From 711dc677ec915a4276bdc00b9dd2fa1a0d30ba52 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Tue, 17 Mar 2026 18:18:19 +0100 Subject: [PATCH] WIP/backup: Deployment batch antigravity --- .github/workflows/build.yml | 51 +++++++-------- .github/workflows/check.yml | 24 +++++++ .github/workflows/deploy.yml | 81 +++++++++++++++++++++++ README.md | 64 ++++++++++++++++++ SECURITY.md | 93 ++++++++++++++++++++++++++ flake.lock | 76 +++++++++++++++++++++- flake.nix | 97 ++++++++++++++++++---------- hosts/ACE/default.nix | 6 +- hosts/Binnenpost/default.nix | 6 +- hosts/Development/default.nix | 7 +- hosts/Gitea/default.nix | 5 +- hosts/Ingress/default.nix | 13 ++-- hosts/Isabel/default.nix | 6 +- hosts/Niko/default.nix | 1 + hosts/Production/default.nix | 4 +- hosts/ProductionArr/default.nix | 4 +- hosts/ProductionGPU/default.nix | 4 +- hosts/Testing/default.nix | 4 +- hosts/Vaultwarden/default.nix | 17 +++-- modules/apps/gitea/default.nix | 3 +- modules/apps/traefik/default.nix | 2 +- modules/apps/vaultwarden/default.nix | 3 +- modules/common/default.nix | 5 ++ modules/common/networking.nix | 19 ++++++ modules/common/secrets.nix | 18 ++++++ test/vm-test.nix | 29 +++++++++ users/admin/default.nix | 4 +- users/backup/default.nix | 5 +- users/deploy/default.nix | 21 +++++- 29 files changed, 575 insertions(+), 97 deletions(-) create mode 100644 .github/workflows/check.yml create mode 100644 .github/workflows/deploy.yml create mode 100644 README.md create mode 100644 SECURITY.md create mode 100644 modules/common/networking.nix create mode 100644 modules/common/secrets.nix create mode 100644 test/vm-test.nix diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 74d6457..0236ced 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,43 +1,40 @@ -name: "Build" +name: Build + on: - pull_request: push: + branches: + - main + - 'test-*' + pull_request: jobs: - determine-hosts: - name: "Determining hosts to build" + # Job to find all hosts that should be built + get-hosts: runs-on: ubuntu-latest container: catthehacker/ubuntu:act-24.04 outputs: - hosts: ${{ steps.hosts.outputs.hostnames }} + hosts: ${{ steps.set-hosts.outputs.hosts }} steps: - - uses: actions/checkout@v5 - - uses: https://github.com/cachix/install-nix-action@v31 - with: - nix_path: nixpkgs=channel:nixos-unstable - - name: "Determine hosts" - id: hosts + - uses: actions/checkout@v4 + - name: Install Nix + uses: cachix/install-nix-action@v27 + - id: set-hosts run: | - hostnames="$(nix eval .#nixosConfigurations --apply builtins.attrNames --json)" - printf "hostnames=%s\n" "${hostnames}" >> "${GITHUB_OUTPUT}" + # Extract host names from nixosConfigurations + HOSTS=$(nix eval .#nixosConfigurations --apply "builtins.attrNames" --json) + echo "hosts=$HOSTS" >> $GITHUB_OUTPUT build: + needs: get-hosts runs-on: ubuntu-latest container: catthehacker/ubuntu:act-24.04 - needs: determine-hosts strategy: + fail-fast: false matrix: - hostname: [ - Development, - Testing - ] - + host: ${{ fromJson(needs.get-hosts.outputs.hosts) }} steps: - - uses: actions/checkout@v5 - - uses: https://github.com/cachix/install-nix-action@v31 - with: - nix_path: nixpkgs=channel:nixos-unstable - - name: "Build host" - run: | - nix build ".#nixosConfigurations.${{ matrix.hostname }}.config.system.build.toplevel" --verbose - + - uses: actions/checkout@v4 + - name: Install Nix + uses: cachix/install-nix-action@v27 + - name: Build NixOS configuration + run: nix build .