security: start setting permissions on secrets properly

This commit is contained in:
Christoph Hollizeck 2025-12-01 23:53:27 +01:00
parent 01fb6d8ec9
commit ad9862019c
Signed by: Daholli
GPG key ID: 249300664F2AF2C7
11 changed files with 126 additions and 53 deletions


@ -7,6 +7,8 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *primary - *primary
- *loptland
- *nixberry
- path_regex: secrets/secrets-loptland.yaml$ - path_regex: secrets/secrets-loptland.yaml$
key_groups: key_groups:
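Review bot: Adding `*loptland` and `*nixberry` to this key group lets both host keys decrypt every secret in the file that the enclosing creation rule covers; the rule's `path_regex` is above the hunk, so which file that is cannot be confirmed from here. If it is the shared secrets file that now also holds the remotebuild private key, the nixberry host can decrypt the key that is only needed on loptland to reach nixberry. The per-host rule for `secrets/secrets-loptland.yaml$` just below is the narrower pattern; consider keeping host-specific secrets in the host file that deploys them, or at least confirming this key group's scope before merging.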

flake.lock generated

@ -1102,16 +1102,17 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1764601009, "lastModified": 1764618171,
"narHash": "sha256-HjJyqKbxBoTM8QYo+Rw8htqXI/lVvgfieKiET20jscM=", "narHash": "sha256-+rEb55Uuz5GEwJXf9nWwNTDvWjDCGTzux68wgnnZLO8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nh", "repo": "nh",
"rev": "1e09253fabb56ce3b14a89f18685b7b0d4ffd200", "rev": "f1d08030e1ca3829fa26f9bc720119b62f5b09f0",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"repo": "nh", "repo": "nh",
"rev": "f1d08030e1ca3829fa26f9bc720119b62f5b09f0",
"type": "github" "type": "github"
} }
}, },


@ -31,7 +31,7 @@
}; };
nh-flake = { nh-flake = {
url = "github:nix-community/nh"; url = "github:nix-community/nh/f1d08030e1ca3829fa26f9bc720119b62f5b09f0";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };


@ -41,7 +41,7 @@
username username
] ]
++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner" ++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner"
++ lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator hydra-queue-runner"; ++ lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator";
in in
{ {
nix-path = "nixpkgs=flake:nixpkgs"; nix-path = "nixpkgs=flake:nixpkgs";
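Review bot: The hydra element on the `++ lib.optional` line is still one string holding three space-separated names rather than three list entries, so whatever consumes this list (its let-binding begins above the hunk) receives `"hydra hydra-www hydra-evaluator"` as a single value; that only works if the consumer joins entries with spaces anyway. `++ lib.optionals config.services.hydra.enable [ "hydra" "hydra-www" "hydra-evaluator" ]` makes the entries individual so any per-user handling applies to each name. The reason hydra-queue-runner is dropped from the list is not stated; a one-line comment next to the change would help a later reader.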


@ -1,12 +1,7 @@
{ topLevel: {
config,
...
}:
let
in
{
flake.modules.nixos."hosts/loptland" = flake.modules.nixos."hosts/loptland" =
{ {
config,
inputs, inputs,
lib, lib,
pkgs, pkgs,
@ -25,7 +20,7 @@ in
environment.systemPackages = [ pkgs.dconf ]; environment.systemPackages = [ pkgs.dconf ];
imports = imports =
with config.flake.modules.nixos; with topLevel.config.flake.modules.nixos;
[ [
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
inputs.catppuccin.nixosModules.catppuccin inputs.catppuccin.nixosModules.catppuccin
@ -50,7 +45,7 @@ in
++ [ ++ [
{ {
home-manager.users.cholli = { home-manager.users.cholli = {
imports = with config.flake.modules.homeManager; [ imports = with topLevel.config.flake.modules.homeManager; [
inputs.catppuccin.homeModules.catppuccin inputs.catppuccin.homeModules.catppuccin
# components # components
@ -80,6 +75,14 @@ in
443 443
]; ];
sops.secrets = {
"hydra/remotebuild/private-key" = {
inherit sopsFile;
owner = config.systemd.services.hydra-queue-runner.serviceConfig.User;
mode = "0400";
};
};
nix = { nix = {
distributedBuilds = true; distributedBuilds = true;
@ -103,7 +106,7 @@ in
{ {
hostName = "nixberry"; hostName = "nixberry";
sshUser = "remotebuild"; sshUser = "remotebuild";
sshKey = "/root/.ssh/remotebuild"; sshKey = config.sops.secrets."hydra/remotebuild/private-key".path;
systems = [ "aarch64-linux" ]; systems = [ "aarch64-linux" ];
protocol = "ssh"; protocol = "ssh";
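Review bot: The secret's `owner` in the `sops.secrets` hunk is derived from `config.systemd.services.hydra-queue-runner.serviceConfig.User`, while the hydra module in this same commit hard-codes `user = "hydra-queue-runner"` for the `.ssh` directory and symlink it creates; if the two ever disagree, the 0400 key becomes unreadable from the ssh config that points at it. Use one source for the name in both places, e.g. `owner = "hydra-queue-runner";` here or reading `serviceConfig.User` in the hydra module. The `sshKey` on the buildMachines entry is read by the nix-daemon, which runs as root, so the 0400/owner restriction does not affect distributed builds; that is worth a short comment next to `mode = "0400";`. The `sopsFile` being inherited is bound above the hunk.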


@ -20,21 +20,25 @@
inherit sopsFile; inherit sopsFile;
}; };
}; };
templates."extraSettingsFile.json".content = '' templates."extraSettingsFile.json" = {
{ content = ''
"name": "Pyanodons Holli", {
"description": "Trying to run a factorio-headless-server on my nix system", "name": "Pyanodons Holli",
"tags": ["vanilla"], "description": "Trying to run a factorio-headless-server on my nix system",
"max_players": 10, "tags": ["vanilla"],
"game_password": "${config.sops.placeholder."factorio/game_password"}", "max_players": 10,
"allow_commands": "admins-only", "game_password": "${config.sops.placeholder."factorio/game_password"}",
"autosave_slots": 5, "allow_commands": "admins-only",
"ignore_player_limit_for_returning_players": true, "autosave_slots": 5,
"username" : "${config.sops.placeholder."factorio/username"}", "ignore_player_limit_for_returning_players": true,
"token": "${config.sops.placeholder."factorio/token"}" "username" : "${config.sops.placeholder."factorio/username"}",
} "token": "${config.sops.placeholder."factorio/token"}"
''; }
templates."extraSettingsFile.json".mode = "0444"; '';
mode = "0400";
owner = "factorio";
group = "factorio";
};
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [


@ -1,8 +1,18 @@
{ {
flake.modules.nixos.hydra = flake.modules.nixos.hydra =
{ ... }: { config, pkgs, ... }:
let let
httpPort = 2000; httpPort = 2000;
remotebuild-ssh-config = pkgs.writeTextFile {
name = "remotebuild-ssh-config";
text = ''
Host nixberry
IdentitiesOnly yes
IdentityFile ${config.sops.secrets."hydra/remotebuild/private-key".path}
User remotebuild
'';
};
in in
{ {
services.nix-serve = { services.nix-serve = {
@ -18,5 +28,27 @@
useSubstitutes = true; useSubstitutes = true;
}; };
systemd =
let
user = "hydra-queue-runner";
in
{
tmpfiles.rules = [
"d ${config.users.users.${user}.home}/.ssh 0700 ${user} ${user} -"
];
services.hydra-queue-runner = {
serviceConfig.ExecStartPre =
let
targetFile = "${config.users.users.${user}.home}/.ssh/config";
in
''
${pkgs.coreutils}/bin/ln -sf ${remotebuild-ssh-config} ${targetFile}
${pkgs.coreutils}/bin/chown ${user}:${user} ${targetFile}
'';
};
};
}; };
} }
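Review bot: `chown ${user}:${user} ${targetFile}` in the ExecStartPre follows the symlink just created by `ln -sf` and so tries to change ownership of the store path `remotebuild-ssh-config`, which is root-owned and normally on a read-only store mount; unless ExecStartPre runs as root the step fails and keeps hydra-queue-runner from starting, and even as root the symlink itself is already owned by whoever created it. Use `${pkgs.coreutils}/bin/chown -h ${user}:${user} ${targetFile}` or drop the chown line. `ln -sf` also silently replaces any existing `~/.ssh/config` for that user, which deserves a comment above the `systemd =` binding such as `# replaces the user's ssh config wholesale; keep all host entries in remotebuild-ssh-config`. The `IdentityFile` embeds only the secret's path, not key material, so the store file being world-readable is fine.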


@ -1,8 +1,4 @@
{ topLevel: {
config,
...
}:
{
flake = { flake = {
meta.users = { meta.users = {
cholli = { cholli = {
@ -22,12 +18,13 @@
modules = { modules = {
nixos.cholli = nixos.cholli =
{ pkgs, ... }: { config, pkgs, ... }:
{ {
programs.fish.enable = true; programs.fish.enable = true;
sops.secrets.passwordHash.neededForUsers = true;
users.users.cholli = { users.users.cholli = {
description = config.flake.meta.users.cholli.name; description = topLevel.config.flake.meta.users.cholli.name;
isNormalUser = true; isNormalUser = true;
createHome = true; createHome = true;
extraGroups = [ extraGroups = [
@ -39,13 +36,12 @@
"wheel" "wheel"
]; ];
shell = pkgs.fish; shell = pkgs.fish;
# TODO: fix this with sops hashedPasswordFile = config.sops.secrets.passwordHash.path;
initialPassword = "asdf";
openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys; openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys;
}; };
nix.settings.trusted-users = [ config.flake.meta.users.cholli.username ]; nix.settings.trusted-users = [ topLevel.config.flake.meta.users.cholli.username ];
}; };
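Review bot: `hashedPasswordFile = config.sops.secrets.passwordHash.path;` points cholli, a wheel user, and root (the same line in the root module's hunk further down) at the same `passwordHash` secret, so both accounts share one password and either credential yields the other. Declaring one secret per account (constructed names, e.g. `sops.secrets."passwordHash/cholli"` and `sops.secrets."passwordHash/root"`, each with `neededForUsers = true`) keeps them independent. `passwordHash` is declared without a `sopsFile`, so it resolves against whatever `sops.defaultSopsFile` is set to elsewhere; that dependency merits a comment at the `sops.secrets.passwordHash.neededForUsers = true;` line.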


@ -1,18 +1,15 @@
{ topLevel: {
config,
...
}:
{
flake = { flake = {
modules.nixos.root = modules.nixos.root =
{ pkgs, ... }: { config, pkgs, ... }:
{ {
programs.fish.enable = true; programs.fish.enable = true;
sops.secrets.passwordHash.neededForUsers = true;
users.users.root = { users.users.root = {
shell = pkgs.fish; shell = pkgs.fish;
openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys; openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys;
initialPassword = "asdf1234"; hashedPasswordFile = config.sops.secrets.passwordHash.path;
}; };
}; };
}; };


@ -18,6 +18,8 @@ netcup:
hydra: hydra:
cachix: cachix:
token: ENC[AES256_GCM,data:FqlJMfw7d1VfWhC+vI4SEMWzzADXK/np33fCsihq3wgC6nWNeTurNn1vDRLIRH+s6iT1C8Ni8iAAlndfUS5SPH6Ymswix9KuJCvYc8Jy+c8pPchYePtMQfv3dVe5a1i06b8I5c+MX8V7j2kaCijYDirnhiD0qlc8SW/mIyB5RNpAgKPTzLjLKJNSUkTGOWUnww==,iv:H2yQ5ioBVnezmhGHbJ7sAlXvUb2MUmHpQpS7f+nIph4=,tag:qvqsbgf2Y/PAd3s9ZFuxWA==,type:str] token: ENC[AES256_GCM,data:FqlJMfw7d1VfWhC+vI4SEMWzzADXK/np33fCsihq3wgC6nWNeTurNn1vDRLIRH+s6iT1C8Ni8iAAlndfUS5SPH6Ymswix9KuJCvYc8Jy+c8pPchYePtMQfv3dVe5a1i06b8I5c+MX8V7j2kaCijYDirnhiD0qlc8SW/mIyB5RNpAgKPTzLjLKJNSUkTGOWUnww==,iv:H2yQ5ioBVnezmhGHbJ7sAlXvUb2MUmHpQpS7f+nIph4=,tag:qvqsbgf2Y/PAd3s9ZFuxWA==,type:str]
remotebuild:
private-key: ENC[AES256_GCM,data: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,iv:mTlEphmcoFMv7dxIeSpsi77e3CJULcXxcOF1Nq66mUM=,tag:K2aGpaw2xeEj8537kB/cGA==,type:str]
sops: sops:
age: age:
- recipient: age1pc92kl38mfr0j68dxww7tpzvqp3lpw6lwfylj6hn2k3rf4rddgtsjxdx47 - recipient: age1pc92kl38mfr0j68dxww7tpzvqp3lpw6lwfylj6hn2k3rf4rddgtsjxdx47
@ -38,7 +40,7 @@ sops:
czdSTjNGSEpURlZEUTlIaUtGQUk5cW8KvylMTgtmHNvGnN7DonAsYQZB31mVli75 czdSTjNGSEpURlZEUTlIaUtGQUk5cW8KvylMTgtmHNvGnN7DonAsYQZB31mVli75
3OTN+mOetq2YNxh/Se7vqzwbZnshfTDk9nJi9bKZQhBt2nYR8eLRkg== 3OTN+mOetq2YNxh/Se7vqzwbZnshfTDk9nJi9bKZQhBt2nYR8eLRkg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-30T16:13:29Z" lastmodified: "2025-12-01T21:50:41Z"
mac: ENC[AES256_GCM,data:KBJJJc30KARd79w7iTZ4DPwpgcZGTf3oE85xVO//KX8uq/rPPWuXBSwDGcIKlWGVpwiNbCqVvoH3DhKxJfKnuGKadK96xjv3KyIR2H8KMvhTQDXodt61ZyNERDEpa1HcuOemYpAe8W1cUzJkm1wxNublNYBdKz1kQKMQ43tgalk=,iv:wr+nqXKB5wW4VgIr1z61f+LXsw76mMs4kFAOYAkV+tk=,tag:m8uLg6HQhIL1oN1pWQoTAg==,type:str] mac: ENC[AES256_GCM,data:rtICn+ljt414EWhSmVqM3IttqBx07a+m0MHEADNQ7s3USSfq3oEXqfoA1Nt6nIF/ZjNYeebNW9hiiJcZw/Hh749p3Fdu64w63MUTwsBciT651DwNNHJHVGwELaU72nI8amtVln+Ka0VD58/cM0V4mcw+eNvfUS+ykUVZAqmOiHo=,iv:IlgqHdb1gtajBfWogN6EgZ1V6h7ToTR1cArP8jEYocg=,tag:bagJOpWoMSvsgmKT/LsAJg==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.11.0

secrets/secrets.yaml Normal file

@ -0,0 +1,36 @@
passwordHash: ENC[AES256_GCM,data:T1rPJ5PhicrB54KxuTF2VT9i54uOngZnp1dS1xE/2qiuVUNUmYDrtryCk3nupJx9IVf0XqymQ3ut9A6YD1NjGvCBN+Klk2aevA==,iv:u9tpn9VAwn4yrChxICV6KgHFnvV5rpwKq6WWBjwntEk=,tag:sU9GebazI7gNuLSNO4Sjww==,type:str]
remotebuild:
private-key: ENC[AES256_GCM,data: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,iv:mlYWlmFT0Ybmn26Spqri5E9zRkrBweV6bWvvByLnIvs=,tag:tdB7dw+GMnr5/8fXoem10w==,type:str]
sops:
age:
- recipient: age1pc92kl38mfr0j68dxww7tpzvqp3lpw6lwfylj6hn2k3rf4rddgtsjxdx47
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcXozOHRMMkpwR1Q2K1pW
L01QSzduUTRjZ3haZjMvaGJOQW0zaytadWdNCnkxa0VXWFdwMjRaTkJoalVDZUgw
OFdnMjRIU1pmek12OXkyUkR1a1BVUzgKLS0tIGZpM1Era3RHWDQ3ek9ZOEpIWmxo
QVBvT1RZUGlMNnM0cTNMaGI4aW9ES28KVoBcR+oDhu3oT3Gbau+0mkFOQujjSdWg
Ytyo6vhJPQU0tyWUkAC1BHmKmfmiV4qjQEVIZRD+8gl4Tw2v8kwSTw==
-----END AGE ENCRYPTED FILE-----
- recipient: age13xshg5e6ucvnu3vqgn344mxpk5kcqutv2lf4gdffvwadq0ku5ewqy4cck6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneGlDK2xRVkxzRzd4emZC
djI3MkY4NndLZjZjZkFiaDk2TU55SEtTM1c4CkVQTms4WVJWZ2ZjMTI4d1ZmT0FS
M2ZLZ1NiZGdWL0VyZXdEK1BrV3VBRG8KLS0tIEdWQnR4bHhxN1d0VDg0VUlScnZL
U1F5aXZVd1lvVFVJOFBBSGFLM2U1aXcK8tKAdnvtPIer6XUsm3Ls+raMTUYAhFDz
PEJtm1X3j/UI4+xdGC6V60KQA4uUl/hSzAY6NDkKVsDW3AHv/whW1Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mje6kvzzxl6slgpj4rtvmzz3dej3kdq9v85uu69xjcqy6947de6sue05z9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrK2FaOTI1djRhTjdxNWJJ
SG9lSGM4MEdvUkpoN1dBTHhHVk9nU1V5RHlZCnlxTitGZ3J0cU95L3RXcGJadzda
V0hTdnRpQmxDVUVWbk13M0FET1NHYTAKLS0tIHBjcTVTMHNWcW5naWNXQmJyKzlC
QUFsdmlYay9lLzF2YWJHVUlBOUhDaHcKKXKuk3ki8WYSrg2YVtaB4PliR/LFy390
gvCdS/LwqBJlDAwwtOoml7gtgPmn4bACO3z8XnrLfpctDdYgDkqcgQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-01T23:30:01Z"
mac: ENC[AES256_GCM,data:XSGqMKs3XVupy2wf5E1M8eFVwXlkQndY6Gw2aYV/tJ7WhKX3ToYHqDujUjCKE5S2dPZjT0i9wJD//LcC3lPAEbKlyCExBhHxuQjT44GuRyORNiT+ET5bLL0ilrG3U+DxvYCjFkhIZpTPZHG7E6lC2ch5DHyVCSsl/pjZ+/ZrA4Q=,iv:ZHsE8r4a2XkZS7nvvWF024/Xpv42C04M7D22z2LYgwk=,tag:XOm5TCvivijISw3+ItBvKA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0