diff --git a/.sops.yaml b/.sops.yaml index d27c351..b9f9fcd 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -10,3 +10,4 @@ creation_rules: - *admin_fw - *server_desktop - *server_macmini + - *server_legacy diff --git a/maskiner/legacy/configuration.nix b/maskiner/legacy/configuration.nix index 43ae211..fe89677 100644 --- a/maskiner/legacy/configuration.nix +++ b/maskiner/legacy/configuration.nix @@ -10,7 +10,7 @@ ... }: let - theme = "latte"; + theme = "mocha"; in { imports = [ diff --git a/moduler/base.nix b/moduler/base.nix index 6cbc735..43087ca 100644 --- a/moduler/base.nix +++ b/moduler/base.nix @@ -6,6 +6,9 @@ ... }: { + sops.defaultSopsFile = ../secrets/sops.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + nixpkgs = { config = { allowUnfree = true; @@ -49,11 +52,8 @@ efi = { canTouchEfiVariables = true; }; - systemd-boot.enable = true; - grub = { - efiSupport = true; - efiInstallAsRemovable = true; - device = "nodev"; + systemd-boot = { + enable = true; }; }; }; @@ -67,10 +67,19 @@ fi ''; }; - environment.etc = lib.mapAttrs' (name: value: { - name = "nix/path/${name}"; - value.source = value.flake; - }) config.nix.registry; + environment = { + etc = lib.mapAttrs' (name: value: { + name = "nix/path/${name}"; + value.source = value.flake; + }) config.nix.registry; + + sessionVariables = { + EDITOR = "nvim"; + VISUAL = "nvim"; + TERM = "xterm-256color"; + }; + + }; virtualisation = { docker = { @@ -79,12 +88,6 @@ }; }; - environment.sessionVariables = { - EDITOR = "nvim"; - VISUAL = "nvim"; - TERM = "xterm-256color"; - }; - time.timeZone = "Europe/Stockholm"; fonts.packages = with pkgs; [ @@ -108,12 +111,9 @@ console.keyMap = "sv-latin1"; - programs.bat = { - enable = true; - }; - services.tailscale.enable = true; networking = { + nftables.enable = true; networkmanager.enable = true; firewall = { checkReversePath = "loose"; diff --git a/moduler/users.nix b/moduler/users.nix index 3307570..9d979d0 100644 --- a/moduler/users.nix 
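Review bot: `sops.defaultSopsFile = ../secrets/sops.yaml;` and `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` are placed in the shared `moduler/base.nix`, so every host importing this module decrypts the same file with its own host key, and `secrets/sops.yaml` (re-encrypted in this commit for four age recipients) holds `smtp_password`, `forgejo-admin-password`, `forgejo-runner-token`, `gotify_password` and `user-password` together. Because sops encrypts a single data key to every recipient, any host key listed as a recipient — presumably including the legacy host added to `.sops.yaml` here — can decrypt all of these secrets, not only the ones that host actually consumes. If the hosts are meant to have different privilege, consider per-host secret files with `sops.defaultSopsFile` set in each host's configuration instead of the base module; at minimum a comment on this line such as `# shared secrets file: every host key in .sops.yaml can decrypt every secret in it` makes the trade-off explicit. The enclosing module attribute set starts and ends outside this hunk.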
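Review bot: `networking.nftables.enable = true;` is added in the last base.nix hunk while the same module enables Docker (`virtualisation.docker`), and Docker programs iptables itself for container NAT; as I recall the NixOS option description for `networking.nftables.enable` cautions that an existing iptables ruleset can prevent the nftables service from starting, so verify on a Docker host that `nftables.service` comes up and that the firewall (including the pre-existing `checkReversePath = "loose"`) still applies. If the switch has been tested, a one-line comment such as `# nftables backend; verified alongside Docker's iptables NAT rules` would spare the next reader the same check. The `networking` attribute set continues outside this hunk.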
+++ b/moduler/users.nix
@@ -4,11 +4,13 @@
 ...
 }:
 {
+ sops.secrets.user-password = { };
 users = {
 defaultUserShell = pkgs.bash;
+ mutableUsers = false;
 users = {
 fw = {
- initialPassword = "password";
+ hashedPasswordFile = config.sops.secrets.user-password.path;
 isNormalUser = true;
 description = "Fredrik Wastring";
 extraGroups = [
@@ -20,7 +22,7 @@
 ];
 openssh.authorizedKeys = {
 keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpJBGPIfPB1BwSG7aoKqwfccyZSaU7J3xpJ8behMp9N fw@core"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpJBGPIfPB1BwSG7aoKqwfccyZSaU7J3xpJ8behMp9N fw@core"
 ];
 };
 };
diff --git a/secrets/sops.yaml b/secrets/sops.yaml
index aaf955a..868f185 100644
--- a/secrets/sops.yaml
+++ b/secrets/sops.yaml
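Review bot: `sops.secrets.user-password = { };` declares the secret with default options, yet it is consumed by `hashedPasswordFile` under `mutableUsers = false`; sops-nix documents that secrets read during user creation need `neededForUsers = true` so they are decrypted before users are set up, otherwise the file may not exist yet when `fw` is created and the account ends up with no password at all. Suggested change: `sops.secrets.user-password = { neededForUsers = true; };`. A comment beside the declaration that the encrypted value must be a password hash (e.g. mkpasswd output), not the clear-text password, is also worth adding, since this cannot be verified from the encrypted blob in `secrets/sops.yaml`. With `mutableUsers = false`, a decryption failure on a host whose key is not a recipient leaves only the SSH key in the following hunk as a login path, so confirm this on the first deployment to the legacy host. The `users` attribute set continues outside this hunk.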
@@ -6,36 +6,46 @@ smtp_password: ENC[AES256_GCM,data:h1K973qeehIIATdoqFhrLiY7XiU=,iv:ltrsG9KZ8rQuS forgejo-admin-password: ENC[AES256_GCM,data:FuDfqjeQ2T5KcOO1BQ==,iv:ueX7XjbiChuwfYm1B/MJvJaYdWbCmoIs91lj9h9uFYE=,tag:qUszDTRZklwSKrS0PpJhTA==,type:str] forgejo-runner-token: ENC[AES256_GCM,data:1AUeTy5Sqoa4u5L/TGjt/v69p2xF/mp0oXVv08TA+squzRVW9/t40xfY2yD8HQ==,iv:uWf9jKIIsajh362vY2NBw8od+iOFGfIQ7NJVFgjWlBw=,tag:hCOzvSKoDbKCGceqNkRx7g==,type:str] gotify_password: ENC[AES256_GCM,data:Tl9T9yxKSyiemmc5B7kCdwYYHB9anenBg8epFNGqu7sa8YfaZNH9HfTdBtqELIcAkkyfoJUj9tOhxcfa1lDasahJC/8VF0jx6tjsgmTJORAwQa/8,iv:bEtG/ICTqqK3E+YXysDLV/uyawoeILKH+mQXTLOcWpk=,tag:dPqm74eH/Gt9Eg0lv2ptEw==,type:str] +user-password: ENC[AES256_GCM,data:cngHqB2IQXVvSMwm5KJeq6wOQMQ4z/DWap3YMyahq2fz8R2CKHackaNY4K3dltXKSLv5zdelyHMf4u7gzuPTMO1yNRIG99C9Yg==,iv:6WZ/dUQwn6+TPXnSEvDVS0DZz0oz7vMvKAioqYzvf0c=,tag:xVoCF0L490nZi/xYTI0klw==,type:str] sops: age: - recipient: age1jeyw96795qu52swmtkjqgr2w3g4vxc43ckc5r4hlwpje23ptnfwsheah0s enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdUw2TU9XcEFlTkxnT0lj - S2lodU5BQ1U0QU11ZmcrZUNJWEVNSERPK2trCnZHVDZxR3FVckdsdGNTVTJ5aE9p - SlhuV2NldHN3c0xOR1prMlM3SEhJNEEKLS0tIC9YaS8zcEVqMW1jWUFBTXBVbGFG - bzMxUUY2ODZhaUtjSUJjM3BWVjU5cDQKx5PhabRSkrIvKhYnvkjc2chQeEXcb2xd - mta6liWOXfn2VRnWAeEKCIJq/x6wNSBsNeQK0IRWxPGNCfJdtoos4w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudE1wcXlEU0VNTEUranB2 + ZDV5Vm9kdmU1RXBVOWdpLzdRR0NPQTZsUG13CklMYlJ0RXo5VnBGMzc2MUh4bTlM + Ny8zQzlhVGZhQWRRUFlwOGhPS2ZjQ28KLS0tIGFmUnVQRXhDTlZ2WjZ2K2N2WlhQ + MmR4WVhJVUwvRHdYNTdyd2Y2cUZ6Z2MKVP+HttSFnJ/IlEk3/YBzlV7xDADa/MKr + xtQQH4tSMFASNuoRZvADJ7evauei9Az63qD9vawUuOHc1wwr7ZWc2A== -----END AGE ENCRYPTED FILE----- - recipient: age106ml0ssx0p24dvfamp322myzka4wzeze9yhzyvtptp9c6fmmru6slswh2x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjNkxwMksxV21tVDJSL0JI - dGc1UEJZS3VvNTh3WnZkTW9LeFpqSGwzVVdVCnIzOW1oTnFvSnZRUWhvdzIzdVlB - 
OUlBTU1DeHplS0RRTkc1MlNIZk9DVzAKLS0tIHZxcmVqbGlVMm9Bai9VRW9qc0xS - bEVJNU5NbXgvNTBzN202MTdQeHlUeEkKIV3jTYkl8/3C1TQA+AjYpmjLZc7TgFI6 - ZkhP/CzYcPoRt4KHOrY/cROPAPDj4uki3RF+yyTxAsTKn8BBLSRjxQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIMjJOM3NkUVdaZldnOVNa + MlBQUy9ZOUEvUXZxUzhodUZJM1l3MVBaKzBrClY5SUFFMHp0T1RJTzNXTHl1Qm1t + U01ZQ1lOVE1RTTFqMHhWcnA5MnVUR2MKLS0tIHREQzFZaFBJSFlvRzI5ZTU2RjJo + VGt2VmdYZlVpQWl2Rjh1NERXVzBXSWMKIT4CMDoEvT+vwZF2suMy3NCeLhSnLjdo + bQOMwNdTqnpAhYdNTRtyEe6SwGaPahLEbH1uX3cgBE8ULL4ylV0TZg== -----END AGE ENCRYPTED FILE----- - recipient: age1dql5lwetk39a9y8ummfgjx3aym02yn205lxk389k6q0tu9y3ff4s94l66t enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsYktrK1BmZjhQY216MWxH - aHJBRGFHMWVXQWUrZS90dEpQeXZzU1grWm1VClhnTVYrR2tabU5LWFc1ZmgwY1dF - M0lFOU1hd1gxTFJPaDBGV2hIbW16WWsKLS0tIExCSGVPM1Jsb1R1VFNTTXRpalBK - OU8yT0cvcnZMMXphMFVHSXpHNjc4dEkKyXiwholsJthB9O7onb0buF6qHNVNZA3s - A2+HSl5P0HCyaZhDIDBFdaUL2r0CHKOPCN3Lrd5+Rirnx48RnDxwBA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMTZFOVV0Nk4xbzgzRFhn + R3VKN1IzL01HUmovNlJ3SVlvcmVQWWYyZlNVCmR2V1M0c1pDSnZubFBJZ2pvY2FN + ZG1iT0NFenBadHJyclVkcG1KcERiQ0EKLS0tIDlacDFzanNQVjdPTlFaNnhXa1VV + WnpRZmllcWcvOGNqOGwzbHl0aU5KUjgKM8EaFEIfmj1DT3p1SLHf4paww0jm06WI + lsiCx2/Udi1MDM541KkBvCV5riktxgU4Lu2vF5b4RnuS95g/8G58wA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-18T13:28:36Z" - mac: ENC[AES256_GCM,data:EaPrjK/m7g+8Vu6vDEzE5nObAWmMXwDEarFEiaoEXh4/tBcAjdhNaYPpGUhfh0NSppTFbkr2ZZKm+m9rTO1J8IeBZMC0FfcFu+34Mz1sL6mozBZX8nynIW3V9bbPKaq2mPd4To1HmphdIpRj72xzYzIzL5fJQxmT8Q4hI6qa5wk=,iv:PvMl479LK7v5hKJ5Ho/kPyajQ/49H+8UqVTre48NxqU=,tag:IE9QCsnhmzamkgX21OCLFA==,type:str] + - recipient: age1kf93dpuqhu0a90s49sszgw64mn32hwgrm8suv799ca4ngrkecpqs8ljzk8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOTF6NXAzcktDRjhTaGdW + S3dDakhxZzNPR1QyVnZ4dXU4cVJLaWk2S1drCjFLNmdtLzFxRkJWWmhmeVZOUjA3 + 
VDhudVFOWjBkblRJSEhyMC93NUNHTEEKLS0tIGZBeENxallvTXB4VWcrdHhOeUpv + ay84Q2w0NFlVb0FaNkxKN2t1UDVhejgKx+0w5vbpNzCRRaT/wQRO3JGkIbmn+NvE + ZI78XtBJvAwAY6P0tm01rC1wRDGA86wCu52CaOH7cro2zDk/ipZe5g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-11-23T20:46:06Z" + mac: ENC[AES256_GCM,data:eI8l+uMRZgS4w/73TN6e4b1wrkyhpNj/HKl1+znEmNyybrwdHLBOxu5XZ9cBA9UbFuZm/U3UxhKLiZncu1bWuFT7eS3IcG/G3wVHyPJR1psJ1Gi+zp1455AUhclRXYc9lEqMe34m9LW+JnXcf3LNQAOJOkits45GS35WhFt/6bI=,iv:qmlB/ehisy4Sw9b1mAvstJ/jHZgUhiHDNr6xHp1z57E=,tag:utTSn3qdufYBQP20WQmiwg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0