tdpeuter/bos55-nix-config-cicd
1
Fork 0
forked from Bos55/nix-config
Code Pull requests 1 Releases Packages Activity Actions

feat(security): implement metadata redaction and sops-nix migration
Some checks failed
Build / Determining hosts to build (push) Failing after 12m41s
Details
Build / build (Development) (push) Has been cancelled
Details
Build / build (Testing) (push) Has been cancelled
Details

Browse source 
Migrated authorized SSH keys and personal metadata (emails, tokens) to sops-nix to prevent infrastructure fingerprinting. Introduced centralized secrets module with placeholder fallbacks.
This commit is contained in:
Tibo De Peuter 2026-03-17 19:41:31 +01:00
parent 731abd1d6f
commit 1c437333f3
Signed by: tdpeuter
GPG key ID: 38297DE43F75FFE2
11 changed files with 67 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

21
users/deploy/default.nix
View file

@ -3,7 +3,19 @@
let
cfg = config.homelab.users.deploy;
in {
options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy";
options.homelab.users.deploy = {
enable = lib.mkEnableOption "user Deploy";
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = ''
Additional SSH public keys authorized for the deploy user.
The CI runner key should be provided as a base key; personal
workstation keys can be appended here per host or globally.
'';
};
};
config = lib.mkIf cfg.enable {
users = {
@ -15,12 +27,15 @@ in {
isSystemUser = true;
home = "/var/empty";
shell = pkgs.bashInteractive;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
openssh.authorizedKeys.keyFiles = [
config.sops.secrets.user_keys_deploy.path
];
};
};
# Allow the deploy user to push closures to the nix store
nix.settings.trusted-users = [ "deploy" ];
security.sudo.extraRules = [
{
groups = [