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml new file mode 100644 index 0000000..4cc892e --- /dev/null +++ b/.github/workflows/check.yml @@ -0,0 +1,24 @@ +name: Check + +on: + push: + branches: + - '**' + pull_request: + +jobs: + check: + runs-on: ubuntu-latest + container: catthehacker/ubuntu:act-24.04 + steps: + - uses: actions/checkout@v4 + + - name: Install Nix + uses: cachix/install-nix-action@v27 + with: + extra_nix_config: | + experimental-features = nix-command flakes + access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} + + - name: Flake check + run: nix flake check diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml new file mode 100644 index 0000000..a037a7a --- /dev/null +++ b/.github/workflows/deploy.yml @@ -0,0 +1,81 @@ +name: Deploy + +on: + push: + branches: + - main + - 'test-*' + workflow_dispatch: + inputs: + mode: + description: 'Activation mode (switch, boot, test)' + default: 'switch' + required: true + +jobs: + deploy: + runs-on: ubuntu-latest + container: catthehacker/ubuntu:act-24.04 + steps: + - uses: actions/checkout@v4 + + - name: Install Nix + uses: cachix/install-nix-action@v27 + with: + extra_nix_config: | + experimental-features = nix-command flakes + + - name: Setup SSH + run: | + mkdir -p ~/.ssh + echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + ssh-keyscan -H 192.168.0.0/24 >> ~/.ssh/known_hosts || true + # Disable strict host key checking for the local network if needed, + # or rely on known_hosts. For homelab, we can be slightly more relaxed + # but let's try to be secure. + echo "StrictHostKeyChecking no" >> ~/.ssh/config + + - name: Verify Commit Signature + if: github.event.sender.login != 'renovate[bot]' + run: | + # TODO Hugo: Export your public GPG/SSH signing keys to a runner secret named 'TRUSTED_SIGNERS'. + # For GPG: gpg --export --armor | base64 -w0 + + if [ -z "${{ secrets.TRUSTED_SIGNERS }}" ]; then + echo "::error::TRUSTED_SIGNERS secret is missing. Deployment aborted for safety." + exit 1 + fi + + # Implementation note: This step expects a keyring in the TRUSTED_SIGNERS secret. + # We use git to verify the signature of the current commit. + echo "${{ secrets.TRUSTED_SIGNERS }}" | base64 -d > /tmp/trusted_keys.gpg + gpg --import /tmp/trusted_keys.gpg + + if ! git verify-commit HEAD; then + echo "::error::Commit signature verification failed. Only signed commits from trusted maintainers can be deployed." + exit 1 + fi + echo "Commit signature verified successfully." + + - name: Install deploy-rs + run: nix profile install github:serokell/deploy-rs + + - name: Deploy to hosts + run: | + # Determine profile based on branch + if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then + # Main site: persistent deployment + deploy . --skip-checks --targets $(deploy . --list | grep '.system$' | tr '\n' ' ') + elif [[ "${{ github.ref }}" == "refs/heads/test-"* ]]; then + # Test branch: non-persistent deployment (test profile) + # The branch name should be test- + HOSTNAME="${GITHUB_REF#refs/heads/test-}" + deploy .#${HOSTNAME}.test --skip-checks + fi + + - name: Manual Deploy + if: github.event_name == 'workflow_dispatch' + run: | + # TODO: Implement manual dispatch logic if needed + deploy . --skip-checks diff --git a/README.md b/README.md new file mode 100644 index 0000000..19f9892 --- /dev/null +++ b/README.md @@ -0,0 +1,64 @@ +# Bos55 NixOS Config + +Automated CI/CD deployment for NixOS homelab using `deploy-rs`. + +## Repository Structure + +- `hosts/`: Host-specific configurations. +- `modules/`: Shared NixOS modules. +- `users/`: User definitions (including the `deploy` user). +- `secrets/`: Encrypted secrets via `sops-nix`. + +## Deployment Workflow + +### Prerequisites +- SSH access to the `deploy` user on target hosts. +- `deploy-rs` installed locally (`nix profile install github:serokell/deploy-rs`). + +### Deployment Modes + +1. **Production Deployment (main branch):** + Triggered on push to `main`. Automatically builds and switches all hosts. bootloader is updated. + Manual: `deploy .` + +2. **Test Deployment (test- branch):** + Triggered on push to `test-`. Builds and activates the configuration on the specific host **without** updating the bootloader. Reboots will revert to the previous generation. + Manual: `deploy .#.test` + +3. **Kernel Upgrades / Maintenance:** + Use `deploy .