From 2adc358decf3edcca6f7fd68ad19d502d0276da8 Mon Sep 17 00:00:00 2001 From: Christoph Hollizeck Date: Mon, 1 Dec 2025 23:53:27 +0100 Subject: [PATCH 1/2] security: start setting permissions on secrets properly --- flake.lock | 7 +++--- flake.nix | 2 +- modules/base/system/nixdaemon.nix | 3 +-- modules/hosts/loptland/default.nix | 23 +++++++++++--------- modules/server/factorio-server.nix | 34 +++++++++++++++++------------- secrets/secrets-loptland.yaml | 8 ++++--- 6 files changed, 43 insertions(+), 34 deletions(-) diff --git a/flake.lock b/flake.lock index a9f9c8b..f494242 100644 --- a/flake.lock +++ b/flake.lock @@ -1102,16 +1102,17 @@ ] }, "locked": { - "lastModified": 1764601009, - "narHash": "sha256-HjJyqKbxBoTM8QYo+Rw8htqXI/lVvgfieKiET20jscM=", + "lastModified": 1764618171, + "narHash": "sha256-+rEb55Uuz5GEwJXf9nWwNTDvWjDCGTzux68wgnnZLO8=", "owner": "nix-community", "repo": "nh", - "rev": "1e09253fabb56ce3b14a89f18685b7b0d4ffd200", + "rev": "f1d08030e1ca3829fa26f9bc720119b62f5b09f0", "type": "github" }, "original": { "owner": "nix-community", "repo": "nh", + "rev": "f1d08030e1ca3829fa26f9bc720119b62f5b09f0", "type": "github" } }, diff --git a/flake.nix b/flake.nix index c9725bb..ad06ea5 100644 --- a/flake.nix +++ b/flake.nix @@ -31,7 +31,7 @@ }; nh-flake = { - url = "github:nix-community/nh"; + url = "github:nix-community/nh/f1d08030e1ca3829fa26f9bc720119b62f5b09f0"; inputs.nixpkgs.follows = "nixpkgs-unstable"; }; diff --git a/modules/base/system/nixdaemon.nix b/modules/base/system/nixdaemon.nix index 60626fe..7989f60 100644 --- a/modules/base/system/nixdaemon.nix +++ b/modules/base/system/nixdaemon.nix 
@@ -40,8 +40,7 @@ "root" username ] - ++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner" - ++ lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator hydra-queue-runner"; + ++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner"; in { nix-path = "nixpkgs=flake:nixpkgs"; diff --git a/modules/hosts/loptland/default.nix b/modules/hosts/loptland/default.nix index 10020f3..2681840 100644 --- a/modules/hosts/loptland/default.nix +++ b/modules/hosts/loptland/default.nix @@ -1,12 +1,7 @@ -{ - config, - ... -}: -let -in -{ +topLevel: { flake.modules.nixos."hosts/loptland" = { + config, inputs, lib, pkgs, @@ -25,7 +20,7 @@ in environment.systemPackages = [ pkgs.dconf ]; imports = - with config.flake.modules.nixos; + with topLevel.config.flake.modules.nixos; [ (modulesPath + "/profiles/qemu-guest.nix") inputs.catppuccin.nixosModules.catppuccin @@ -50,7 +45,7 @@ in ++ [ { home-manager.users.cholli = { - imports = with config.flake.modules.homeManager; [ + imports = with topLevel.config.flake.modules.homeManager; [ inputs.catppuccin.homeModules.catppuccin # components @@ -80,6 +75,14 @@ in 443 ]; + sops.secrets = { + "hydra/remotebuild/private-key" = { + inherit sopsFile; + owner = config.systemd.services.hydra-queue-runner.serviceConfig.User; + mode = "4000"; + }; + }; + nix = { distributedBuilds = true; @@ -103,7 +106,7 @@ in { hostName = "nixberry"; sshUser = "remotebuild"; - sshKey = "/root/.ssh/remotebuild"; + sshKey = config.sops.secrets."hydra/remotebuild/private-key".path; systems = [ "aarch64-linux" ]; protocol = "ssh"; diff --git a/modules/server/factorio-server.nix b/modules/server/factorio-server.nix index 3339e4a..4ae7fdc 100644 --- a/modules/server/factorio-server.nix +++ b/modules/server/factorio-server.nix 
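Review bot: `mode = "4000";` in the new `sops.secrets."hydra/remotebuild/private-key"` block sets only the setuid bit and no read/write bits, so the owning hydra-queue-runner user cannot read the key at all (only root can), which defeats the point of assigning it an owner. The intended value is almost certainly `mode = "0400";` (owner read-only), which is also the sops-nix default, so the line could simply be dropped. The same `mode = "4000"` appears in the `templates."extraSettingsFile.json"` block of modules/server/factorio-server.nix in this commit, where it likewise makes the rendered settings file unreadable for the `factorio` owner/group it is assigned to; `"0400"` is the right replacement for the previous world-readable `"0444"` there too. The `owner` line reads `config.systemd.services.hydra-queue-runner.serviceConfig.User`, which presumably only exists when the hydra service is enabled on this host; if that is conditional anywhere, evaluation will fail instead of falling back, so guarding it with `lib.mkIf config.services.hydra.enable` or documenting the requirement would be worth considering.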
@@ -20,21 +20,25 @@ inherit sopsFile; }; }; - templates."extraSettingsFile.json".content = '' - { - "name": "Pyanodons Holli", - "description": "Trying to run a factorio-headless-server on my nix system", - "tags": ["vanilla"], - "max_players": 10, - "game_password": "${config.sops.placeholder."factorio/game_password"}", - "allow_commands": "admins-only", - "autosave_slots": 5, - "ignore_player_limit_for_returning_players": true, - "username" : "${config.sops.placeholder."factorio/username"}", - "token": "${config.sops.placeholder."factorio/token"}" - } - ''; - templates."extraSettingsFile.json".mode = "0444"; + templates."extraSettingsFile.json" = { + content = '' + { + "name": "Pyanodons Holli", + "description": "Trying to run a factorio-headless-server on my nix system", + "tags": ["vanilla"], + "max_players": 10, + "game_password": "${config.sops.placeholder."factorio/game_password"}", + "allow_commands": "admins-only", + "autosave_slots": 5, + "ignore_player_limit_for_returning_players": true, + "username" : "${config.sops.placeholder."factorio/username"}", + "token": "${config.sops.placeholder."factorio/token"}" + } + ''; + mode = "4000"; + owner = "factorio"; + group = "factorio"; + }; }; systemd.tmpfiles.rules = [ diff --git a/secrets/secrets-loptland.yaml b/secrets/secrets-loptland.yaml index 4fb8bc9..3201cb1 100644 --- a/secrets/secrets-loptland.yaml +++ b/secrets/secrets-loptland.yaml 
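Review bot: The new `templates."extraSettingsFile.json".content` splices `config.sops.placeholder.*` values straight into hand-written JSON string literals, and the placeholder is replaced with the raw decrypted value at activation time, so a `game_password`, `username` or `token` that contains a `"` or `\` would yield a file the server cannot parse; nothing in the hunk guards against that. Because the substitution happens after Nix evaluation, `builtins.toJSON` cannot escape the values either, so the constraint belongs in a comment beside `content`, e.g. `# placeholders are substituted verbatim at activation, no JSON escaping: secret values must not contain '"' or '\'`. The enclosing `sops = { ... }` attribute set begins before this hunk.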
@@ -18,6 +18,8 @@ netcup: hydra: cachix: token: ENC[AES256_GCM,data:FqlJMfw7d1VfWhC+vI4SEMWzzADXK/np33fCsihq3wgC6nWNeTurNn1vDRLIRH+s6iT1C8Ni8iAAlndfUS5SPH6Ymswix9KuJCvYc8Jy+c8pPchYePtMQfv3dVe5a1i06b8I5c+MX8V7j2kaCijYDirnhiD0qlc8SW/mIyB5RNpAgKPTzLjLKJNSUkTGOWUnww==,iv:H2yQ5ioBVnezmhGHbJ7sAlXvUb2MUmHpQpS7f+nIph4=,tag:qvqsbgf2Y/PAd3s9ZFuxWA==,type:str] + remotebuild: + private-key: ENC[AES256_GCM,data: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,iv:mTlEphmcoFMv7dxIeSpsi77e3CJULcXxcOF1Nq66mUM=,tag:K2aGpaw2xeEj8537kB/cGA==,type:str] sops: age: - recipient: age1pc92kl38mfr0j68dxww7tpzvqp3lpw6lwfylj6hn2k3rf4rddgtsjxdx47 @@ -38,7 +40,7 @@ sops: czdSTjNGSEpURlZEUTlIaUtGQUk5cW8KvylMTgtmHNvGnN7DonAsYQZB31mVli75 3OTN+mOetq2YNxh/Se7vqzwbZnshfTDk9nJi9bKZQhBt2nYR8eLRkg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-30T16:13:29Z" - mac: ENC[AES256_GCM,data:KBJJJc30KARd79w7iTZ4DPwpgcZGTf3oE85xVO//KX8uq/rPPWuXBSwDGcIKlWGVpwiNbCqVvoH3DhKxJfKnuGKadK96xjv3KyIR2H8KMvhTQDXodt61ZyNERDEpa1HcuOemYpAe8W1cUzJkm1wxNublNYBdKz1kQKMQ43tgalk=,iv:wr+nqXKB5wW4VgIr1z61f+LXsw76mMs4kFAOYAkV+tk=,tag:m8uLg6HQhIL1oN1pWQoTAg==,type:str] + lastmodified: "2025-12-01T21:50:41Z" + mac: ENC[AES256_GCM,data:rtICn+ljt414EWhSmVqM3IttqBx07a+m0MHEADNQ7s3USSfq3oEXqfoA1Nt6nIF/ZjNYeebNW9hiiJcZw/Hh749p3Fdu64w63MUTwsBciT651DwNNHJHVGwELaU72nI8amtVln+Ka0VD58/cM0V4mcw+eNvfUS+ykUVZAqmOiHo=,iv:IlgqHdb1gtajBfWogN6EgZ1V6h7ToTR1cArP8jEYocg=,tag:bagJOpWoMSvsgmKT/LsAJg==,type:str] unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0 From a86a50f6c178e419b887e31d0bba5880812468fc Mon Sep 17 00:00:00 2001 From: "forgjo-actions[bot]" Date: Tue, 2 Dec 2025 01:00:38 +0100 Subject: [PATCH 2/2] chore: update flake --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index f494242..c499aee 100644 --- a/flake.lock +++ b/flake.lock 
@@ -146,11 +146,11 @@ ] }, "locked": { - "lastModified": 1764350888, - "narHash": "sha256-6Rp18zavTlnlZzcoLoBTJMBahL2FycVkw2rAEs3cQvo=", + "lastModified": 1764627417, + "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=", "owner": "nix-community", "repo": "disko", - "rev": "2055a08fd0e2fd41318279a5355eb8a161accf26", + "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3", "type": "github" }, "original": { @@ -1415,11 +1415,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1764611609, - "narHash": "sha256-yU9BNcP0oadUKupw0UKmO9BKDOVIg9NStdJosEbXf8U=", + "lastModified": 1764632834, + "narHash": "sha256-KbBASKZKUqFsw58rODQvYt+OVBVNsNJX8rx4VH4iveY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8c29968b3a942f2903f90797f9623737c215737c", + "rev": "d5fdfd55c2a43206af78a6c3094d7388a5690456", "type": "github" }, "original": { @@ -1662,11 +1662,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1764381008, - "narHash": "sha256-s+/BuhPPSJHpPRcylqfW+3UFyYsHjAhKdtPSxusYn0U=", + "lastModified": 1764627443, + "narHash": "sha256-tO2JO1NNvKswm4KsioIDvsSjCjRZKuJTrLQSVpGn5Fk=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "76bd7a85e78a9b8295782a9cf719ec3489d8eb55", + "rev": "0d27ef29128e39bce87738b1b053eec99c4d0c3a", "type": "gitlab" }, "original": {