diff --git a/flake.nix b/flake.nix index cc3063f..e511de4 100644 --- a/flake.nix +++ b/flake.nix @@ -25,7 +25,7 @@ ... }: let - system = "x86_64-linux"; + system = utils.lib.system.x86_64-linux; lib = nixpkgs.lib; in utils.lib.mkFlake { @@ -75,7 +75,9 @@ ''; }) (lib.filterAttrs (_: isDeployable) self.nixosConfigurations); - checks = builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib; + checks = (builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib) // { + integration-test = import ./test/vm-test.nix { inherit self nixpkgs system; }; + }; outputsBuilder = channels: { formatter = channels.nixpkgs.alejandra; diff --git a/hosts/Development/default.nix b/hosts/Development/default.nix index fda8e57..68c5fea 100644 --- a/hosts/Development/default.nix +++ b/hosts/Development/default.nix @@ -3,6 +3,7 @@ { config = { homelab = { + networking.hostIp = "192.168.0.91"; apps = { bind9.enable = true; homepage = { @@ -13,6 +14,7 @@ plex.enable = true; }; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -36,7 +38,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.91"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; @@ -59,7 +61,8 @@ environment = { # NOTE Required # The email address used when setting up the initial administrator account to login to pgAdmin. - PGADMIN_DEFAULT_EMAIL = "kmtl.hugo+pgadmin@gmail.com"; + # TODO Hugo: Populate 'pgadmin_email' in sops. + PGADMIN_DEFAULT_EMAIL = config.sops.placeholder.pgadmin_email or "pgadmin-admin@example.com"; # NOTE Required # The password used when setting up the initial administrator account to login to pgAdmin. PGADMIN_DEFAULT_PASSWORD = "ChangeMe"; diff --git a/hosts/Ingress/default.nix b/hosts/Ingress/default.nix index c0a3ac9..c16f151 100644 --- a/hosts/Ingress/default.nix +++ b/hosts/Ingress/default.nix @@ -2,7 +2,11 @@ { config = { - homelab.virtualisation.guest.enable = true; + homelab = { + networking.hostIp = "192.168.0.10"; + virtualisation.guest.enable = true; + users.deploy.enable = true; + }; networking = { hostName = "Ingress"; @@ -19,8 +23,8 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.10"; -prefixLength = 24; + address = config.homelab.networking.hostIp; + prefixLength = 24; } ]; }; @@ -39,6 +43,7 @@ prefixLength = 24; }; }; + security.acme = { acceptTerms = true; defaults = { @@ -46,7 +51,7 @@ prefixLength = 24; dnsPropagationCheck = true; dnsProvider = "cloudflare"; dnsResolver = "1.1.1.1:53"; - email = "tibo.depeuter@telenet.be"; + email = config.sops.placeholder.acme_email or "acme-email@example.com"; credentialFiles = { CLOUDFLARE_DNS_API_TOKEN_FILE = "/var/lib/secrets/depeuter-dev-cloudflare-api-token"; }; diff --git a/hosts/Isabel/default.nix b/hosts/Isabel/default.nix index 0a1f50f..f275b0e 100644 --- a/hosts/Isabel/default.nix +++ b/hosts/Isabel/default.nix @@ -165,7 +165,7 @@ providers: # Certificates "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" - "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be" + "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}" "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" # Additional routes @@ -176,8 +176,8 @@ providers: # "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true) ]; environment = { - # TODO Hide this! - "CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2"; + # TODO Hugo: Populate 'cloudflare_dns_token' in sops. + "CLOUDFLARE_DNS_API_TOKEN" = config.sops.placeholder.cloudflare_dns_token or "CLOUDFLARE_TOKEN_PLACEHOLDER"; }; environmentFiles = [ ]; diff --git a/modules/apps/gitea/default.nix b/modules/apps/gitea/default.nix index 0361bd5..34d52e4 100644 --- a/modules/apps/gitea/default.nix +++ b/modules/apps/gitea/default.nix @@ -496,7 +496,8 @@ in { #FORGEJO__mailer__CLIENT_KEY_FILE = "custom/mailer/key.pem"; # Mail from address, RFC 5322. This can be just an email address, or the # `"Name" ` format. - FORGEJO__mailer__FROM = ''"${title}" ''; + # TODO Hugo: Populate 'gitea_mailer_from' in sops. + FORGEJO__mailer__FROM = config.sops.placeholder.gitea_mailer_from or "git@example.com"; # Sometimes it is helpful to use a different address on the envelope. Set this to use # ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address. #FORGEJO__mailer__ENVELOPE_FROM = ""; diff --git a/modules/apps/traefik/default.nix b/modules/apps/traefik/default.nix