feat(nixos): move smb credentials to server module and add librechat secrets

2025-06-17 10:18:25 +08:00 · 2025-06-17 10:18:25 +08:00 · 9c4fd69420
commit 9c4fd69420
parent 8e9af60c16
5 changed files with 30 additions and 43 deletions
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -1,8 +1,7 @@
 {
-  inputs,
  lib,
  config,
-  pkgs,
+  system,
  ...
 }:
 let
@ -56,22 +55,21 @@ in
      "/var/lib/systemd"
      "/var/lib/nixos"
    ];
-    stylix = {
-      enable = true;
-      base16Scheme = "${pkgs.base16-schemes}/share/themes/atelier-cave.yaml";
-    };
-    nixpkgs.config.allowUnfree = true;
-    nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];

+    stylix.enable = true;
+    nixpkgs = {
+      hostPlatform = system;
+      config.allowUnfree = true;
+    };
    nix.settings = {
      experimental-features = [
        "nix-command"
        "flakes"
        "pipe-operators"
      ];
-
      trusted-users = [ "@wheel" ];
    };
+    system.stateVersion = "25.05"; # Did you read the comment?
    time.timeZone = "Asia/Singapore";
    i18n.defaultLocale = "en_US.UTF-8";
    users = {
@ -106,18 +104,6 @@ in
        "rafiq/hashedPassword".neededForUsers = true;
        "rafiq/personalEmailPassword" = { };
        "rafiq/workEmailPassword" = { };
-        "rafiq/oldSMBCredentials" = { };
-        "librechat/creds_key" = { };
-        "librechat/creds_iv" = { };
-        "librechat/jwt_secret" = { };
-        "librechat/jwt_refresh_secret" = { };
-        "librechat/meili_master_key" = { };
-      };
-      templates = {
-        "smb-credentials".content = ''
-          username=rafiq
-          password=${config.sops.placeholder."rafiq/oldSMBCredentials"}
-        '';
      };
    };
    environment.shellInit = # sh
@ -126,6 +112,5 @@ in
        export CVT_JIRA_KEY=$(sudo cat ${config.sops.secrets."keys/cvt-jira".path})
        export CVT_JIRA_LINK=$(sudo cat ${config.sops.secrets."misc/cvt-jira-link".path})
      '';
-    system.stateVersion = "25.05"; # Did you read the comment?
  };
 }
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@ -1,16 +1,15 @@
+{ lib, config, ... }:
 {
-  lib,
-  config,
-  ...
-}:
-{
-  options.server = {
-    mountHelios = lib.mkEnableOption "";
-  };
+  options.server.mountHelios = lib.mkEnableOption "";

-  config = lib.mkMerge [
-    (lib.mkIf config.server.mountHelios {
-      fileSystems."/media/helios/data" = {
+  config = lib.mkIf config.server.mountHelios {
+    sops.secrets."rafiq/oldSMBCredentials" = { };
+    sops.templates."smb-credentials".content = ''
+      username=rafiq
+      password=${config.sops.placeholder."rafiq/oldSMBCredentials"}
+    '';
+    fileSystems = {
+      "/media/helios/data" = {
        device = "//helios/data";
        fsType = "cifs";
        options = [
@ -19,7 +18,7 @@
          "x-systemd.mount-timeout=0"
        ];
      };
-      fileSystems."/media/helios/rafiqcloud" = {
+      "/media/helios/rafiqcloud" = {
        device = "//helios/rafiqcloud";
        fsType = "cifs";
        options = [
@ -29,7 +28,7 @@
          "credentials=${config.sops.templates."smb-credentials".path}"
        ];
      };
-      fileSystems."/media/helios/rafiqmedia" = {
+      "/media/helios/rafiqmedia" = {
        device = "//helios/rafiqmedia";
        fsType = "cifs";
        options = [
@ -39,6 +38,6 @@
          "credentials=${config.sops.templates."smb-credentials".path}"
        ];
      };
-    })
-  ];
+    };
+  };
 }
--- a/modules/nixos/server/web-apps/librechat/default.nix
+++ b/modules/nixos/server/web-apps/librechat/default.nix
@ -23,6 +23,12 @@ mkWebApp {
    default = "mongodb://${config.hostname}:27017/LibreChat";
  };
  extraConfig = {
+    sops.secrets = {
+      "librechat/creds_key" = { };
+      "librechat/creds_iv" = { };
+      "librechat/jwt_secret" = { };
+      "librechat/jwt_refresh_secret" = { };
+    };
    services.librechat = {
      enable = true;
      openFirewall = true;