diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index 835dd06..0000000 --- a/.sops.yaml +++ /dev/null @@ -1,7 +0,0 @@ -keys: - - &rafiq age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6 -creation_rules: - - path_regex: \.(yaml)$ - key_groups: - - age: - - *rafiq diff --git a/flake.lock b/flake.lock index d5e0ec6..e3a940a 100644 --- a/flake.lock +++ b/flake.lock @@ -215,31 +215,10 @@ "import-tree": "import-tree", "make-shell": "make-shell", "nixpkgs": "nixpkgs", - "sops-nix": "sops-nix", "systems": "systems", "text": "text" } }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751606940, - "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index eafeae6..53bc0fa 100644 --- a/flake.nix +++ b/flake.nix @@ -21,11 +21,6 @@ }; # impermanence provides a nice abstraction over linking files from /persist impermanence.url = "github:nix-community/impermanence"; - # sops-nix lets us version control secrets like passwords and api keys - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; # import-tree imports all nix files in a given directory. import-tree.url = "github:vic/import-tree"; # files lets us write text files and automatically add checks for them diff --git a/nix/flake-parts/meta.nix b/nix/flake-parts/meta.nix index 4398cfb..e7659e6 100644 --- a/nix/flake-parts/meta.nix +++ b/nix/flake-parts/meta.nix @@ -1,16 +1,8 @@ -{ - lib, - config, - inputs, - ... -}: +{ lib, inputs, ... }: let inherit (lib.options) mkOption; inherit (lib.types) path lazyAttrsOf raw; inherit (inputs.flake-parts.lib) mkSubmoduleOptions; - inherit (cfg.lib.attrsets) firstAttrNameMatching; - cfg = config.flake; - username = firstAttrNameMatching (_: v: v.primary or false) cfg.manifest.users; in { options.flake = mkSubmoduleOptions { @@ -22,13 +14,5 @@ in type = path; default = ""; }; - admin = mkOption { - type = lazyAttrsOf raw; - default = { }; - }; - }; - - config.flake.admin = cfg.manifest.users.${username} // { - inherit username; }; } diff --git a/nix/lib/attrsets.nix b/nix/lib/attrsets.nix deleted file mode 100644 index 1361c2a..0000000 --- a/nix/lib/attrsets.nix +++ /dev/null @@ -1,54 +0,0 @@ -{ lib, ... }: -let - inherit (builtins) attrNames head; - inherit (lib.trivial) pipe; - inherit (lib.attrsets) filterAttrs; -in -{ - flake.lib.attrsets = { - /** - `firstAttrNameMatching pred set` filters an attribute set `set` based on a predicate `pred` - and returns the *first* attribute name that satisfies the predicate. - - # Example - - ```nix - let - mySet = { - a = { value = 1; }; - b = { value = 2; }; - c = { value = 3; }; - }; - - isGreaterThanOne = name: value: value.value > 1; - - result = firstAttrNameMatching isGreaterThanOne mySet; - - in - result - # Output: "b" - ``` - - # Type - - ``` - firstAttrNameMatching :: (String -> Any -> Bool) -> AttrSet -> String - ``` - - # Arguments - - pred - : A function that takes an attribute name and its value and returns a boolean. - - set - : The attribute set to filter. - */ - firstAttrNameMatching = - pred: set: - pipe set [ - (filterAttrs pred) - attrNames - head - ]; - }; -} diff --git a/nix/lib/modules.nix b/nix/lib/modules.nix index 0d5b50b..28b6a0b 100644 --- a/nix/lib/modules.nix +++ b/nix/lib/modules.nix @@ -1,41 +1,10 @@ { lib, config, ... }: let cfg = config.flake; - inherit (builtins) foldl' attrNames; inherit (lib.attrsets) mapAttrs; in { flake.lib.modules = { - /** - Fold over the users list and create an attribute set. - - # Inputs - - `f` - - : A function that takes the name of a user and returns an attribute set. - - # Type - - ``` - userListToAttrs :: (String -> AttrSet) -> AttrSet - ``` - - # Examples - :::{.example} - ## `userListToAttrs` usage