Daholli/nixos-config
1
0
Fork 0
Code Issues 5 Pull requests Actions Packages Releases Activity

Compare commits

base: Daholli:519824fb96474a99d048ea0ac1d2747ea15ad036
Branches Tags
Daholli:main
..
compare: Daholli:0fc0a6bdd203573bfa3260c29c0e1eefe79f4c63
Branches Tags
Daholli:main

No commits in common. "519824fb96474a99d048ea0ac1d2747ea15ad036" and "0fc0a6bdd203573bfa3260c29c0e1eefe79f4c63" have entirely different histories.
519824fb96 ... 0fc0a6bdd2

9 changed files with 39 additions and 57 deletions
Show stats Expand all files Collapse all files

1
.envrc
View file

@ -1 +0,0 @@
export SOPS_AGE_KEY=$(ssh-to-age -i ~/.ssh/id_ed25519 -private-key)

4
.sops.yaml
View file

@ -1,7 +1,5 @@
keys: keys:
- &primary age1amdd4hu6k0czf3mtlhd03yj3yzkdaynl7q5fdlqmjzpe9pwgxfjs3j0c85 - &primary age1amdd4hu6k0czf3mtlhd03yj3yzkdaynl7q5fdlqmjzpe9pwgxfjs3j0c85
- &yggdrasil age1xxv54tzxz6n4cp4undmejl2lyd7k7s3yh9q0z6ed83evfuz6asqsqhaduv
- &loptland age13xshg5e6ucvnu3vqgn344mxpk5kcqutv2lf4gdffvwadq0ku5ewqy4cck6
creation_rules: creation_rules:
- path_regex: secrets/secrets.yaml$ - path_regex: secrets/secrets.yaml$
key_groups: key_groups:
@ -12,10 +10,8 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *primary - *primary
- *yggdrasil
- path_regex: secrets/secrets-loptland.yaml$ - path_regex: secrets/secrets-loptland.yaml$
key_groups: key_groups:
- age: - age:
- *primary - *primary
- *loptland

8
flake.lock
View file

@ -816,17 +816,17 @@
}, },
"nixpkgs-latest-factorio": { "nixpkgs-latest-factorio": {
"locked": { "locked": {
"lastModified": 1731242709, "lastModified": 1730638571,
"narHash": "sha256-zGhhtd4U3AxjA5dqzbHhD10q74Ychyu5mNGI7ic+Yng=", "narHash": "sha256-z9Wy1jmhFrABK3cEyiVmQtUwOuQW1YPwA8+HMnbEpnE=",
"owner": "Daholli", "owner": "Daholli",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2adc4d1f11c5abcf654ed50c2cbce897c6e78ccc", "rev": "d941e9aa2d89f377d45516c5edd765fef15ea90a",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "Daholli", "owner": "Daholli",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2adc4d1f11c5abcf654ed50c2cbce897c6e78ccc", "rev": "d941e9aa2d89f377d45516c5edd765fef15ea90a",
"type": "github" "type": "github"
} }
}, },

2
flake.nix
View file

@ -7,7 +7,7 @@
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-master.url = "github:nixos/nixpkgs/master"; nixpkgs-master.url = "github:nixos/nixpkgs/master";
nixpkgs-latest-factorio.url = "github:Daholli/nixpkgs/2adc4d1f11c5abcf654ed50c2cbce897c6e78ccc"; nixpkgs-latest-factorio.url = "github:Daholli/nixpkgs/d941e9aa2d89f377d45516c5edd765fef15ea90a";
home-manager = { home-manager = {
url = "github:nix-community/home-manager/master"; url = "github:nix-community/home-manager/master";

12
modules/nixos/security/acme/default.nix
View file

@ -26,15 +26,15 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
sops = { sops = {
secrets = { secrets = {
"netcup/customer_number" = { netcup_customer_number = {
inherit (cfg) sopsFile; inherit (cfg) sopsFile;
}; };
"netcup/api/key" = { netcup_api_key = {
inherit (cfg) sopsFile; inherit (cfg) sopsFile;
}; };
"netcup/api/password" = { netcup_api_password = {
inherit (cfg) sopsFile; inherit (cfg) sopsFile;
}; };
}; };
@ -42,9 +42,9 @@ in
templates = { templates = {
"netcup.env" = { "netcup.env" = {
content = '' content = ''
NETCUP_CUSTOMER_NUMBER=${config.sops.placeholder."netcup/customer_number"} NETCUP_CUSTOMER_NUMBER=${config.sops.placeholder.netcup_customer_number}
NETCUP_API_KEY=${config.sops.placeholder."netcup/api/key"} NETCUP_API_KEY=${config.sops.placeholder.netcup_api_key}
NETCUP_API_PASSWORD=${config.sops.placeholder."netcup/api/password"} NETCUP_API_PASSWORD=${config.sops.placeholder.netcup_api_password}
NETCUP_PROPAGATION_TIMEOUT=1200 NETCUP_PROPAGATION_TIMEOUT=1200
''; '';
}; };