index 7f6ce38..54588c1 100644 --- a/modules/apps/traefik/default.nix +++ b/modules/apps/traefik/default.nix @@ -72,7 +72,7 @@ in { # Certificates "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" - "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be" + "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}" "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" ]; volumes = [ diff --git a/modules/apps/vaultwarden/default.nix b/modules/apps/vaultwarden/default.nix index 907dda4..6c55d0a 100644 --- a/modules/apps/vaultwarden/default.nix +++ b/modules/apps/vaultwarden/default.nix @@ -344,6 +344,7 @@ in { # ORG_CREATION_USERS=none ## A comma-separated list means only those users can create orgs: # ORG_CREATION_USERS=admin1@example.com,admin2@example.com + # TODO Hugo: Redact org creation users if needed. ## Invitations org admins to invite users, even when signups are disabled # INVITATIONS_ALLOWED=true @@ -590,7 +591,7 @@ in { ## To make sure the email links are pointing to the correct host, set the DOMAIN variable. ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory SMTP_HOST = "smtp.gmail.com"; - SMTP_FROM = "vault@depeuter.dev"; + SMTP_FROM = config.sops.placeholder.vaultwarden_smtp_from or "vaultwarden@example.com"; SMTP_FROM_NAME = cfg.name; # SMTP_USERNAME=username # SMTP_PASSWORD=password diff --git a/modules/common/secrets.nix b/modules/common/secrets.nix new file mode 100644 index 0000000..10b6473 --- /dev/null +++ b/modules/common/secrets.nix @@ -0,0 +1,18 @@ +{ config, lib, ... }: + +{ + sops.secrets = { + # -- User Public Keys (Anti-Fingerprinting) -- + "user_keys_admin" = { neededForUsers = true; }; + "user_keys_deploy" = { neededForUsers = true; }; + "user_keys_backup" = { neededForUsers = true; }; + + # -- Infrastructure Metadata -- + # Hugo TODO: Populate these in your .sops.yaml / secrets file + "acme_email" = {}; + "cloudflare_dns_token" = {}; + "pgadmin_email" = {}; + "gitea_mailer_from" = {}; + "vaultwarden_smtp_from" = {}; + }; +} diff --git a/test/vm-test.nix b/test/vm-test.nix index 57acc80..e15b719 100644 --- a/test/vm-test.nix +++ b/test/vm-test.nix @@ -1,7 +1,6 @@ -{ self, nixpkgs, ... }: +{ self, nixpkgs, system, ... }: let - system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; in pkgs.nixosTest { diff --git a/users/admin/default.nix b/users/admin/default.nix index dc01c81..14766da 100644 --- a/users/admin/default.nix +++ b/users/admin/default.nix @@ -26,7 +26,9 @@ in { config.users.groups.wheel.name # Enable 'sudo' for the user. ]; initialPassword = "ChangeMe"; - openssh.authorizedKeys.keys = cfg.authorizedKeys; + openssh.authorizedKeys.keyFiles = [ + config.sops.secrets.user_keys_admin.path + ]; packages = with pkgs; [ curl git diff --git a/users/backup/default.nix b/users/backup/default.nix index acae033..8c20374 100644 --- a/users/backup/default.nix +++ b/users/backup/default.nix @@ -12,9 +12,8 @@ in { extraGroups = [ "docker" # Allow access to the docker socket. ]; - openssh.authorizedKeys.keys = [ - # Hugo - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICms6vjhE9kOlqV5GBPGInwUHAfCSVHLI2Gtzee0VXPh" + openssh.authorizedKeys.keyFiles = [ + config.sops.secrets.user_keys_backup.path ]; }; }; diff --git a/users/deploy/default.nix b/users/deploy/default.nix index 0509d1e..5c28561 100644 --- a/users/deploy/default.nix +++ b/users/deploy/default.nix @@ -3,7 +3,19 @@ let cfg = config.homelab.users.deploy; in { - options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy"; + options.homelab.users.deploy = { + enable = lib.mkEnableOption "user Deploy"; + + authorizedKeys = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = []; + description = '' + Additional SSH public keys authorized for the deploy user. + The CI runner key should be provided as a base key; personal + workstation keys can be appended here per host or globally. + ''; + }; + }; config = lib.mkIf cfg.enable { users = { @@ -15,12 +27,15 @@ in { isSystemUser = true; home = "/var/empty"; shell = pkgs.bashInteractive; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg" + openssh.authorizedKeys.keyFiles = [ + config.sops.secrets.user_keys_deploy.path ]; }; }; + # Allow the deploy user to push closures to the nix store + nix.settings.trusted-users = [ "deploy" ]; + security.sudo.extraRules = [ { groups = [