ssh://git@github.com/ethnt/e10-secrets" + }, + "original": { + "type": "git", + "url": "ssh://git@github.com/ethnt/e10-secrets" + } + }, "flake-compat": { "flake": false, "locked": { 
@@ -116,6 +270,38 @@ "type": "github" } }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -138,6 +324,29 @@ } }, "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "e10-secrets", + "e10", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1751413152, + "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_3": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, 
@@ -155,7 +364,48 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_4": { + "inputs": { + "nixpkgs-lib": [ + "e10-secrets", + "e10", + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1748821116, + "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_5": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1765835352, + "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "a34fae9c08a15ad73f295041fec82323541400a9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_6": { "inputs": { "nixpkgs-lib": [ "nixos-anywhere", @@ -191,6 +441,21 @@ "type": "github" } }, + "flake-root_2": { + "locked": { + "lastModified": 1723604017, + "narHash": "sha256-rBtQ8gg+Dn4Sx/s+pvjdq3CB2wQNzx9XGFq/JVGCB6k=", + "owner": "srid", + "repo": "flake-root", + "rev": "b759a56851e10cb13f6b8e5698af7b59c44be26e", + "type": "github" + }, + "original": { + "owner": "srid", + "repo": "flake-root", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1659877975, @@ -206,7 +471,7 @@ "type": "github" } }, - "flake-utils_2": { + "flake-utils_10": { "locked": { "lastModified": 1653893745, "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", 
@@ -221,6 +486,51 @@ "type": "github" } }, + "flake-utils_11": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_12": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "flake-utils_3": { "locked": { "lastModified": 1653893745, 
@@ -281,7 +591,74 @@ "type": "github" } }, + "flake-utils_7": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_8": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_9": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "haumea": { + "inputs": { + "nixpkgs": [ + "e10-secrets", + "e10", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1708375098, + "narHash": "sha256-DaFJp3wDHgOqx98U0SF57bXaH2Orp106c+jSdPCVu1E=", + "owner": "nix-community", + "repo": "haumea", + "rev": "ec6350fd9353e7f27ce0e85d31f82e3ed73e4d70", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "haumea", + "type": "github" + } + }, + "haumea_2": { "inputs": { "nixpkgs": [ "nixpkgs" 
@@ -343,7 +720,76 @@ "type": "github" } }, + "nix-github-actions_3": { + "inputs": { + "nixpkgs": [ + "e10-secrets", + "e10", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1737420293, + "narHash": "sha256-F1G5ifvqTpJq7fdkT34e/Jy9VCyzd5XfJ9TO8fHhJWE=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "f4158fa080ef4503c8f4c820967d946c2af31ec9", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-github-actions_4": { + "inputs": { + "nixpkgs": [ + "e10-secrets", + "e10", + "colmena", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nix-vm-test": { + "inputs": { + "nixpkgs": [ + "e10-secrets", + "e10", + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1748765518, + "narHash": "sha256-vftOR+7zwnMWl5UpG32GL1VBeNGTDZZT0hv+2uNuBGw=", + "owner": "Mic92", + "repo": "nix-vm-test", + "rev": "d6642fbaf42fc98883d84bab66cd0ec720d9dd0c", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "nix-vm-test", + "type": "github" + } + }, + "nix-vm-test_2": { "inputs": { "nixpkgs": [ "nixos-anywhere", @@ -366,9 +812,11 @@ }, "nixago": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixago-exts": "nixago-exts", "nixpkgs": [ + "e10-secrets", + "e10", "nixpkgs" ] }, @@ -388,9 +836,11 @@ }, "nixago-exts": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_4", "nixago": "nixago_2", "nixpkgs": [ + "e10-secrets", + "e10", "nixago", "nixpkgs" ] 
@@ -411,9 +861,11 @@ }, "nixago-exts_2": { "inputs": { - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_6", "nixago": "nixago_3", "nixpkgs": [ + "e10-secrets", + "e10", "nixago", "nixago-exts", "nixago", 
@@ -434,10 +886,134 @@ "type": "github" } }, - "nixago_2": { + "nixago-exts_3": { + "inputs": { + "flake-utils": "flake-utils_9", + "nixago": "nixago_5", + "nixpkgs": [ + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070308, + "narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=", + "owner": "nix-community", + "repo": "nixago-extensions", + "rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago-exts_4": { + "inputs": { + "flake-utils": "flake-utils_11", + "nixago": "nixago_6", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655508669, + "narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=", + "owner": "nix-community", + "repo": "nixago-extensions", + "rev": "3022a932ce109258482ecc6568c163e8d0b426aa", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago_2": { + "inputs": { + "flake-utils": "flake-utils_5", + "nixago-exts": "nixago-exts_2", + "nixpkgs": [ + "e10-secrets", + "e10", + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070010, + "narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=", + "owner": "nix-community", + "repo": "nixago", + "rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "rename-config-data", + "repo": "nixago", + "type": "github" + } + }, + "nixago_3": { + "inputs": { + "flake-utils": "flake-utils_7", + "nixpkgs": [ + "e10-secrets", + "e10", + "nixago", + "nixago-exts", + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655405483, + "narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=", + "owner": "nix-community", + "repo": "nixago", + "rev": 
"e6a9566c18063db5b120e69e048d3627414e327d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago", + "type": "github" + } + }, + "nixago_4": { + "inputs": { + "flake-utils": "flake-utils_8", + "nixago-exts": "nixago-exts_3", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1746801636, + "narHash": "sha256-dlcKfIXp/eqFHzFm+DzseXAWWlpVwyk9cTvCKGtVKkw=", + "owner": "nix-community", + "repo": "nixago", + "rev": "8cc33f973ab3a891d8a41391e73ef451a783960b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago", + "type": "github" + } + }, + "nixago_5": { "inputs": { - "flake-utils": "flake-utils_4", - "nixago-exts": "nixago-exts_2", + "flake-utils": "flake-utils_10", + "nixago-exts": "nixago-exts_4", "nixpkgs": [ "nixago", "nixago-exts", @@ -459,9 +1035,9 @@ "type": "github" } }, - "nixago_3": { + "nixago_6": { "inputs": { - "flake-utils": "flake-utils_6", + "flake-utils": "flake-utils_12", "nixpkgs": [ "nixago", "nixago-exts", @@ -499,16 +1075,35 @@ "type": "github" } }, + "nixlib_2": { + "locked": { + "lastModified": 1736643958, + "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, "nixos-anywhere": { "inputs": { "disko": [ + "e10-secrets", + "e10", "disko" ], - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_4", "nix-vm-test": "nix-vm-test", "nixos-images": "nixos-images", "nixos-stable": "nixos-stable", "nixpkgs": [ + "e10-secrets", + "e10", "nixpkgs" ], "treefmt-nix": "treefmt-nix" 
@@ -527,9 +1122,60 @@ "type": "github" } }, + "nixos-anywhere_2": { + "inputs": { + "disko": [ + "disko" + ], + "flake-parts": "flake-parts_6", + "nix-vm-test": "nix-vm-test_2", + "nixos-images": "nixos-images_2", + "nixos-stable": "nixos-stable_2", + "nixpkgs": [ + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix_2" + }, + "locked": { + "lastModified": 1766503044, + "narHash": "sha256-DdJ0OIngRjekqXJauSQ8y9vyDO24dX8v7DiaWmxk7PU=", + "owner": "numtide", + "repo": "nixos-anywhere", + "rev": "e86fad431cf9161ca39747972bd255897572dc3b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nixos-anywhere", + "type": "github" + } + }, "nixos-generators": { "inputs": { "nixlib": "nixlib", + "nixpkgs": [ + "e10-secrets", + "e10", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1764234087, + "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "032a1878682fafe829edfcf5fdfad635a2efe748", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, + "nixos-generators_2": { + "inputs": { + "nixlib": "nixlib_2", "nixpkgs": [ "nixpkgs" ] 
@@ -563,7 +1209,51 @@ "type": "github" } }, + "nixos-hardware_2": { + "locked": { + "lastModified": 1766568855, + "narHash": "sha256-UXVtN77D7pzKmzOotFTStgZBqpOcf8cO95FcupWp4Zo=", + "owner": "nixos", + "repo": "nixos-hardware", + "rev": "c5db9569ac9cc70929c268ac461f4003e3e5ca80", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixos-hardware", + "type": "github" + } + }, "nixos-images": { + "inputs": { + "nixos-stable": [ + "e10-secrets", + "e10", + "nixos-anywhere", + "nixos-stable" + ], + "nixos-unstable": [ + "e10-secrets", + "e10", + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1749086071, + "narHash": "sha256-4+fY7i+q78F3t6APz0cMC4kRxsyCb+UTyfhbckkCd7Q=", + "owner": "nix-community", + "repo": "nixos-images", + "rev": "aa38dbbdf0e955baef7e03dfc4265ae3fdac4808", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-images", + "type": "github" + } + }, + "nixos-images_2": { "inputs": { "nixos-stable": [ "nixos-anywhere", @@ -604,6 +1294,22 @@ "type": "github" } }, + "nixos-stable_2": { + "locked": { + "lastModified": 1749086602, + "narHash": "sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4792576cb003c994bd7cc1edada3129def20b27d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1766309749, @@ -635,6 +1341,21 @@ "type": "github" } }, + "nixpkgs-lib_2": { + "locked": { + "lastModified": 1765674936, + "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, "nixpkgs-master": { "locked": { "lastModified": 1766591670, 
@@ -650,6 +1371,21 @@ "type": "github" } }, + "nixpkgs-master_2": { + "locked": { + "lastModified": 1766591670, + "narHash": "sha256-rJi/drKMi8qyVNuPaaMGIY9BlA/UgMBpN1UjJ69dMKA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d6278c3a80d5703b628c14dc9ecb1c8780c1a77f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1751741127, 
@@ -666,25 +1402,80 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1751741127, + "narHash": "sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "29e290002bfff26af1db6f64d070698019460302", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1766309749, + "narHash": "sha256-3xY8CZ4rSnQ0NqGhMKAy5vgC+2IVK0NoVEzDoOh4DA4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a6531044f6d0bef691ea18d4d4ce44d0daa6e816", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { "attic": "attic", "colmena": "colmena", "disko": "disko", - "flake-parts": "flake-parts_2", - "flake-root": "flake-root", - "haumea": "haumea", - "nixago": "nixago", - "nixos-anywhere": "nixos-anywhere", - "nixos-generators": "nixos-generators", - "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs", - "nixpkgs-master": "nixpkgs-master", - "sops-nix": "sops-nix", - "treefmt": "treefmt" + "e10-secrets": "e10-secrets", + "flake-parts": "flake-parts_5", + "flake-root": "flake-root_2", + "haumea": "haumea_2", + "nixago": "nixago_4", + "nixos-anywhere": "nixos-anywhere_2", + "nixos-generators": "nixos-generators_2", + "nixos-hardware": "nixos-hardware_2", + "nixpkgs": "nixpkgs_2", + "nixpkgs-master": "nixpkgs-master_2", + "sops-nix": "sops-nix_2", + "treefmt": "treefmt_2" } }, "sops-nix": { + "inputs": { + "nixpkgs": [ + "e10-secrets", + "e10", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1766289575, + "narHash": "sha256-BOKCwOQQIP4p9z8DasT5r+qjri3x7sPCOq+FTjY8Z+o=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "9836912e37aef546029e48c8749834735a6b9dad", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + 
"sops-nix_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -720,9 +1511,27 @@ "type": "github" } }, + "stable_2": { + "locked": { + "lastModified": 1750133334, + "narHash": "sha256-urV51uWH7fVnhIvsZIELIYalMYsyr2FCalvlRTzqWRw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "36ab78dab7da2e4e27911007033713bab534187b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, "treefmt": { "inputs": { "nixpkgs": [ + "e10-secrets", + "e10", "nixpkgs" ] }, @@ -741,6 +1550,29 @@ } }, "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "e10-secrets", + "e10", + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1749194973, + "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { "inputs": { "nixpkgs": [ "nixos-anywhere", @@ -760,6 +1592,26 @@ "repo": "treefmt-nix", "type": "github" } + }, + "treefmt_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1766000401, + "narHash": "sha256-+cqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "42d96e75aa56a3f70cab7e7dc4a32868db28e8fd", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index dd3b216..d2216e6 100644 --- a/flake.nix +++ b/flake.nix @@ -55,6 +55,9 @@ attic.inputs.nixpkgs.follows = "nixpkgs"; flake-root.url = "github:srid/flake-root"; + + e10-secrets.url = "git+ssh://git@github.com/ethnt/e10-secrets"; + # e10-secrets.url = "git+file:///Users/ethan/Workspace/e10-secrets"; }; outputs = inputs@{ self, flake-parts, ... }: 
@@ -71,9 +74,10 @@ ./modules/development/treefmt.nix ./modules/development/flake-root.nix - ./modules/deploy/shell.nix - ./modules/deploy/configuration.nix ./modules/deploy/ansible.nix + ./modules/deploy/configuration.nix + ./modules/deploy/secrets.nix + ./modules/deploy/shell.nix ./modules/deploy/terraform.nix ./hosts diff --git a/hosts/bastion/configuration.nix b/hosts/bastion/configuration.nix index 45fe321..b063db4 100644 --- a/hosts/bastion/configuration.nix +++ b/hosts/bastion/configuration.nix @@ -1,7 +1,8 @@ -{ suites, profiles, ... }: { +{ suites, profiles, secrets, ... }: { imports = with suites; core ++ aws ++ web ++ (with profiles; [ security.lldap.default ]) - ++ [ ./profiles/authelia ./profiles/caddy ]; + ++ [ ./profiles/authelia ./profiles/caddy ] + ++ [ secrets.hosts.bastion.configuration ]; deployment.tags = [ "@external" ]; diff --git a/hosts/bastion/profiles/authelia/default.nix b/hosts/bastion/profiles/authelia/default.nix index 4093ec6..a3d508f 100644 --- a/hosts/bastion/profiles/authelia/default.nix +++ b/hosts/bastion/profiles/authelia/default.nix @@ -138,7 +138,7 @@ remember_me = "1y"; }]; - access_control.rules = lib.mkAfter [ + access_control.rules = lib.mkBefore [ { domain = "*.e10.camp"; policy = "bypass"; diff --git a/hosts/default.nix b/hosts/default.nix index ef2c0f3..15715fe 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -1,6 +1,6 @@ { self, withSystem, ... }: let - inherit (self) inputs; + inherit (self) inputs secrets; inherit (inputs) haumea; inherit (self.lib.utils) flattenTree; l = inputs.nixpkgs.lib // builtins; @@ -34,7 +34,7 @@ let baseConfiguration = _: { networking.hostName = hostname; }; modules = commonModules ++ [ baseConfiguration configuration ]; specialArgs = { - inherit inputs profiles suites; + inherit inputs profiles suites secrets; flake = self; hosts = self.nixosConfigurations; }; diff --git a/hosts/htpc/configuration.nix b/hosts/htpc/configuration.nix index 9705c78..d449002 100644 
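Review bot: Importing `secrets.hosts.bastion.configuration` pulls the private flake's module into the bastion system closure, and a flake input's source tree is copied into the world-readable /nix/store wherever it is evaluated, so nothing in e10-secrets should be a plaintext credential. Its contents are not visible here; if it holds more than sops-encrypted files and non-sensitive settings, those values would be readable by any local user on the host and could end up in the binary cache that CI is configured with. The same import is added for htpc in hosts/htpc/configuration.nix, and the input itself is declared in flake.nix. A short comment above the import would keep that boundary explicit, for example `# e10-secrets is private, not secret at rest: credentials stay in sops`.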
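Review bot: Switching this list from `lib.mkAfter` to `lib.mkBefore` in hosts/bastion/profiles/authelia/default.nix puts the `domain = "*.e10.camp"; policy = "bypass";` rule ahead of every rule contributed by other modules, and Authelia applies the first rule that matches a request. The rest of the rule and of the list lies outside the hunk, so I cannot see whether it is narrowed by `resources`, `networks` or similar; if it is not, it would match every subdomain before any `one_factor` or `two_factor` rule, including rules that may now come from `secrets.hosts.bastion.configuration`. Please confirm that each bypass entry is narrowly scoped, and record the ordering intent next to the change, e.g. `# mkBefore: these bypass rules must win over per-service rules; keep each one restricted by resources/networks`.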
--- a/hosts/htpc/configuration.nix +++ b/hosts/htpc/configuration.nix @@ -1,7 +1,8 @@ -{ suites, profiles, pkgs, ... }: { +{ suites, profiles, pkgs, secrets, ... }: { imports = with suites; core ++ local ++ proxmox-vm ++ [ profiles.filesystems.blockbuster + profiles.filesystems.files.personal profiles.hardware.nvidia profiles.media-management.bazarr.default profiles.media-management.declutarr.default @@ -23,7 +24,8 @@ profiles.telemetry.prometheus-dcgm-exporter profiles.telemetry.prometheus-plex-media-server-exporter.default profiles.virtualisation.docker - ] ++ [ ./hardware-configuration.nix ./disk-config.nix ]; + ] ++ [ ./hardware-configuration.nix ./disk-config.nix ] + ++ [ secrets.hosts.htpc.configuration ]; deployment = { tags = [ "@vm" "@build-on-target" ]; diff --git a/modules/deploy/secrets.nix b/modules/deploy/secrets.nix new file mode 100644 index 0000000..1d327cd --- /dev/null +++ b/modules/deploy/secrets.nix @@ -0,0 +1 @@ +{ inputs, ... }: { imports = [ inputs.e10-secrets.flakeModule ]; } diff --git a/modules/development/ci.nix b/modules/development/ci.nix index 09f8f9c..718b955 100644 --- a/modules/development/ci.nix +++ b/modules/development/ci.nix @@ -21,6 +21,11 @@ in { uses = "DeterminateSystems/nix-installer-action@v14"; "with" = { extra-conf = "allow-import-from-derivation = true"; }; } + { + name = "Add SSH keys to ssh-agent"; + uses = "webfactory/ssh-agent@v0.9.0"; + "with" = { ssh-private-key = "\${{ secrets.SECRETS_DEPLOY_KEY }}"; }; + } { name = "Setup Attic cache"; uses = "ryanccn/attic-action@v0.3.1"; diff --git a/modules/profiles/filesystems/files/personal.nix b/modules/profiles/filesystems/files/personal.nix new file mode 100644 index 0000000..2b6e75e --- /dev/null +++ b/modules/profiles/filesystems/files/personal.nix 
@@ -0,0 +1,16 @@ +{ config, hosts, ... }: { + imports = [ ./common.nix ]; + + fileSystems."/mnt/files/personal" = let + # Use local network if local, otherwise use Tailscale + host = if builtins.elem "@external" config.deployment.tags then + hosts.omnibus.config.networking.hostName + else + hosts.omnibus.config.satan.address; + in { + device = + "${host}:${hosts.omnibus.config.disko.devices.zpool.files.datasets.root.mountpoint}/personal"; + fsType = "nfs"; + options = [ "x-systemd.automount" "exec" ]; + }; +}
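Review bot: The new mount lists `exec` explicitly and nothing turns off setuid binaries or device nodes, so whatever the NFS server exports under `personal` is executable and setuid-capable on the client. Unless programs really have to run from this share, `options = [ "x-systemd.automount" "nosuid" "nodev" "noexec" ];` is the safer set; `./common.nix` is not shown and may already add some of these. The comment above `host` reads in the opposite order to the branches, since the `@external` case returns `networking.hostName` and the other case `satan.address`. Rewording it to something like `# external hosts reach omnibus by hostname (presumably Tailscale); local hosts use its satan.address` would make the mapping unambiguous.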