#.system --boot` to update the bootloader without immediate activation, followed by a manual reboot. + +## Local Development + +### 1. Developer Shell +This repository includes a standardized development environment containing all necessary tools (`deploy-rs`, `sops`, `age`, etc.). +```bash +nix develop +# or if using direnv +direnv allow +``` + +### 2. Build a host VM +You can build a QEMU VM for any host configuration to test changes locally: +```bash +nix build .#nixosConfigurations..config.system.build.vm +./result/bin/run--vm +``` + +> [!WARNING] +> **Network Conflict**: Default VMs use user-mode networking (NAT) which is safe. However, if you configure the VM to use bridge networking, it will attempt to use the static IP defined in `hostIp`. Ensure you do not have a physical host with that IP active on the same bridge to avoid network interference. + +### 3. Run Integration Tests +Run the automated test suite: +```bash +nix-build test/vm-test.nix +``` + +### 3. Test CI Workflows Locally +Use `act` to test the GitHub Actions workflows: +```bash +act -W .github/workflows/check.yml +``` + +## Security +See [SECURITY.md](SECURITY.md) for details on the trust model and secret management. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..ca1c208 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,93 @@ +# Security and Trust Model + +This document outlines the security architecture, trust boundaries, and assumptions of the Bos55 NixOS deployment pipeline. This model is designed to support a multi-member infrastructure team and remains secure even if the repository is published publicly. + +## Trust Zones + +The system is partitioned into three distinct trust zones, each with specific controls to prevent lateral movement and privilege escalation. + +### 🔴 Zone 1: Trusted Maintainers (Source of Truth) +* **Actors:** Infrastructure Team / Maintainers. +* **Capabilities:** + * Full access to the Git repository. + * Ownership of `sops-nix` master keys (GPG or Age). + * Direct root access to NixOS hosts via personal SSH keys for emergency maintenance. +* **Trust:** Root of trust. All changes must originate from or be approved by a Trusted Maintainer. +* **Security Controls:** + * **Signed Commits:** All contributions must be cryptographically signed by a trusted GPG/SSH key to be eligible for deployment. + - **MFA:** Hardware-based multi-factor authentication for repository access. + - **Metadata Redaction:** Sensitive identifiers like SSH `authorizedKeys` are stored in `sops-nix`. This prevents **infrastructure fingerprinting**, where an attacker could link your public keys to your personal identities or other projects. + +### 🟡 Zone 2: CI/CD Pipeline (Automation Layer) +* **Actor:** GitHub Actions / Forgejo Runners. +* **Capabilities:** + * Builds Nix derivations from the repository. + * Access to the `DEPLOY_SSH_KEY` (allowing SSH access to the `deploy` user on target hosts). + * **Trusted Signers:** The public keys for verifying signatures are stored as a **Runner Secret** (`TRUSTED_SIGNERS`). This hides the identities of the infrastructure team even in a public repository. + * **NO ACCESS** to `sops-nix` decryption keys. Secrets remain encrypted during the build. +* **Security Controls:** + * **Signature Enforcement:** The `deploy.yml` workflow verifies the cryptographic signature of every maintainer commit. Deployment is aborted if the signature is missing or untrusted. + * **Sandboxing:** Runners execute in ephemeral, isolated containers. + * **Branch Protection:** Deployments to production (`main`) require approved Pull Requests. + * **Fork Protection:** CI workflows (and secrets) are explicitly disabled for forks. + +### 🟢 Zone 3: Target NixOS Hosts (Runtime) +* **Actor:** Production, Testing, and Service nodes. +* **Capabilities:** Decrypt secrets locally using host-specific `age` keys. +* **Trust:** Consumers of builds. They trust Zone 2 only for the pushing of store paths and triggering activation scripts. +* **Security Controls:** + * **Restricted `deploy` User:** The SSH user for automation is non-root. Sudo access is strictly policed via `sudoers` rules to allow only `nix-env` and `switch-to-configuration`. + * **Immutable