chore: update flake

security: start setting permissions on secrets properly
2025-12-02 01:00:38 +01:00 · 2025-12-01 23:53:27 +01:00
6 changed files with 52 additions and 43 deletions
--- a/flake.lock
+++ b/flake.lock
@ -146,11 +146,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764350888,
-        "narHash": "sha256-6Rp18zavTlnlZzcoLoBTJMBahL2FycVkw2rAEs3cQvo=",
+        "lastModified": 1764627417,
+        "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "2055a08fd0e2fd41318279a5355eb8a161accf26",
+        "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3",
        "type": "github"
      },
      "original": {
@ -1102,16 +1102,17 @@
        ]
      },
      "locked": {
-        "lastModified": 1764601009,
-        "narHash": "sha256-HjJyqKbxBoTM8QYo+Rw8htqXI/lVvgfieKiET20jscM=",
+        "lastModified": 1764618171,
+        "narHash": "sha256-+rEb55Uuz5GEwJXf9nWwNTDvWjDCGTzux68wgnnZLO8=",
        "owner": "nix-community",
        "repo": "nh",
-        "rev": "1e09253fabb56ce3b14a89f18685b7b0d4ffd200",
+        "rev": "f1d08030e1ca3829fa26f9bc720119b62f5b09f0",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nh",
+        "rev": "f1d08030e1ca3829fa26f9bc720119b62f5b09f0",
        "type": "github"
      }
    },
@ -1414,11 +1415,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1764611609,
-        "narHash": "sha256-yU9BNcP0oadUKupw0UKmO9BKDOVIg9NStdJosEbXf8U=",
+        "lastModified": 1764632834,
+        "narHash": "sha256-KbBASKZKUqFsw58rODQvYt+OVBVNsNJX8rx4VH4iveY=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "8c29968b3a942f2903f90797f9623737c215737c",
+        "rev": "d5fdfd55c2a43206af78a6c3094d7388a5690456",
        "type": "github"
      },
      "original": {
@ -1661,11 +1662,11 @@
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
-        "lastModified": 1764381008,
-        "narHash": "sha256-s+/BuhPPSJHpPRcylqfW+3UFyYsHjAhKdtPSxusYn0U=",
+        "lastModified": 1764627443,
+        "narHash": "sha256-tO2JO1NNvKswm4KsioIDvsSjCjRZKuJTrLQSVpGn5Fk=",
        "owner": "simple-nixos-mailserver",
        "repo": "nixos-mailserver",
-        "rev": "76bd7a85e78a9b8295782a9cf719ec3489d8eb55",
+        "rev": "0d27ef29128e39bce87738b1b053eec99c4d0c3a",
        "type": "gitlab"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -31,7 +31,7 @@
    };

    nh-flake = {
-      url = "github:nix-community/nh";
+      url = "github:nix-community/nh/f1d08030e1ca3829fa26f9bc720119b62f5b09f0";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };

--- a/modules/base/system/nixdaemon.nix
+++ b/modules/base/system/nixdaemon.nix
@ -40,8 +40,7 @@
              "root"
              username
            ]
-            ++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner"
-            ++ lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator hydra-queue-runner";
+            ++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner";
          in
          {
            nix-path = "nixpkgs=flake:nixpkgs";
--- a/modules/hosts/loptland/default.nix
+++ b/modules/hosts/loptland/default.nix
@ -1,12 +1,7 @@
-{
-  config,
-  ...
-}:
-let
-in
-{
+topLevel: {
  flake.modules.nixos."hosts/loptland" =
    {
+      config,
      inputs,
      lib,
      pkgs,
@ -25,7 +20,7 @@ in
      environment.systemPackages = [ pkgs.dconf ];

      imports =
-        with config.flake.modules.nixos;
+        with topLevel.config.flake.modules.nixos;
        [
          (modulesPath + "/profiles/qemu-guest.nix")
          inputs.catppuccin.nixosModules.catppuccin
@ -50,7 +45,7 @@ in
        ++ [
          {
            home-manager.users.cholli = {
-              imports = with config.flake.modules.homeManager; [
+              imports = with topLevel.config.flake.modules.homeManager; [
                inputs.catppuccin.homeModules.catppuccin

                # components
@ -80,6 +75,14 @@ in
        443
      ];

+      sops.secrets = {
+        "hydra/remotebuild/private-key" = {
+          inherit sopsFile;
+          owner = config.systemd.services.hydra-queue-runner.serviceConfig.User;
+          mode = "4000";
+        };
+      };
+
      nix = {
        distributedBuilds = true;

@ -103,7 +106,7 @@ in
          {
            hostName = "nixberry";
            sshUser = "remotebuild";
-            sshKey = "/root/.ssh/remotebuild";
+            sshKey = config.sops.secrets."hydra/remotebuild/private-key".path;
            systems = [ "aarch64-linux" ];
            protocol = "ssh";

