forked from Bos55/nix-config
Compare commits
2 commits
5c94a11c37
...
c55843ffa7
| Author | SHA1 | Date | |
|---|---|---|---|
| c55843ffa7 | |||
| 17c5d0ee48 |
16 changed files with 290 additions and 50 deletions
51
.github/workflows/build.yml
vendored
51
.github/workflows/build.yml
vendored
|
|
@ -1,43 +1,40 @@
|
||||||
name: "Build"
|
name: Build
|
||||||
|
|
||||||
on:
|
on:
|
||||||
pull_request:
|
|
||||||
push:
|
push:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- 'test-*'
|
||||||
|
pull_request:
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
determine-hosts:
|
# Job to find all hosts that should be built
|
||||||
name: "Determining hosts to build"
|
get-hosts:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
container: catthehacker/ubuntu:act-24.04
|
container: catthehacker/ubuntu:act-24.04
|
||||||
outputs:
|
outputs:
|
||||||
hosts: ${{ steps.hosts.outputs.hostnames }}
|
hosts: ${{ steps.set-hosts.outputs.hosts }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: https://github.com/cachix/install-nix-action@v31
|
- name: Install Nix
|
||||||
with:
|
uses: cachix/install-nix-action@v27
|
||||||
nix_path: nixpkgs=channel:nixos-unstable
|
- id: set-hosts
|
||||||
- name: "Determine hosts"
|
|
||||||
id: hosts
|
|
||||||
run: |
|
run: |
|
||||||
hostnames="$(nix eval .#nixosConfigurations --apply builtins.attrNames --json)"
|
# Extract host names from nixosConfigurations
|
||||||
printf "hostnames=%s\n" "${hostnames}" >> "${GITHUB_OUTPUT}"
|
HOSTS=$(nix eval .#nixosConfigurations --apply "builtins.attrNames" --json)
|
||||||
|
echo "hosts=$HOSTS" >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
build:
|
build:
|
||||||
|
needs: get-hosts
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
container: catthehacker/ubuntu:act-24.04
|
container: catthehacker/ubuntu:act-24.04
|
||||||
needs: determine-hosts
|
|
||||||
strategy:
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
matrix:
|
matrix:
|
||||||
hostname: [
|
host: ${{ fromJson(needs.get-hosts.outputs.hosts) }}
|
||||||
Development,
|
|
||||||
Testing
|
|
||||||
]
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: https://github.com/cachix/install-nix-action@v31
|
- name: Install Nix
|
||||||
with:
|
uses: cachix/install-nix-action@v27
|
||||||
nix_path: nixpkgs=channel:nixos-unstable
|
- name: Build NixOS configuration
|
||||||
- name: "Build host"
|
run: nix build .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel
|
||||||
run: |
|
|
||||||
nix build ".#nixosConfigurations.${{ matrix.hostname }}.config.system.build.toplevel" --verbose
|
|
||||||
|
|
||||||
|
|
|
||||||
24
.github/workflows/check.yml
vendored
Normal file
24
.github/workflows/check.yml
vendored
Normal file
|
|
@ -0,0 +1,24 @@
|
||||||
|
name: Check
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- '**'
|
||||||
|
pull_request:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
check:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
container: catthehacker/ubuntu:act-24.04
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Install Nix
|
||||||
|
uses: cachix/install-nix-action@v27
|
||||||
|
with:
|
||||||
|
extra_nix_config: |
|
||||||
|
experimental-features = nix-command flakes
|
||||||
|
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
|
- name: Flake check
|
||||||
|
run: nix flake check
|
||||||
81
.github/workflows/deploy.yml
vendored
Normal file
81
.github/workflows/deploy.yml
vendored
Normal file
|
|
@ -0,0 +1,81 @@
|
||||||
|
name: Deploy
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- 'test-*'
|
||||||
|
workflow_dispatch:
|
||||||
|
inputs:
|
||||||
|
mode:
|
||||||
|
description: 'Activation mode (switch, boot, test)'
|
||||||
|
default: 'switch'
|
||||||
|
required: true
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
deploy:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
container: catthehacker/ubuntu:act-24.04
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Install Nix
|
||||||
|
uses: cachix/install-nix-action@v27
|
||||||
|
with:
|
||||||
|
extra_nix_config: |
|
||||||
|
experimental-features = nix-command flakes
|
||||||
|
|
||||||
|
- name: Setup SSH
|
||||||
|
run: |
|
||||||
|
mkdir -p ~/.ssh
|
||||||
|
echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/id_ed25519
|
||||||
|
chmod 600 ~/.ssh/id_ed25519
|
||||||
|
ssh-keyscan -H 192.168.0.0/24 >> ~/.ssh/known_hosts || true
|
||||||
|
# Disable strict host key checking for the local network if needed,
|
||||||
|
# or rely on known_hosts. For homelab, we can be slightly more relaxed
|
||||||
|
# but let's try to be secure.
|
||||||
|
echo "StrictHostKeyChecking no" >> ~/.ssh/config
|
||||||
|
|
||||||
|
- name: Verify Commit Signature
|
||||||
|
if: github.event.sender.login != 'renovate[bot]'
|
||||||
|
run: |
|
||||||
|
# TODO Hugo: Export your public GPG/SSH signing keys to a runner secret named 'TRUSTED_SIGNERS'.
|
||||||
|
# For GPG: gpg --export --armor <id> | base64 -w0
|
||||||
|
|
||||||
|
if [ -z "${{ secrets.TRUSTED_SIGNERS }}" ]; then
|
||||||
|
echo "::error::TRUSTED_SIGNERS secret is missing. Deployment aborted for safety."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Implementation note: This step expects a keyring in the TRUSTED_SIGNERS secret.
|
||||||
|
# We use git to verify the signature of the current commit.
|
||||||
|
echo "${{ secrets.TRUSTED_SIGNERS }}" | base64 -d > /tmp/trusted_keys.gpg
|
||||||
|
gpg --import /tmp/trusted_keys.gpg
|
||||||
|
|
||||||
|
if ! git verify-commit HEAD; then
|
||||||
|
echo "::error::Commit signature verification failed. Only signed commits from trusted maintainers can be deployed."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
echo "Commit signature verified successfully."
|
||||||
|
|
||||||
|
- name: Install deploy-rs
|
||||||
|
run: nix profile install github:serokell/deploy-rs
|
||||||
|
|
||||||
|
- name: Deploy to hosts
|
||||||
|
run: |
|
||||||
|
# Determine profile based on branch
|
||||||
|
if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
|
||||||
|
# Main site: persistent deployment
|
||||||
|
deploy . --skip-checks --targets $(deploy . --list | grep '.system$' | tr '\n' ' ')
|
||||||
|
elif [[ "${{ github.ref }}" == "refs/heads/test-"* ]]; then
|
||||||
|
# Test branch: non-persistent deployment (test profile)
|
||||||
|
# The branch name should be test-<hostname>
|
||||||
|
HOSTNAME="${GITHUB_REF#refs/heads/test-}"
|
||||||
|
deploy .#${HOSTNAME}.test --skip-checks
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: Manual Deploy
|
||||||
|
if: github.event_name == 'workflow_dispatch'
|
||||||
|
run: |
|
||||||
|
# TODO: Implement manual dispatch logic if needed
|
||||||
|
deploy . --skip-checks
|
||||||
93
SECURITY.md
Normal file
93
SECURITY.md
Normal file
|
|
@ -0,0 +1,93 @@
|
||||||
|
# Security and Trust Model
|
||||||
|
|
||||||
|
This document outlines the security architecture, trust boundaries, and assumptions of the Bos55 NixOS deployment pipeline. This model is designed to support a multi-member infrastructure team and remains secure even if the repository is published publicly.
|
||||||
|
|
||||||
|
## Trust Zones
|
||||||
|
|
||||||
|
The system is partitioned into three distinct trust zones, each with specific controls to prevent lateral movement and privilege escalation.
|
||||||
|
|
||||||
|
### 🔴 Zone 1: Trusted Maintainers (Source of Truth)
|
||||||
|
* **Actors:** Infrastructure Team / Maintainers.
|
||||||
|
* **Capabilities:**
|
||||||
|
* Full access to the Git repository.
|
||||||
|
* Ownership of `sops-nix` master keys (GPG or Age).
|
||||||
|
* Direct root access to NixOS hosts via personal SSH keys for emergency maintenance.
|
||||||
|
* **Trust:** Root of trust. All changes must originate from or be approved by a Trusted Maintainer.
|
||||||
|
* **Security Controls:**
|
||||||
|
* **Signed Commits:** All contributions must be cryptographically signed by a trusted GPG/SSH key to be eligible for deployment.
|
||||||
|
- **MFA:** Hardware-based multi-factor authentication for repository access.