example - - ```nix - flake.manifest.users.rafiq = { ... }; - flake.modules.homeManager.users = userListToAttrs (name: { - ${name}.home.username = name; - }); - => flake.modules.homeManager.default.users.rafiq.home.username = "rafiq"; - ``` - - ::: - */ - userListToAttrs = f: foldl' (acc: elem: acc // (f elem)) { } (attrNames cfg.manifest.users); /** Return an attribute set for use with a option that needs to be used for all users. diff --git a/nix/modules/secrets.nix b/nix/modules/secrets.nix deleted file mode 100644 index 5d76562..0000000 --- a/nix/modules/secrets.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ - config, - inputs, - lib, - ... -}: -let - cfg = config.flake; - inherit (builtins) readFile; - inherit (lib.meta) getExe; - inherit (lib.strings) trim; - inherit (cfg.admin) username pubkey; -in -{ - flake.modules.nixos.default = - { config, ... }: - { - imports = [ inputs.sops-nix.nixosModules.sops ]; - config.sops = { - defaultSopsFile = "${cfg.root}/secrets/secrets.yaml"; - age.sshKeyPaths = [ - "/persist${config.users.defaultUserHome}/${username}/.ssh/id_ed25519" - ]; - }; - }; - perSystem = - { pkgs, ... }: - { - files.files = [ - { - path_ = ".sops.yaml"; - drv = - pkgs.writeText ".sops.yaml" # yaml - '' - keys: - - &${username} ${trim ( - readFile "${ - pkgs.runCommand "" { } '' - mkdir $out; echo ${pubkey} | ${getExe pkgs.ssh-to-age} > $out/agepubkey - '' - }/agepubkey" - )} - creation_rules: - - path_regex: \.(yaml)$ - key_groups: - - age: - - *${username} - ''; - } - ]; - }; -} diff --git a/nix/modules/users.nix b/nix/modules/users.nix index 1b43eb6..c6e74e6 100644 --- a/nix/modules/users.nix +++ b/nix/modules/users.nix @@ -1,7 +1,7 @@ { config, lib, ... }: let cfg = config.flake; - inherit (cfg.lib.modules) userListToAttrs forAllUsers'; + inherit (cfg.lib.modules) forAllUsers'; inherit (lib.lists) optional; in { @@ -19,17 +19,13 @@ in mutableUsers = false; groups.users.gid = 100; users = forAllUsers' ( - name: value: { + _: value: { isNormalUser = true; - hashedPasswordFile = config.sops.secrets."${name}/hashedPassword".path; extraGroups = optional (value.primary or false) "wheel"; openssh.authorizedKeys.keys = [ value.pubkey ]; } ); }; - sops.secrets = userListToAttrs (name: { - "${name}/hashedPassword".neededForUsers = true; - }); home-manager.users = forAllUsers' ( name: _: { home.username = name; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml deleted file mode 100644 index 76fe7e0..0000000 --- a/secrets/secrets.yaml +++ /dev/null @@ -1,18 +0,0 @@ -rafiq: - password: ENC[AES256_GCM,data:8KAfatz+YSaNozd5VGo=,iv:LNRxt47iBKSWzMZuBHSxv/qDZ2h6JiTIPps7OK/o7uU=,tag:oiSfLyRVswb/wxSTE69QMA==,type:str] - hashedPassword: ENC[AES256_GCM,data:NogYQ3kR1TseC79HIXARrXhIncCnvxzf9zMF2QrUyTmojTffPXRGtMdjNpfMEFj5dkKfZujBL/QTIpPFFTm1py7Dreg5/9VSKQ==,iv:IwfZsrsJbLYG1ELte6aBHUtff6hIQu9rHT5tSvILIGQ=,tag:oav3paDcUY+cl4FJlZa90A==,type:str] -sops: - age: - - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVd09tYkhKUkVjNTBRdld6 - a1RkUnZqdnRqMlFTSGgwUFVCZlRhL0tLTnpVCjNXVjZldzNUOE9DQ0ZGejhWakY2 - TmRIZnpobE0ydDhNSDdJQUp2U3pSTzgKLS0tIDkxU3Fxa2lMUkhZY0g1Wm02T2ZE - UkQwOWZtVXVPSGJiRk1qRHVHYkN2cDgKLiYiA0q5se/oHfGRqvHLn3gRRDfmefEZ - z2U2N1Tjt0QgCfYOOXVfPV9F36a7PpabFva5ElSazawHgvI+Bot6og== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-07T08:56:26Z" - mac: ENC[AES256_GCM,data:2uGjIMxRgk7uWToQC4MrHpHFAt4bI7sEhaHvPU6Ae3bvRVH/TdJxZtikSPe95LEwReOuBmPajbcM580/d3Jt6VbA7nZzj1JduVscrRkSAFCzZp9Ti/mbOGITPJa6xWSGwVF1wSN3BnHXYIHDcKeSGtUdP7L7nBZr1KXPkok4NCo=,iv:+ELIes7lzb8M6CvOemAcyoq7Rx7L6NkNmHwntJN/RSc=,tag:ubyxO6VllH9cQK3VbvxiGg==,type:str] - unencrypted_suffix: _unencrypted - version: 3.10.2