feat: rekey to include heimdall

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
chore: refactor flake layout
2025-09-18 10:30:22 +02:00 · 2025-09-17 00:24:12 +02:00
10 changed files with 130 additions and 46 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,6 +1,7 @@
 keys:
  - &lander 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
  - &wodan age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh
+  - &heimdall age1qjl8ql869njgtrytle66ylnnvesxje4nt6jayfwru3ghh002nuzs683n3g
  - &db-01 age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn
  - &hosting-01 age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
  - &hosting-02 age1hvrssz7k9akz66evj4kja53zvdtrss8k2ljxsh5myh2mru62sggqznlzrt
@ -11,12 +12,14 @@ creation_rules:
    key_groups:
      - age:
          - *wodan
+          - *heimdall
        pgp:
          - *lander
  - path_regex: hosts/common/optional/secrets.yam?l$
    key_groups:
      - age:
          - *wodan
+          - *heimdall
        pgp:
          - *lander
  - path_regex: hosts/common/servers/secrets.yam?l$
@ -50,5 +53,6 @@ creation_rules:
    key_groups:
      - age:
          - *wodan
+          - *heimdall
        pgp:
          - *lander
--- a/flake.lock
+++ b/flake.lock
@ -414,6 +414,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1757745802,
+        "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1757810152,
@ -587,6 +603,7 @@
        "home-manager": "home-manager",
        "nixos-mailserver": "nixos-mailserver",
        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-unstable": "nixpkgs-unstable",
        "nixvim": "nixvim",
        "sops-nix": "sops-nix",
        "tidalcycles": "tidalcycles"
--- a/flake.nix
+++ b/flake.nix
@ -1,9 +1,10 @@
 {
-  description = "Your new nix config";
+  description = "EscapeAngle's Nix config";

  inputs = {
    # Nixpkgs
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";

    # Secrets
    sops-nix = {
@ -54,8 +55,26 @@
    }@inputs:
    let
      inherit (self) outputs;
+
+      # I only care about linux builds
+      systems = [
+        "aarch64-linux"
+        "x86_64-linux"
+      ];
+
+      forAllSystems = nixpkgs.lib.genAttrs systems;
    in
    {
+      # custom pkgs
+      packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
+
+      formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.alejandra);
+
+      overlays = import ./overlays { inherit inputs; };
+
+      nixosModules = import ./modules/nixos;
+      homeManagerModules = import ./modules/home-manager;
+
      nixosConfigurations = {
        # Workstations
        wodan = nixpkgs.lib.nixosSystem {
--- a/home/lander/global/secrets.yaml
+++ b/home/lander/global/secrets.yaml
@ -1,31 +1,36 @@
 inuits-mail-pass: ENC[AES256_GCM,data:0MqpjT2mmKs9UiY=,iv:yFo08gU4jfocr8yOQKQPBl49lOeE1QZrdsdjjOxp0dE=,tag:o2mOPnNJM0EXvkRep5w92w==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNjFaMmY0cE5QSWZyUmRh
-            VnB1cWJub1lZcWZhQjdJMlJCM0tjV1Eya1RVCjlHODZGQVF6R3N4WDd2dlk5WGRU
-            YlB5eEFDMFcyU1pvM2ZOZjB6dW5uaFkKLS0tIGRvaU1kS2RZc3E0YVUyNy9CSTA0