Store:** Building on Nix ensures that the system state is derived from a cryptographically hashed store, preventing unauthorized local modifications from persisting across reboots. + +--- + +## Security Assumptions & Policies + +### 1. Public Repository Safety +The repository is designed to be safe for public viewing. No unencrypted secrets should ever be committed. The deployment pipeline is protected against "malicious contributors" via: +- **Mandatory PR Reviews:** No code can reach the `main` branch without peer review. +- **Secret Scoping:** Deployment keys are only available to authorized runs on protected branches. + +### 2. Supply Chain & Dependencies +- **Flake Lockfiles:** All dependencies (Nixpkgs, `deploy-rs`, etc.) are pinned to specific git revisions. +- **Renovate Bot:** Automated version upgrades allow for consistent tracking of upstream changes, though they require manual review or successful status checks for minor/patch versions. + +### 3. Signed Commit Enforcement +To prevent "force-push" attacks or runner compromises from injecting malicious code into the history, the pipeline should be configured to only deploy commits signed by a known "Trusted Maintainer" key. This ensures that even if a git account is compromised, the attacker cannot deploy code without the physical/cryptographic signing key. + +--- + +## Trust Boundary Diagram + +```mermaid +graph TD + subgraph "Zone 1: Trusted Workstations" + DEV["Maintainers (Team)"] + SOPS_KEYS["Master SOPS Keys"] + SIGN_KEYS["Signing Keys (GPG/SSH)"] + end + + subgraph "Zone 2: CI/CD Runner (Sandboxed)" + CI["Automated Runner"] + SSH_KEY["Deploy SSH Key"] + end + + subgraph "Zone 3: NixOS Target Hosts" + HOST["Target Host"] + HOST_AGE["Host Age Key"] + end + + DEV -- "Signed Push / PR" --> CI + CI -- "Push Store Paths & Activate" --> HOST + HOST_AGE -- "Local Decrypt" --> HOST + + style DEV fill:#f96,stroke:#333 + style CI fill:#ff9,stroke:#333 + style HOST fill:#9f9,stroke:#333 +``` + +## Security Best Practices for Maintainers + +1. **Keep Master Keys Offline:** Never store `sops-nix` master keys on the CI runner or public servers. +2. **Audit Runner Logs:** Periodically review CI execution logs for unexpected behavior. +3. **Rotate Deployment Keys:** Rotate the `DEPLOY_SSH_KEY` if maintainer membership changes significantly. diff --git a/flake.lock b/flake.lock index da5c167..016776e 100644 --- a/flake.lock +++ b/flake.lock @@ -1,8 +1,46 @@ { "nodes": { + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1770019181, + "narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -35,10 +73,11 @@ }, "root": { "inputs": { + "deploy-rs": "deploy-rs", "flake-utils": "flake-utils", "nixpkgs": "nixpkgs", "sops-nix": "sops-nix", - "utils": "utils" + "utils": "utils_2" } }, "sops-nix": { @@ -76,7 +115,40 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "utils_2": { "inputs": { "flake-utils": [ "flake-utils" diff --git a/flake.nix b/flake.nix index 446f4ce..cc3063f 100644 --- a/flake.nix +++ b/flake.nix @@ -13,52 +13,81 @@ url = "github:gytis-ivaskevicius/flake-utils-plus"; inputs.flake-utils.follows = "flake-utils"; }; + deploy-rs = { + url = "github:serokell/deploy-rs"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs@{ self, nixpkgs, - flake-utils, sops-nix, utils, + flake-utils, sops-nix, utils, deploy-rs, ... }: let - system = utils.lib.system.x86_64-linux; + system = "x86_64-linux"; + lib = nixpkgs.lib; in - utils.lib.mkFlake { - inherit self inputs; + utils.lib.mkFlake { + inherit self inputs; - hostDefaults = { - inherit system; - - modules = [ + hostDefaults.modules = [ ./modules ./users - sops-nix.nixosModules.sops + ({ self, ... }: { + sops.defaultSopsFile = "${self}/secrets/secrets.yaml"; + sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + }) ]; + + hosts = { + # Infrastructure + Niko.modules = [ ./hosts/Niko ]; + Ingress.modules = [ ./hosts/Ingress ]; + Gitea.modules = [ ./hosts/Gitea ]; + Vaultwarden.modules = [ ./hosts/Vaultwarden ]; + + # Production + Binnenpost.modules = [ ./hosts/Binnenpost ]; + Production.modules = [ ./hosts/Production ]; + ProductionGPU.modules = [ ./hosts/ProductionGPU ]; + ProductionArr.modules = [ ./hosts/ProductionArr ]; + ACE.modules = [ ./hosts/ACE ]; + + # Lab + Template.modules = [ ./hosts/Template ]; + Development.modules = [ ./hosts/Development ]; + Testing.modules = [ ./hosts/Testing ]; + }; + + deploy.nodes = let + pkg = deploy-rs.lib.