infra/flake.nix

{
description = "CCCB services";
inputs = {
  # Package set for every host: the nixos-25.11 branch of nixpkgs. A branch
  # name is a moving target; the revision actually built is whatever the
  # flake's lock file records (not visible in this file).
  nixpkgs = {
    url = "github:NixOS/nixpkgs/nixos-25.11";
  };
  #flake-utils.url = "github:numtide/flake-utils";
  # agenix supplies both the NixOS module that decrypts the age.secrets
  # declared below and the CLI used to edit them. No ref is given, so it
  # tracks the repository's default branch.
  # NOTE(review): this input handles every secret on every host, so a lock
  # bump of it deserves the same review as a change to the secrets themselves.
  agenix.url = "github:ryantm/agenix";
  # Reuse this flake's nixpkgs rather than agenix's own pinned copy.
  agenix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs =
{
self,
nixpkgs,
#flake-utils,
agenix,
}:
#flake-utils.lib.eachDefaultSystem (
# system:
let
  # The only platform this flake produces outputs for; the per-system outputs
  # and every nixosSystem call below inherit it.
  system = "x86_64-linux";
  # nixpkgs evaluated for that platform, with no extra config or overlays passed.
  pkgs = import nixpkgs { inherit system; };
in
{
# Formatter run by `nix fmt` for this flake.
formatter = {
  ${system} = pkgs.nixfmt-tree;
};
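# Review helper: fast-forward the checkout, build the system closure without
# activating it, then print what differs from the running system.
# The pull accepts whatever the tracked remote branch holds; nothing in this
# script verifies commit signatures, and nvd reports package/closure changes
# only, so the git log still has to be read separately before deploying.
# NOTE(review): the flake output schema is apps.<system>.<name>; this entry has
# no system level - confirm how it is invoked before relying on `nix run`.
# NOTE(review): `nixos-rebuild build` is called without --flake, so which
# configuration gets built depends on the invoking host's defaults - confirm.
apps.nixos-diff = {
  type = "app";
  program = "${pkgs.writeShellScript "nixos-diff.sh" ''
    # Abort on the first failing step. Without this, a rejected pull or a
    # failed build still reached the nvd step, which then compared the running
    # system against a stale ./result left by an earlier run.
    # pipefail is needed because the build's exit status is otherwise masked
    # by the nom process at the end of the pipeline.
    set -euo pipefail
    ${pkgs.git}/bin/git pull --ff-only
    ${pkgs.nixos-rebuild}/bin/nixos-rebuild build --log-format internal-json -v |& ${pkgs.nix-output-monitor}/bin/nom --json
    ${pkgs.nvd}/bin/nvd diff /run/current-system ./result
  ''}";
};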
# Shell for maintainers who edit secrets: the agenix CLI plus plain age.
devShells.${system}.default =
  let
    agenixCli = agenix.packages.${system}.default;
  in
  pkgs.mkShell {
    packages = [
      agenixCli
      pkgs.age
    ];
  };
# Host "matrix": agenix module, the agenix CLI, the secrets this host may
# decrypt, and the host-specific configuration in ./hosts/matrix.
nixosConfigurations."matrix" =
  let
    # Secret owned by `user` and its same-named group, read-only for both.
    ownedBy = user: file: {
      inherit file;
      mode = "440";
      owner = user;
      group = user;
    };
  in
  nixpkgs.lib.nixosSystem {
    inherit system;
    modules = [
      agenix.nixosModules.default
      { environment.systemPackages = [ agenix.packages.${system}.default ]; }
      {
        age.secrets = {
          # NOTE(review): whoever can read this value can register accounts
          # through Synapse's shared-secret registration; treat it as
          # admin-equivalent.
          matrix_registration_shared_secret = ownedBy "matrix-synapse" ./secrets/matrix_registration_shared_secret.age;
          # NOTE(review): group read is granted on the signing key too; if only
          # the service user itself reads it, "0400" would be enough - confirm
          # group membership in ./hosts/matrix.
          matrix_signing_key = ownedBy "matrix-synapse" ./secrets/matrix_signing_key.age;
          matrix_db_password = ownedBy "matrix-synapse" ./secrets/matrix_db_password.age;
          # Readable by root only. Presumably the consuming service either runs
          # as root or is handed the file by systemd - verify in ./hosts/matrix.
          draupnir_access_token = ownedBy "root" ./secrets/draupnir_access_token.age;
        };
      }
      ./hosts/matrix
    ];
  };
# Host "md": agenix module and CLI, one database password for the hedgedoc
# user, and the host-specific configuration in ./hosts/md.
nixosConfigurations."md" = nixpkgs.lib.nixosSystem {
  inherit system;
  modules = [
    agenix.nixosModules.default
    { environment.systemPackages = [ agenix.packages.${system}.default ]; }
    {
      age.secrets = {
        # Read-only for user and group hedgedoc, inaccessible to everyone else.
        hedgedoc_db_password = {
          mode = "0440";
          owner = "hedgedoc";
          group = "hedgedoc";
          file = ./secrets/hedgedoc_db_password.age;
        };
      };
    }
    ./hosts/md
  ];
};
# Host "www": agenix module and CLI, the htpasswd file for the staging site,
# and the host-specific configuration in ./hosts/www.
nixosConfigurations."www" = nixpkgs.lib.nixosSystem {
  inherit system;
  modules = [
    agenix.nixosModules.default
    { environment.systemPackages = [ agenix.packages.${system}.default ]; }
    {
      # Owned by nginx so the web server can read it; presumably referenced
      # from a basic-auth directive in ./hosts/www - verify there.
      age.secrets.www-staging-htpasswd = {
        mode = "0440";
        owner = "nginx";
        group = "nginx";
        file = ./secrets/www-staging-htpasswd.age;
      };
    }
    ./hosts/www
  ];
};
# Host "monitoring": agenix module and CLI, secrets for grafana, nginx and
# prometheus, and the host-specific configuration in ./hosts/monitoring.
nixosConfigurations."monitoring" =
  let
    # Secret owned by `user` and its same-named group, read-only for both.
    ownedBy = user: file: {
      inherit file;
      mode = "440";
      owner = user;
      group = user;
    };
  in
  nixpkgs.lib.nixosSystem {
    inherit system;
    modules = [
      agenix.nixosModules.default
      { environment.systemPackages = [ agenix.packages.${system}.default ]; }
      {
        age.secrets = {
          grafana_secret_key = ownedBy "grafana" ./secrets/grafana_secret_key.age;
          grafana_admin_password = ownedBy "grafana" ./secrets/grafana_admin_password.age;
          # Owned by nginx, not grafana: presumably the proxy in front of
          # Grafana enforces this credential - verify in ./hosts/monitoring.
          grafana_basic_auth = ownedBy "nginx" ./secrets/grafana_basic_auth.age;
          # The same encrypted file is also declared on the "sql" host (owner
          # postgres there), so it has to stay decryptable by both hosts.
          postgres-grafana = ownedBy "grafana" ./secrets/postgres-grafana.age;
          pve-exporter = ownedBy "prometheus" ./secrets/pve-exporter.age;
        };
      }
      ./hosts/monitoring
    ];
  };
# Host "sql": agenix module and CLI, one secret per database client, and the
# host-specific configuration in ./hosts/sql.
nixosConfigurations."sql" =
  let
    # Every secret on this host is readable by the postgres user alone
    # (mode 0400: no group or world access).
    postgresOnly = file: {
      inherit file;
      owner = "postgres";
      group = "postgres";
      mode = "0400";
    };
  in
  nixpkgs.lib.nixosSystem {
    inherit system;
    modules = [
      agenix.nixosModules.default
      { environment.systemPackages = [ agenix.packages.${system}.default ]; }
      {
        age.secrets = {
          postgres-matrix-synapse = postgresOnly ./secrets/postgres-matrix-synapse.age;
          postgres-hedgedoc = postgresOnly ./secrets/postgres-hedgedoc.age;
          # Shares its encrypted file with the "monitoring" host, where the
          # same secret is owned by grafana.
          postgres-grafana = postgresOnly ./secrets/postgres-grafana.age;
        };
      }
      ./hosts/sql
    ];
  };
};
#);
}