Daholli/nixos-config
1
0
Fork 0
Code Issues 2 Pull requests Releases Packages Activity Actions

Compare commits

base: Daholli:a86a50f6c178e419b887e31d0bba5880812468fc
Branches Tags
Daholli:main
..
compare: Daholli:8ee3088b932324118e6d3b274ceda931539a85da
Branches Tags
Daholli:main

2 commits
a86a50f6c1 ... 8ee3088b93

Author SHA1 Message Date
Christoph Hollizeck
8ee3088b93
chore: update flake 2025-12-02 01:20:49 +01:00
Christoph Hollizeck
ad9862019c
security: start setting permissions on secrets properly 2025-12-02 01:18:47 +01:00
9 changed files with 90 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.sops.yaml
View file

@ -7,6 +7,8 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *primary - *primary
- *loptland
- *nixberry
- path_regex: secrets/secrets-loptland.yaml$ - path_regex: secrets/secrets-loptland.yaml$
key_groups: key_groups:

6
flake.lock generated
View file

@ -1415,11 +1415,11 @@
}, },
"nixpkgs-master": { "nixpkgs-master": {
"locked": { "locked": {
"lastModified": 1764632834, "lastModified": 1764634416,
"narHash": "sha256-KbBASKZKUqFsw58rODQvYt+OVBVNsNJX8rx4VH4iveY=", "narHash": "sha256-yajUMe5K+aMelTc9pSInKnH+6yFz2bN/bZLSTsXT8OQ=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d5fdfd55c2a43206af78a6c3094d7388a5690456", "rev": "c3385ea1e90c58755639bff061dfeeea9cbfba1c",
"type": "github" "type": "github"
}, },
"original": { "original": {

3
modules/base/system/nixdaemon.nix
View file

@ -40,7 +40,8 @@
"root" "root"
username username
] ]
++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner"; ++ lib.optional (builtins.hasAttr "native" config.services.gitea-actions-runner.instances) "gitea-runner"
++ lib.optional config.services.hydra.enable "hydra hydra-www hydra-evaluator";
in in
{ {
nix-path = "nixpkgs=flake:nixpkgs"; nix-path = "nixpkgs=flake:nixpkgs";

2
modules/hosts/loptland/default.nix
View file

@ -79,7 +79,7 @@ topLevel: {
"hydra/remotebuild/private-key" = { "hydra/remotebuild/private-key" = {
inherit sopsFile; inherit sopsFile;
owner = config.systemd.services.hydra-queue-runner.serviceConfig.User; owner = config.systemd.services.hydra-queue-runner.serviceConfig.User;
mode = "4000"; mode = "0400";
}; };
}; };

2
modules/server/factorio-server.nix
View file

@ -35,7 +35,7 @@
"token": "${config.sops.placeholder."factorio/token"}" "token": "${config.sops.placeholder."factorio/token"}"
} }
''; '';
mode = "4000"; mode = "0400";
owner = "factorio"; owner = "factorio";
group = "factorio"; group = "factorio";
}; };

34
modules/server/hydra.nix
View file

@ -1,8 +1,18 @@
{ {
flake.modules.nixos.hydra = flake.modules.nixos.hydra =
{ ... }: { config, pkgs, ... }:
let let
httpPort = 2000; httpPort = 2000;
remotebuild-ssh-config = pkgs.writeTextFile {
name = "remotebuild-ssh-config";
text = ''
Host nixberry
IdentitiesOnly yes
IdentityFile ${config.sops.secrets."hydra/remotebuild/private-key".path}
User remotebuild
'';
};
in in
{ {
services.nix-serve = { services.nix-serve = {
@ -18,5 +28,27 @@
useSubstitutes = true; useSubstitutes = true;
}; };
systemd =
let
user = "hydra-queue-runner";
in
{
tmpfiles.rules = [
"d ${config.users.users.${user}.home}/.ssh 0700 ${user} ${user} -"
];
services.hydra-queue-runner = {
serviceConfig.ExecStartPre =
let
targetFile = "${config.users.users.${user}.home}/.ssh/config";
in
''
${pkgs.coreutils}/bin/ln -sf ${remotebuild-ssh-config} ${targetFile}
${pkgs.coreutils}/bin/chown ${user}:${user} ${targetFile}
'';
};
};
}; };
} }

18
modules/users/cholli/default.nix
View file

@ -1,8 +1,4 @@
{ topLevel: {
config,
...
}:
{
flake = { flake = {
meta.users = { meta.users = {
cholli = { cholli = {
@ -22,12 +18,13 @@
modules = { modules = {
nixos.cholli = nixos.cholli =
{ pkgs, ... }: { config, pkgs, ... }:
{ {
programs.fish.enable = true; programs.fish.enable = true;
sops.secrets.passwordHash.neededForUsers = true;
users.users.cholli = { users.users.cholli = {
description = config.flake.meta.users.cholli.name; description = topLevel.config.flake.meta.users.cholli.name;
isNormalUser = true; isNormalUser = true;
createHome = true; createHome = true;
extraGroups = [ extraGroups = [
@ -39,13 +36,12 @@
"wheel" "wheel"
]; ];
shell = pkgs.fish; shell = pkgs.fish;
# TODO: fix this with sops hashedPasswordFile = config.sops.secrets.passwordHash.path;
initialPassword = "asdf";
openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys; openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys;
}; };
nix.settings.trusted-users = [ config.flake.meta.users.cholli.username ]; nix.settings.trusted-users = [ topLevel.config.flake.meta.users.cholli.username ];
}; };