-            Zm84S0dCNmtUeVJwd3JsZFZTZ0NJUjAKS4z1n4Tns76En2Hj+bzxKK9O/8xKvMIW
-            7frvaBMIIXN2hZkaGbDladav4Z4h858Pr9QG9pSTvIDlVYnapWYyiw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNlo3aFU5cnVUQVNxUDZ5
+            SjY4VndITCtsOSsydkJrWjVJOWQ3aWR6OEZZClNwblVWemdQZTJmclcwSzBZV2xX
+            SXg4dTc1Wkh6NWtpWFhpdnAzZWw5YTgKLS0tIGFUdGtNT09oUlk4MVRNZEtFWVRW
+            K3BWWUdMcG9RVDBROS9sNmJJNkJUQWcK7bQPtL1Bbzm3DPclbxebByXRPlNNIh3f
+            xeH+tVOhPEW6BqjwH3s7GYKtmny+ZpF9ppP+KQjzDQKh7sdZtA9nDg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qjl8ql869njgtrytle66ylnnvesxje4nt6jayfwru3ghh002nuzs683n3g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYWV5aE92eER3ZzZjOWE5
+            M0FMazBmbzRkZ001TitsV3VCWDVRZldIckFNClQ1cm16bVg0QWVKc2RXdmNseTNW
+            d3lvbytHcGFLZFZzYjlkcDdYamlhbW8KLS0tIHZHK1c4cXg1S3Z2aTR4RjN5ZU5Z
+            SVJPeW1XM0RPWWI5L0wzSmFmNWRnZ3MKKbpkILPQB7dpzZQcU45g/4SfCdo8+UJK
+            7hrCYeiae9zHu2CfrZqVMkCnAOpda8lL0INLNnrS9hDRNdk3LBLapQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-09-05T06:11:39Z"
    mac: ENC[AES256_GCM,data:SVdNtwrN7MEtXMdWKLQXR9BRlRaYvOBRDLmoDZMkX3t3dlUMR5m5m/btpal1+nPkYjUk58q0hSGA94BREdDTpMYHmvr0V+tWnKsmE8j7r51plN1Dp/4sfgtZBgaqHD2IRDGLI4pW9GCg2fXIxB+BGC6GNU/ZAVbhB4bmzNfFqOY=,iv:ElCt+fJFSjsykoiIS9XO9ViaBJ02Oi169YnUeHiATPk=,tag:vR/KXyuRMnWtW9uXIHNwUw==,type:str]
    pgp:
-        - created_at: "2024-09-05T06:11:29Z"
+        - created_at: "2025-09-18T08:29:55Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hF4DARdpY4woM6wSAQdAGSK2AVRQnRUm4xQfA3XsO+PMCN9Gss9+jJOKD+npryYw
-            DcwFC5udj+M+XPa3Ggk5WK+vC5hkvUrvwsPqILqzJSv7aiSRqmDyoxTVcsVsIXEP
-            0l4BXgG9tcQMTu5SjVkeVi5YrS+4GPjmSGXUm83BcJ27CHHv9coGu7wb53KotC2N
-            xBNBWLrhn37jXovF2EFAMI/CBXU6svqDKYoFHXZpW06LLw/F7EgKd2zHReRVHuwj
-            =ETqP
+            hF4DARdpY4woM6wSAQdAFEieEviKo3vWoXlyXVCr1dAzMVuVpTlNA1gOflXjz0Yw
+            utn0sKwCWxYVRjzUFNW07c2qsNJcttqXk8+/1NzvnXQDF6NxSm5JO7QKjsx/BTL7
+            0l4B4B1tHqBuNZluTQzKk8sffiqbumUlS5gAWtmxK5DhQ4edgz4aS1ZR2XDTPxBl
+            NddOSjNdUCUGy4+H/GOZgEdbAdhNdyy7Qj9ZiBxIDDjUDTJ0hhIOG+aEv5APrzXm
+            =J41I
            -----END PGP MESSAGE-----
          fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
    unencrypted_suffix: _unencrypted
--- a/hosts/common/global/secrets.yaml
+++ b/hosts/common/global/secrets.yaml
@ -1,31 +1,36 @@
 inuits-mail-pass: ENC[AES256_GCM,data:FgZZfDIPcJc4Vn4=,iv:e5yq7bi6peOrf7eehi0860eEY9dFYFjuVOmGOyxSAKY=,tag:V/hY/9zW5Z7NqhW2fzdt2A==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3amZHakdya085QjRCVWN5
-            OWM0OWh2OVBpYmxYTWVXdXkyck9iVFVJd2dVCk1zU2x0eFNPRmpUcUFTMWpBaHQz
-            a0ZzTEF0TUlkTmpXV1VEN1JaTHQyY3cKLS0tIEttMmE4UGlIU05oNFR3RnZiNkNU
-            Q3UyUzRBZW9YNjlVdDF4akRjcEd5K2MK2c3KfLBgnorRQGvW0AcnJmZTc0rJ9BKi
-            fFuBpIU5GWyd4BvNMF30ChEfJr/CQ3Zh3YEowquVajtBlUGt32nePw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0L0tNblo0dFNPVitHZ09p
+            ZisrQ0ZEbDh3dUZNd3lZYUg5eXNiQytnbVE0CmhJb2tDTUFEeW1jRnhrbnFuaGtm
+            SE1SMzRKY2JFZ05wMUdyclk1dVJvdzAKLS0tIExsbTFBSmc0L0RXVlhEc2xzKzdW