4
modules/nixos/security/sops/default.nix
View file

@ -19,15 +19,13 @@ in
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
sops sops
age age
ssh-to-age
]; ];
sops = { sops = {
defaultSopsFile = lib.snowfall.fs.get-file "secrets/secrets.yaml"; defaultSopsFile = lib.snowfall.fs.get-file "secrets/secrets.yaml";
defaultSopsFormat = "yaml"; defaultSopsFormat = "yaml";
# age.keyFile = "/home/cholli/.config/sops/age/keys.txt"; age.keyFile = "/home/cholli/.config/sops/age/keys.txt";
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}; };
}; };
} }

12
modules/nixos/services/factorio-server/default.nix
View file

@ -24,15 +24,15 @@ in
environment.systemPackages = [ pkgs.factorio-headless ]; environment.systemPackages = [ pkgs.factorio-headless ];
sops = { sops = {
secrets = { secrets = {
"factorio/token" = { factorio_token = {
restartUnits = [ "factorio.service" ]; restartUnits = [ "factorio.service" ];
inherit (cfg) sopsFile; inherit (cfg) sopsFile;
}; };
"factorio/username" = { factorio_username = {
restartUnits = [ "factorio.service" ]; restartUnits = [ "factorio.service" ];
inherit (cfg) sopsFile; inherit (cfg) sopsFile;
}; };
"factorio/game_password" = { factorio_game_password = {
restartUnits = [ "factorio.service" ]; restartUnits = [ "factorio.service" ];
inherit (cfg) sopsFile; inherit (cfg) sopsFile;
}; };
@ -43,12 +43,12 @@ in
"description": "Trying to run a factorio-headless-server on my nix system", "description": "Trying to run a factorio-headless-server on my nix system",
"tags": ["vanilla"], "tags": ["vanilla"],
"max_players": 10, "max_players": 10,
"game_password": "${config.sops.placeholder."factorio/game_password"}", "game_password": "${config.sops.placeholder.factorio_game_password}",
"allow_commands": "admins-only", "allow_commands": "admins-only",
"autosave_slots": 5, "autosave_slots": 5,
"ignore_player_limit_for_returning_players": true, "ignore_player_limit_for_returning_players": true,
"username" : "${config.sops.placeholder."factorio/username"}", "username" : "${config.sops.placeholder.factorio_username}",
"token": "${config.sops.placeholder."factorio/token"}" "token": "${config.sops.placeholder.factorio_token}"
} }
''; '';
templates."extraSettingsFile.json".mode = "0444"; templates."extraSettingsFile.json".mode = "0444";

