security: start setting permissions on secrets properly

2025-12-01 23:53:27 +01:00 · 2025-12-01 23:53:27 +01:00 · ad9862019c
commit ad9862019c
parent 01fb6d8ec9
11 changed files with 126 additions and 53 deletions
--- a/modules/base/system/nixdaemon.nix
+++ b/modules/base/system/nixdaemon.nix
@ -41,7 +41,7 @@
              username
            ]
            ++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner"
-            ++ lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator hydra-queue-runner";
+            ++ lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator";
          in
          {
            nix-path = "nixpkgs=flake:nixpkgs";
--- a/modules/hosts/loptland/default.nix
+++ b/modules/hosts/loptland/default.nix
@ -1,12 +1,7 @@
-{
-  config,
-  ...
-}:
-let
-in
-{
+topLevel: {
  flake.modules.nixos."hosts/loptland" =
    {
+      config,
      inputs,
      lib,
      pkgs,
@ -25,7 +20,7 @@ in
      environment.systemPackages = [ pkgs.dconf ];

      imports =
-        with config.flake.modules.nixos;
+        with topLevel.config.flake.modules.nixos;
        [
          (modulesPath + "/profiles/qemu-guest.nix")
          inputs.catppuccin.nixosModules.catppuccin
@ -50,7 +45,7 @@ in
        ++ [
          {
            home-manager.users.cholli = {
-              imports = with config.flake.modules.homeManager; [
+              imports = with topLevel.config.flake.modules.homeManager; [
                inputs.catppuccin.homeModules.catppuccin

                # components
@ -80,6 +75,14 @@ in
        443
      ];

+      sops.secrets = {
+        "hydra/remotebuild/private-key" = {
+          inherit sopsFile;
+          owner = config.systemd.services.hydra-queue-runner.serviceConfig.User;
+          mode = "0400";
+        };
+      };
+
      nix = {
        distributedBuilds = true;

@ -103,7 +106,7 @@ in
          {
            hostName = "nixberry";
            sshUser = "remotebuild";
-            sshKey = "/root/.ssh/remotebuild";
+            sshKey = config.sops.secrets."hydra/remotebuild/private-key".path;
            systems = [ "aarch64-linux" ];
            protocol = "ssh";

--- a/modules/server/factorio-server.nix
+++ b/modules/server/factorio-server.nix
@ -20,21 +20,25 @@
            inherit sopsFile;
          };
        };
-        templates."extraSettingsFile.json".content = ''
-          {
-            "name": "Pyanodons Holli",
-            "description": "Trying to run a factorio-headless-server on my nix system",
-            "tags": ["vanilla"],
-            "max_players": 10,
-            "game_password": "${config.sops.placeholder."factorio/game_password"}",
-            "allow_commands": "admins-only",
-            "autosave_slots": 5,
-            "ignore_player_limit_for_returning_players": true,
-            "username" : "${config.sops.placeholder."factorio/username"}",
-            "token": "${config.sops.placeholder."factorio/token"}"
-          }
-        '';
-        templates."extraSettingsFile.json".mode = "0444";
+        templates."extraSettingsFile.json" = {
+          content = ''
+            {
+              "name": "Pyanodons Holli",
+              "description": "Trying to run a factorio-headless-server on my nix system",
+              "tags": ["vanilla"],
+              "max_players": 10,
+              "game_password": "${config.sops.placeholder."factorio/game_password"}",
+              "allow_commands": "admins-only",
+              "autosave_slots": 5,
+              "ignore_player_limit_for_returning_players": true,
+              "username" : "${config.sops.placeholder."factorio/username"}",
+              "token": "${config.sops.placeholder."factorio/token"}"
+            }
+          '';
+          mode = "0400";
+          owner = "factorio";
+          group = "factorio";
+        };
      };

      systemd.tmpfiles.rules = [
--- a/modules/server/hydra.nix
+++ b/modules/server/hydra.nix
@ -1,8 +1,18 @@
 {
  flake.modules.nixos.hydra =
-    { ... }:
+    { config, pkgs, ... }:
    let
      httpPort = 2000;
+
+      remotebuild-ssh-config = pkgs.writeTextFile {
+        name = "remotebuild-ssh-config";
+        text = ''
+          Host nixberry
+            IdentitiesOnly yes
+            IdentityFile ${config.sops.secrets."hydra/remotebuild/private-key".path}
+            User remotebuild
+        '';
+      };
    in
    {
      services.nix-serve = {
@ -18,5 +28,27 @@
        useSubstitutes = true;
      };

+      systemd =
+        let
+          user = "hydra-queue-runner";
+        in
+        {
+          tmpfiles.rules = [
+            "d ${config.users.users.${user}.home}/.ssh 0700 ${user} ${user} -"
+          ];
+
+          services.hydra-queue-runner = {
+
+            serviceConfig.ExecStartPre =
+              let
+                targetFile = "${config.users.users.${user}.home}/.ssh/config";
+              in
+              ''
+                ${pkgs.coreutils}/bin/ln -sf ${remotebuild-ssh-config} ${targetFile}
+                ${pkgs.coreutils}/bin/chown ${user}:${user} ${targetFile} 
+              '';
+          };
+        };
+
    };
 }
--- a/modules/users/cholli/default.nix
+++ b/modules/users/cholli/default.nix
@ -1,8 +1,4 @@
-{
-  config,
-  ...
-}:
-{
+topLevel: {
  flake = {
    meta.users = {
      cholli = {
@ -22,12 +18,13 @@

    modules = {
      nixos.cholli =
-        { pkgs, ... }:
+        { config, pkgs, ... }:
        {
          programs.fish.enable = true;
+          sops.secrets.passwordHash.neededForUsers = true;

          users.users.cholli = {
-            description = config.flake.meta.users.cholli.name;
+            description = topLevel.config.flake.meta.users.cholli.name;
            isNormalUser = true;
            createHome = true;
            extraGroups = [
@ -39,13 +36,12 @@
              "wheel"
            ];
            shell = pkgs.fish;
-            # TODO: fix this with sops
-            initialPassword = "asdf";
+            hashedPasswordFile = config.sops.secrets.passwordHash.path;

-            openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys;
+            openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys;
          };

-          nix.settings.trusted-users = [ config.flake.meta.users.cholli.username ];
+          nix.settings.trusted-users = [ topLevel.config.flake.meta.users.cholli.username ];

        };

--- a/modules/users/root/default.nix
+++ b/modules/users/root/default.nix
@ -1,18 +1,15 @@
-{
-  config,
-  ...
-}:
-{
+topLevel: {
  flake = {
    modules.nixos.root =
-      { pkgs, ... }:
+      { config, pkgs, ... }:
      {
        programs.fish.enable = true;
+        sops.secrets.passwordHash.neededForUsers = true;

        users.users.root = {
          shell = pkgs.fish;
-          openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys;
-          initialPassword = "asdf1234";
+          openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys;
+          hashedPasswordFile = config.sops.secrets.passwordHash.path;
        };
      };
  };