|
||||||
|
- **Metadata Redaction:** Sensitive identifiers like SSH `authorizedKeys` are stored in `sops-nix`. This prevents **infrastructure fingerprinting**, where an attacker could link your public keys to your personal identities or other projects.
|
||||||
|
|
||||||
|
### 🟡 Zone 2: CI/CD Pipeline (Automation Layer)
|
||||||
|
* **Actor:** GitHub Actions / Forgejo Runners.
|
||||||
|
* **Capabilities:**
|
||||||
|
* Builds Nix derivations from the repository.
|
||||||
|
* Access to the `DEPLOY_SSH_KEY` (allowing SSH access to the `deploy` user on target hosts).
|
||||||
|
* **Trusted Signers:** The public keys for verifying signatures are stored as a **Runner Secret** (`TRUSTED_SIGNERS`). This hides the identities of the infrastructure team even in a public repository.
|
||||||
|
* **NO ACCESS** to `sops-nix` decryption keys. Secrets remain encrypted during the build.
|
||||||
|
* **Security Controls:**
|
||||||
|
* **Signature Enforcement:** The `deploy.yml` workflow verifies the cryptographic signature of every maintainer commit. Deployment is aborted if the signature is missing or untrusted.
|
||||||
|
* **Sandboxing:** Runners execute in ephemeral, isolated containers.
|
||||||
|
* **Branch Protection:** Deployments to production (`main`) require approved Pull Requests.
|
||||||
|
* **Fork Protection:** CI workflows (and secrets) are explicitly disabled for forks.
|
||||||
|
|
||||||
|
### 🟢 Zone 3: Target NixOS Hosts (Runtime)
|
||||||
|
* **Actor:** Production, Testing, and Service nodes.
|
||||||
|
* **Capabilities:** Decrypt secrets locally using host-specific `age` keys.
|
||||||
|
* **Trust:** Consumers of builds. They trust Zone 2 only for the pushing of store paths and triggering activation scripts.
|
||||||
|
* **Security Controls:**
|
||||||
|
* **Restricted `deploy` User:** The SSH user for automation is non-root. Sudo access is strictly policed via `sudoers` rules to allow only `nix-env` and `switch-to-configuration`.
|
||||||
|
* **Immutable Store:** Building on Nix ensures that the system state is derived from a cryptographically hashed store, preventing unauthorized local modifications from persisting across reboots.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Security Assumptions & Policies
|
||||||
|
|
||||||
|
### 1. Public Repository Safety
|
||||||
|
The repository is designed to be safe for public viewing. No unencrypted secrets should ever be committed. The deployment pipeline is protected against "malicious contributors" via:
|
||||||
|
- **Mandatory PR Reviews:** No code can reach the `main` branch without peer review.
|
||||||
|
- **Secret Scoping:** Deployment keys are only available to authorized runs on protected branches.
|
||||||
|
|
||||||
|
### 2. Supply Chain & Dependencies
|
||||||
|
- **Flake Lockfiles:** All dependencies (Nixpkgs, `deploy-rs`, etc.) are pinned to specific git revisions.
|
||||||
|
- **Renovate Bot:** Automated version upgrades allow for consistent tracking of upstream changes, though they require manual review or successful status checks for minor/patch versions.
|
||||||
|
|
||||||
|
### 3. Signed Commit Enforcement
|
||||||
|
To prevent "force-push" attacks or runner compromises from injecting malicious code into the history, the pipeline should be configured to only deploy commits signed by a known "Trusted Maintainer" key. This ensures that even if a git account is compromised, the attacker cannot deploy code without the physical/cryptographic signing key.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Trust Boundary Diagram
|
||||||
|
|
||||||
|
```mermaid
|
||||||
|
graph TD
|
||||||
|
subgraph "Zone 1: Trusted Workstations"
|
||||||
|
DEV["Maintainers (Team)"]
|
||||||
|
SOPS_KEYS["Master SOPS Keys"]
|
||||||
|
SIGN_KEYS["Signing Keys (GPG/SSH)"]
|
||||||
|
end
|
||||||
|
|
||||||
|
subgraph "Zone 2: CI/CD Runner (Sandboxed)"
|
||||||
|
CI["Automated Runner"]
|
||||||
|
SSH_KEY["Deploy SSH Key"]
|
||||||
|
end
|
||||||
|
|
||||||
|
subgraph "Zone 3: NixOS Target Hosts"
|
||||||
|
HOST["Target Host"]
|
||||||
|
HOST_AGE["Host Age Key"]
|
||||||
|
end
|
||||||
|
|
||||||
|
DEV -- "Signed Push / PR" --> CI
|
||||||
|
CI -- "Push Store Paths & Activate" --> HOST
|
||||||
|
HOST_AGE -- "Local Decrypt" --> HOST
|
||||||
|
|
||||||
|
style DEV fill:#f96,stroke:#333
|
||||||
|
style CI fill:#ff9,stroke:#333
|
||||||
|
style HOST fill:#9f9,stroke:#333
|
||||||
|
```
|
||||||
|
|
||||||
|
## Security Best Practices for Maintainers
|
||||||
|
|
||||||
|
1. **Keep Master Keys Offline:** Never store `sops-nix` master keys on the CI runner or public servers.