45
secrets/secrets-loptland.yaml
View file

@ -1,15 +1,13 @@
factorio: #ENC[AES256_GCM,data:Cgp+gOU81+rvdlY=,iv:8DxJxnCslDoEu0bxtlTjmNiAUCdiAV/8VYKTb4yqQ50=,tag:ZTkK7WCOBh1It6GuKPUXdg==,type:comment]
username: ENC[AES256_GCM,data:aFRsUMsoaw==,iv:8EGn99WbgJxUyEKuOcwV6U8awOl7bDfmui+M3mDBoCg=,tag:BzMvGS3lfTsXToI/I5dguQ==,type:str] factorio_username: ENC[AES256_GCM,data:egV5kXtAiw==,iv:Hay0PC2yol5FAJGcWxLkxzNdwpD1V4UfDDnkhsjvjVQ=,tag:QBDS6eAeOswQoHBoi4Gj6A==,type:str]
token: ENC[AES256_GCM,data:WP6FTOBOBuNF6+pzi090wXsXpL2XsU34dQ2ZMzmw,iv:uKM4hLyx3vdyk9F0SyKu4x+2sl442GWXwEKbdgo/Dug=,tag:Xw3BJ7wxuft6hOG9cGtW0g==,type:str] factorio_token: ENC[AES256_GCM,data:whruEJQCNIqqfMA0A3yQdwwrzpIJBt815Lvex4Au,iv:hh3zZt+UxV9ltSHIAjpTRwtDvPgPU5APrB/1bXtKUkE=,tag:AgUmBYWp+Oyxm8O7yD8vlA==,type:str]
game_password: ENC[AES256_GCM,data:GtLNoCdQH1M=,iv:dxOMtXscLeMdsQxWjNgrIMb08vL2wAswvd1oM6pEWPA=,tag:a55ciDtw9mjLM9x5YQBTwQ==,type:str] factorio_game_password: ENC[AES256_GCM,data:Gu/p0+Sbd6Y=,iv:6AB1T3JdleiUnusU7hw/0wOFNSBsAsBgP2yD9FB7zXk=,tag:DMgD4csthynuBon+KNZtOw==,type:str]
forgejo: #ENC[AES256_GCM,data:15i2BBxM4iM=,iv:JV6Lsk8jUZl/eIJWkH/w5I2NraB9J9+0ggsENBGgbdI=,tag:HDwGheUv7dFIztQoJBjGmQ==,type:comment]
db: forgejo_db_password: ENC[AES256_GCM,data:CFsvko1AXRymDBC6WiOBs98rvFM=,iv:Wemhu8URxA6HsWQyYcPSwJzuMP4myrDC3rU3GEDVt7c=,tag:6wcNlDFVdnjez8hzi4E2cw==,type:str]
password: ENC[AES256_GCM,data:CicLsCG2WCtiKMcz3DF5eVVaT8A=,iv:SPO1H4AZwo5FjJWkf1OS7aPOrpTGxqsAj4q3cuuWAbA=,tag:0snK8RyAd8heNvui2sbSNw==,type:str] #ENC[AES256_GCM,data:nQnLBl7v,iv:HORr/Uvw4eUXfW5uS6rWr+6FkFF9bTNpMYGaRpVITRY=,tag:/r4n/xpqp7EPecGxDj4N+w==,type:comment]
netcup: netcup_customer_number: ENC[AES256_GCM,data:pRooJa3O,iv:0U/ONcWa2eqcsT1UpgXmLpAvJndaU8zln2g1HMbBQYE=,tag:+pu8EBl/dnm6DoLAtrjZBQ==,type:str]
customer_number: ENC[AES256_GCM,data:9+QboNg1,iv:Tg9ylJUM8L/kzqFmk2uIsD9noqnp5wIxr5GVXMsZwB8=,tag:2qRggSIkPHuCQYDWCfka5Q==,type:str] netcup_api_key: ENC[AES256_GCM,data:nlkDz1VV2NIXxv/tIROWDHN9DLI0lVq9n9l2FlDwt+3H4G4gg6yCeZjGtR+pTCNfwio=,iv:x8HLL10ww52UJDkz7Yi02KBg7jbuLFHAlG0iMYDd8hk=,tag:pcuka4/Hu/QFIwS0b8GlxQ==,type:str]
api: netcup_api_password: ENC[AES256_GCM,data:k2mdQp57x5ZTypRCHbVlq1fembJ0uj5D0rb72K5rac43p888y3TFyiYVuDTosxR66mo=,iv:0OhtKWD/LWeV5ZWN9fbPozebSxvaFRdSn1AkX97ffAM=,tag:uY6A4jBL/9mtGy7++Yvn0A==,type:str]
key: ENC[AES256_GCM,data:eYTKtJSSXmZfkRjlj65OHi99mpD3Iom8dPc8v34pwJIQSBbxVaqdgb7Gqzhse1c9L+U=,iv:9gmsBwlJ+NQIGY5NBA6Fi/1EQium2pcfQkF7x/fHyFU=,tag:v25eeqT6/WEMG9za7LVWAg==,type:str]
password: ENC[AES256_GCM,data:VTW4XGDg19AbE4EM6kS0u89Sz6718vHXvZZmQlkhGJe/4/LQJHmF1FetAClxkLZ9Za0=,iv:sWHvjHEsMXBbtFmkEdAOeSlQ6VTabRJ28kH3iP3GDaY=,tag:5k6NXFXwXHorUGKe+sAbbg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -19,23 +17,14 @@ sops:
- recipient: age1amdd4hu6k0czf3mtlhd03yj3yzkdaynl7q5fdlqmjzpe9pwgxfjs3j0c85 - recipient: age1amdd4hu6k0czf3mtlhd03yj3yzkdaynl7q5fdlqmjzpe9pwgxfjs3j0c85
