diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index ef35391..dca611a 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -1,8 +1,7 @@ { - inputs, lib, config, - pkgs, + system, ... }: let @@ -56,22 +55,21 @@ in "/var/lib/systemd" "/var/lib/nixos" ]; - stylix = { - enable = true; - base16Scheme = "${pkgs.base16-schemes}/share/themes/atelier-cave.yaml"; - }; - nixpkgs.config.allowUnfree = true; - nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; + stylix.enable = true; + nixpkgs = { + hostPlatform = system; + config.allowUnfree = true; + }; nix.settings = { experimental-features = [ "nix-command" "flakes" "pipe-operators" ]; - trusted-users = [ "@wheel" ]; }; + system.stateVersion = "25.05"; # Did you read the comment? time.timeZone = "Asia/Singapore"; i18n.defaultLocale = "en_US.UTF-8"; users = { @@ -106,18 +104,6 @@ in "rafiq/hashedPassword".neededForUsers = true; "rafiq/personalEmailPassword" = { }; "rafiq/workEmailPassword" = { }; - "rafiq/oldSMBCredentials" = { }; - "librechat/creds_key" = { }; - "librechat/creds_iv" = { }; - "librechat/jwt_secret" = { }; - "librechat/jwt_refresh_secret" = { }; - "librechat/meili_master_key" = { }; - }; - templates = { - "smb-credentials".content = '' - username=rafiq - password=${config.sops.placeholder."rafiq/oldSMBCredentials"} - ''; }; }; environment.shellInit = # sh @@ -126,6 +112,5 @@ in export CVT_JIRA_KEY=$(sudo cat ${config.sops.secrets."keys/cvt-jira".path}) export CVT_JIRA_LINK=$(sudo cat ${config.sops.secrets."misc/cvt-jira-link".path}) ''; - system.stateVersion = "25.05"; # Did you read the comment? }; } diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix index 1102c9c..a9592c5 100644 --- a/modules/nixos/server/default.nix +++ b/modules/nixos/server/default.nix 
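Review bot: `nixpkgs.hostPlatform = system;` in the `@@ -56,22 +55,21 @@` hunk of modules/nixos/default.nix relies on a `system` module argument which, as far as I know, is not one of the arguments NixOS passes to modules by default. It therefore has to be injected by the flake or its framework (for example through `specialArgs`), and that wiring is not visible in this diff. A comment at the argument list such as `# system: host platform string injected by the flake, not a standard module argument` would record the dependency and keep readers from confusing it with the `system.stateVersion` option set in the same block. The same hunk leaves `stylix.enable = true;` without a scheme, so each host importing this module presumably has to set `stylix.base16Scheme` itself, as systems/x86_64-linux/common.nix now does. The enclosing attribute set starts and ends outside the hunk.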
@@ -1,16 +1,15 @@
+{ lib, config, ... }:
 {
- lib,
- config,
- ...
-}:
-{
- options.server = {
- mountHelios = lib.mkEnableOption "";
- };
+ options.server.mountHelios = lib.mkEnableOption "";
 
- config = lib.mkMerge [
- (lib.mkIf config.server.mountHelios {
- fileSystems."/media/helios/data" = {
+ config = lib.mkIf config.server.mountHelios {
+ sops.secrets."rafiq/oldSMBCredentials" = { };
+ sops.templates."smb-credentials".content = ''
+ username=rafiq
+ password=${config.sops.placeholder."rafiq/oldSMBCredentials"}
+ '';
+ fileSystems = {
+ "/media/helios/data" = {
 device = "//helios/data";
 fsType = "cifs";
 options = [
@@ -19,7 +18,7 @@
 "x-systemd.mount-timeout=0"
 ];
 };
- fileSystems."/media/helios/rafiqcloud" = {
+ "/media/helios/rafiqcloud" = {
 device = "//helios/rafiqcloud";
 fsType = "cifs";
 options = [
@@ -29,7 +28,7 @@
 "credentials=${config.sops.templates."smb-credentials".path}"
 ];
 };
- fileSystems."/media/helios/rafiqmedia" = {
+ "/media/helios/rafiqmedia" = {
 device = "//helios/rafiqmedia";
 fsType = "cifs";
 options = [
@@ -39,6 +38,6 @@
 "credentials=${config.sops.templates."smb-credentials".path}"
 ];
 };
- })
- ];
+ };
+ };
 }
diff --git a/modules/nixos/server/web-apps/librechat/default.nix b/modules/nixos/server/web-apps/librechat/default.nix
index 1c51941..1c2cc78 100644
--- a/modules/nixos/server/web-apps/librechat/default.nix
+++ b/modules/nixos/server/web-apps/librechat/default.nix
@@ -23,6 +23,12 @@ mkWebApp {
 default = "mongodb://${config.hostname}:27017/LibreChat";
 };
 extraConfig = {
+ sops.secrets = {
+ "librechat/creds_key" = { };
+ "librechat/creds_iv" = { };
+ "librechat/jwt_secret" = { };
+ "librechat/jwt_refresh_secret" = { };
+ };
 services.librechat = {
 enable = true;
 openFirewall = true;
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 3f71b01..59f8da2 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
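Review bot: `options.server.mountHelios = lib.mkEnableOption "";` in the first hunk of modules/nixos/server/default.nix still has an empty description, so the generated option text reads "Whether to enable ." and says nothing about what the switch does. After this change the flag also declares the `rafiq/oldSMBCredentials` secret and renders the `smb-credentials` template, so the description should say so, for example `lib.mkEnableOption "the helios CIFS mounts under /media/helios and the SMB credentials template they read"`. The `fileSystems` attribute set continues past the end of this hunk.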
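Review bot: The four `librechat/*` entries added under `sops.secrets` in modules/nixos/server/web-apps/librechat/default.nix are declared as `{ }`, so they take the sops-nix defaults (owned by root, mode 0400). How `services.librechat` reads them lies outside this hunk; if the service opens the secret paths as its own unprivileged user, each entry needs an explicit owner, e.g. `"librechat/jwt_secret".owner = "<librechat service user>";`, rather than a looser `mode`. Because these are JWT signing and credential-encryption keys, it may also be worth listing the service unit under `restartUnits`, so that a rotated value replaces the old one without waiting for a manual restart.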
@@ -17,7 +17,6 @@ librechat: creds_iv: ENC[AES256_GCM,data:fbBD9RsuEHwDETwiYtAS9kBxgTy6zubrxHWpcuoEsR0=,iv:uZcwIfDPPn4XUf8IZkI29VH9CiKvEOlWuUaWgSjl1Kc=,tag:qbgiQU7bWSFjoGEwoptCpg==,type:str] jwt_secret: ENC[AES256_GCM,data:ZhDNIXrCaRWWfrlPxpBfnmeUluW0z72KGpQv9mGyf1kCCnfx3V2lPMm6QS6biajC+4oPVfgwqcXc4Lvs8OqU9g==,iv:1Ecj8fh+M5kw8cmVD96U6QgE7fNy9cbQV9v2Q305puc=,tag:U1ZglGWdTH1TGfcIIORMHQ==,type:str] jwt_refresh_secret: ENC[AES256_GCM,data:/4X6h51oRRaOg7UZ/zUcS1L8QyFnhsTYrz8D6R3ZP/tFAEMO/IfYJHHQQ8UtgKjAEwIVYcpIco8lUDhm06folw==,iv:02/LgoiMZ6MzBSd+JAi+iuF3dzqsVyqX6gQfWPY8sIc=,tag:5VrCh7ZKNJD3ynjcyQpVyg==,type:str] - meili_master_key: ENC[AES256_GCM,data:SFBALLqK1Gi5nvh5NyQF6Sr+BQdln4/SUSUGevK04eM=,iv:fElBxrcOCgi3ZO9Jtz2aA6q/S4liHjRpfxSg+LmSu+4=,tag:kx4k2DDm8Kt0KkQl63UMIQ==,type:str] sops: age: - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6 @@ -29,7 +28,7 @@ sops: WXFKbjNMWDF0LzNyekJJMGFva2diemcKQTc8ODuK6IWqRhulHiCF92aU+3p23riY M94Nzh+VT6QTFOgb3J7bBJMLhRH/fkQb6L6ia2n9QrVXFyYYMJ0oBw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-07T06:11:21Z" - mac: ENC[AES256_GCM,data:ntsLgImSp1j4a1D3KxnjxKJW7DHbel1PmuDlDUeMm3zPvqkzo5Hm/sAW/BlcPYsrZPRci1xfxTs2SqUClwgEBvewbrxvP0ELWH+Aq6IC6ckRQe1OUJKHpq+/BnPRyJOXmjjlxNPYoNxmnShDlbI/AaiNLupdNNpgyaobHyRZBUw=,iv:EW/ag6o8UhZbBGhr32VoKkZbM5a43rDbZTmRO2hshQ8=,tag:h4KYFxOQToNQ+hCH+q1Cgg==,type:str] + lastmodified: "2025-06-17T02:15:21Z" + mac: ENC[AES256_GCM,data:rFjFrXeRo5sMGQBR1UjLhJOGs0K/GVhKjhrbnyDq5JiUZRKnDns5JJfhBTwCZXcFXg8shDgj6P+vox+4Tl8PhadWV+s9OZVulvGGahZF39Msb7au7p+S77xVFw35QSB/d9LLEncO2WRyIm8tds18eJ8z3PBvGoad3DGcuLkYdlU=,iv:lUItY1Drr2e1rWLUw8JwdA42UVF1KZL+YMXZRSBIWtU=,tag:esr6v/lkHPcSkY/CP4g88Q==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/systems/x86_64-linux/common.nix b/systems/x86_64-linux/common.nix index 1ac9116..12cda14 100644 --- a/systems/x86_64-linux/common.nix +++ b/systems/x86_64-linux/common.nix 
@@ -9,12 +9,10 @@ in
 email = "rafiq@rrv.sh";
 };
 server.mountHelios = true;
-
+ stylix.base16Scheme = "${pkgs.base16-schemes}/share/themes/atelier-cave.yaml";
 users.defaultUserShell = zsh;
 programs = {
 zsh.enable = true;
 zsh.enableCompletion = true;
 };
-
- nixpkgs.hostPlatform = "x86_64-linux";
 }