authormakefu <github@syntax-fehler.de>2023-06-10 20:53:47 +0200
committermakefu <github@syntax-fehler.de>2023-06-10 21:23:44 +0200
commitf0c524a6ac40e153117caf11431d5c7a2edcd3f8 (patch)
treecdd834261a93bc85cca453101ab11d4e8b2b4a18 /2configs
parent00ae5602b3f7f2b73ff8fa7f58e622f162d1281f (diff)
init secrets
Diffstat (limited to '2configs')
-rw-r--r--2configs/default.nix23
-rw-r--r--2configs/gui/gnome.nix1
-rw-r--r--2configs/minimal.nix3
-rw-r--r--2configs/secrets/user-passwords.nix14
4 files changed, 24 insertions, 17 deletions
diff --git a/2configs/default.nix b/2configs/default.nix
index b54e32a82..e2e10aad2 100644
--- a/2configs/default.nix
+++ b/2configs/default.nix
@@ -1,13 +1,9 @@
{ config, lib, pkgs, ... }:
-with import <stockholm/lib>;
+with lib;
{
imports = [
- {
- users.users =
- mapAttrs (_: h: { hashedPassword = h; })
- (import <secrets/hashedPasswords.nix>);
- }
+ ./secrets/user-passwords.nix
./editor/vim.nix
./binary-cache/nixos.nix
./minimal.nix
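Review bot: The replacement `with lib;` on the second line of the hunk puts every lib attribute into the file's scope unqualified, while the uses this commit shows (`lib.mkDefault`, `lib.mkIf`) already qualify them, so the `with` looks unnecessary and hides where identifiers come from. The only unqualified lib use the diff shows was `mapAttrs` in the removed inline module, and that code is gone. If nothing in the rest of the file relies on it, prefer dropping the line, or narrowing it to `inherit (lib) <names actually used>;`. The module body continues past the hunk, so other unqualified uses may exist outside this view.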
@@ -16,9 +12,7 @@ with import <stockholm/lib>;
# users are super important
users.users = {
- root = {
- openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
- };
+ root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
makefu = {
uid = 9001;
group = "users";
@@ -27,10 +21,10 @@ with import <stockholm/lib>;
isNormalUser = true;
useDefaultShell = true;
extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
+ openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
};
};
- nix.settings.trusted-users = [ config.krebs.build.user.name ];
+ # nix.settings.trusted-users = [ config.krebs.build.user.name ];
nix.settings.experimental-features = [ "flakes" "nix-command" ];
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
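Review bot: `nix.settings.trusted-users` is commented out rather than removed or explained, and the same pattern recurs in the next hunk (`dns.providers.lan`) and in minimal.nix (`networking.hostName`); a commented-out setting is dead configuration that git history already preserves, and a reader cannot tell whether it is a temporary opt-out or a deliberate decision. Since a trusted user can push arbitrary paths and settings into the store through the daemon, unsetting it is a sensible tightening, but it deserves a line saying so, e.g. `# trusted-users intentionally unset: <reason>`. The two `openssh.authorizedKeys.keys` lines in this hunk differ only in whitespace.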
@@ -39,13 +33,12 @@ with import <stockholm/lib>;
krebs = {
enable = true;
-
- dns.providers.lan = "hosts";
+ # dns.providers.lan = "hosts";
build.user = config.krebs.users.makefu;
};
- boot.tmpOnTmpfs = true;
+ boot.tmp.useTmpfs = true;
environment.systemPackages = with pkgs; [
jq
@@ -91,6 +84,6 @@ with import <stockholm/lib>;
defaults.email = "letsencrypt@syntax-fehler.de";
acceptTerms = true;
};
- system.stateVersion = lib.mkDefault "20.03";
+ system.stateVersion = lib.mkDefault "23.05";
services.postgresql.package = pkgs.postgresql_14;
}
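Review bot: Bumping `system.stateVersion` from "20.03" to "23.05" on the last two lines changes the value on every host that imports this module without overriding it; NixOS documents stateVersion as fixed at install time because it selects compatibility defaults for stateful services (data directories, on-disk formats), so a host installed under 20.03 may pick up new defaults on its next rebuild. `lib.mkDefault` only protects hosts that set their own value. If the intent is that new installs default to 23.05, each existing host should pin its install-time version in its own config, and a comment such as `# only a default for new hosts; existing hosts must keep their install-time stateVersion` would make that explicit here. postgresql is pinned to postgresql_14 on the preceding line, so that particular default is unaffected.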
diff --git a/2configs/gui/gnome.nix b/2configs/gui/gnome.nix
index 44ba2dd67..aa71c72ac 100644
--- a/2configs/gui/gnome.nix
+++ b/2configs/gui/gnome.nix
@@ -14,6 +14,7 @@ in
#};
};
programs.dconf.enable = true;
+
home-manager.users.${mainUser}.dconf = {
enable = true;
settings = {
diff --git a/2configs/minimal.nix b/2configs/minimal.nix
index 0334422c8..04c997b54 100644
--- a/2configs/minimal.nix
+++ b/2configs/minimal.nix
@@ -7,14 +7,13 @@
# the only true timezone (even after the the removal of DST)
time.timeZone = "Europe/Berlin";
- networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
+ # networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
# we use gpg if necessary (or nothing at all)
programs.ssh.startAgent = false;
# all boxes look the same
nix.settings.sandbox = true;
- nix.settings.cores = 0; # until https://github.com/NixOS/nixpkgs/pull/50440 is in stable
# we configure users via nix
users.mutableUsers = false;
diff --git a/2configs/secrets/user-passwords.nix b/2configs/secrets/user-passwords.nix
new file mode 100644
index 000000000..68d94e9fa
--- /dev/null
+++ b/2configs/secrets/user-passwords.nix
@@ -0,0 +1,14 @@
+{ config, ... }:
+{
+ sops.defaultSopsFile = ../../secrets/common.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets = {
+ "passwd/makefu".neededForUsers = true;
+ "passwd/root".neededForUsers = true;
+ };
+ users.users = {
+ makefu.passwordFile = config.sops.secrets."passwd/makefu".path;
+ root.passwordFile = config.sops.secrets."passwd/root".path;
+ };
+}
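Review bot: The new module does not say what the `passwd/*` entries must contain: `users.users.<name>.passwordFile` is read as an already-hashed password (a crypt(3)-style hash such as `mkpasswd -m sha-512` produces), so a plaintext value in common.yaml would silently yield an account nobody can log into rather than an evaluation error. A two-line header comment would cover it, e.g. `# passwd/* hold password hashes (mkpasswd -m sha-512), never plaintext;` and `# neededForUsers makes sops place them in /run/secrets-for-users before users are created.` Separately, the decryption identity is the host's ed25519 SSH key, so every host that imports this module and shares `common.yaml` can decrypt every secret in that file; if the file is shared across machines, per-host sops files or per-secret `sops.secrets.<name>.sopsFile` keep a compromise of one host from exposing the others' entries. Whether common.yaml is shared cannot be seen from this diff.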