diff --git a/.sops.yaml b/.sops.yaml
index 10d7d4c..a4ce7d2 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,6 +7,8 @@ creation_rules: key_groups: - age: - *primary + - *loptland + - *nixberry - path_regex: secrets/secrets-loptland.yaml$ key_groups:
diff --git a/flake.lock b/flake.lock
index a9f9c8b..f494242 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1102,16 +1102,17 @@ ] }, "locked": { - "lastModified": 1764601009, - "narHash": "sha256-HjJyqKbxBoTM8QYo+Rw8htqXI/lVvgfieKiET20jscM=", + "lastModified": 1764618171, + "narHash": "sha256-+rEb55Uuz5GEwJXf9nWwNTDvWjDCGTzux68wgnnZLO8=", "owner": "nix-community", "repo": "nh", - "rev": "1e09253fabb56ce3b14a89f18685b7b0d4ffd200", + "rev": "f1d08030e1ca3829fa26f9bc720119b62f5b09f0", "type": "github" }, "original": { "owner": "nix-community", "repo": "nh", + "rev": "f1d08030e1ca3829fa26f9bc720119b62f5b09f0", "type": "github" } },
diff --git a/flake.nix b/flake.nix
index c9725bb..ad06ea5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,7 +31,7 @@ }; nh-flake = {
- url = "github:nix-community/nh";
+ url = "github:nix-community/nh/f1d08030e1ca3829fa26f9bc720119b62f5b09f0"; inputs.nixpkgs.follows = "nixpkgs-unstable"; };
diff --git a/modules/base/system/nixdaemon.nix b/modules/base/system/nixdaemon.nix
index 60626fe..de8e71a 100644
--- a/modules/base/system/nixdaemon.nix
+++ b/modules/base/system/nixdaemon.nix
@@ -41,7 +41,7 @@ username ] ++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner"
- ++ lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator hydra-queue-runner";
+ ++ lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator"; in { nix-path = "nixpkgs=flake:nixpkgs";
diff --git a/modules/hosts/loptland/default.nix b/modules/hosts/loptland/default.nix
index 10020f3..43d7925 100644
--- a/modules/hosts/loptland/default.nix
+++ b/modules/hosts/loptland/default.nix
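Review bot: The two recipients added here (`*loptland`, `*nixberry`) widen the creation rule that sits above the `secrets/secrets-loptland.yaml` rule; its `path_regex` is outside the hunk, but the new `secrets/secrets.yaml` in this commit is encrypted to exactly three age keys, so presumably that is the file it covers. That file carries a `remotebuild.private-key` entry alongside the `hydra.remotebuild.private-key` that `modules/hosts/loptland/default.nix` and `modules/server/hydra.nix` actually reference from the loptland file; if both hold the same SSH key, the client key that authenticates loptland's queue runner to nixberry becomes decryptable by nixberry itself, which a client key never needs. Consider dropping the unreferenced copy from `secrets/secrets.yaml`, or routing it through a rule without `*nixberry`, and recording the intent on the rule, e.g. `# shared file: only secrets every listed host must read (passwordHash); per-host keys live in secrets-<host>.yaml`.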
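Review bot: The replacement line still packs three account names into one list element, `"hydra hydra-www hydra-evaluator"`, which only works because the setting is flattened into a space-separated string when nix.conf is rendered; anything that treats it as a list (`lib.elem`, `lib.unique`, an assertion) sees a single odd entry. `++ lib.optionals config.services.hydra.enable [ "hydra" "hydra-www" "hydra-evaluator" ];` yields one element per user and reads as intended; the `"gitea-runner"` line above has the same shape and could move to `lib.optionals` for consistency. Which setting this list feeds is outside the hunk; the `nix-path` key that follows suggests `nix.settings`, and if it is `trusted-users` a short comment on why each service account needs it would help, since trusted users can bypass sandbox and substituter restrictions on the daemon. The enclosing `let` block starts before the hunk.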
@@ -1,12 +1,7 @@
-{
- config,
- ...
-}:
-let
-in
-{
+topLevel: { flake.modules.nixos."hosts/loptland" = {
+ config, inputs, lib, pkgs,
@@ -25,7 +20,7 @@ in environment.systemPackages = [ pkgs.dconf ]; imports =
- with config.flake.modules.nixos;
+ with topLevel.config.flake.modules.nixos; [ (modulesPath + "/profiles/qemu-guest.nix") inputs.catppuccin.nixosModules.catppuccin
@@ -50,7 +45,7 @@ in ++ [ { home-manager.users.cholli = {
- imports = with config.flake.modules.homeManager; [
+ imports = with topLevel.config.flake.modules.homeManager; [ inputs.catppuccin.homeModules.catppuccin # components
@@ -80,6 +75,14 @@ in 443 ];
+ sops.secrets = {
+ "hydra/remotebuild/private-key" = {
+ inherit sopsFile;
+ owner = config.systemd.services.hydra-queue-runner.serviceConfig.User;
+ mode = "0400";
+ };
+ };
+ nix = { distributedBuilds = true;
@@ -103,7 +106,7 @@ in { hostName = "nixberry"; sshUser = "remotebuild";
- sshKey = "/root/.ssh/remotebuild";
+ sshKey = config.sops.secrets."hydra/remotebuild/private-key".path; systems = [ "aarch64-linux" ]; protocol = "ssh";
diff --git a/modules/server/factorio-server.nix b/modules/server/factorio-server.nix
index 3339e4a..a68a0d7 100644
--- a/modules/server/factorio-server.nix
+++ b/modules/server/factorio-server.nix
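Review bot: `sshKey` for the `nixberry` build machine now comes from sops, but the entry still does not pin the builder's host key — no `publicHostKey` appears in the lines shown (the attribute set continues past the hunk) — so verification of the remote build channel, which carries build inputs and is where this private key is used, falls back to whatever root's `known_hosts` happens to contain, and this diff does not manage that file. Setting `publicHostKey = "<NIXBERRY_HOST_PUBLIC_KEY_BASE64>";` (the base64 of nixberry's host public key file, as `nix.buildMachines` documents) makes a changed or substituted host key a hard failure. The `sops.secrets` entry in the previous hunk also deserves a line explaining its readers, since the owner is the queue-runner user while `sshKey` is read by the nix daemon as root, which works only because root ignores the `0400` mode: `# read by nix-daemon (root) for distributedBuilds and by hydra-queue-runner via its ssh config`.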
@@ -20,21 +20,25 @@ inherit sopsFile; }; };
- templates."extraSettingsFile.json".content = ''
- {
- "name": "Pyanodons Holli",
- "description": "Trying to run a factorio-headless-server on my nix system",
- "tags": ["vanilla"],
- "max_players": 10,
- "game_password": "${config.sops.placeholder."factorio/game_password"}",
- "allow_commands": "admins-only",
- "autosave_slots": 5,
- "ignore_player_limit_for_returning_players": true,
- "username" : "${config.sops.placeholder."factorio/username"}",
- "token": "${config.sops.placeholder."factorio/token"}"
- }
- '';
- templates."extraSettingsFile.json".mode = "0444";
+ templates."extraSettingsFile.json" = {
+ content = ''
+ {
+ "name": "Pyanodons Holli",
+ "description": "Trying to run a factorio-headless-server on my nix system",
+ "tags": ["vanilla"],
+ "max_players": 10,
+ "game_password": "${config.sops.placeholder."factorio/game_password"}",
+ "allow_commands": "admins-only",
+ "autosave_slots": 5,
+ "ignore_player_limit_for_returning_players": true,
+ "username" : "${config.sops.placeholder."factorio/username"}",
+ "token": "${config.sops.placeholder."factorio/token"}"
+ }
+ '';
+ mode = "0400";
+ owner = "factorio";
+ group = "factorio";
+ }; }; systemd.tmpfiles.rules = [
diff --git a/modules/server/hydra.nix b/modules/server/hydra.nix
index 73495fd..a2d2a02 100644
--- a/modules/server/hydra.nix
+++ b/modules/server/hydra.nix
@@ -1,8 +1,18 @@ { flake.modules.nixos.hydra =
- { ... }:
+ { config, pkgs, ... }: let httpPort = 2000;
+
+ remotebuild-ssh-config = pkgs.writeTextFile {
+ name = "remotebuild-ssh-config";
+ text = ''
+ Host nixberry
+ IdentitiesOnly yes
+ IdentityFile ${config.sops.secrets."hydra/remotebuild/private-key".path}
+ User remotebuild
+ '';
+ }; in { services.nix-serve = {
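Review bot: The generated `Host nixberry` block sets `IdentitiesOnly` and `IdentityFile` but says nothing about host key verification, so the queue runner's first connection to the builder is trust-on-first-use against a `known_hosts` that a freshly created `~/.ssh` does not have, and the second hunk of this file creates exactly such a directory. Adding `StrictHostKeyChecking yes` to the block and declaring the builder's key once with `programs.ssh.knownHosts.nixberry.publicKey = "<NIXBERRY_HOST_PUBLIC_KEY>";` (which lands in the system-wide `/etc/ssh/ssh_known_hosts`) turns a changed or spoofed host key into a hard failure instead of a prompt the service cannot answer. A one-line comment on `remotebuild-ssh-config` would also help the next reader: only the secret's path ends up in the store, never the key material. The module function continues past the hunk.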
@@ -18,5 +28,27 @@ useSubstitutes = true; };
+ systemd =
+ let
+ user = "hydra-queue-runner";
+ in
+ {
+ tmpfiles.rules = [
+ "d ${config.users.users.${user}.home}/.ssh 0700 ${user} ${user} -"
+ ];
+
+ services.hydra-queue-runner = {
+
+ serviceConfig.ExecStartPre =
+ let
+ targetFile = "${config.users.users.${user}.home}/.ssh/config";
+ in
+ ''
+ ${pkgs.coreutils}/bin/ln -sf ${remotebuild-ssh-config} ${targetFile}
+ ${pkgs.coreutils}/bin/chown ${user}:${user} ${targetFile}
+ '';
+ };
+ };
+ }; }
diff --git a/modules/users/cholli/default.nix b/modules/users/cholli/default.nix
index 323184b..0e01d63 100644
--- a/modules/users/cholli/default.nix
+++ b/modules/users/cholli/default.nix
@@ -1,8 +1,4 @@
-{
- config,
- ...
-}:
-{
+topLevel: { flake = { meta.users = { cholli = {
@@ -22,12 +18,13 @@ modules = { nixos.cholli =
- { pkgs, ... }:
+ { config, pkgs, ... }: { programs.fish.enable = true;
+ sops.secrets.passwordHash.neededForUsers = true; users.users.cholli = {
- description = config.flake.meta.users.cholli.name;
+ description = topLevel.config.flake.meta.users.cholli.name; isNormalUser = true; createHome = true; extraGroups = [
@@ -39,13 +36,12 @@ "wheel" ]; shell = pkgs.fish;
- # TODO: fix this with sops
- initialPassword = "asdf";
+ hashedPasswordFile = config.sops.secrets.passwordHash.path;
- openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys;
+ openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys; };
- nix.settings.trusted-users = [ config.flake.meta.users.cholli.username ];
+ nix.settings.trusted-users = [ topLevel.config.flake.meta.users.cholli.username ]; };
diff --git a/modules/users/root/default.nix b/modules/users/root/default.nix
index 99696b7..d092718 100644
--- a/modules/users/root/default.nix
+++ b/modules/users/root/default.nix
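Review bot: `serviceConfig.ExecStartPre` is given a two-line string, but each `ExecStartPre` entry is one command (a string per command, or a list of them), so the `chown` line likely ends up as a stray key-less line in the rendered unit; and even as a separate command, `chown` follows the symlink into `/nix/store`, a root-owned read-only path the service user cannot change, so the pre-start step fails and `hydra-queue-runner` does not come up unless the step runs as root, which the lines shown do not indicate. The chown is also unnecessary: ssh accepts a `~/.ssh/config` owned by root as long as it is not group/world-writable, which a store file is not. If the nixpkgs hydra module already defines `ExecStartPre` for this unit, the plain string definition will conflict rather than append. Placing the symlink with an `L+` tmpfiles rule next to the `d` rule already in this hunk removes the hook entirely; the hardcoded `user` could then be read from `config.systemd.services.hydra-queue-runner.serviceConfig.User`, as `modules/hosts/loptland/default.nix` does in this same commit.
```nix
systemd =
  let
    user = "hydra-queue-runner";
    home = config.users.users.${user}.home;
  in
  {
    # `d` creates ~/.ssh for the runner; `L+` (re)creates ~/.ssh/config as a
    # symlink into the store. No ExecStartPre hook or chown is needed: ssh
    # accepts a root-owned, non-world-writable config file.
    tmpfiles.rules = [
      "d ${home}/.ssh 0700 ${user} ${user} -"
      "L+ ${home}/.ssh/config - - - - ${remotebuild-ssh-config}"
    ];
  };
```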
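Review bot: `hashedPasswordFile` for `cholli` reads `config.sops.secrets.passwordHash.path`, and `modules/users/root/default.nix` in this same commit points root's `hashedPasswordFile` at the very same secret, so both accounts share one password: whoever learns cholli's password logs in as root directly, bypassing the `wheel` membership and whatever policy sudo applies, and rotating one silently rotates the other. Give each account its own entry, e.g. `sops.secrets."cholli/passwordHash".neededForUsers = true;` with `hashedPasswordFile = config.sops.secrets."cholli/passwordHash".path;`, and likewise for root — or leave root's unset if root is not meant to have an interactive password, which keeps the account locked when `users.mutableUsers` is off. The `passwordHash` declaration in the previous hunk has no `sopsFile`, so it relies on `sops.defaultSopsFile` being set elsewhere; a comment naming that file next to the `neededForUsers` line would save the next reader a search.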
@@ -1,18 +1,15 @@
-{
- config,
- ...
-}:
-{
+topLevel: { flake = { modules.nixos.root =
- { pkgs, ... }:
+ { config, pkgs, ... }: { programs.fish.enable = true;
+ sops.secrets.passwordHash.neededForUsers = true; users.users.root = { shell = pkgs.fish;
- openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys;
- initialPassword = "asdf1234";
+ openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys;
+ hashedPasswordFile = config.sops.secrets.passwordHash.path; }; }; };
diff --git a/secrets/secrets-loptland.yaml b/secrets/secrets-loptland.yaml
index 4fb8bc9..3201cb1 100644
--- a/secrets/secrets-loptland.yaml
+++ b/secrets/secrets-loptland.yaml
@@ -18,6 +18,8 @@ netcup: hydra: cachix: token: ENC[AES256_GCM,data:FqlJMfw7d1VfWhC+vI4SEMWzzADXK/np33fCsihq3wgC6nWNeTurNn1vDRLIRH+s6iT1C8Ni8iAAlndfUS5SPH6Ymswix9KuJCvYc8Jy+c8pPchYePtMQfv3dVe5a1i06b8I5c+MX8V7j2kaCijYDirnhiD0qlc8SW/mIyB5RNpAgKPTzLjLKJNSUkTGOWUnww==,iv:H2yQ5ioBVnezmhGHbJ7sAlXvUb2MUmHpQpS7f+nIph4=,tag:qvqsbgf2Y/PAd3s9ZFuxWA==,type:str] + remotebuild: + private-key: ENC[AES256_GCM,data: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,iv:mTlEphmcoFMv7dxIeSpsi77e3CJULcXxcOF1Nq66mUM=,tag:K2aGpaw2xeEj8537kB/cGA==,type:str] sops: age: - recipient: age1pc92kl38mfr0j68dxww7tpzvqp3lpw6lwfylj6hn2k3rf4rddgtsjxdx47
@@ -38,7 +40,7 @@ sops: czdSTjNGSEpURlZEUTlIaUtGQUk5cW8KvylMTgtmHNvGnN7DonAsYQZB31mVli75 3OTN+mOetq2YNxh/Se7vqzwbZnshfTDk9nJi9bKZQhBt2nYR8eLRkg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-30T16:13:29Z" - mac: ENC[AES256_GCM,data:KBJJJc30KARd79w7iTZ4DPwpgcZGTf3oE85xVO//KX8uq/rPPWuXBSwDGcIKlWGVpwiNbCqVvoH3DhKxJfKnuGKadK96xjv3KyIR2H8KMvhTQDXodt61ZyNERDEpa1HcuOemYpAe8W1cUzJkm1wxNublNYBdKz1kQKMQ43tgalk=,iv:wr+nqXKB5wW4VgIr1z61f+LXsw76mMs4kFAOYAkV+tk=,tag:m8uLg6HQhIL1oN1pWQoTAg==,type:str] + lastmodified: "2025-12-01T21:50:41Z" + mac: ENC[AES256_GCM,data:rtICn+ljt414EWhSmVqM3IttqBx07a+m0MHEADNQ7s3USSfq3oEXqfoA1Nt6nIF/ZjNYeebNW9hiiJcZw/Hh749p3Fdu64w63MUTwsBciT651DwNNHJHVGwELaU72nI8amtVln+Ka0VD58/cM0V4mcw+eNvfUS+ykUVZAqmOiHo=,iv:IlgqHdb1gtajBfWogN6EgZ1V6h7ToTR1cArP8jEYocg=,tag:bagJOpWoMSvsgmKT/LsAJg==,type:str] unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0 diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml new file mode 100644 index 0000000..e81ca84 --- /dev/null +++ b/secrets/secrets.yaml 
@@ -0,0 +1,36 @@ +passwordHash: ENC[AES256_GCM,data:T1rPJ5PhicrB54KxuTF2VT9i54uOngZnp1dS1xE/2qiuVUNUmYDrtryCk3nupJx9IVf0XqymQ3ut9A6YD1NjGvCBN+Klk2aevA==,iv:u9tpn9VAwn4yrChxICV6KgHFnvV5rpwKq6WWBjwntEk=,tag:sU9GebazI7gNuLSNO4Sjww==,type:str] +remotebuild: + private-key: ENC[AES256_GCM,data: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,iv:mlYWlmFT0Ybmn26Spqri5E9zRkrBweV6bWvvByLnIvs=,tag:tdB7dw+GMnr5/8fXoem10w==,type:str] +sops: + age: + - recipient: age1pc92kl38mfr0j68dxww7tpzvqp3lpw6lwfylj6hn2k3rf4rddgtsjxdx47 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcXozOHRMMkpwR1Q2K1pW + L01QSzduUTRjZ3haZjMvaGJOQW0zaytadWdNCnkxa0VXWFdwMjRaTkJoalVDZUgw + OFdnMjRIU1pmek12OXkyUkR1a1BVUzgKLS0tIGZpM1Era3RHWDQ3ek9ZOEpIWmxo + QVBvT1RZUGlMNnM0cTNMaGI4aW9ES28KVoBcR+oDhu3oT3Gbau+0mkFOQujjSdWg + Ytyo6vhJPQU0tyWUkAC1BHmKmfmiV4qjQEVIZRD+8gl4Tw2v8kwSTw== + -----END AGE ENCRYPTED FILE----- + - recipient: age13xshg5e6ucvnu3vqgn344mxpk5kcqutv2lf4gdffvwadq0ku5ewqy4cck6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneGlDK2xRVkxzRzd4emZC + djI3MkY4NndLZjZjZkFiaDk2TU55SEtTM1c4CkVQTms4WVJWZ2ZjMTI4d1ZmT0FS + M2ZLZ1NiZGdWL0VyZXdEK1BrV3VBRG8KLS0tIEdWQnR4bHhxN1d0VDg0VUlScnZL + U1F5aXZVd1lvVFVJOFBBSGFLM2U1aXcK8tKAdnvtPIer6XUsm3Ls+raMTUYAhFDz + PEJtm1X3j/UI4+xdGC6V60KQA4uUl/hSzAY6NDkKVsDW3AHv/whW1Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mje6kvzzxl6slgpj4rtvmzz3dej3kdq9v85uu69xjcqy6947de6sue05z9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrK2FaOTI1djRhTjdxNWJJ + SG9lSGM4MEdvUkpoN1dBTHhHVk9nU1V5RHlZCnlxTitGZ3J0cU95L3RXcGJadzda + V0hTdnRpQmxDVUVWbk13M0FET1NHYTAKLS0tIHBjcTVTMHNWcW5naWNXQmJyKzlC + QUFsdmlYay9lLzF2YWJHVUlBOUhDaHcKKXKuk3ki8WYSrg2YVtaB4PliR/LFy390 + gvCdS/LwqBJlDAwwtOoml7gtgPmn4bACO3z8XnrLfpctDdYgDkqcgQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-12-01T23:30:01Z" + mac: 
ENC[AES256_GCM,data:XSGqMKs3XVupy2wf5E1M8eFVwXlkQndY6Gw2aYV/tJ7WhKX3ToYHqDujUjCKE5S2dPZjT0i9wJD//LcC3lPAEbKlyCExBhHxuQjT44GuRyORNiT+ET5bLL0ilrG3U+DxvYCjFkhIZpTPZHG7E6lC2ch5DHyVCSsl/pjZ+/ZrA4Q=,iv:ZHsE8r4a2XkZS7nvvWF024/Xpv42C04M7D22z2LYgwk=,tag:XOm5TCvivijISw3+ItBvKA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0