WIP: Add sops

This commit is contained in:
Tristan Daniël Maat 2022-01-18 18:59:50 +00:00
parent 9e9680ddf7
commit e9c9dbfa41
Signed by: tlater
GPG key ID: 49670FD774E43268
4 changed files with 62 additions and 2 deletions

7
.sops.yaml Normal file

@ -0,0 +1,7 @@
keys:
- &tlater 535B61015823443941C744DD12264F6BBDFABA89
creation_rules:
- key_groups:
- pgp:
- *tlater
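Review bot: The only recipient under `creation_rules` is the user key `&tlater`, so a deployed host can decrypt these files only if that same private key is present in its gnupg home; adding a per-host key as a second `pgp:` entry (or a separate key group) would let the machine decrypt without holding the user's key. The rule also has no `path_regex`, so it applies to every file sops creates in this repository, which is fine for one secrets file but worth stating, e.g. `# Applies to all sops files; add path_regex once per-host secrets are split out`. The header counts 7 additions but only 6 lines appear here, so a trailing line may be missing from this view.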


@ -34,6 +34,16 @@
time.timeZone = "Europe/London";
sops = {
gnupg = {
home = "/var/lib/sops";
sshKeyPaths = [ ];
};
defaultSopsFile = "/etc/sops/secrets.yaml";
validateSopsFiles = false;
};
users.users.tlater = {
isNormalUser = true;
extraGroups = [ "wheel" ];
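Review bot: `validateSopsFiles = false;` together with `defaultSopsFile = "/etc/sops/secrets.yaml";` means the encrypted file is never checked at evaluation time and must already exist on the host, so a missing or malformed secrets file only fails when the system activates; a comment stating the trade-off would help, e.g. `# Secrets live outside the flake, so build-time validation is off; failures surface at activation`. With `sshKeyPaths = [ ];` no GPG key is derived from the SSH host key, so decryption depends entirely on what is provisioned into `/var/lib/sops` — presumably by hand for now — and that provisioning step is not documented anywhere in this commit. The enclosing attribute set starts before this hunk.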


@ -73,6 +73,7 @@
"flake-utils": "flake-utils",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix",
"tlaternet-templates": "tlaternet-templates",
"tlaternet-webserver": "tlaternet-webserver"
}
@ -102,6 +103,26 @@
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1641374494,
"narHash": "sha256-a56G6Um43+0+n+yNYhRCh/mSvDdRVzQHSKcFaDEB9/8=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "7edb4b080023ef12f39262a3aa7aab31015a7a0e",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"tlaternet-templates": {
"inputs": {
"flake-utils": [


@ -5,6 +5,10 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11";
nixos-hardware.url = "github:nixos/nixos-hardware/master";
flake-utils.url = "github:numtide/flake-utils";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
tlaternet-webserver = {
url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git";
inputs = {
@ -21,8 +25,8 @@
};
};
outputs = { self, nixpkgs, nixos-hardware, flake-utils, tlaternet-webserver
, tlaternet-templates, ... }@inputs:
outputs = { self, nixpkgs, nixos-hardware, flake-utils, sops-nix
, tlaternet-webserver, tlaternet-templates, ... }@inputs:
let
overlays = [
(final: prev: {
@ -35,6 +39,7 @@
local-lib = self.lib.${prev.system};
};
})
sops-nix.overlay
];
in {
@ -44,6 +49,8 @@
inherit system;
modules = [
sops-nix.nixosModules.sops
({ modulesPath, ... }: {
imports = [ (modulesPath + "/profiles/headless.nix") ];
nixpkgs.overlays = overlays;
@ -61,6 +68,8 @@
inherit system;
modules = [
sops-nix.nixosModule
({ modulesPath, ... }: {
imports = [ (modulesPath + "/profiles/headless.nix") ];
nixpkgs.overlays = overlays;
@ -78,6 +87,13 @@
# can easily test locally with the VM.
services.nginx.domain = lib.mkOverride 99 "localhost";
# Use a default password for the grafana instance for
# easy testing.
services.grafana.security = {
adminPassword = "insecure";
adminPasswordFile = lib.mkOverride 99 null;
};
# # Set up VM settings to match real VPS
# virtualisation.memorySize = 3941;
# virtualisation.cores = 2;
@ -94,6 +110,8 @@
nixfmt
git-lfs
sops-init-gpg-key
# For the minecraft mod update script
(python3.withPackages (pypkgs:
with pypkgs; [
@ -107,6 +125,10 @@
# pyls-mypy
]))
];
# nativeBuildInputs = [ sops-import-keys-hook ]; Breaks the shellHook somehow
sopsPGPKeyDirs = [ "./keys/hosts/" "./keys/users/" ];
shellHook = ''
export QEMU_OPTS="-m 3941 -smp 2 -curses"
export QEMU_NET_OPTS="hostfwd=::3022-:2222,hostfwd=::3080-:80,hostfwd=::3443-:443,hostfwd=::3021-:2221,hostfwd=::25565-:25565"