WIP: Add sops

Tristan Daniël Maat 2022-01-18 18:59:50 +00:00
parent 9e9680ddf7
commit e9c9dbfa41
Signed by: tlater
GPG key ID: 49670FD774E43268
4 changed files with 62 additions and 2 deletions

7
.sops.yaml Normal file

@ -0,0 +1,7 @@
keys:
- &tlater 535B61015823443941C744DD12264F6BBDFABA89
creation_rules:
- key_groups:
- pgp:
- *tlater
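Review bot: The creation rule under `- key_groups:` names a single PGP recipient, `*tlater`, so any host that has to decrypt the resulting secrets file at activation must hold that personal private key. Adding a dedicated per-host key as a second entry in the same `pgp:` list would let the server decrypt without the user key ever leaving the workstation, and is the usual shape for a sops-nix deployment. The rule also carries no `path_regex`, so it applies to every file encrypted with this config; if that is intended, a comment such as `# no path_regex: applies to every sops file in this repo` would make it explicit. The hunk header announces seven added lines while six are rendered here, so one line may have been dropped by the page.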


@ -34,6 +34,16 @@
time.timeZone = "Europe/London"; time.timeZone = "Europe/London";
sops = {
gnupg = {
home = "/var/lib/sops";
sshKeyPaths = [ ];
};
defaultSopsFile = "/etc/sops/secrets.yaml";
validateSopsFiles = false;
};
users.users.tlater = { users.users.tlater = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
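Review bot: The new `sops = {` block depends on state that nothing in the commit provisions or documents: a PGP private key inside `gnupg.home = "/var/lib/sops";` (with `sshKeyPaths = [ ];` the host's SSH keys are not used for decryption) and a secrets file at `defaultSopsFile = "/etc/sops/secrets.yaml";`. Because `validateSopsFiles = false;` disables the evaluation-time check, a missing or malformed file presumably only surfaces at activation, on the live host. A short comment such as `# key in /var/lib/sops and /etc/sops/secrets.yaml are deployed out of band; validateSopsFiles is off because the file lives outside the store` would tell the next reader why the check is disabled and what must exist before a switch. No `sops.secrets` entries are declared in this hunk, so as committed the module decrypts nothing; given the WIP title that may be intended, but it is worth stating.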


@ -73,6 +73,7 @@
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"sops-nix": "sops-nix",
"tlaternet-templates": "tlaternet-templates", "tlaternet-templates": "tlaternet-templates",
"tlaternet-webserver": "tlaternet-webserver" "tlaternet-webserver": "tlaternet-webserver"
} }
@ -102,6 +103,26 @@
"type": "github" "type": "github"
} }
}, },
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1641374494,
"narHash": "sha256-a56G6Um43+0+n+yNYhRCh/mSvDdRVzQHSKcFaDEB9/8=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "7edb4b080023ef12f39262a3aa7aab31015a7a0e",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"tlaternet-templates": { "tlaternet-templates": {
"inputs": { "inputs": {
"flake-utils": [ "flake-utils": [


@ -5,6 +5,10 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11";
nixos-hardware.url = "github:nixos/nixos-hardware/master"; nixos-hardware.url = "github:nixos/nixos-hardware/master";
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
tlaternet-webserver = { tlaternet-webserver = {
url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git"; url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git";
inputs = { inputs = {
@ -21,8 +25,8 @@
}; };
}; };
outputs = { self, nixpkgs, nixos-hardware, flake-utils, tlaternet-webserver outputs = { self, nixpkgs, nixos-hardware, flake-utils, sops-nix
, tlaternet-templates, ... }@inputs: , tlaternet-webserver, tlaternet-templates, ... }@inputs:
let let
overlays = [ overlays = [
(final: prev: { (final: prev: {
@ -35,6 +39,7 @@
local-lib = self.lib.${prev.system}; local-lib = self.lib.${prev.system};
}; };
}) })
sops-nix.overlay
]; ];
in { in {
@ -44,6 +49,8 @@
inherit system; inherit system;
modules = [ modules = [
sops-nix.nixosModules.sops
({ modulesPath, ... }: { ({ modulesPath, ... }: {
imports = [ (modulesPath + "/profiles/headless.nix") ]; imports = [ (modulesPath + "/profiles/headless.nix") ];
nixpkgs.overlays = overlays; nixpkgs.overlays = overlays;
@ -61,6 +68,8 @@
inherit system; inherit system;
modules = [ modules = [
sops-nix.nixosModule
({ modulesPath, ... }: { ({ modulesPath, ... }: {
imports = [ (modulesPath + "/profiles/headless.nix") ]; imports = [ (modulesPath + "/profiles/headless.nix") ];
nixpkgs.overlays = overlays; nixpkgs.overlays = overlays;
@ -78,6 +87,13 @@
# can easily test locally with the VM. # can easily test locally with the VM.
services.nginx.domain = lib.mkOverride 99 "localhost"; services.nginx.domain = lib.mkOverride 99 "localhost";
# Use a default password for the grafana instance for
# easy testing.
services.grafana.security = {
adminPassword = "insecure";
adminPasswordFile = lib.mkOverride 99 null;
};
# # Set up VM settings to match real VPS # # Set up VM settings to match real VPS
# virtualisation.memorySize = 3941; # virtualisation.memorySize = 3941;
# virtualisation.cores = 2; # virtualisation.cores = 2;
@ -94,6 +110,8 @@
nixfmt nixfmt
git-lfs git-lfs
sops-init-gpg-key
# For the minecraft mod update script # For the minecraft mod update script
(python3.withPackages (pypkgs: (python3.withPackages (pypkgs:
with pypkgs; [ with pypkgs; [
@ -107,6 +125,10 @@
# pyls-mypy # pyls-mypy
])) ]))
]; ];
# nativeBuildInputs = [ sops-import-keys-hook ]; Breaks the shellHook somehow
sopsPGPKeyDirs = [ "./keys/hosts/" "./keys/users/" ];
shellHook = '' shellHook = ''
export QEMU_OPTS="-m 3941 -smp 2 -curses" export QEMU_OPTS="-m 3941 -smp 2 -curses"
export QEMU_NET_OPTS="hostfwd=::3022-:2222,hostfwd=::3080-:80,hostfwd=::3443-:443,hostfwd=::3021-:2221,hostfwd=::25565-:25565" export QEMU_NET_OPTS="hostfwd=::3022-:2222,hostfwd=::3080-:80,hostfwd=::3443-:443,hostfwd=::3021-:2221,hostfwd=::25565-:25565"