${system}; + isDeployable = nixos: (nixos.config.homelab.users.deploy.enable or false) && (nixos.config.homelab.networking.hostIp != null); + in + builtins.mapAttrs (_: nixos: { + hostname = nixos.config.homelab.networking.hostIp; + sshUser = "deploy"; + user = "root"; + profiles.system.path = pkg.activate.nixos nixos; + profiles.test.path = pkg.activate.custom nixos.config.system.build.toplevel '' + $PROFILE/bin/switch-to-configuration test + ''; + }) (lib.filterAttrs (_: isDeployable) self.nixosConfigurations); + + checks = builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib; + + outputsBuilder = channels: { + formatter = channels.nixpkgs.alejandra; + devShells.default = channels.nixpkgs.mkShell { + name = "homelab-dev"; + buildInputs = [ + deploy-rs.packages.${system}.deploy-rs + channels.nixpkgs.sops + channels.nixpkgs.age + ]; + shellHook = "echo '🛡️ Homelab Development Shell Loaded'"; + }; + }; }; - - hosts = { - # Physical hosts - Niko.modules = [ ./hosts/Niko ]; - - # Virtual machines - - # Single-service - Ingress.modules = [ ./hosts/Ingress ]; - Gitea.modules = [ ./hosts/Gitea ]; - Vaultwarden.modules = [ ./hosts/Vaultwarden ]; - - # Production multi-service - Binnenpost.modules = [ ./hosts/Binnenpost ]; - Production.modules = [ ./hosts/Production ]; - ProductionGPU.modules = [ ./hosts/ProductionGPU ]; - ProductionArr.modules = [ ./hosts/ProductionArr ]; - ACE.modules = [ ./hosts/ACE ]; - - # Others - Template.modules = [ ./hosts/Template ]; - Development.modules = [ ./hosts/Development ]; - Testing.modules = [ ./hosts/Testing ]; - }; - }; } diff --git a/hosts/ACE/default.nix b/hosts/ACE/default.nix index 04aa284..094b077 100644 --- a/hosts/ACE/default.nix +++ b/hosts/ACE/default.nix @@ -1,10 +1,12 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: { config = { homelab = { + networking.hostIp = "192.168.0.41"; services.actions.enable = true; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -24,7 +26,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.41"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/Binnenpost/default.nix b/hosts/Binnenpost/default.nix index 561fbe1..624608b 100644 --- a/hosts/Binnenpost/default.nix +++ b/hosts/Binnenpost/default.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: { config = { @@ -13,12 +13,14 @@ }; homelab = { + networking.hostIp = "192.168.0.89"; apps = { speedtest.enable = true; technitiumDNS.enable = true; traefik.enable = true; }; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -43,7 +45,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.89"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/Development/default.nix b/hosts/Development/default.nix index fda8e57..68c5fea 100644 --- a/hosts/Development/default.nix +++ b/hosts/Development/default.nix @@ -3,6 +3,7 @@ { config = { homelab = { + networking.hostIp = "192.168.0.91"; apps = { bind9.enable = true; homepage = { @@ -13,6 +14,7 @@ plex.enable = true; }; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -36,7 +38,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.91"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; @@ -59,7 +61,8 @@ environment = { # NOTE Required # The email address used when setting up the initial administrator account to login to pgAdmin. - PGADMIN_DEFAULT_EMAIL = "kmtl.hugo+pgadmin@gmail.com"; + # TODO Hugo: Populate 'pgadmin_email' in sops. + PGADMIN_DEFAULT_EMAIL = config.sops.placeholder.pgadmin_email or "pgadmin-admin@example.com"; # NOTE Required # The password used when setting up the initial administrator account