diff --git a/.sops.yaml b/.sops.yaml index a4ce7d2..10d7d4c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -7,8 +7,6 @@ creation_rules: key_groups: - age: - *primary - - *loptland - - *nixberry - path_regex: secrets/secrets-loptland.yaml$ key_groups: diff --git a/flake.lock b/flake.lock index 4026973..c499aee 100644 --- a/flake.lock +++ b/flake.lock @@ -1415,11 +1415,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1764634416, - "narHash": "sha256-yajUMe5K+aMelTc9pSInKnH+6yFz2bN/bZLSTsXT8OQ=", + "lastModified": 1764632834, + "narHash": "sha256-KbBASKZKUqFsw58rODQvYt+OVBVNsNJX8rx4VH4iveY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c3385ea1e90c58755639bff061dfeeea9cbfba1c", + "rev": "d5fdfd55c2a43206af78a6c3094d7388a5690456", "type": "github" }, "original": { diff --git a/modules/base/system/nixdaemon.nix b/modules/base/system/nixdaemon.nix index de8e71a..7989f60 100644 --- a/modules/base/system/nixdaemon.nix +++ b/modules/base/system/nixdaemon.nix @@ -40,8 +40,7 @@ "root" username ] - ++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner" - ++ lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator"; + ++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner"; in { nix-path = "nixpkgs=flake:nixpkgs"; diff --git a/modules/hosts/loptland/default.nix b/modules/hosts/loptland/default.nix index 43d7925..2681840 100644 --- a/modules/hosts/loptland/default.nix +++ b/modules/hosts/loptland/default.nix @@ -79,7 +79,7 @@ topLevel: { "hydra/remotebuild/private-key" = { inherit sopsFile; owner = config.systemd.services.hydra-queue-runner.serviceConfig.User; - mode = "0400"; + mode = "4000"; }; }; diff --git a/modules/server/factorio-server.nix b/modules/server/factorio-server.nix index a68a0d7..4ae7fdc 100644 --- a/modules/server/factorio-server.nix +++ b/modules/server/factorio-server.nix 
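Review bot: The first creation rule keeps only `*primary` in its age key group after `*loptland` and `*nixberry` are dropped; its `path_regex` sits above the hunk, so the effect cannot be fully read here. If that regex matches the `secrets/secrets.yaml` this commit deletes, the rule is dead and should be removed together with the file rather than left with a single recipient. If it matches a file that still exists, that file needs a `sops updatekeys` pass so the removed host keys stop being recipients; no re-encryption of a surviving file is visible in this diff.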
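Review bot: The hydra service users (`hydra`, `hydra-www`, `hydra-evaluator`) are dropped from this user list unconditionally, while `modules/hosts/loptland/default.nix` in the same commit still declares a secret owned by `hydra-queue-runner`, which suggests Hydra remains deployed. If this list feeds `trusted-users` or `allowed-users`, those daemons lose the access the removed guarded line granted; if the removal is deliberate because Hydra is going away, a note such as `# hydra users dropped: remote-build setup removed` would make that visible. Should the entry be kept, `++ lib.optionals config.services.hydra.enable [ "hydra" "hydra-www" "hydra-evaluator" ]` yields three list elements instead of one space-joined string. The enclosing `let` binding starts above the hunk.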
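Review bot: `mode = "4000";` on `hydra/remotebuild/private-key` is not a read-only mode: in chmod's octal form it sets only the setuid bit and clears every permission bit, so the `hydra-queue-runner` owner can no longer open the decrypted key. This reads as a digit transposition of the previous value; the line should remain `mode = "0400";`. The same change appears in `modules/server/factorio-server.nix` (`mode = "4000";` on the server-settings template read by the `factorio` user) and should likewise stay `0400`.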
@@ -35,7 +35,7 @@ "token": "${config.sops.placeholder."factorio/token"}" } ''; - mode = "0400"; + mode = "4000"; owner = "factorio"; group = "factorio"; }; diff --git a/modules/server/hydra.nix b/modules/server/hydra.nix index a2d2a02..73495fd 100644 --- a/modules/server/hydra.nix +++ b/modules/server/hydra.nix @@ -1,18 +1,8 @@ { flake.modules.nixos.hydra = - { config, pkgs, ... }: + { ... }: let httpPort = 2000; - - remotebuild-ssh-config = pkgs.writeTextFile { - name = "remotebuild-ssh-config"; - text = '' - Host nixberry - IdentitiesOnly yes - IdentityFile ${config.sops.secrets."hydra/remotebuild/private-key".path} - User remotebuild - ''; - }; in { services.nix-serve = { @@ -28,27 +18,5 @@ useSubstitutes = true; }; - systemd = - let - user = "hydra-queue-runner"; - in - { - tmpfiles.rules = [ - "d ${config.users.users.${user}.home}/.ssh 0700 ${user} ${user} -" - ]; - - services.hydra-queue-runner = { - - serviceConfig.ExecStartPre = - let - targetFile = "${config.users.users.${user}.home}/.ssh/config"; - in - '' - ${pkgs.coreutils}/bin/ln -sf ${remotebuild-ssh-config} ${targetFile} - ${pkgs.coreutils}/bin/chown ${user}:${user} ${targetFile} - ''; - }; - }; - }; } diff --git a/modules/users/cholli/default.nix b/modules/users/cholli/default.nix index 0e01d63..323184b 100644 --- a/modules/users/cholli/default.nix +++ b/modules/users/cholli/default.nix @@ -1,4 +1,8 @@ -topLevel: { +{ + config, + ... +}: +{ flake = { meta.users = { cholli = { @@ -18,13 +22,12 @@ topLevel: { modules = { nixos.cholli = - { config, pkgs, ... }: + { pkgs, ... }: { programs.fish.enable = true; - sops.secrets.passwordHash.neededForUsers = true; users.users.cholli = { - description = topLevel.config.flake.meta.users.cholli.name; + description = config.flake.meta.users.cholli.name; isNormalUser = true; createHome = true; extraGroups = [ 
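Review bot: Removing `remotebuild-ssh-config` and its `IdentityFile` reference leaves `sops.secrets."hydra/remotebuild/private-key"` in `modules/hosts/loptland/default.nix` (touched in this same commit) with no consumer, so the remote-build private key is still decrypted onto the host for nothing. Either drop that secret declaration along with this block or keep the SSH config wiring; an unused private key on disk is exposure without benefit. The second hunk in this file removes the matching `tmpfiles.rules` and `ExecStartPre` wiring and carries the same point.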
@@ -36,12 +39,13 @@ topLevel: { "wheel" ]; shell = pkgs.fish; - hashedPasswordFile = config.sops.secrets.passwordHash.path; + # TODO: fix this with sops + initialPassword = "asdf"; - openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys; + openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys; }; - nix.settings.trusted-users = [ topLevel.config.flake.meta.users.cholli.username ]; + nix.settings.trusted-users = [ config.flake.meta.users.cholli.username ]; }; diff --git a/modules/users/root/default.nix b/modules/users/root/default.nix index d092718..99696b7 100644 --- a/modules/users/root/default.nix +++ b/modules/users/root/default.nix @@ -1,15 +1,18 @@ -topLevel: { +{ + config, + ... +}: +{ flake = { modules.nixos.root = - { config, pkgs, ... }: + { pkgs, ... }: { programs.fish.enable = true; - sops.secrets.passwordHash.neededForUsers = true; users.users.root = { shell = pkgs.fish; - openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys; - hashedPasswordFile = config.sops.secrets.passwordHash.path; + openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys; + initialPassword = "asdf1234"; }; }; }; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml deleted file mode 100644 index e81ca84..0000000 --- a/secrets/secrets.yaml +++ /dev/null 
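Review bot: `initialPassword = "asdf";` commits a plaintext password for a `wheel` member — and a Nix trusted user, per the `trusted-users` line below — to the repository and to the world-readable Nix store; the root module in this commit does the same with `initialPassword = "asdf1234";`. If an interim value is unavoidable while the sops wiring is reworked, `initialHashedPassword` with a pre-hashed value avoids committing the cleartext, and the TODO should say the value must be rotated before the hosts are reachable. Note also that with the default `users.mutableUsers = true`, `initialPassword` applies only when the account is first created, so on an already-deployed host the password previously set via `hashedPasswordFile` may silently remain in effect rather than being replaced — worth confirming which state is intended. The enclosing `users.users.cholli` attribute set starts above the hunk.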
@@ -1,36 +0,0 @@ -passwordHash: ENC[AES256_GCM,data:T1rPJ5PhicrB54KxuTF2VT9i54uOngZnp1dS1xE/2qiuVUNUmYDrtryCk3nupJx9IVf0XqymQ3ut9A6YD1NjGvCBN+Klk2aevA==,iv:u9tpn9VAwn4yrChxICV6KgHFnvV5rpwKq6WWBjwntEk=,tag:sU9GebazI7gNuLSNO4Sjww==,type:str] -remotebuild: - private-key: ENC[AES256_GCM,data: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,iv:mlYWlmFT0Ybmn26Spqri5E9zRkrBweV6bWvvByLnIvs=,tag:tdB7dw+GMnr5/8fXoem10w==,type:str] -sops: - age: - - recipient: age1pc92kl38mfr0j68dxww7tpzvqp3lpw6lwfylj6hn2k3rf4rddgtsjxdx47 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcXozOHRMMkpwR1Q2K1pW - L01QSzduUTRjZ3haZjMvaGJOQW0zaytadWdNCnkxa0VXWFdwMjRaTkJoalVDZUgw - OFdnMjRIU1pmek12OXkyUkR1a1BVUzgKLS0tIGZpM1Era3RHWDQ3ek9ZOEpIWmxo - QVBvT1RZUGlMNnM0cTNMaGI4aW9ES28KVoBcR+oDhu3oT3Gbau+0mkFOQujjSdWg - Ytyo6vhJPQU0tyWUkAC1BHmKmfmiV4qjQEVIZRD+8gl4Tw2v8kwSTw== - -----END AGE ENCRYPTED FILE----- - - recipient: age13xshg5e6ucvnu3vqgn344mxpk5kcqutv2lf4gdffvwadq0ku5ewqy4cck6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneGlDK2xRVkxzRzd4emZC - djI3MkY4NndLZjZjZkFiaDk2TU55SEtTM1c4CkVQTms4WVJWZ2ZjMTI4d1ZmT0FS - M2ZLZ1NiZGdWL0VyZXdEK1BrV3VBRG8KLS0tIEdWQnR4bHhxN1d0VDg0VUlScnZL - U1F5aXZVd1lvVFVJOFBBSGFLM2U1aXcK8tKAdnvtPIer6XUsm3Ls+raMTUYAhFDz - PEJtm1X3j/UI4+xdGC6V60KQA4uUl/hSzAY6NDkKVsDW3AHv/whW1Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age1mje6kvzzxl6slgpj4rtvmzz3dej3kdq9v85uu69xjcqy6947de6sue05z9 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrK2FaOTI1djRhTjdxNWJJ - SG9lSGM4MEdvUkpoN1dBTHhHVk9nU1V5RHlZCnlxTitGZ3J0cU95L3RXcGJadzda - V0hTdnRpQmxDVUVWbk13M0FET1NHYTAKLS0tIHBjcTVTMHNWcW5naWNXQmJyKzlC - QUFsdmlYay9lLzF2YWJHVUlBOUhDaHcKKXKuk3ki8WYSrg2YVtaB4PliR/LFy390 - gvCdS/LwqBJlDAwwtOoml7gtgPmn4bACO3z8XnrLfpctDdYgDkqcgQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-01T23:30:01Z" - mac: 
ENC[AES256_GCM,data:XSGqMKs3XVupy2wf5E1M8eFVwXlkQndY6Gw2aYV/tJ7WhKX3ToYHqDujUjCKE5S2dPZjT0i9wJD//LcC3lPAEbKlyCExBhHxuQjT44GuRyORNiT+ET5bLL0ilrG3U+DxvYCjFkhIZpTPZHG7E6lC2ch5DHyVCSsl/pjZ+/ZrA4Q=,iv:ZHsE8r4a2XkZS7nvvWF024/Xpv42C04M7D22z2LYgwk=,tag:XOm5TCvivijISw3+ItBvKA==,type:str] - unencrypted_suffix: _unencrypted - version: 3.11.0