commit 55f7d7d529664abc05737ba4edba6755e838d735
parent 3f30aa5e1d21406d956256cb54683fbfa8f353ff
Author: Katja (zaphyra) <git@ctu.cx>
Date: Wed, 4 Jun 2025 12:34:59 +0200
parent 3f30aa5e1d21406d956256cb54683fbfa8f353ff
Author: Katja (zaphyra) <git@ctu.cx>
Date: Wed, 4 Jun 2025 12:34:59 +0200
fix sops foo
10 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/config/nixos/modules/presets/katja/dnsServer.nix b/config/nixos/modules/presets/katja/dnsServer.nix
@@ -104,6 +104,7 @@ in
 in {
+ systemd.services.knot.after = [ "sops-install-secrets.service" ];
 sops.secrets.knotKeys = lib.mkIf cfg.isPrimary { owner = "knot"; group = "knot";
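Review bot: `systemd.services.knot.after` on the added line is an ordering edge only; if `sops-install-secrets.service` is not pulled into the same transaction, or fails, knot still starts without its key files. Pairing it with `wants` (or `requires` where starting without the key must be fatal) makes the dependency explicit: `systemd.services.knot = { after = [ "sops-install-secrets.service" ]; wants = [ "sops-install-secrets.service" ]; };`. The same applies to the dovecot, radicale, gotosocial and vaultwarden lines in mailServer.nix, dav.zaphyra.eu.nix, fedi.ctu.cx.nix, gts.zaphyra.eu.nix and vault.zaphyra.eu.nix. The secret below is gated on `cfg.isPrimary` while the ordering is unconditional; harmless, but putting both under the same `lib.mkIf` keeps them together. The enclosing attribute set continues outside the hunk.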
diff --git a/config/nixos/modules/presets/katja/mailServer.nix b/config/nixos/modules/presets/katja/mailServer.nix
@@ -139,6 +139,8 @@ in
 }; }) cfg.extraDomains);
+
+ systemd.services.dovecot.after = [ "sops-install-secrets.service" ];
 sops.secrets = { "mailPasswords/katja@zaphyra.eu" = { }; "mailPasswords/gts@zaphyra.eu" = { };
@@ -191,7 +193,6 @@ in
 } ];
- security.acme.certs."${cfg.hostName}".reloadServices = [ "postfix.service" "dovecot2.service"
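Review bot: The new ordering targets `systemd.services.dovecot`, while the line removed in the second hunk refers to the same daemon as `dovecot2.service`. If the unit in this nixpkgs pin is still named dovecot2, the added line most likely generates a separate empty unit and the real daemon stays unordered against `sops-install-secrets.service`; using one unit name in both places, e.g. `systemd.services.dovecot2.after = [ "sops-install-secrets.service" ];`, removes the ambiguity. The second hunk drops the `reloadServices` definition for the ACME certificate; unless it was moved elsewhere, renewed certificates are no longer followed by a reload of Postfix and Dovecot, and the list items `"postfix.service"` and `"dovecot2.service"` that remain should be checked to still belong to a definition. Both hunks' enclosing attribute sets start outside the hunk.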
diff --git a/config/nixos/modules/services/gotosocial.nix b/config/nixos/modules/services/gotosocial.nix
@@ -133,7 +133,7 @@ in
 gotosocial = { description = "GoToSocial ActivityPub Server"; wants = [ "network-online.target" ];
- after = [ "network-online.target" ];
+ after = [ "network-online.target" "sops-install-secrets.service" ];
 wantedBy = [ "multi-user.target" ]; environment = { GTS_WAZERO_COMPILATION_CACHE = "${cfg.stateDir}/.cache";
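Review bot: The ordering added to `after` here is also set on the same unit by `systemd.services.gotosocial.after` in fedi.ctu.cx.nix and gts.zaphyra.eu.nix; the lists merge, so nothing breaks, but the service module is the natural owner of this dependency and the two website-module lines can be dropped. As with the other `after` entries in this commit, the edge does not pull the secrets unit in; extending the `wants` line just above to `wants = [ "network-online.target" "sops-install-secrets.service" ];` keeps the dependency explicit. The `gotosocial = {` unit definition continues outside the hunk.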
diff --git a/config/nixos/modules/services/openssh.nix b/config/nixos/modules/services/openssh.nix
@@ -36,7 +36,18 @@ in
 }; };
- sops.age.sshKeyPaths = [ "/var/lib/sshd/ed25519_hostkey" ];
+
+ # this is required because the secrets need to be decryped before the users get created
+ # but the impermanence bind-mounts get created _after_ the user creation...
+ sops.age.sshKeyPaths = [
+ (
+ if config.modules.filesystem.impermanence.system.enable then
+ "/nix/persist/system/var/lib/sshd/ed25519_hostkey"
+ else
+ "/var/lib/sshd/ed25519_hostkey"
+ )
+ ];
+ modules.filesystem.impermanence.system.dirs = [ "/var/lib/sshd" ]; services.openssh = {
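Review bot: The persist root `/nix/persist/system` is hard-coded in the new `if` branch while the bind mount for the same directory is requested through `modules.filesystem.impermanence.system.dirs`; if that module exposes its persist root as an option, the path should be built from it so the two cannot drift, since a host with a different root would otherwise point sops-nix at a missing age identity. `decryped` in the first added comment should read `decrypted`, and the comment would be more useful if it also stated that this is the same key file as `/var/lib/sshd/ed25519_hostkey`, only reached before the bind mount exists. The surrounding attribute set starts before the hunk and continues after it.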
diff --git a/config/nixos/modules/services/systemd-oomd.nix b/config/nixos/modules/services/systemd-oomd.nix
@@ -17,6 +17,8 @@ in
 }; config = lib.mkIf cfg.enable {
+
+ systemd.services.systemd-oomd.after = [ "systemd-sysusers.service" ];
 systemd.oomd = { enable = true; enableUserSlices = true;
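Review bot: The added `systemd.services.systemd-oomd.after` line has no comment saying why an early-boot unit must wait for `systemd-sysusers.service`, and it is inert on hosts where that unit is not part of boot (if users are created by the activation script instead). A one-line comment above it, such as `# oomd runs before sysinit and needs its service user to exist already`, adjusted to the actual reason, would make the intent clear; this is also the only hunk unrelated to the sops ordering the commit title describes. The `config = lib.mkIf cfg.enable {` set continues outside the hunk.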
diff --git a/config/nixos/modules/sops.nix b/config/nixos/modules/sops.nix
@@ -22,7 +22,6 @@ in
 config = lib.mkIf cfg.enable { sops = { defaultSopsFile = inputs.self.sopsSecrets.${config.networking.hostName};
- age.sshKeyPaths = [ "/etc/ssh/ed25519_hostkey" ];
 }; };
diff --git a/config/nixos/modules/websites/dav.zaphyra.eu.nix b/config/nixos/modules/websites/dav.zaphyra.eu.nix
@@ -41,6 +41,7 @@ in
 } ];
+ systemd.services.radicale.after = [ "sops-install-secrets.service" ];
 sops.secrets = { "resticPasswords/radicale" = { }; radicaleUsers = {
diff --git a/config/nixos/modules/websites/fedi.ctu.cx.nix b/config/nixos/modules/websites/fedi.ctu.cx.nix
@@ -41,6 +41,7 @@ in
 dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ];
+ systemd.services.gotosocial.after = [ "sops-install-secrets.service" ];
 sops.secrets = { "resticPasswords/gotosocial" = { }; "environments/gotosocial" = {
diff --git a/config/nixos/modules/websites/gts.zaphyra.eu.nix b/config/nixos/modules/websites/gts.zaphyra.eu.nix
@@ -41,6 +41,7 @@ in
 dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ];
+ systemd.services.gotosocial.after = [ "sops-install-secrets.service" ];
 sops.secrets = { "resticPasswords/gotosocial" = { }; gotosocialEnv = {
diff --git a/config/nixos/modules/websites/vault.zaphyra.eu.nix b/config/nixos/modules/websites/vault.zaphyra.eu.nix
@@ -47,6 +47,7 @@ in
 } ];
+ systemd.services.vaultwarden.after = [ "sops-install-secrets.service" ];
 sops.secrets = { "resticPasswords/vaultwarden" = { }; "environments/vaultwarden" = {