author | makefu <github@syntax-fehler.de> | 2023-06-10 20:53:47 +0200 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2023-06-10 21:23:44 +0200 |
commit | f0c524a6ac40e153117caf11431d5c7a2edcd3f8 (patch) | |
tree | cdd834261a93bc85cca453101ab11d4e8b2b4a18 /2configs | |
parent | 00ae5602b3f7f2b73ff8fa7f58e622f162d1281f (diff) |
init secrets
Diffstat (limited to '2configs')
-rw-r--r-- | 2configs/default.nix | 23 | ||||
-rw-r--r-- | 2configs/gui/gnome.nix | 1 | ||||
-rw-r--r-- | 2configs/minimal.nix | 3 | ||||
-rw-r--r-- | 2configs/secrets/user-passwords.nix | 14 |
4 files changed, 24 insertions, 17 deletions
diff --git a/2configs/default.nix b/2configs/default.nix
index b54e32a82..e2e10aad2 100644
--- a/2configs/default.nix
+++ b/2configs/default.nix
@@ -1,13 +1,9 @@
 { config, lib, pkgs, ... }:
-with import <stockholm/lib>;
+with lib;
 {
 imports = [
- {
- users.users =
- mapAttrs (_: h: { hashedPassword = h; })
- (import <secrets/hashedPasswords.nix>);
- }
+ ./secrets/user-passwords.nix
 ./editor/vim.nix
 ./binary-cache/nixos.nix
 ./minimal.nix
@@ -16,9 +12,7 @@ with import <stockholm/lib>;
 # users are super important
 users.users = {
- root = {
- openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
- };
+ root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
 makefu = {
 uid = 9001;
 group = "users";
@@ -27,10 +21,10 @@ with import <stockholm/lib>;
 isNormalUser = true;
 useDefaultShell = true;
 extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
+ openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
 };
 };
- nix.settings.trusted-users = [ config.krebs.build.user.name ];
+ # nix.settings.trusted-users = [ config.krebs.build.user.name ];
 nix.settings.experimental-features = [ "flakes" "nix-command" ];
 boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
@@ -39,13 +33,12 @@ with import <stockholm/lib>;
 krebs = {
 enable = true;
-
- dns.providers.lan = "hosts";
+ # dns.providers.lan = "hosts";
 build.user = config.krebs.users.makefu;
 };
- boot.tmpOnTmpfs = true;
+ boot.tmp.useTmpfs = true;
 environment.systemPackages = with pkgs; [
 jq
@@ -91,6 +84,6 @@ with import <stockholm/lib>;
 defaults.email = "letsencrypt@syntax-fehler.de";
 acceptTerms = true;
 };
- system.stateVersion = lib.mkDefault "20.03";
+ system.stateVersion = lib.mkDefault "23.05";
 services.postgresql.package = pkgs.postgresql_14;
 }
diff --git a/2configs/gui/gnome.nix b/2configs/gui/gnome.nix
index 44ba2dd67..aa71c72ac 100644
--- a/2configs/gui/gnome.nix
+++ b/2configs/gui/gnome.nix
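Review bot: The last hunk of 2configs/default.nix moves `system.stateVersion` from "20.03" to "23.05"; stateVersion is meant to record the release a host was first installed with and is not supposed to be raised on existing hosts, because it silently switches stateful defaults (database layouts, service data paths) in a single rebuild. Since it is `lib.mkDefault`, hosts that set their own value are unaffected, and `services.postgresql.package` is pinned here so that particular default is covered, but any host that relied on the default will migrate without warning; I would keep "20.03" or add `# default for fresh installs only; existing hosts must pin their own stateVersion` next to it. The same commit also leaves options commented out instead of deleted with no reason given (`nix.settings.trusted-users` and `krebs.dns.providers.lan` here, `networking.hostName` in 2configs/minimal.nix); a one-line reason or a TODO on each would help the next reader, or drop them since git keeps the history.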
@@ -14,6 +14,7 @@ in
 #};
 };
 programs.dconf.enable = true;
+
 home-manager.users.${mainUser}.dconf = {
 enable = true;
 settings = {
diff --git a/2configs/minimal.nix b/2configs/minimal.nix
index 0334422c8..04c997b54 100644
--- a/2configs/minimal.nix
+++ b/2configs/minimal.nix
@@ -7,14 +7,13 @@
 # the only true timezone (even after the the removal of DST)
 time.timeZone = "Europe/Berlin";
- networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
+ # networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
 # we use gpg if necessary (or nothing at all)
 programs.ssh.startAgent = false;
 # all boxes look the same
 nix.settings.sandbox = true;
- nix.settings.cores = 0; # until https://github.com/NixOS/nixpkgs/pull/50440 is in stable
 # we configure users via nix
 users.mutableUsers = false;
diff --git a/2configs/secrets/user-passwords.nix b/2configs/secrets/user-passwords.nix
new file mode 100644
index 000000000..68d94e9fa
--- /dev/null
+++ b/2configs/secrets/user-passwords.nix
@@ -0,0 +1,14 @@
+{ config, ... }:
+{
+ sops.defaultSopsFile = ../../secrets/common.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets = {
+ "passwd/makefu".neededForUsers = true;
+ "passwd/root".neededForUsers = true;
+ };
+ users.users = {
+ makefu.passwordFile = config.sops.secrets."passwd/makefu".path;
+ root.passwordFile = config.sops.secrets."passwd/root".path;
+ };
+} |
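Review bot: The new 2configs/secrets/user-passwords.nix wires `passwordFile` for makefu and root but nothing says what the `passwd/makefu` and `passwd/root` entries in secrets/common.yaml must contain; `users.users.<name>.passwordFile` is read as an already-hashed password (crypt(3) format, as produced by mkpasswd), so a plaintext value there would leave both accounts without a usable password rather than set it. I would add a header comment such as `# passwd/* in common.yaml hold crypt-style password hashes, never plaintext; neededForUsers makes sops-nix decrypt them before user creation (into /run/secrets-for-users)`. Since 2configs/minimal.nix keeps `users.mutableUsers = false`, these two secrets are the only credentials for both accounts, so a host whose `/etc/ssh/ssh_host_ed25519_key` is not among the recipients of common.yaml will, as far as I can tell, fail during activation; the same comment should say how a new host's key gets added before its first deploy. Newer NixOS releases rename this option to `hashedPasswordFile`; `passwordFile` is fine on 23.05 but will start warning later, so it is worth switching once the option is available on your channel.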