|
||||||
|
2. **Audit Runner Logs:** Periodically review CI execution logs for unexpected behavior.
|
||||||
|
3. **Rotate Deployment Keys:** Rotate the `DEPLOY_SSH_KEY` if maintainer membership changes significantly.
|
||||||
|
|
@ -25,7 +25,7 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
system = "x86_64-linux";
|
system = utils.lib.system.x86_64-linux;
|
||||||
lib = nixpkgs.lib;
|
lib = nixpkgs.lib;
|
||||||
in
|
in
|
||||||
utils.lib.mkFlake {
|
utils.lib.mkFlake {
|
||||||
|
|
@ -75,7 +75,9 @@
|
||||||
'';
|
'';
|
||||||
}) (lib.filterAttrs (_: isDeployable) self.nixosConfigurations);
|
}) (lib.filterAttrs (_: isDeployable) self.nixosConfigurations);
|
||||||
|
|
||||||
checks = builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib;
|
checks = (builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib) // {
|
||||||
|
integration-test = import ./test/vm-test.nix { inherit self nixpkgs system; };
|
||||||
|
};
|
||||||
|
|
||||||
outputsBuilder = channels: {
|
outputsBuilder = channels: {
|
||||||
formatter = channels.nixpkgs.alejandra;
|
formatter = channels.nixpkgs.alejandra;
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,7 @@
|
||||||
{
|
{
|
||||||
config = {
|
config = {
|
||||||
homelab = {
|
homelab = {
|
||||||
|
networking.hostIp = "192.168.0.91";
|
||||||
apps = {
|
apps = {
|
||||||
bind9.enable = true;
|
bind9.enable = true;
|
||||||
homepage = {
|
homepage = {
|
||||||
|
|
@ -13,6 +14,7 @@
|
||||||
plex.enable = true;
|
plex.enable = true;
|
||||||
};
|
};
|
||||||
virtualisation.guest.enable = true;
|
virtualisation.guest.enable = true;
|
||||||
|
users.deploy.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
|
|
@ -36,7 +38,7 @@
|
||||||
interfaces.ens18 = {
|
interfaces.ens18 = {
|
||||||
ipv4.addresses = [
|
ipv4.addresses = [
|
||||||
{
|
{
|
||||||
address = "192.168.0.91";
|
address = config.homelab.networking.hostIp;
|
||||||
prefixLength = 24;
|
prefixLength = 24;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
@ -59,7 +61,8 @@
|
||||||
environment = {
|
environment = {
|
||||||
# NOTE Required
|
# NOTE Required
|
||||||
# The email address used when setting up the initial administrator account to login to pgAdmin.
|
# The email address used when setting up the initial administrator account to login to pgAdmin.
|
||||||
PGADMIN_DEFAULT_EMAIL = "kmtl.hugo+pgadmin@gmail.com";
|
# TODO Hugo: Populate 'pgadmin_email' in sops.
|
||||||
|
PGADMIN_DEFAULT_EMAIL = config.sops.placeholder.pgadmin_email or "pgadmin-admin@example.com";
