diff --git a/flake.lock b/flake.lock index 57ebe2b..1fe7319 100644 --- a/flake.lock +++ b/flake.lock @@ -1,9 +1,32 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "ags": { "inputs": { "nixpkgs": "nixpkgs", - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1728326430, @@ -60,6 +83,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat_2", @@ -243,7 +288,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1710146030, @@ -261,7 +306,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1710146030, @@ -279,7 +324,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_7" + "systems": "systems_8" }, "locked": { "lastModified": 1710146030, 
@@ -352,6 +397,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -892,7 +958,7 @@ "plugin-vim-vsnip": "plugin-vim-vsnip", "plugin-which-key": "plugin-which-key", "rnix-lsp": "rnix-lsp", - "systems": "systems_5" + "systems": "systems_6" }, "locked": { "lastModified": 1728378979, @@ -2597,11 +2663,12 @@ }, "root": { "inputs": { + "agenix": "agenix", "ags": "ags", "basix": "basix", "deploy-rs": "deploy-rs", "firefox-addons": "firefox-addons", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "lanzaboote": "lanzaboote", "niri": "niri", "nix-index-db": "nix-index-db", @@ -2609,7 +2676,7 @@ "nixpkgs": "nixpkgs_5", "nvf": "nvf", "plasma-manager": "plasma-manager", - "systems": "systems_6", + "systems": "systems_7", "treefmt-nix": "treefmt-nix", "wezterm": "wezterm" } @@ -2688,21 +2755,6 @@ } }, "systems": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_2": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 
@@ -2717,6 +2769,21 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, "systems_3": { "locked": { "lastModified": 1681028828, @@ -2763,6 +2830,21 @@ } }, "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_7": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -2777,7 +2859,7 @@ "type": "github" } }, - "systems_7": { + "systems_8": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -2812,7 +2894,7 @@ }, "utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1701680307, diff --git a/flake.nix b/flake.nix index 1c4a530..8ff097f 100644 --- a/flake.nix +++ b/flake.nix @@ -5,8 +5,9 @@ self, nixpkgs, systems, - treefmt-nix, + agenix, deploy-rs, + treefmt-nix, ... } @ inputs: let eachSystem = f: nixpkgs.lib.genAttrs (import systems) (system: f nixpkgs.legacyPackages.${system}); @@ -18,6 +19,7 @@ pkgs.alejandra pkgs.git deploy-rs.packages.${pkgs.system}.default + agenix.packages.${pkgs.system}.default ]; }; }); @@ -45,6 +47,10 @@ }; # other + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; ags.url = "github:Aylur/ags"; basix.url = "github:notashelf/basix"; deploy-rs.url = "github:serokell/deploy-rs"; 
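Review bot: The new `agenix = { … }` input under `# other` pins only `nixpkgs`, so the lock file gains agenix's own `darwin` and `home-manager` nodes, locked at revisions this flake does not otherwise track or update. For a NixOS-only deployment these are extra locked sources to audit and keep current. Consider adding `inputs.darwin.follows = "";` and `inputs.home-manager.follows = "home-manager";` inside the attrset, so the unused darwin dependency is dropped and home-manager reuses the root pin. The surrounding inputs attrset starts and ends outside this hunk.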
diff --git a/hosts/anastacia/default.nix b/hosts/anastacia/default.nix index 13cf655..18cba8e 100644 --- a/hosts/anastacia/default.nix +++ b/hosts/anastacia/default.nix @@ -1,10 +1,16 @@ -{self, ...}: let +{ + self, + inputs, + ... +}: let mod = "${self}/system"; in { imports = [ ./hardware-configuration.nix ./networking.nix # generated at runtime by nixos-infect + inputs.agenix.nixosModules.default + "${mod}/services/forgejo.nix" "${mod}/services/searx.nix" ]; diff --git a/secrets/searx-env-file.age b/secrets/searx-env-file.age new file mode 100644 index 0000000..8ede959 Binary files /dev/null and b/secrets/searx-env-file.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..6823de6 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,5 @@ +let + anastacia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEplguGeXCbdz++Ry5pwJylmtAMnwtf1+9JoJnCGfw3A root@anastacia"; +in { + "searx-env-file.age".publicKeys = [anastacia]; +} diff --git a/system/services/searx.nix b/system/services/searx.nix index 19ef833..14f2a0b 100644 --- a/system/services/searx.nix +++ b/system/services/searx.nix @@ -1,8 +1,14 @@ -{pkgs, ...}: { +{ + config, + pkgs, + ... +}: { + age.secrets.searx-env-file.file = ../../secrets/searx-env-file.age; services = { searx = { enable = true; package = pkgs.searxng; + environmentFile = config.age.secrets.searx-env-file.path; settings = { search = { safe_search = 1; # 0 = None, 1 = Moderate, 2 = Strict @@ -10,7 +16,7 @@ default_lang = "en"; }; server = { - secret_key = "TODO_USE_SOPS_INSTEAD"; + secret_key = "@SEARX_SECRET_KEY@"; port = 8888; # Internal port bind_address = "localhost"; # Only listen locally base_url = "https://search.nezia.dev/";
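Review bot: In `secrets/secrets.nix`, `"searx-env-file.age".publicKeys = [anastacia];` makes the private key behind `root@anastacia` the only identity that can decrypt, edit or rekey this secret. If that key is regenerated (reinstall or host rebuild) the secret is unrecoverable, and routine edits mean handling the host's private key or working as root on the box. Consider a second, administrator recipient, e.g. `"searx-env-file.age".publicKeys = [anastacia admin];` with `admin` (a name chosen here for illustration) bound in the `let`. A comment stating that `anastacia` is the machine's SSH host key would also help, since that is presumably the identity the agenix module imported in `hosts/anastacia/default.nix` will use to decrypt.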
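Review bot: In `system/services/searx.nix`, `secret_key = "@SEARX_SECRET_KEY@"` is only replaced if the decrypted environment file defines a variable named exactly `SEARX_SECRET_KEY`, and the `.age` file is opaque in review, so nothing visible confirms that. On a name mismatch the service would presumably start with the literal placeholder as its key, a value published in this repository. A comment above `age.secrets.searx-env-file.file`, such as `# must define SEARX_SECRET_KEY=<random value>; substituted into settings.server.secret_key`, would document the contract, and a post-deploy check that the rendered settings no longer contain `@SEARX_SECRET_KEY@` would catch a mismatch. The `services.searx` attrset continues past the end of this hunk.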