13
modules/users/root/default.nix
View file

@ -1,18 +1,15 @@
{ topLevel: {
config,
...
}:
{
flake = { flake = {
modules.nixos.root = modules.nixos.root =
{ pkgs, ... }: { config, pkgs, ... }:
{ {
programs.fish.enable = true; programs.fish.enable = true;
sops.secrets.passwordHash.neededForUsers = true;
users.users.root = { users.users.root = {
shell = pkgs.fish; shell = pkgs.fish;
openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys; openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys;
initialPassword = "asdf1234"; hashedPasswordFile = config.sops.secrets.passwordHash.path;
}; };
}; };
}; };

36
secrets/secrets.yaml Normal file
View file

@ -0,0 +1,36 @@
passwordHash: ENC[AES256_GCM,data:T1rPJ5PhicrB54KxuTF2VT9i54uOngZnp1dS1xE/2qiuVUNUmYDrtryCk3nupJx9IVf0XqymQ3ut9A6YD1NjGvCBN+Klk2aevA==,iv:u9tpn9VAwn4yrChxICV6KgHFnvV5rpwKq6WWBjwntEk=,tag:sU9GebazI7gNuLSNO4Sjww==,type:str]
remotebuild:
private-key: ENC[AES256_GCM,data:kLF+Mo5EIS5mu8be0nDVRTAb7mzt6dtEL56aG4mV2BxLRcyUZXs7eCbj7j7sOpjqz0k8m+1lHAouvNjyzxANeH10/R3Fy3GZqeWtgJSOEQE3biZaD3dqz0e3Gv3ib/Y0yNYTafosCmn6CmPIsVfiE/dfS1oM2Ksrf/AQ3ufPKIdV0h+p5SK6LnhpBqxgIf7s3MFbBzR+iEgxn1jnmCLaoVqNXhO2tmQqgmRHyh2kHruFj9ZwUi6mWDBie7zX7qlOt/m9p5QN/v5KWn4CfMDWzMlSTYdjEd6lUlP8UC35MJafVT59ioF+ueqePhr4DyDR7d+Cg6Z/iNHWiSH1z17p4Rxt3D4IAverqcd1i8c92C8S4NJKvtWRyfMgZMB3/iG2ZqrLcJXlxrZZKZ9X5B+y5a0Ljb+Vg00V68ktFISt7vAsK79Qy/QjHCotXY0uugkeaGnxS1qhig5tmXdxD+OKk/cJt0kqYEyUFKVQf9unr6xaD2IuOkFKyp/fYhU5LfS0uiAt99ENrfNrIRdHAsUvgWW6Sq7qSVmjkLfU,iv:mlYWlmFT0Ybmn26Spqri5E9zRkrBweV6bWvvByLnIvs=,tag:tdB7dw+GMnr5/8fXoem10w==,type:str]
sops:
age:
- recipient: age1pc92kl38mfr0j68dxww7tpzvqp3lpw6lwfylj6hn2k3rf4rddgtsjxdx47
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcXozOHRMMkpwR1Q2K1pW
L01QSzduUTRjZ3haZjMvaGJOQW0zaytadWdNCnkxa0VXWFdwMjRaTkJoalVDZUgw
OFdnMjRIU1pmek12OXkyUkR1a1BVUzgKLS0tIGZpM1Era3RHWDQ3ek9ZOEpIWmxo
QVBvT1RZUGlMNnM0cTNMaGI4aW9ES28KVoBcR+oDhu3oT3Gbau+0mkFOQujjSdWg
Ytyo6vhJPQU0tyWUkAC1BHmKmfmiV4qjQEVIZRD+8gl4Tw2v8kwSTw==
-----END AGE ENCRYPTED FILE-----
- recipient: age13xshg5e6ucvnu3vqgn344mxpk5kcqutv2lf4gdffvwadq0ku5ewqy4cck6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneGlDK2xRVkxzRzd4emZC
djI3MkY4NndLZjZjZkFiaDk2TU55SEtTM1c4CkVQTms4WVJWZ2ZjMTI4d1ZmT0FS
M2ZLZ1NiZGdWL0VyZXdEK1BrV3VBRG8KLS0tIEdWQnR4bHhxN1d0VDg0VUlScnZL
U1F5aXZVd1lvVFVJOFBBSGFLM2U1aXcK8tKAdnvtPIer6XUsm3Ls+raMTUYAhFDz
PEJtm1X3j/UI4+xdGC6V60KQA4uUl/hSzAY6NDkKVsDW3AHv/whW1Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mje6kvzzxl6slgpj4rtvmzz3dej3kdq9v85uu69xjcqy6947de6sue05z9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrK2FaOTI1djRhTjdxNWJJ
SG9lSGM4MEdvUkpoN1dBTHhHVk9nU1V5RHlZCnlxTitGZ3J0cU95L3RXcGJadzda
V0hTdnRpQmxDVUVWbk13M0FET1NHYTAKLS0tIHBjcTVTMHNWcW5naWNXQmJyKzlC
QUFsdmlYay9lLzF2YWJHVUlBOUhDaHcKKXKuk3ki8WYSrg2YVtaB4PliR/LFy390
gvCdS/LwqBJlDAwwtOoml7gtgPmn4bACO3z8XnrLfpctDdYgDkqcgQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-01T23:30:01Z"
mac: ENC[AES256_GCM,data:XSGqMKs3XVupy2wf5E1M8eFVwXlkQndY6Gw2aYV/tJ7WhKX3ToYHqDujUjCKE5S2dPZjT0i9wJD//LcC3lPAEbKlyCExBhHxuQjT44GuRyORNiT+ET5bLL0ilrG3U+DxvYCjFkhIZpTPZHG7E6lC2ch5DHyVCSsl/pjZ+/ZrA4Q=,iv:ZHsE8r4a2XkZS7nvvWF024/Xpv42C04M7D22z2LYgwk=,tag:XOm5TCvivijISw3+ItBvKA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0