diff --git a/.sops.yaml b/.sops.yaml index 10d7d4c..a4ce7d2 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -7,6 +7,8 @@ creation_rules: key_groups: - age: - *primary + - *loptland + - *nixberry - path_regex: secrets/secrets-loptland.yaml$ key_groups: diff --git a/flake.lock b/flake.lock index c499aee..4026973 100644 --- a/flake.lock +++ b/flake.lock @@ -1415,11 +1415,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1764632834, - "narHash": "sha256-KbBASKZKUqFsw58rODQvYt+OVBVNsNJX8rx4VH4iveY=", + "lastModified": 1764634416, + "narHash": "sha256-yajUMe5K+aMelTc9pSInKnH+6yFz2bN/bZLSTsXT8OQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d5fdfd55c2a43206af78a6c3094d7388a5690456", + "rev": "c3385ea1e90c58755639bff061dfeeea9cbfba1c", "type": "github" }, "original": { diff --git a/modules/base/system/nixdaemon.nix b/modules/base/system/nixdaemon.nix index 7989f60..de8e71a 100644 --- a/modules/base/system/nixdaemon.nix +++ b/modules/base/system/nixdaemon.nix @@ -40,7 +40,8 @@ "root" username ] - ++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner"; + ++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner" + ++ lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator"; in { nix-path = "nixpkgs=flake:nixpkgs"; diff --git a/modules/hosts/loptland/default.nix b/modules/hosts/loptland/default.nix index 2681840..43d7925 100644 --- a/modules/hosts/loptland/default.nix +++ b/modules/hosts/loptland/default.nix @@ -79,7 +79,7 @@ topLevel: { "hydra/remotebuild/private-key" = { inherit sopsFile; owner = config.systemd.services.hydra-queue-runner.serviceConfig.User; - mode = "4000"; + mode = "0400"; }; }; diff --git a/modules/server/factorio-server.nix b/modules/server/factorio-server.nix index 4ae7fdc..a68a0d7 100644 --- a/modules/server/factorio-server.nix +++ b/modules/server/factorio-server.nix 
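Review bot: Adding `*loptland` and `*nixberry` as recipients of this rule makes every secret in the matched file decryptable by both hosts, and going by the new secrets/secrets.yaml later in this diff that file carries a private key under `remotebuild.private-key` as well as `passwordHash`; a key that only one host uses is then readable by the other (the alias-to-host mapping is inferred from the anchor names). Consider keeping private keys in a host-scoped file, the way the `secrets/secrets-loptland.yaml` rule just below already does, and reserving the shared file for secrets every recipient genuinely needs. The rule's own `path_regex` line sits above the hunk, so I am inferring that it matches `secrets/secrets.yaml` from the three-recipient set in that file.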
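Review bot: `lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator"` appends a single list element holding three space-separated names rather than three elements, so it only behaves as intended if the list is later joined with spaces when nix.conf is rendered. Write it as `++ lib.optionals config.services.hydra.enable [ "hydra" "hydra-www" "hydra-evaluator" ];` so each user is its own element like the `"root"`, `username` and `"gitea-runner"` entries above it. If this list feeds `trusted-users` (the setting name is outside the hunk), a trusted user is effectively root on the Nix daemon, so granting it to the web-facing `hydra-www` user widens what a frontend compromise can do; I would confirm which of the three names actually needs trust rather than plain `allowed-users`. The `let` binding this extends starts before the hunk.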
@@ -35,7 +35,7 @@ "token": "${config.sops.placeholder."factorio/token"}" } ''; - mode = "4000"; + mode = "0400"; owner = "factorio"; group = "factorio"; }; diff --git a/modules/server/hydra.nix b/modules/server/hydra.nix index 73495fd..a2d2a02 100644 --- a/modules/server/hydra.nix +++ b/modules/server/hydra.nix @@ -1,8 +1,18 @@ { flake.modules.nixos.hydra = - { ... }: + { config, pkgs, ... }: let httpPort = 2000; + + remotebuild-ssh-config = pkgs.writeTextFile { + name = "remotebuild-ssh-config"; + text = '' + Host nixberry + IdentitiesOnly yes + IdentityFile ${config.sops.secrets."hydra/remotebuild/private-key".path} + User remotebuild + ''; + }; in { services.nix-serve = { @@ -18,5 +28,27 @@ useSubstitutes = true; }; + systemd = + let + user = "hydra-queue-runner"; + in + { + tmpfiles.rules = [ + "d ${config.users.users.${user}.home}/.ssh 0700 ${user} ${user} -" + ]; + + services.hydra-queue-runner = { + + serviceConfig.ExecStartPre = + let + targetFile = "${config.users.users.${user}.home}/.ssh/config"; + in + '' + ${pkgs.coreutils}/bin/ln -sf ${remotebuild-ssh-config} ${targetFile} + ${pkgs.coreutils}/bin/chown ${user}:${user} ${targetFile} + ''; + }; + }; + }; } diff --git a/modules/users/cholli/default.nix b/modules/users/cholli/default.nix index 323184b..0e01d63 100644 --- a/modules/users/cholli/default.nix +++ b/modules/users/cholli/default.nix @@ -1,8 +1,4 @@ -{ - config, - ... -}: -{ +topLevel: { flake = { meta.users = { cholli = { @@ -22,12 +18,13 @@ modules = { nixos.cholli = - { pkgs, ... }: + { config, pkgs, ... }: { programs.fish.enable = true; + sops.secrets.passwordHash.neededForUsers = true; users.users.cholli = { - description = config.flake.meta.users.cholli.name; + description = topLevel.config.flake.meta.users.cholli.name; isNormalUser = true; createHome = true; extraGroups = [ 
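Review bot: The generated `Host nixberry` block selects the identity but nothing pins the remote host key, and `hydra-queue-runner` connects non-interactively, so the first connection either fails on an unknown host key or, if someone later adds `StrictHostKeyChecking no` to make it work, silently accepts any host answering as nixberry. Declare the key at system level with `programs.ssh.knownHosts.nixberry.publicKey = "<nixberry host public key>";` (placeholder) so ssh verifies the builder independently of the per-user known_hosts file. Writing the config into the store is fine as it stands, since the text only references the secret's runtime path rather than its contents; whether a `HostName`/`Port` line is needed for `nixberry` to resolve is not visible here. The `let` opened in this hunk is closed by the `in` still inside it; the module body continues below.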
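Review bot: The `chown ${user}:${user} ${targetFile}` line in ExecStartPre follows the symlink that `ln -sf` just created and so attempts to change ownership of the store file itself, which will fail on a root-owned, read-only store and abort the unit unless the command is prefixed with `-` or runs as root; ssh accepts a root-owned config file that is not group- or world-writable, so the chown is not needed in the first place. As far as I can tell the multi-line `''…''` string is also emitted as a single `ExecStartPre=` value, which systemd reads as one command followed by an unparseable line; if ExecStartPre is kept it should be a list of two strings. The simpler fix is to drop ExecStartPre entirely and let tmpfiles place the link next to the directory rule: `"L+ ${config.users.users.${user}.home}/.ssh/config - - - - ${remotebuild-ssh-config}"`. The closing braces at the end of the hunk belong to the module body that begins in the previous hunk.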
@@ -39,13 +36,12 @@ "wheel" ]; shell = pkgs.fish; - # TODO: fix this with sops - initialPassword = "asdf"; + hashedPasswordFile = config.sops.secrets.passwordHash.path; - openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys; + openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys; }; - nix.settings.trusted-users = [ config.flake.meta.users.cholli.username ]; + nix.settings.trusted-users = [ topLevel.config.flake.meta.users.cholli.username ]; }; diff --git a/modules/users/root/default.nix b/modules/users/root/default.nix index 99696b7..d092718 100644 --- a/modules/users/root/default.nix +++ b/modules/users/root/default.nix @@ -1,18 +1,15 @@ -{ - config, - ... -}: -{ +topLevel: { flake = { modules.nixos.root = - { pkgs, ... }: + { config, pkgs, ... }: { programs.fish.enable = true; + sops.secrets.passwordHash.neededForUsers = true; users.users.root = { shell = pkgs.fish; - openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys; - initialPassword = "asdf1234"; + openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys; + hashedPasswordFile = config.sops.secrets.passwordHash.path; }; }; }; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml new file mode 100644 index 0000000..e81ca84 --- /dev/null +++ b/secrets/secrets.yaml 
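Review bot: `hashedPasswordFile = config.sops.secrets.passwordHash.path;` points cholli at the same `passwordHash` secret that modules/users/root/default.nix in this diff wires to root's `hashedPasswordFile`, so both accounts receive an identical hash and therefore the same password; one leaked or cracked hash unlocks both, and rotating either forces rotating the other. Give each account its own secret key (for example `cholli/passwordHash` and `root/passwordHash`, names constructed here) and reference those paths in the two modules. Replacing the plaintext `initialPassword` with a sops-managed hash is the right direction, and `neededForUsers` is already set on the secret in the preceding hunk. The `users.users.cholli` attrset this line belongs to begins above the hunk.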
@@ -0,0 +1,36 @@
+passwordHash: ENC[AES256_GCM,data:T1rPJ5PhicrB54KxuTF2VT9i54uOngZnp1dS1xE/2qiuVUNUmYDrtryCk3nupJx9IVf0XqymQ3ut9A6YD1NjGvCBN+Klk2aevA==,iv:u9tpn9VAwn4yrChxICV6KgHFnvV5rpwKq6WWBjwntEk=,tag:sU9GebazI7gNuLSNO4Sjww==,type:str]
+remotebuild:
+ private-key: ENC[AES256_GCM,data:kLF+Mo5EIS5mu8be0nDVRTAb7mzt6dtEL56aG4mV2BxLRcyUZXs7eCbj7j7sOpjqz0k8m+1lHAouvNjyzxANeH10/R3Fy3GZqeWtgJSOEQE3biZaD3dqz0e3Gv3ib/Y0yNYTafosCmn6CmPIsVfiE/dfS1oM2Ksrf/AQ3ufPKIdV0h+p5SK6LnhpBqxgIf7s3MFbBzR+iEgxn1jnmCLaoVqNXhO2tmQqgmRHyh2kHruFj9ZwUi6mWDBie7zX7qlOt/m9p5QN/v5KWn4CfMDWzMlSTYdjEd6lUlP8UC35MJafVT59ioF+ueqePhr4DyDR7d+Cg6Z/iNHWiSH1z17p4Rxt3D4IAverqcd1i8c92C8S4NJKvtWRyfMgZMB3/iG2ZqrLcJXlxrZZKZ9X5B+y5a0Ljb+Vg00V68ktFISt7vAsK79Qy/QjHCotXY0uugkeaGnxS1qhig5tmXdxD+OKk/cJt0kqYEyUFKVQf9unr6xaD2IuOkFKyp/fYhU5LfS0uiAt99ENrfNrIRdHAsUvgWW6Sq7qSVmjkLfU,iv:mlYWlmFT0Ybmn26Spqri5E9zRkrBweV6bWvvByLnIvs=,tag:tdB7dw+GMnr5/8fXoem10w==,type:str]
+sops:
+ age:
+ - recipient: age1pc92kl38mfr0j68dxww7tpzvqp3lpw6lwfylj6hn2k3rf4rddgtsjxdx47
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcXozOHRMMkpwR1Q2K1pW
+ L01QSzduUTRjZ3haZjMvaGJOQW0zaytadWdNCnkxa0VXWFdwMjRaTkJoalVDZUgw
+ OFdnMjRIU1pmek12OXkyUkR1a1BVUzgKLS0tIGZpM1Era3RHWDQ3ek9ZOEpIWmxo
+ QVBvT1RZUGlMNnM0cTNMaGI4aW9ES28KVoBcR+oDhu3oT3Gbau+0mkFOQujjSdWg
+ Ytyo6vhJPQU0tyWUkAC1BHmKmfmiV4qjQEVIZRD+8gl4Tw2v8kwSTw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age13xshg5e6ucvnu3vqgn344mxpk5kcqutv2lf4gdffvwadq0ku5ewqy4cck6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneGlDK2xRVkxzRzd4emZC
+ djI3MkY4NndLZjZjZkFiaDk2TU55SEtTM1c4CkVQTms4WVJWZ2ZjMTI4d1ZmT0FS
+ M2ZLZ1NiZGdWL0VyZXdEK1BrV3VBRG8KLS0tIEdWQnR4bHhxN1d0VDg0VUlScnZL
+ U1F5aXZVd1lvVFVJOFBBSGFLM2U1aXcK8tKAdnvtPIer6XUsm3Ls+raMTUYAhFDz
+ PEJtm1X3j/UI4+xdGC6V60KQA4uUl/hSzAY6NDkKVsDW3AHv/whW1Q==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1mje6kvzzxl6slgpj4rtvmzz3dej3kdq9v85uu69xjcqy6947de6sue05z9
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrK2FaOTI1djRhTjdxNWJJ
+ SG9lSGM4MEdvUkpoN1dBTHhHVk9nU1V5RHlZCnlxTitGZ3J0cU95L3RXcGJadzda
+ V0hTdnRpQmxDVUVWbk13M0FET1NHYTAKLS0tIHBjcTVTMHNWcW5naWNXQmJyKzlC
+ QUFsdmlYay9lLzF2YWJHVUlBOUhDaHcKKXKuk3ki8WYSrg2YVtaB4PliR/LFy390
+ gvCdS/LwqBJlDAwwtOoml7gtgPmn4bACO3z8XnrLfpctDdYgDkqcgQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-01T23:30:01Z"
+ mac: ENC[AES256_GCM,data:XSGqMKs3XVupy2wf5E1M8eFVwXlkQndY6Gw2aYV/tJ7WhKX3ToYHqDujUjCKE5S2dPZjT0i9wJD//LcC3lPAEbKlyCExBhHxuQjT44GuRyORNiT+ET5bLL0ilrG3U+DxvYCjFkhIZpTPZHG7E6lC2ch5DHyVCSsl/pjZ+/ZrA4Q=,iv:ZHsE8r4a2XkZS7nvvWF024/Xpv42C04M7D22z2LYgwk=,tag:XOm5TCvivijISw3+ItBvKA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0