init secrets

This commit is contained in:
makefu 2023-06-10 20:53:47 +02:00
parent 00ae5602b3
commit f0c524a6ac
13 changed files with 399 additions and 61 deletions

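--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,17 @@
+keys:
+- &makefu F7B8DCE46BC6B0A8F95477C8563B8DFE2A0E2029
+- &x_host age1hqe5hs2jz2fk5zvw346ajhwlagkheunacahpu42uruxu0nlnwy7qn9q5k6
+creation_rules:
+- path_regex: secrets/common.yaml$
+key_groups:
+- pgp:
+- *makefu
+- age:
+- *x_host
+# host secrets
+- path_regex: 1systems/x/[^/]+\.yaml$
+key_groups:
+- pgp:
+- *makefu
+- age:
+- *x_host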
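Review bot: The host rule's `path_regex: 1systems/x/[^/]+\.yaml$` does not match the directory this commit actually uses for the host, `1systems/flake-x/` (see the `result` symlink and `./1systems/flake-x/config.nix` in flake.nix), so a host secrets file placed next to that config would match no creation rule and sops would have no recipients for it. Either widen the rule to `path_regex: 1systems/(flake-)?x/[^/]+\.yaml$` or use the directory name the flake imports. Indentation was lost in this rendering, so the nesting of `key_groups` under each rule could not be checked here.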


@ -1,13 +1,14 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, self, ... }:
{
imports =
[
# ./x13
# ./x230
./x13
(self + "/2configs/default.nix")
## Common Hardware Components
#<nix-ld/modules/nix-ld.nix>
## <stockholm/makefu/2configs/hw/mceusb.nix>
## <stockholm/makefu/2configs/hw/rtl8812au.nix>
#<stockholm/makefu/2configs/hw/network-manager.nix>
@ -222,34 +223,32 @@
nixpkgs.config.allowUnfree = true;
nixpkgs.config.oraclejdk.accept_license = true;
environment.systemPackages = [ xxx ];
# configure pulseAudio to provide a HDMI sink as well
networking.firewall.enable = true;
networking.firewall.allowedUDPPorts = [ 665 26061 1514 ];
networking.firewall.trustedInterfaces = [ "vboxnet0" "enp0s25" ];
# krebs.build.host = config.krebs.hosts.x;
krebs.build.host = config.krebs.hosts.x;
#krebs.tinc.retiolum.connectTo = lib.mkForce [ "gum" ];
#krebs.tinc.retiolum.extraConfig = "AutoConnect = no";
# environment.variables = { GOROOT = [ "${pkgs.go.out}/share/go" ]; };
#state = [
# "/home/makefu/stockholm"
# "/home/makefu/.ssh/"
# "/home/makefu/.zsh_history"
# "/home/makefu/.bash_history"
# "/home/makefu/bin"
# "/home/makefu/.gnupg"
# "/home/makefu/.imapfilter"
# "/home/makefu/.mutt"
# "/home/makefu/docs"
# "/home/makefu/notes"
# "/home/makefu/.password-store"
# "/home/makefu/.secrets-pass"
# "/home/makefu/.config/syncthing"
#];
state = [
"/home/makefu/stockholm"
"/home/makefu/.ssh/"
"/home/makefu/.zsh_history"
"/home/makefu/.bash_history"
"/home/makefu/bin"
"/home/makefu/.gnupg"
"/home/makefu/.imapfilter"
"/home/makefu/.mutt"
"/home/makefu/docs"
"/home/makefu/notes"
"/home/makefu/.password-store"
"/home/makefu/.secrets-pass"
"/home/makefu/.config/syncthing"
];
# services.syncthing.user = lib.mkForce "makefu";
# services.syncthing.dataDir = lib.mkForce "/home/makefu/.config/syncthing/";
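Review bot: `environment.systemPackages = [ xxx ];` uses the bare name `xxx`, which reads as a placeholder; unless it is bound in a `let` outside this hunk the configuration fails to evaluate with an undefined-variable error, so either replace it with the intended package list or drop the line. The comment `# configure pulseAudio to provide a HDMI sink as well` sits directly above `networking.firewall.enable = true;` and no longer describes the lines under it; remove it or move it next to the audio settings. The change markers were lost in this rendering, so whether these two lines are new or context could not be told; the enclosing attribute set starts and ends outside the hunk.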

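--- a/1systems/flake-x/result
+++ b/1systems/flake-x/result
@@ -0,0 +1 @@
+/nix/store/svjw1v86maxhw6l7wy6s1p7rsxm7582i-nixos-vm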
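Review bot: `1systems/flake-x/result` is the symlink `nix build` leaves behind, pointing into one machine's store (`/nix/store/...-nixos-vm`); it is a build artefact, not source, and will churn on every rebuild. Drop it from the commit and add `result` (or `result*`) to `.gitignore` so it is not picked up again.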


@ -1,15 +1,18 @@
{ pkgs, lib, ... }:
{ pkgs, lib, nixos-hardware, self, ... }:
# new zfs deployment
{
imports = [
./zfs.nix
./input.nix
./disk.nix
./battery.nix
<stockholm/makefu/2configs/hw/bluetooth.nix>
<nixos-hardware/lenovo/thinkpad/l14/amd> # close enough
# <stockholm/makefu/2configs/hw/tpm.nix>
<stockholm/makefu/2configs/hw/ssd.nix>
# <stockholm/makefu/2configs/hw/xmm7360.nix>
(self + "/2configs/hw/bluetooth.nix")
(self + "/2configs/hw/tpm.nix")
(self + "/2configs/hw/ssd.nix")
# (self + "/2configs/hw/xmm7360.nix")
nixos-hardware.nixosModules.lenovo-thinkpad-l14-amd
];
boot.zfs.requestEncryptionCredentials = true;
networking.hostId = "f8b8e0a2";
@ -24,9 +27,7 @@
hardware.opengl.extraPackages = [ pkgs.amdvlk pkgs.rocm-opencl-icd pkgs.rocm-opencl-runtime ];
# For 32 bit applications
hardware.opengl.driSupport32Bit = true;
hardware.opengl.extraPackages32 = with pkgs; [
driversi686Linux.amdvlk
];
hardware.opengl.extraPackages32 = with pkgs; [ driversi686Linux.amdvlk ];
# is required for amd graphics support ( xorg wont boot otherwise )
#boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelPackages = lib.mkForce pkgs.linuxPackages;
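Review bot: `(self + "/2configs/hw/tpm.nix")` is now imported unconditionally, while the line it replaces, `# <stockholm/makefu/2configs/hw/tpm.nix>`, was commented out; enabling TPM support is a behavioural change a commit titled "init secrets" does not announce, so either keep it commented or say so in the message. The `# close enough` remark was dropped when `<nixos-hardware/lenovo/thinkpad/l14/amd>` became `nixos-hardware.nixosModules.lenovo-thinkpad-l14-amd`; keep it, e.g. `nixos-hardware.nixosModules.lenovo-thinkpad-l14-amd # close enough`, so the profile/model mismatch stays documented. The enclosing module continues past the second hunk.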


@ -1,4 +1,7 @@
{ disk ? "/dev/sda", ... }: {
{ ... }:
let
disk = "/dev/nvme0n1";
in {
disko.devices = {
disk = {
nvme = {
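Review bot: Replacing `{ disk ? "/dev/sda", ... }:` with a fixed `let disk = "/dev/nvme0n1"; in` removes the only way to override the device, and because the pattern still ends in `...` a caller passing `disk` is accepted and silently ignored. Keep it a parameter with the new default, `{ disk ? "/dev/nvme0n1", ... }: {`, and drop the `let`. The `disko.devices` attribute set continues past the hunk.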


@ -1,13 +1,9 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
with lib;
{
imports = [
{
users.users =
mapAttrs (_: h: { hashedPassword = h; })
(import <secrets/hashedPasswords.nix>);
}
./secrets/user-passwords.nix
./editor/vim.nix
./binary-cache/nixos.nix
./minimal.nix
@ -16,9 +12,7 @@ with import <stockholm/lib>;
# users are super important
users.users = {
root = {
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
};
root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
makefu = {
uid = 9001;
group = "users";
@ -27,10 +21,10 @@ with import <stockholm/lib>;
isNormalUser = true;
useDefaultShell = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
};
};
nix.settings.trusted-users = [ config.krebs.build.user.name ];
# nix.settings.trusted-users = [ config.krebs.build.user.name ];
nix.settings.experimental-features = [ "flakes" "nix-command" ];
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
@ -39,13 +33,12 @@ with import <stockholm/lib>;
krebs = {
enable = true;
dns.providers.lan = "hosts";
# dns.providers.lan = "hosts";
build.user = config.krebs.users.makefu;
};
boot.tmpOnTmpfs = true;
boot.tmp.useTmpfs = true;
environment.systemPackages = with pkgs; [
jq
@ -91,6 +84,6 @@ with import <stockholm/lib>;
defaults.email = "letsencrypt@syntax-fehler.de";
acceptTerms = true;
};
system.stateVersion = lib.mkDefault "20.03";
system.stateVersion = lib.mkDefault "23.05";
services.postgresql.package = pkgs.postgresql_14;
}
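Review bot: `system.stateVersion = lib.mkDefault "23.05";` changes the default for every host importing this shared module, not only the new flake host; an existing installation must keep the stateVersion it was installed with, because it selects compatibility defaults for stateful services (the explicit `services.postgresql.package = pkgs.postgresql_14;` below covers only one of them). Keep `"20.03"` here and set `system.stateVersion = "23.05";` in the new host's own config, or state in the commit why the bump is safe for all hosts. `# nix.settings.trusted-users = [ config.krebs.build.user.name ];` also silently drops the build user from trusted-users, which may matter for deploys that push paths to the store as that user; if intentional, a one-line comment saying why would help. The other hunks of this file are the import and user cleanup and raise nothing further.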


@ -14,6 +14,7 @@ in
#};
};
programs.dconf.enable = true;
home-manager.users.${mainUser}.dconf = {
enable = true;
settings = {


@ -7,14 +7,13 @@
# the only true timezone (even after the the removal of DST)
time.timeZone = "Europe/Berlin";
networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
# networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
# we use gpg if necessary (or nothing at all)
programs.ssh.startAgent = false;
# all boxes look the same
nix.settings.sandbox = true;
nix.settings.cores = 0; # until https://github.com/NixOS/nixpkgs/pull/50440 is in stable
# we configure users via nix
users.mutableUsers = false;
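Review bot: With `networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;` commented out, nothing left in this module sets the hostname; unless one of the stockholm modules imported in flake.nix (`build`, `hosts`) does so, the machine boots with NixOS's default hostname `nixos`. If the `lib.hasAttr` guard was the problem, `networking.hostName = lib.mkDefault config.krebs.build.host.name;` keeps the assignment while letting a host override it. The enclosing attribute set starts outside the hunk.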


@ -0,0 +1,14 @@
{ config, ... }:
{
sops.defaultSopsFile = ../../secrets/common.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"passwd/makefu".neededForUsers = true;
"passwd/root".neededForUsers = true;
};
users.users = {
makefu.passwordFile = config.sops.secrets."passwd/makefu".path;
root.passwordFile = config.sops.secrets."passwd/root".path;
};
}
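Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` relies on `secrets/common.yaml` being encrypted to the host's age recipient, but that file's sops metadata in this commit lists `age: []` and only the pgp fingerprint `F7B8DCE46BC6B0A8F95477C8563B8DFE2A0E2029`; the `x_host` age key was added to `.sops.yaml` without re-encrypting, so unless the host also holds that pgp secret key, decryption at activation fails and, with `neededForUsers = true`, both password secrets are missing when users are created. Run `sops updatekeys secrets/common.yaml` and commit the result so the `age:` section carries the `x_host` recipient. Because the shared config sets `users.mutableUsers = false`, the first deploy is the point to verify that `/run/secrets-for-users` is populated before rebooting.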


@ -1,25 +1,26 @@
{ lib }:
{ lib, ... }:
# krebs emulation layer
{
options = with lib.types;{
krebs.hosts = mkOption {
default = {};
type = attrsOf anything;
};
options = with lib; with types;{
#krebs.enable = mkEnableOption "krebs";
#krebs.hosts = mkOption {
# default = {};
# type = attrsOf anything;
#};
krebs.build = mkOption {
default = {};
type = attrsOf anything;
};
krebs.users = mkOption {
default = {};
type = attrsOf anything;
};
#krebs.users = mkOption {
# default = {};
# type = attrsOf anything;
#};
};
config = {
users.makefu = {
krebs.users.makefu = {
name = "makefu";
mail = "makefu@x.r";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb makefu@x";
};
}
};
}
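Review bot: `krebs.users.makefu = { ... }` is set in `config` while the matching declaration is now commented out (`#krebs.users = mkOption { ... }`), so this module only evaluates when something else declares `krebs.users`; flake.nix imports `stockholm.nixosModules.users` for that but also comments out `#self.nixosModules.krebs`, which leaves this file unused. Either delete the emulation layer or keep it self-contained by restoring the `krebs.users` declaration. Note that the remaining `krebs.build = mkOption { ... }` would be a second declaration of an option the stockholm `build` module provides, which the module system rejects if both are ever imported together.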

flake.lock Normal file

@ -0,0 +1,200 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1686222354,
"narHash": "sha256-dtqnAwzucKZv54dTrLetIXhOavUrCsdqOe+JtFH9riE=",
"owner": "nix-community",
"repo": "disko",
"rev": "5d9f362aecd7a4c2e8a3bf2afddb49051988cab9",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1685662779,
"narHash": "sha256-cKDDciXGpMEjP1n6HlzKinN0H+oLmNpgeCTzYnsA2po=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "71fb97f0d875fd4de4994dfb849f2c75e17eb6c3",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1686391840,
"narHash": "sha256-5S0APl6Mfm6a37taHwvuf11UHnAX0+PnoWQbsYbMUnc=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "0144ac418ef633bfc9dbd89b8c199ad3a617c59f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nix-ld": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1682533818,
"narHash": "sha256-2Fzjk3jL7rlyLjPKWy05zU8SGm04M3mbzohk51vkw3Y=",
"owner": "Mic92",
"repo": "nix-ld",
"rev": "29f15b1f7e37810689974ef169496c51f6403a1b",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "nix-ld",
"type": "github"
}
},
"nix-writers": {
"flake": false,
"locked": {
"lastModified": 1677612737,
"narHash": "sha256-UaCKZ4PbMZU6UZH7XNFcjRtd5jheswl66rjZDBfQgp8=",
"ref": "refs/heads/master",
"rev": "66a1f6833464bbb121b6d94247ad769f277351f8",
"revCount": 39,
"type": "git",
"url": "https://cgit.krebsco.de/nix-writers"
},
"original": {
"type": "git",
"url": "https://cgit.krebsco.de/nix-writers"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1686217350,
"narHash": "sha256-Nb9b3m/GEK8jyFsYfUkXGsqj6rH05GgJ2QWcNNbK7dw=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "e4b34b90f27696ec3965fa15dcbacc351293dc67",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1686331006,
"narHash": "sha256-hElRDWUNG655aqF0awu+h5cmDN+I/dQcChRt2tGuGGU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "85bcb95aa83be667e562e781e9d186c57a07d757",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"flake-parts": "flake-parts",
"home-manager": "home-manager",
"nix-ld": "nix-ld",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix",
"stockholm": "stockholm"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": []
},
"locked": {
"lastModified": 1685848844,
"narHash": "sha256-Iury+/SVbAwLES76QJSiKFiQDzmf/8Hsq8j54WF2qyw=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "a522e12ee35e50fa7d902a164a9796e420e6e75b",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"stockholm": {
"inputs": {
"nix-writers": "nix-writers",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1686400260,
"narHash": "sha256-nW2GqH3yYZl5XRYHN4MpaaO4r01GNEMSPjklJmdIUic=",
"path": "/home/makefu/stockholm-flakes",
"type": "path"
},
"original": {
"path": "/home/makefu/stockholm-flakes",
"type": "path"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

flake.nix Normal file

@ -0,0 +1,75 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.inputs.nixpkgs-stable.follows = "";
nixos-hardware.url = "github:NixOS/nixos-hardware";
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
flake-parts.url = "github:hercules-ci/flake-parts";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
nix-ld.url = "github:Mic92/nix-ld";
nix-ld.inputs.nixpkgs.follows = "nixpkgs";
# stockholm.url = "git+https://cgit.lassul.us/stockholm?ref=flakeify";
stockholm.url = "path:///home/makefu/stockholm-flakes";
stockholm.inputs.nixpkgs.follows = "nixpkgs";
};
description = "Flakes of makefu";
outputs = { self, nixpkgs, disko, nixos-hardware, nix-ld, sops-nix, stockholm, ...}@inputs: let
in {
nixosModules =
let
inherit (nixpkgs) lib;
in builtins.listToAttrs
(map
(name: {name = lib.removeSuffix ".nix" name; value = import (./3modules + "/${name}");})
(lib.filter
(name: name != "default.nix" && !lib.hasPrefix "." name)
(lib.attrNames (builtins.readDir ./3modules))));
nixosConfigurations.x = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
specialArgs = {
inherit (inputs) nixos-hardware self stockholm;
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
overlays = [(self: super: { stockholm.lib = stockholm.lib; })] ;
};
};
modules = [
disko.nixosModules.disko
nix-ld.nixosModules.nix-ld
sops-nix.nixosModules.sops
stockholm.nixosModules.krebs
stockholm.nixosModules.hosts
stockholm.nixosModules.users
stockholm.nixosModules.build
stockholm.nixosModules.dns
stockholm.nixosModules.kartei
stockholm.nixosModules.sitemap
self.nixosModules.state
#self.nixosModules.krebs
./1systems/flake-x/config.nix
];
};
};
}
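Review bot: `stockholm.url = "path:///home/makefu/stockholm-flakes";` pins a flake input to an absolute path on one machine, and flake.lock records the same `/home/makefu/stockholm-flakes` path, so `nix flake` commands fail on any other checkout or host; the commented `git+https://cgit.lassul.us/stockholm?ref=flakeify` line is the portable form and should be the one committed, with the local checkout supplied via `--override-input stockholm path:/home/makefu/stockholm-flakes` when needed. In the overlay `(self: super: { stockholm.lib = stockholm.lib; })` the lambda parameter `self` shadows the flake's `self` from `outputs`; naming the parameters `final: prev:` avoids the confusion. The empty `let in` before the outputs set can also be dropped.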

secrets/common.yaml Normal file

@ -0,0 +1,34 @@
passwd:
makefu: ENC[AES256_GCM,data:Z3b+aYQtENF0g/iSpQRSy2lxh2qToT7YfHDVDOPfpVaiSPdoFA0jEyWQ0Vk70AVNMQa7wPrXjbMLKdfTmnS7mKzc9Ivjr8gA9lSfcs3L8MY+Y0fSAtuoPJncIcvt1uL+pLUvSow7hHWg8A==,iv:H9RS2U6WjCIJ2GySw2QdXm4538wvTgVYVU3/hNEUCME=,tag:RT3OK41TZgmOtNEFz19Eug==,type:str]
root: ENC[AES256_GCM,data:nxxIQPFgZu8YyI8HASuO0Tj7ABWxnqcPOztSGEk0R6YZCYMeOeoTgyH2/Wa325ul3iry8vnDsbBa+2S2Y0b+oV/wnPgIoa7LKjHYlIseCArB/LD9+oi8XRkJbsQSISEmoMyobmYc5SysNg==,iv:wkMyMkeL8hrTIG9PUrqwBnrUY92U9OotkP9rz9zKs5A=,tag:xiazIbBkR8505qrOsWn26Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-06-10T17:34:46Z"
mac: ENC[AES256_GCM,data:0Fyw+XASLLE2MhvJJ0mR0zvdu2YiGv2Ud4Fq34/RdRCx0+S+9qhwQbe93M6F7ZN4udeHQj4Nory3dg3nJlABQY2DDS3BXhA9OX7SR8p5SJ9uKWNwhpavBXPBgzU381NJNB+2KX/KByszkGRJ4DS8QQ5ELWn+9guLdvPPitAjbs8=,iv:wTzFPC+I4g3CDU6lqS9GBHHdYmAAqUCf2nTjJDAdSO4=,tag:OnByw19WU0cOx6lHvJcq6Q==,type:str]
pgp:
- created_at: "2023-06-10T17:32:09Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=i/3A
-----END PGP MESSAGE-----
fp: F7B8DCE46BC6B0A8F95477C8563B8DFE2A0E2029
unencrypted_suffix: _unencrypted
version: 3.7.3