+            eEpDL2IvdlVSRWljZGFIMDVWdXdiUjgKsGY7+Qc2baHCuTeqDokf0rxBOWaFdzbL
+            aDXMGXRMeBWGMMOkKzMNl6+PZOSv4SpwuGYYRoArWpp5AAN0oqeqXw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qjl8ql869njgtrytle66ylnnvesxje4nt6jayfwru3ghh002nuzs683n3g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WkZvT1BCV2tsU2JLN2xV
+            SW1vOU5tdUVzbjFzYXJ5VElyZnhtd0VyV2tnCjJqNEhmanRQUFliQlJWR1Uvc2R6
+            TjBMcFhpZm5qU0dETVNJV2I1K09URE0KLS0tIG0wRXN0ek9TUk8wdWJxMUdkOEcx
+            dXBrM2JSUmlsTk42Rkg4UnRZejNBVUkK7M3m6+h+bcVufwNYTV6aXGiv7CxpR/KZ
+            xPtQXAUX+pGff3Vu6oAT0aYHJbaGbeapNVGtvPSXfl6T5JVUFW74tg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-08-29T14:26:20Z"
    mac: ENC[AES256_GCM,data:4yvj8696SpXsEucOShKjMKIiFcq7L0B6KpH6CFw3aIFslMKa1Wa8aQp64F9pF9grWi9LcXG6btL/iOhPvDXeW1VRwtckzuzhFnI+PMuxJmYVNZHvDkUNBpshCI3BvRzEixpqtwXq36AXtrPoHC39ieQy8EIxpJjMksCODyZyBms=,iv:JcbMRmJwEoRgSx1n9Gb6RzMzZvb/3UiEyk3lBvhYF8I=,tag:BKPx2ZTRkNWRNljkrVyoCA==,type:str]
    pgp:
-        - created_at: "2024-08-29T13:58:05Z"
+        - created_at: "2025-09-18T08:29:31Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hF4DARdpY4woM6wSAQdAwnsdN5NJNjxX8y4uZsQ7KCSSSjsUpN7uCuo634KQPyMw
-            uVb6m7wa3SfMy6ex6QZqvVDr8hIbFhmB7SwQ0EpcnK+axnMn8ni1fsfRY007+H0e
-            0lwBZRErE5y+N+9P16FNnEJfnO2KxtrOIYgIPAeds1mFF6OmbUe5bnWBtl/U74nP
-            XfuG9segRf/1Alma43FlflacJ5koaxwItj8MSVwsG0YX//78O++h5Wy8JnC1QQ==
-            =wZyC
+            hF4DARdpY4woM6wSAQdA+SKggTeVF9E89UzFdgRopXtmDcaVuc9oKKzDlWDpBAsw
+            qbMTw5nN9TejyZtA6Vs0p48xpSARhtOWiMo/MPfTjtqtYk8/2M7ZCnbqQKLYR23e
+            0l4B1PkPKPd3zA49sWSDM4QdDLK7GUxTrTorR/7NWKtmp7o5VtC9YMv0Nq1s6rn0
+            q1+CoieqEDGBmcvOk5K9eRaqWCd5Gt4bsSOdrzAi2mWE+e0+VkNTzpsUKLZq1fFP
+            =7Bvu
            -----END PGP MESSAGE-----
          fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
    unencrypted_suffix: _unencrypted
--- a/hosts/common/optional/secrets.yaml
+++ b/hosts/common/optional/secrets.yaml
@ -2,32 +2,37 @@ restic-environment: ENC[AES256_GCM,data:CkgRnXNGAsVlWWPj4pvADpNTPyufafaO745vySUB
 restic-password: ENC[AES256_GCM,data:BsJ7fkoeZHxGbKP7YGuD13s1feYWeVj+hg==,iv:vmpWp/vWBt2bw61p43HTp7fuTKOX4k7io/HGt4yPPo4=,tag:f3pfbcWqccKJ1fI00AyKLA==,type:str]
 restic-repository: ENC[AES256_GCM,data:GAm8+hE96byqeyIb9qQ7QCstBYd0j+WIXp69quZ/f8joH2fUst/Kxb18mOKQozlu6Q==,iv:VQYZmGv+fyyYWUeAQTNiwxhAwR6o0LRw2s6G4lYkkDQ=,tag:P0bAsB3Wp9Vw7YH73XspIg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5Q1BObXBYUFhXdStEbWFa
-            Z29mZXp6NkJZbitZcjhibkl4UGlBazV2MGc4CklZSG82bU9oMUt1WUpUamt2QmpS
-            VDBqWHBQZGl0YUtXOTFSOThOeGk1YmMKLS0tIFJkSlhibVFwVnl0WHl4aUd4ajRm
-            RWRuU0tKTzNQb0hwZHZJYlhjZ2lJYkUK6T9iTfsfgajho1UUgcYTQa3ppT0CaoT7
-            rVLOyhLGHZLoBkmAm0gTJ1SOFHOyYZMbRMvN2saSLgMIiCuvXm4eEg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWlLQXNWQnV5T1pJbGcy
+            R0lBY1M2WHVwU3BZeDk3QU4vckJhTUVhK1g4Cml0Mk50cDQwZlIwc2lxb0JwTGRK
+            YWRZWHZITGxsZFltbDBtb3AzVEx6S0EKLS0tIERvaUVheXl4NUlPS1pZNFlxQnVm
+            MlM1Ynord1JlWU1WYVJldDNXODdyTGMKyODudvM+gyGRaJgAcG+Fz1M5Ru7RfpPx
