nix-config/README.md
Zuckerberg 71baa09bd2 Refactor imports and secrets. Add per system properties and role based secret access.
Highlights
- No need to update flake for every machine anymore, just add a properties.nix file.
- Roles are automatically generated from all machine configurations.
- Roles and their secrets are automatically grouped and show up in agenix secrets.nix
- Machines and their service configs may now query the properties of all machines.
- Machine configuration and secrets are now completely isolated into each machine's directory.
- Safety checks to ensure no mixing of luks unlocking secrets and hosts with primary ones.
- SSH pubkeys no longer centrally stored but instead per machine where the private key lies for better cleanup.
2023-04-21 12:58:11 -06:00

My NixOS configurations

Source Layout

  • /common - common configuration imported into all /machines
    • /boot - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
    • /network - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
    • /pc - config that a graphical desktop computer should have. Use de.enable = true; to enable everything.
    • /server - config that creates new NixOS services or extends existing ones to meet my needs
  • /machines - all my NixOS machines along with their machine unique configuration for hardware and services
    • /kexec - a special machine for generating minimal kexec images. Does not import /common
  • /secrets - encrypted shared secrets unlocked through /machines ssh host keys
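The commit highlights above describe roles being collected from per-machine properties.nix files, role-based secrets landing in agenix secrets.nix, and a safety check that LUKS-unlocking keys are never mixed with a host's primary secrets; the /secrets entry describes those secrets being unlocked through each machine's SSH host key. The following Nix expression is an added illustration of that scheme, not the repository's own code: the machine attribute set, the attribute names (roles, hostKey, luksUnlockKey), the secret file names and the placeholder public keys are all constructed for the example.

```nix
# Hypothetical secrets.nix generator (example only, not from the repository).
# It assumes each machine's properties.nix evaluates to an attribute set with
# `roles`, a primary `hostKey` and an optional initrd `luksUnlockKey`.
let
  lib = import <nixpkgs/lib>;

  # Constructed sample of what two machines' properties.nix might return.
  # Keys are placeholders, not real public keys.
  machines = {
    alpha = {
      roles = [ "server" "tailscale" ];
      hostKey = "ssh-ed25519 PLACEHOLDER-alpha-host";
      luksUnlockKey = "ssh-ed25519 PLACEHOLDER-alpha-initrd";
    };
    beta = {
      roles = [ "pc" "tailscale" ];
      hostKey = "ssh-ed25519 PLACEHOLDER-beta-host";
      luksUnlockKey = null;
    };
  };

  # Secrets that every holder of a role may decrypt (constructed names).
  roleSecrets = {
    tailscale = [ "tailscale-authkey.age" ];
    server = [ "pia-credentials.age" ];
  };

  names = builtins.attrNames machines;

  # Every role present across all machines, deduplicated.
  allRoles = lib.unique (lib.concatMap (n: machines.${n}.roles) names);

  # Primary host keys of all machines that carry a given role.
  keysForRole = role:
    map (n: machines.${n}.hostKey)
      (builtins.filter (n: builtins.elem role machines.${n}.roles) names);

  # Role-grouped entries in agenix's { "<file>.age".publicKeys = [...]; } shape.
  roleEntries = lib.concatMap
    (role: map
      (s: { name = "${role}/${s}"; value = { publicKeys = keysForRole role; }; })
      (roleSecrets.${role} or [ ]))
    allRoles;

  # Per-machine LUKS passphrase, readable only by that machine's initrd key.
  luksEntries = lib.concatMap
    (n: lib.optional (machines.${n}.luksUnlockKey != null) {
      name = "${n}/luks-passphrase.age";
      value = { publicKeys = [ machines.${n}.luksUnlockKey ]; };
    })
    names;

  secrets = builtins.listToAttrs (roleEntries ++ luksEntries);

  # Safety check: an initrd unlock key must never be granted any non-LUKS secret,
  # otherwise a compromised initrd environment could read primary secrets.
  unlockKeys = builtins.filter (k: k != null)
    (map (n: machines.${n}.luksUnlockKey) names);
  leaked = lib.filterAttrs
    (name: v:
      !(lib.hasSuffix "luks-passphrase.age" name)
      && builtins.any (k: builtins.elem k unlockKeys) v.publicKeys)
    secrets;
in
assert lib.assertMsg (leaked == { })
  "LUKS unlock keys mixed into primary secrets: ${toString (builtins.attrNames leaked)}";
secrets
```

Evaluating this with `nix eval -f secrets.nix` yields the role-grouped attribute set agenix expects (for the sample above: `tailscale/tailscale-authkey.age` readable by both host keys, `server/pia-credentials.age` by alpha only, and `alpha/luks-passphrase.age` by alpha's initrd key only); if an initrd key ever ends up in a role's key list, evaluation aborts with the assertion message instead of silently producing an over-permissive secrets.nix.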