to login to pgAdmin. PGADMIN_DEFAULT_PASSWORD = "ChangeMe"; diff --git a/hosts/Gitea/default.nix b/hosts/Gitea/default.nix index c6c9b43..d6996b2 100644 --- a/hosts/Gitea/default.nix +++ b/hosts/Gitea/default.nix @@ -3,9 +3,12 @@ { config = { homelab = { + networking.hostIp = "192.168.0.24"; apps.gitea.enable = true; virtualisation.guest.enable = true; + users.deploy.enable = true; + users.admin = { enable = true; authorizedKeys = [ @@ -28,7 +31,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.24"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/Ingress/default.nix b/hosts/Ingress/default.nix index c0a3ac9..c16f151 100644 --- a/hosts/Ingress/default.nix +++ b/hosts/Ingress/default.nix @@ -2,7 +2,11 @@ { config = { - homelab.virtualisation.guest.enable = true; + homelab = { + networking.hostIp = "192.168.0.10"; + virtualisation.guest.enable = true; + users.deploy.enable = true; + }; networking = { hostName = "Ingress"; @@ -19,8 +23,8 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.10"; -prefixLength = 24; + address = config.homelab.networking.hostIp; + prefixLength = 24; } ]; }; @@ -39,6 +43,7 @@ prefixLength = 24; }; }; + security.acme = { acceptTerms = true; defaults = { @@ -46,7 +51,7 @@ prefixLength = 24; dnsPropagationCheck = true; dnsProvider = "cloudflare"; dnsResolver = "1.1.1.1:53"; - email = "tibo.depeuter@telenet.be"; + email = config.sops.placeholder.acme_email or "acme-email@example.com"; credentialFiles = { CLOUDFLARE_DNS_API_TOKEN_FILE = "/var/lib/secrets/depeuter-dev-cloudflare-api-token"; }; diff --git a/hosts/Isabel/default.nix b/hosts/Isabel/default.nix index 0a1f50f..f275b0e 100644 --- a/hosts/Isabel/default.nix +++ b/hosts/Isabel/default.nix @@ -165,7 +165,7 @@ providers: # Certificates "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" - "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be" + "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}" "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" # Additional routes @@ -176,8 +176,8 @@ providers: # "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true) ]; environment = { - # TODO Hide this! - "CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2"; + # TODO Hugo: Populate 'cloudflare_dns_token' in sops. + "CLOUDFLARE_DNS_API_TOKEN" = config.sops.placeholder.cloudflare_dns_token or "CLOUDFLARE_TOKEN_PLACEHOLDER"; }; environmentFiles = [ ]; diff --git a/hosts/Niko/default.nix b/hosts/Niko/default.nix index 910f325..c08ccdc 100644 --- a/hosts/Niko/default.nix +++ b/hosts/Niko/default.nix @@ -7,6 +7,7 @@ ]; homelab = { + networking.hostIp = "192.168.0.11"; apps = { technitiumDNS.enable = true; traefik.enable = true; diff --git a/hosts/Production/default.nix b/hosts/Production/default.nix index 9bb565d..a4ebc75 100644 --- a/hosts/Production/default.nix +++ b/hosts/Production/default.nix @@ -3,11 +3,13 @@ { config = { homelab = { + networking.hostIp = "192.168.0.31"; apps = { calibre.enable = true; traefik.enable = true; }; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -31,7 +33,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.31"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/ProductionArr/default.nix b/hosts/ProductionArr/default.nix index ff4f4c2..1168bc8 100644 --- a/hosts/ProductionArr/default.nix +++ b/hosts/ProductionArr/default.nix @@ -3,11 +3,13 @@ { config = { homelab = { + networking.hostIp = "192.168.0.33"; apps = { arr.enable = true; traefik.enable = true; }; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -31,7 +33,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.33"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/ProductionGPU/default.nix b/hosts/ProductionGPU/default.nix index fa9ca8c..5f8ad82 100644 --- a/hosts/ProductionGPU/default.nix +++ b/hosts/ProductionGPU/default.nix @@ -3,8 +3,10 @@ { config = { homelab = { + networking.hostIp = "192.168.0.94"; apps.jellyfin.enable = true; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -28,7 +30,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.94"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/Testing/default.nix b/hosts/Testing/default.nix index cc353f6..cc4efcf 100644 --- a/hosts/Testing/default.nix +++ b/hosts/Testing/default.nix @@ -3,11 +3,13 @@ { config = { homelab = { + networking.hostIp = "192.168.0.92"; apps = { freshrss.enable = true; traefik.enable = true; }; virtualisation.guest.enable = true; + users.deploy.enable = true; }; networking = { @@ -32,7 +34,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.92"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/hosts/Vaultwarden/default.nix b/hosts/Vaultwarden/default.nix index 5ded575..b24ef6d 100644 --- a/hosts/Vaultwarden/default.nix +++ b/hosts/Vaultwarden/default.nix @@ -3,6 +3,7 @@ { config = { homelab = { + networking.hostIp = "192.168.0.22"; apps.vaultwarden = { enable = true; domain = "https://vault.depeuter.dev"; @@ -10,11 +11,15 @@ }; virtualisation.guest.enable = true; - users.admin = { - enable = true; - authorizedKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93" - ]; + users = { + deploy.enable = true; + + admin = { + enable = true; + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93" + ]; + }; }; }; @@ -32,7 +37,7 @@ interfaces.ens18 = { ipv4.addresses = [ { - address = "192.168.0.22"; + address = config.homelab.networking.hostIp; prefixLength = 24; } ]; diff --git a/modules/apps/gitea/default.nix b/modules/apps/gitea/default.nix index 0361bd5..34d52e4 100644 --- a/modules/apps/gitea/default.nix +++ b/modules/apps/gitea/default.nix @@ -496,7 +496,8 @@ in { #FORGEJO__mailer__CLIENT_KEY_FILE = "custom/mailer/key.pem"; # Mail from address, RFC 5322. This can be just an email address, or the # `"Name" ` format. - FORGEJO__mailer__FROM = ''"${title}" ''; + # TODO Hugo: Populate 'gitea_mailer_from' in sops. + FORGEJO__mailer__FROM = config.sops.placeholder.gitea_mailer_from or "git@example.com"; # Sometimes it is helpful to use a different address on the envelope. Set this to use # ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address. #FORGEJO__mailer__ENVELOPE_FROM = ""; diff --git a/modules/apps/traefik/default.nix b/modules/apps/traefik/default.nix index 7f6ce38..54588c1 100644 --- a/modules/apps/traefik/default.nix +++ b/modules/apps/traefik/default.nix @@ -72,7 +72,7 @@ in { # Certificates "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" - "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be" + "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}" "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" ]; volumes = [ diff --git a/modules/apps/vaultwarden/default.nix b/modules/apps/vaultwarden/default.nix index 907dda4..6c55d0a 100644 --- a/modules/apps/vaultwarden/default.nix +++ b/modules/apps/vaultwarden/default.nix @@ -344,6 +344,7 @@ in { # ORG_CREATION_USERS=none ## A comma-separated list means only those users can create orgs: # ORG_CREATION_USERS=admin1@example.com,admin2@example.com + # TODO Hugo: Redact org creation users if needed. ## Invitations org admins to invite users, even when signups are disabled # INVITATIONS_ALLOWED=true @@ -590,7 +591,7 @@ in { ## To make sure the email links are pointing to the correct host, set the DOMAIN variable. ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory SMTP_HOST = "smtp.gmail.com"; - SMTP_FROM = "vault@depeuter.dev"; + SMTP_FROM = config.sops.placeholder.vaultwarden_smtp_from or "vaultwarden@example.com"; SMTP_FROM_NAME = cfg.name; # SMTP_USERNAME=username # SMTP_PASSWORD=password diff --git a/modules/common/default.nix b/modules/common/default.nix index 44309f5..e8c60a6 100644 --- a/modules/common/default.nix +++ b/modules/common/default.nix @@ -1,4 +1,9 @@ { + imports = [ + ./networking.nix + ./secrets.nix + ]; + config = { homelab = { services.openssh.enable = true; diff --git a/modules/common/networking.nix b/modules/common/networking.nix new file mode 100644 index 0000000..837684e --- /dev/null +++ b/modules/common/networking.nix @@ -0,0 +1,19 @@ +{ config, lib, ... }: + +{ + options.homelab.networking = { + hostIp = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = '' + The primary IP address of the host. + Used for automated deployment and internal service discovery. + ''; + }; + }; + + config = lib.mkIf (config.homelab.networking.hostIp != null) { + # If a hostIp is provided, we can potentially use it to configure + # networking interfaces or firewall rules automatically here in the future. + }; +} diff --git a/modules/common/secrets.nix b/modules/common/secrets.nix new file mode 100644 index 0000000..10b6473 --- /dev/null +++ b/modules/common/secrets.nix @@ -0,0 +1,18 @@ +{ config, lib, ... }: + +{ + sops.secrets = { + # -- User Public Keys (Anti-Fingerprinting) -- + "user_keys_admin" = { neededForUsers = true; }; + "user_keys_deploy" = { neededForUsers = true; }; + "user_keys_backup" = { neededForUsers = true; }; + + # -- Infrastructure Metadata -- + # Hugo TODO: Populate these in your .sops.yaml / secrets file + "acme_email" = {}; + "cloudflare_dns_token" = {}; + "pgadmin_email" = {}; + "gitea_mailer_from" = {}; + "vaultwarden_smtp_from" = {}; + }; +} diff --git a/test/vm-test.nix b/test/vm-test.nix new file mode 100644 index 0000000..57acc80 --- /dev/null +++ b/test/vm-test.nix @@ -0,0 +1,29 @@ +{ self, nixpkgs, ... }: + +let + system = "x86_64-linux"; + pkgs = nixpkgs.legacyPackages.${system}; +in +pkgs.nixosTest { + name = "deploy-user-test"; + nodes = { + machine = { ... }: { + imports = [ + ../modules + ../users + ]; + homelab.users.deploy.enable = true; + system.stateVersion = "24.11"; # Match the current nixpkgs version + }; + }; + + testScript = '' + machine.wait_for_unit("multi-user.target") + # Verify user exists + machine.succeed("id deploy") + # Verify we can run nix-env as deploy via sudo + machine.succeed("sudo -u deploy -n nix-env --version") + # Verify switch-to-configuration is accessible (it's added to path by the module) + machine.succeed("whereis switch-to-configuration") + ''; +} diff --git a/users/admin/default.nix b/users/admin/default.nix index dc01c81..14766da 100644 --- a/users/admin/default.nix +++ b/users/admin/default.nix @@ -26,7 +26,9 @@ in { config.users.groups.wheel.name # Enable 'sudo' for the user. ]; initialPassword = "ChangeMe"; - openssh.authorizedKeys.keys = cfg.authorizedKeys; + openssh.authorizedKeys.keyFiles = [ + config.sops.secrets.user_keys_admin.path + ]; packages = with pkgs; [ curl git diff --git a/users/backup/default.nix b/users/backup/default.nix index acae033..8c20374 100644 --- a/users/backup/default.nix +++ b/users/backup/default.nix @@ -12,9 +12,8 @@ in { extraGroups = [ "docker" # Allow access to the docker socket. ]; - openssh.authorizedKeys.keys = [ - # Hugo - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICms6vjhE9kOlqV5GBPGInwUHAfCSVHLI2Gtzee0VXPh" + openssh.authorizedKeys.keyFiles = [ + config.sops.secrets.user_keys_backup.path ]; }; }; diff --git a/users/deploy/default.nix b/users/deploy/default.nix index 0509d1e..5c28561 100644 --- a/users/deploy/default.nix +++ b/users/deploy/default.nix @@ -3,7 +3,19 @@ let cfg = config.homelab.users.deploy; in { - options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy"; + options.homelab.users.deploy = { + enable = lib.mkEnableOption "user Deploy"; + + authorizedKeys = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = []; + description = '' + Additional SSH public keys authorized for the deploy user. + The CI runner key should be provided as a base key; personal + workstation keys can be appended here per host or globally. + ''; + }; + }; config = lib.mkIf cfg.enable { users = { @@ -15,12 +27,15 @@ in { isSystemUser = true; home = "/var/empty"; shell = pkgs.bashInteractive; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg" + openssh.authorizedKeys.keyFiles = [ + config.sops.secrets.user_keys_deploy.path ]; }; }; + # Allow the deploy user to push closures to the nix store + nix.settings.trusted-users = [ "deploy" ]; + security.sudo.extraRules = [ { groups = [