--- a/modules/server/factorio-server.nix
+++ b/modules/server/factorio-server.nix
@ -20,21 +20,25 @@
            inherit sopsFile;
          };
        };
-        templates."extraSettingsFile.json".content = ''
-          {
-            "name": "Pyanodons Holli",
-            "description": "Trying to run a factorio-headless-server on my nix system",
-            "tags": ["vanilla"],
-            "max_players": 10,
-            "game_password": "${config.sops.placeholder."factorio/game_password"}",
-            "allow_commands": "admins-only",
-            "autosave_slots": 5,
-            "ignore_player_limit_for_returning_players": true,
-            "username" : "${config.sops.placeholder."factorio/username"}",
-            "token": "${config.sops.placeholder."factorio/token"}"
-          }
-        '';
-        templates."extraSettingsFile.json".mode = "0444";
+        templates."extraSettingsFile.json" = {
+          content = ''
+            {
+              "name": "Pyanodons Holli",
+              "description": "Trying to run a factorio-headless-server on my nix system",
+              "tags": ["vanilla"],
+              "max_players": 10,
+              "game_password": "${config.sops.placeholder."factorio/game_password"}",
+              "allow_commands": "admins-only",
+              "autosave_slots": 5,
+              "ignore_player_limit_for_returning_players": true,
+              "username" : "${config.sops.placeholder."factorio/username"}",
+              "token": "${config.sops.placeholder."factorio/token"}"
+            }
+          '';
+          mode = "4000";
+          owner = "factorio";
+          group = "factorio";
+        };
      };

      systemd.tmpfiles.rules = [
--- a/secrets/secrets-loptland.yaml
+++ b/secrets/secrets-loptland.yaml
@ -18,6 +18,8 @@ netcup:
 hydra:
    cachix:
        token: ENC[AES256_GCM,data:FqlJMfw7d1VfWhC+vI4SEMWzzADXK/np33fCsihq3wgC6nWNeTurNn1vDRLIRH+s6iT1C8Ni8iAAlndfUS5SPH6Ymswix9KuJCvYc8Jy+c8pPchYePtMQfv3dVe5a1i06b8I5c+MX8V7j2kaCijYDirnhiD0qlc8SW/mIyB5RNpAgKPTzLjLKJNSUkTGOWUnww==,iv:H2yQ5ioBVnezmhGHbJ7sAlXvUb2MUmHpQpS7f+nIph4=,tag:qvqsbgf2Y/PAd3s9ZFuxWA==,type:str]
+    remotebuild:
+        private-key: ENC[AES256_GCM,data:FqdXFj4/leKNtNJ1H1sBnb/Gnso9soaLtdUToMsx3O6LAn2smdkFrguY9EESm+o1nIBWwc1S2cE/sfH8FR89NWbyfCDTsQLHRIIEYMS2kKLv7hqqdsmyQojW38TnUYtSo5W1V9pdmeYuotUrM7bPmW/Io/7/G/vW6LxtI7Mx1qT7OXnyEJVYsvY6TtJitWO0/jGUAGOyvu/+YhV4yRmArM2kjT+iYb8/dN0HpqCwo6aLvY7ctAA6ggESciuovEtUMv19y+RpMUaHxloziM3SFz/GjXekrqtPGDkCUusSChXuhzfmZDoz4dzNnkKn8HsmxzByzaTyNH9kCxzNV7vULTKi6/O4ny64FOk6pjymz2Yv6pK+pm3tP2wrPwynn3C1giwFCGn+2Nazixj4g4wd5iSFwNeAsDbLU0b3YN/NgQv0TeKGXR01Xgqvt06vtAnkpu8byPBUX5cz15kJckeztVHYCQyz6Uthk6NN+ScLok1z3I7Vn37KsF0Ka7k22aPMwXLLKkfEneavT41x1VNBq7Nedf9EFjjUG8S7,iv:mTlEphmcoFMv7dxIeSpsi77e3CJULcXxcOF1Nq66mUM=,tag:K2aGpaw2xeEj8537kB/cGA==,type:str]
 sops:
    age:
        - recipient: age1pc92kl38mfr0j68dxww7tpzvqp3lpw6lwfylj6hn2k3rf4rddgtsjxdx47
@ -38,7 +40,7 @@ sops:
            czdSTjNGSEpURlZEUTlIaUtGQUk5cW8KvylMTgtmHNvGnN7DonAsYQZB31mVli75
            3OTN+mOetq2YNxh/Se7vqzwbZnshfTDk9nJi9bKZQhBt2nYR8eLRkg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-30T16:13:29Z"
-    mac: ENC[AES256_GCM,data:KBJJJc30KARd79w7iTZ4DPwpgcZGTf3oE85xVO//KX8uq/rPPWuXBSwDGcIKlWGVpwiNbCqVvoH3DhKxJfKnuGKadK96xjv3KyIR2H8KMvhTQDXodt61ZyNERDEpa1HcuOemYpAe8W1cUzJkm1wxNublNYBdKz1kQKMQ43tgalk=,iv:wr+nqXKB5wW4VgIr1z61f+LXsw76mMs4kFAOYAkV+tk=,tag:m8uLg6HQhIL1oN1pWQoTAg==,type:str]
+    lastmodified: "2025-12-01T21:50:41Z"
+    mac: ENC[AES256_GCM,data:rtICn+ljt414EWhSmVqM3IttqBx07a+m0MHEADNQ7s3USSfq3oEXqfoA1Nt6nIF/ZjNYeebNW9hiiJcZw/Hh749p3Fdu64w63MUTwsBciT651DwNNHJHVGwELaU72nI8amtVln+Ka0VD58/cM0V4mcw+eNvfUS+ykUVZAqmOiHo=,iv:IlgqHdb1gtajBfWogN6EgZ1V6h7ToTR1cArP8jEYocg=,tag:bagJOpWoMSvsgmKT/LsAJg==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0
Author	SHA1	Message	Date
forgjo-actions[bot]	a86a50f6c1	chore: update flake	2025-12-02 01:00:38 +01:00
Christoph Hollizeck	2adc358dec	security: start setting permissions on secrets properly	2025-12-01 23:53:27 +01:00