+            rIseYmLvyFjTqGQmXkV5oGwqq5jEZlJwBbxEjl9mHKRiYMjC//8Jtg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qjl8ql869njgtrytle66ylnnvesxje4nt6jayfwru3ghh002nuzs683n3g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZERqL2Y0M0Nvdk1RbU5Q
+            VEJYRGFBR29mQ01pZjd3UE0xUjRUZEU2cGlBClhVc0xNSm1PME80eVJoc0FObk5T
+            djlWUis5MHRCbDRKMkFpRHA1TldUWmMKLS0tIGNRL0JwVW9DSXR4czhHYjlSZHJJ
+            Sm0wclJuU2pZTnVKM1pPMFdkQ3QycHcKTrZzAZsH1fuwUyS7eWBDhuYX42puSRvX
+            WD+tDdWWSBjUWOxgnA9x9c+eHvKvydK2Ztuo5yFX61b2uP9aMkrVTg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-01-13T17:47:53Z"
    mac: ENC[AES256_GCM,data:qKEbUu0/kt4eM7JXCOl73hJ3IuHr6kr3A7Y0xdXKZ0A/5Ex2F2dgLRTtmFeEMdmm77dYr6PLm8u+eQ+FmpuMb59+q1Y3k/IUpaQXfBJ6qtQCX5lOxJrE9VpR84OIDVQZ7pKclXuNfc6H+MKlGEbmVRnpdJrd6lWxIkpgwmBLBRc=,iv:xh6ywlS7sn/BVpYpej7mmxV/Be33wvQYn/8glbMLnrA=,tag:iIixjf9VZ6OuP5Pgw0w/WA==,type:str]
    pgp:
-        - created_at: "2025-01-13T15:15:34Z"
+        - created_at: "2025-09-18T08:29:44Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hF4DARdpY4woM6wSAQdAwVc6Y2JuSKZ+CfVXGcZwXGLPxd4qzYEYCXeVw6fUMn0w
-            8nCY3GAdJR2doPeQFtakqulb6sNH+sA2eGSUS1B+MQ7HpxkungLAbWI0wpFYwnfw
-            0lwB5Zz4+rRkhPTqQNudTSBHX018kR5/A6/jLslox6vaKesyPIFSMejJqFp3hmHu
-            3QoK0HNLTCgmUw4OZsYtgPLw00KxDYNbUN6JY9H/MOuBT3Uwe4y8HXlffPXr1w==
-            =Csbt
+            hF4DARdpY4woM6wSAQdAhtZLnsE71OX18DaQHEW/BMpS/HtQyKCToYUxKgfmV1cw
+            Cq2OA4I2a/QN/uZeJVAkHjTrasTAK+g2AV5dKjQY2gnD0UXJFDgX9EtpjCPXnMWH
+            0l4BNn+Alhf6CBs4k8WOVDV5+rtJRBrmfmMTutQ48279G0JNGEO1MrH8oC6uHzfF
+            8SO4niqVL+jE6faaLlEktcVJUTs0HOHlmR7wmF5RHowgVbmYb6OJocv7cqgodhBR
+            =Dh78
            -----END PGP MESSAGE-----
          fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
    unencrypted_suffix: _unencrypted
--- a/modules/home-manager/default.nix
+++ b/modules/home-manager/default.nix
@ -0,0 +1,3 @@
+{
+  # my-module = import ./my-module.nix;
+}
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -0,0 +1,3 @@
+{
+  # my-module = import ./my-module.nix
+}
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -0,0 +1,20 @@
+{ inputs, ... }:
+{
+  # Import custom packages
+  additions = final: _prev: import ../pkgs final.pkgs;
+
+  # Add modifications here:
+  modifications = final: prev: {
+    # example = prev.example.overrideAttrs (oldAttrs: rec {
+    # ...
+    # });
+  };
+
+  # add nixpkgs unstable (accessible through pkgs.unstable)
+  unstable-packages = final: _prev: {
+    unstable = import inputs.nixpkgs-unstable {
+      system = final.system;
+      config.allowUnfree = true;
+    };
+  };
+}
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -0,0 +1,3 @@
+pkgs: {
+  # example = pkgs.callPackage ./example { };
+}
Author	SHA1	Message	Date
Lander Van den Bulcke	eb1d4559a0	feat: rekey to include heimdall Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>	2025-09-18 10:30:22 +02:00
Lander Van den Bulcke	105f613c6b	chore: refactor flake layout Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>	2025-09-17 00:24:12 +02:00