Refactor imports and secrets. Add per-system properties and role-based secret access.

Highlights
- No need to update flake for every machine anymore, just add a properties.nix file.
- Roles are automatically generated from all machine configurations.
- Roles and their secrets are automatically grouped and show up in agenix secrets.nix
- Machines and their service configs may now query the properties of all machines.
- Machine configuration and secrets are now completely isolated into each machine's directory.
- Safety checks to ensure no mixing of luks unlocking secrets and hosts with primary ones.
- SSH pubkeys no longer centrally stored but instead per machine where the private key lies for better cleanup.
2023-04-20 22:01:21 -06:00
parent a02775a234
commit 71baa09bd2
42 changed files with 632 additions and 383 deletions

@@ -33,7 +33,7 @@ in
inherit domains;
loginAccounts = {
"jeremy@runyan.org" = {
hashedPasswordFile = "/run/agenix/email-pw";
hashedPasswordFile = "/run/agenix/hashed-email-pw";
# catchall for all domains
aliases = map (domain: "@${domain}") domains;
};
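Review bot: the rename of `hashedPasswordFile` to `/run/agenix/hashed-email-pw` makes the secret's contents explicit, but the consumer path only lines up if the agenix declaration is renamed in step; `age.secrets.hashed-email-pw` must exist with that exact name or the file will not be provisioned under `/run/agenix`. Also worth a check that the new `hashed-email-pw.age` really holds a password hash (the option is `hashedPasswordFile`, not a plaintext password file); a plaintext value would silently fail authentication rather than error at build time.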
@@ -54,7 +54,7 @@ in
];
certificateScheme = 3; # use let's encrypt for certs
};
age.secrets.email-pw.file = ../../secrets/email-pw.age;
age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
# sendmail to use xxx@domain instead of xxx@mail.domain
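Review bot: `age.secrets.hashed-robots-email-pw` is declared here but nothing in this diff references `/run/agenix/hashed-robots-email-pw`; either the login account that consumes it should be part of this change or the declaration should be dropped until it is used, so there is no orphaned secret being decrypted onto the host at every activation. The old `email-pw` declaration is removed, so the corresponding `secrets/email-pw.age` ciphertext and its entry in `secrets.nix` should go too, otherwise the stale (and now misleadingly named) secret lingers in the repository.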