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBleDhiRlplSndCcUhaMXV3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3NFlTd2hOTHBtUDhuT0lF
ZUR5QXVyemQ2VlhaQ1JjampwaWV5emhnVGt3ClBWRlJJbmx4cldDWmI3cUd2M0Z5 amtLclY2ZTN0SStZQjFSNkZUd1RmMkdJZ0dJCnB2WU04dk41Qk45aGphMW9GQVJ4
YTl5ODVTbmZjM2UxQkhGZ3hvRWVqWmMKLS0tIFlDZXJTQi9wTGxRWElvcDRPVStj b2VWQVlOVFFLaGJWaU9FVU5ZUWtlRncKLS0tIGVPYW5DQnJMeW1qdWtINDNlQWFo
MGV3VDBEMWkxNkV4TGV6dTFWaDhLWXMKg2Xt5PJe7etU1yp+IgnwTnLl7AXaN1MA NmhrdXhpbVlmUFNsT1VaQjZyYkZkdzgKhL2BKXfPWNWUbFavpmtBQpnNEm/x0xH6
5RymeKYjdNipJtxSNxzTjkNpENtHyXLcjVEBTH3IjGujtyGPMpk3eg== NsjiV05AcrqPmGjj2kjvTv4ULPSoHiHiC5McUMfFTYIrCJgNvUbmMg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age13xshg5e6ucvnu3vqgn344mxpk5kcqutv2lf4gdffvwadq0ku5ewqy4cck6 lastmodified: "2024-11-07T14:40:34Z"
enc: | mac: ENC[AES256_GCM,data:uk2AeOA9pnhekuofIjXavCGy9ZaO0ObprkvnGhJg5lPr/hyT9l7YcZtMQ7wckKDLS03I1hCAcNg0w/EmSUeU2+EHLb6Z1IUj3l0HBUPtPIJwJZifkrzp9iQwGwlK+i6nfREEgPGeuNMj/rnD67MECO4NRHTzGBzH7ZImoDpu0Us=,iv:ss8Q7i75UOQDMJfw4dQCT0qxPUGwfHizX0c/TUej+vc=,tag:iufeO6sfaToNcJg6E8tuxA==,type:str]
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArRTBLR09YS0tuM212a25G
cWV5bnR5ZytjQWIvd2txSmdEWjExeWRSbTNvClQwMjc4VnhtdnpKQmQ3Z0JOTEFW
OEtEZ0h2bDlPb3UrNTZFVFdCajdzSGcKLS0tIG16UFNqRVpWOHJNTE03TkFTUDF1
UllqSDR1YWl6aU1jSnY2WE9oczg5Q28KfN15tFxXHrJmOHySK+cyLi2bFqArg244
bNTYyuBUtBW1Y/EuNpbyLjSNQpKZWFz7grE64uxrNQHP865N3wv0gg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-12T14:29:12Z"
mac: ENC[AES256_GCM,data:lKx1qAe689wkWkrMRvqHpE0zmv+ShLwpApBw2C4+JEuuHnoN1W7aoB/GQRkWzmImCCy9odzM2yoUa0mJogl0i+bddblrl+ZS0uPmPQrm3pM0sl876pelogxKuNpQWS8PRNDe24z3m06f0TozhfPF9D2ywH30tFH8naZONfWTTUU=,iv:tDhJVlWnTHnjZak32pgnUZ8XtM6TK9o2gZ0X3tcQD4Q=,tag:PcMS/5DpEkDkk+U0GG918w==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.1

8
systems/x86_64-linux/loptland/default.nix
View file

@ -23,7 +23,7 @@ in
sops = { sops = {
secrets = { secrets = {
"forgejo/db/password" = { forgejo_db_password = {
inherit sopsFile; inherit sopsFile;
}; };
}; };
@ -71,7 +71,7 @@ in
database.type = "postgres"; database.type = "postgres";
lfs.enable = true; lfs.enable = true;
database = { database = {
passwordFile = config.sops.secrets."forgejo/db/password".path; passwordFile = config.sops.secrets.forgejo_db_password.path;
}; };
settings = { settings = {
@ -111,8 +111,8 @@ in
}; };
user.trustedPublicKeys = [ user.trustedPublicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHFrDiO5+vMfD5MimkzN32iw3MnSMLZ0mHvOrHVVmLD0" # yggdrasil "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHFrDiO5+vMfD5MimkzN32iw3MnSMLZ0mHvOrHVVmLD0"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII4Pr7p0jizrvIl0UhcvrmL5SHRQQQWIcHLAnRFyUZS6" # Phone "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII4Pr7p0jizrvIl0UhcvrmL5SHRQQQWIcHLAnRFyUZS6"
]; ];
}; };