From 6f92df983e55dda4cfbda2887c3f77c4668d06d4 Mon Sep 17 00:00:00 2001
From: John Bargman
Date: Sat, 30 Nov 2024 17:46:20 +0000
Subject: engage secrix

---
 flake.nix | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

(limited to 'flake.nix')

diff --git a/flake.nix b/flake.nix
index 4f7d5f9..4853a38 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,14 +3,15 @@
 # TODO: cgit, ejabber signup
 inputs = {
 nixinate.url = "github:matthewcroughan/nixinate";
- agenix.url = "github:ryantm/agenix";
+ secrix.url = "github:platonic-systems/secrix";
 nixpkgs_unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
 simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
 };
- outputs = inputs@{ self, nixpkgs, agenix, nixinate, nixpkgs_unstable, simple-nixos-mailserver }:
+ outputs = inputs@{ self, nixpkgs, secrix, nixinate, nixpkgs_unstable, simple-nixos-mailserver }:
 let
+ inherit (inputs.secrix) secrix;
 pkgs = nixpkgs.legacyPackages.x86_64-linux;
 webroot = "${self}/webroot";
 fqdn = "crashoverburn.com";
@@ -18,7 +19,7 @@
 in
 {
 formatter.x86_64-linux = pkgs.nixpkgs-fmt;
- apps.x86_64-linux = (inputs.nixinate.nixinate.x86_64-linux inputs.self).nixinate;
+ apps.x86_64-linux = (inputs.nixinate.nixinate.x86_64-linux inputs.self).nixinate // ({ secrix = secrix self; });
 devShell.x86_64-linux = pkgs.mkShell {
 buildInputs = with pkgs; [ figlet tmux ];
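Review bot: The `inherit (inputs.secrix) secrix;` binding added to the `let` shadows the `secrix` formal introduced in the `outputs` pattern one line above, so the same name means the flake input at the signature and the app-builder function in the body; the formal itself is not used anywhere in this hunk (the module is referenced via `inputs.secrix` elsewhere). Either drop it from the pattern, `outputs = inputs@{ self, nixpkgs, nixinate, nixpkgs_unstable, simple-nixos-mailserver }:`, or name the binding distinctly, e.g. `secrixApp = inputs.secrix.secrix;`, and call `secrixApp self` on the apps line. A short comment on that line, `# merge the secrix CLI app (nix run .#secrix) used to manage this flake's secrets`, would explain what `secrix self` is, since it reads as an opaque call.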
@@ -60,25 +61,34 @@
 nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
- agenix.nixosModules.default
 simple-nixos-mailserver.nixosModule
+ inputs.secrix.nixosModules.default
 ./openstack.nix
 ./users/commander.nix
- (import ./services/cgit.nix { inherit pkgs; inherit fqdn; })
+ (import ./services/cgit.nix { fqdn = "code.${fqdn}"; })
+ (import ./services/murmur.nix { fqdn = "mumble.${fqdn}"; })
 (import ./services/website.nix { inherit webroot; })
 (import ./services/ejabberd.nix { inherit fqdn; })
- (import ./services/mailserver.nix { inherit pkgs; inherit hashedPasswordFile; })
+ (import ./services/mailserver.nix { inherit hashedPasswordFile; })
 ./machines/overburn-1.nix
 {
+ secrix.hostPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3ElH/WQjW3B2yUBFFPpF8IIHsYrHODwTid6YM2npiw root@web-crash-over-burn";
+ secrix.defaultEncryptKeys = {
+ crash = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhzz/CAb74rLQkDF2weTCb0DICw1oyXNv6XmdLfEsT5 crash@crashoverburn.com" ];
+ };
 imports = [ "${nixpkgs}/nixos/modules/virtualisation/openstack-config.nix" ];
- _module.args.nixinate = {
- host = "193.16.42.36";
- sshUser = "commander";
- substituteOnTarget = true;
- hermetic = true;
- buildOn = "local";
+ _module.args =
+ {
+ inherit self;
+ nixinate = {
+ host = "193.16.42.36";
+ sshUser = "commander";
+ substituteOnTarget = true;
+ hermetic = true;
+ buildOn = "local";
+ };
 };
 }
 ];
-- 
cgit v1.2.3
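Review bot: `hashedPasswordFile` is still passed to `./services/mailserver.nix` while `agenix.nixosModules.default`, which presumably materialised that path, is dropped from the same module list and no secrix secret is declared here to replace it; if the binding (defined above this hunk) still points at an agenix-managed path, the mail server will reference a file that no longer exists on the host after activation. Confirm it is now derived from secrix's secret options before deploying. Pinning `secrix.hostPubKey` is the right way to avoid trust-on-first-use on the deploy path, but the literal deserves a provenance comment such as `# overburn-1's ssh host key; secrets encrypted to it must be re-encrypted if the host is reprovisioned`. The `nixosSystem` call this hunk edits belongs to an attribute whose definition starts above the hunk.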