Avery/NixOS
Avery/NixOS
1
0
Fork 0
Code Activity

Set up sops-nix

Browse source
This commit is contained in:
Avery 2024-04-03 23:27:14 +02:00
parent 84c3e5a976
commit ca41f6af9e
Signed by: Avery
GPG key ID: B684FD451B692E04
6 changed files with 132 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml Normal file
View file

@ -0,0 +1,7 @@
keys:
- &avery age1rxn337tx2qxa8t5dxrxnnctza8g2awm24pq84nt2w2u72m8yx9lqus0qq9
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *avery

11
common/nixos.nix
View file

@ -19,12 +19,13 @@
users.avery = { users.avery = {
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
isNormalUser = true; isNormalUser = true;
hashedPasswordFile = config.sops.secrets.avery_password.path;
}; };
}; };
environment = { environment = {
shells = with pkgs; [ zsh ]; shells = with pkgs; [ zsh ];
systemPackages = with pkgs; [ git htop neovim ]; systemPackages = with pkgs; [ git htop neovim sops ];
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
@ -43,4 +44,12 @@
}; };
services.openssh.enable = true; services.openssh.enable = true;
sops = {
secrets.avery_password = {
sopsFile = "/etc/nixos/secrets/hosts/common.yaml";
neededForUsers = true;
};
validateSopsFiles = false;
};
} }

52
flake.lock generated
View file

@ -138,11 +138,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1711868868, "lastModified": 1712016346,
"narHash": "sha256-QpZanlbVu6Gb2K96u3vgu0F2BvZD74+fOsIFWcYEXoY=", "narHash": "sha256-O2nO7pD+krq+4HgkLB4VThRtAucIPfXDs/jJqCGlK1w=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "30f2ec39519f4f5a8a96af808c439e730c15aeab", "rev": "4be0464472675212654dedf3e021bd5f1d58b92f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -209,6 +209,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1711819797,
"narHash": "sha256-tNeB6emxj74Y6ctwmsjtMlzUMn458sBmwnD35U5KIM4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2b4e3ca0091049c6fbb4908c66b05b77eaef9f0c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixvim": { "nixvim": {
"inputs": { "inputs": {
"devshell": "devshell", "devshell": "devshell",
@ -222,11 +238,11 @@
"pre-commit-hooks": "pre-commit-hooks" "pre-commit-hooks": "pre-commit-hooks"
}, },
"locked": { "locked": {
"lastModified": 1711888895, "lastModified": 1712057047,
"narHash": "sha256-Hykv2DGC5EHzZ89+54w/zkit+CVGLRcdIgOWnB4zW5k=", "narHash": "sha256-o5KSQO82/sCgaaSsZONTeb+P47MXo0bbp+eID9I0CwI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "db6b61f117c83943f15289ced03674f81d08256a", "rev": "7baefc8aa587931827797db7fbd55a733179dc79",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -267,7 +283,29 @@
"inputs": { "inputs": {
"home-manager": "home-manager", "home-manager": "home-manager",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixvim": "nixvim" "nixvim": "nixvim",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1711855048,
"narHash": "sha256-HxegAPnQJSC4cbEbF4Iq3YTlFHZKLiNTk8147EbLdGg=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "99b1e37f9fc0960d064a7862eb7adfb92e64fa10",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
}, },
"systems": { "systems": {

9
flake.nix
View file

@ -11,16 +11,22 @@
url = "github:nix-community/nixvim"; url = "github:nix-community/nixvim";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, home-manager, nixvim }@inputs: { outputs = { self, nixpkgs, home-manager, nixvim, sops-nix }@inputs: {
nixosConfigurations = { nixosConfigurations = {
totsugeki = nixpkgs.lib.nixosSystem { totsugeki = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./common/nixos.nix ./common/nixos.nix
./hosts/totsugeki/nixos.nix ./hosts/totsugeki/nixos.nix
./hosts/greatyamada/services/forgejo.nix
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
sops-nix.nixosModules.sops
{ {
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users.avery = { home-manager.users.avery = {
@ -41,6 +47,7 @@
./common/nixos.nix ./common/nixos.nix
./hosts/greatyamada/nixos.nix ./hosts/greatyamada/nixos.nix
./hosts/greatyamada/services ./hosts/greatyamada/services
sops-nix.nixosModules.sops
]; ];
}; };
}; };

57
hosts/greatyamada/services/forgejo.nix Normal file
View file

@ -0,0 +1,57 @@
{ lib, pkgs, ... }:
let
forgejoConfigPath = "/var/lib/forgejo/custom/conf";
arrayToSecrets = elements:
builtins.listToAttrs (map (x: {
name = "forgejo/" + x;
value = {
path = "${forgejoConfigPath}/" + x;
owner = "forgejo";
};
}) elements);
in {
services = {
forgejo = {
enable = true;
settings = {
server = {
DOMAIN = "git.rcia.dev";
ROOT_URL = "https://git.rcia.dev";
HTTP_PORT = 3000;
DISABLE_SSH = true;
LFS_START_SERVER = true;
LFS_JWT_SECRET = "";
LFS_JWT_SECRET_URI = "file://${forgejoConfigPath}/lfs_jwt_secret";
};
security = {
INSTALL_LOCK = true;
INTERNAL_TOKEN = lib.mkForce "";
INTERNAL_TOKEN_URI = "file://${forgejoConfigPath}/internal_token";
SECRET_KEY = lib.mkForce "";
SECRET_KEY_URI = "file://${forgejoConfigPath}/secret_key";
};
oauth2 = {
JWT_SECRET = lib.mkForce "";
JWT_SECRET_URI = "file://${forgejoConfigPath}/oauth2_jwt_secret";
};
};
};
nginx = {
virtualHosts."git.rcia.dev" = {
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
clientMaxBodySize = "200M";
};
};
};
};
systemd.services.forgejo.preStart = ''
${pkgs.forgejo}/bin/gitea migrate
'';
sops.secrets = arrayToSecrets [
"internal_token"
"lfs_jwt_secret"
"oauth2_jwt_secret"
"secret_key"
];
}

6
hosts/totsugeki/nixos.nix
View file

@ -99,8 +99,12 @@
}; };
udisks2.enable = true; udisks2.enable = true;
}; };
systemd = { services = { NetworkManager-wait-online.enable = false; }; }; systemd = { services = { NetworkManager-wait-online.enable = false; }; };
sops = {
defaultSopsFile = "/etc/nixos/secrets/hosts/totsugeki.yaml";
age.keyFile = "/home/avery/.config/sops/age/keys.txt";
};
system.stateVersion = "24.05"; system.stateVersion = "24.05";
} }