|
||||||
# NOTE Required
|
# NOTE Required
|
||||||
# The password used when setting up the initial administrator account to login to pgAdmin.
|
# The password used when setting up the initial administrator account to login to pgAdmin.
|
||||||
PGADMIN_DEFAULT_PASSWORD = "ChangeMe";
|
PGADMIN_DEFAULT_PASSWORD = "ChangeMe";
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,11 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
config = {
|
config = {
|
||||||
homelab.virtualisation.guest.enable = true;
|
homelab = {
|
||||||
|
networking.hostIp = "192.168.0.10";
|
||||||
|
virtualisation.guest.enable = true;
|
||||||
|
users.deploy.enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "Ingress";
|
hostName = "Ingress";
|
||||||
|
|
@ -19,8 +23,8 @@
|
||||||
interfaces.ens18 = {
|
interfaces.ens18 = {
|
||||||
ipv4.addresses = [
|
ipv4.addresses = [
|
||||||
{
|
{
|
||||||
address = "192.168.0.10";
|
address = config.homelab.networking.hostIp;
|
||||||
prefixLength = 24;
|
prefixLength = 24;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
@ -39,6 +43,7 @@ prefixLength = 24;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
defaults = {
|
defaults = {
|
||||||
|
|
@ -46,7 +51,7 @@ prefixLength = 24;
|
||||||
dnsPropagationCheck = true;
|
dnsPropagationCheck = true;
|
||||||
dnsProvider = "cloudflare";
|
dnsProvider = "cloudflare";
|
||||||
dnsResolver = "1.1.1.1:53";
|
dnsResolver = "1.1.1.1:53";
|
||||||
email = "tibo.depeuter@telenet.be";
|
email = config.sops.placeholder.acme_email or "acme-email@example.com";
|
||||||
credentialFiles = {
|
credentialFiles = {
|
||||||
CLOUDFLARE_DNS_API_TOKEN_FILE = "/var/lib/secrets/depeuter-dev-cloudflare-api-token";
|
CLOUDFLARE_DNS_API_TOKEN_FILE = "/var/lib/secrets/depeuter-dev-cloudflare-api-token";
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -165,7 +165,7 @@ providers:
|
||||||
# Certificates
|
# Certificates
|
||||||
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
|
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
|
||||||
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
|
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
|
||||||
"--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
|
"--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
|
||||||
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
|
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
|
||||||
|
|
||||||
# Additional routes
|
# Additional routes
|
||||||
|
|
@ -176,8 +176,8 @@ providers:
|
||||||
# "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true)
|
# "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true)
|
||||||
];
|
];
|
||||||
environment = {
|
environment = {
|
||||||
# TODO Hide this!
|
# TODO Hugo: Populate 'cloudflare_dns_token' in sops.
|
||||||
"CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2";
|
"CLOUDFLARE_DNS_API_TOKEN" = config.sops.placeholder.cloudflare_dns_token or "CLOUDFLARE_TOKEN_PLACEHOLDER";
|
||||||
};
|
};
|
||||||
environmentFiles = [
|
environmentFiles = [
|
||||||
];
|
];
|
||||||
|
|
|
||||||
|
|
@ -496,7 +496,8 @@ in {
|
||||||
#FORGEJO__mailer__CLIENT_KEY_FILE = "custom/mailer/key.pem";
|
#FORGEJO__mailer__CLIENT_KEY_FILE = "custom/mailer/key.pem";
|
||||||
# Mail from address, RFC 5322. This can be just an email address, or the
|
# Mail from address, RFC 5322. This can be just an email address, or the
|
||||||
# `"Name" <email@example.com>` format.
|
# `"Name" <email@example.com>` format.
|
||||||
FORGEJO__mailer__FROM = ''"${title}" <git@depeuter.dev>'';
|
# TODO Hugo: Populate 'gitea_mailer_from' in sops.
|
||||||
|
FORGEJO__mailer__FROM = config.sops.placeholder.gitea_mailer_from or "git@example.com";
|
||||||
# Sometimes it is helpful to use a different address on the envelope. Set this to use
|
# Sometimes it is helpful to use a different address on the envelope. Set this to use
|
||||||
# ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
|
# ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
|
||||||
#FORGEJO__mailer__ENVELOPE_FROM = "";
|
#FORGEJO__mailer__ENVELOPE_FROM = "";
|
||||||
|
|
|
||||||
|
|
@ -72,7 +72,7 @@ in {
|
||||||
# Certificates
|
# Certificates
|
||||||
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
|
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
|
||||||
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
|
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
|
||||||
"--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
|
"--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
|
||||||
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
|
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
|
||||||
];
|
];
|
||||||
volumes = [
|
volumes = [
|
||||||
|
|
|
||||||
|
|
@ -344,6 +344,7 @@ in {
|
||||||
# ORG_CREATION_USERS=none
|
# ORG_CREATION_USERS=none
|
||||||
## A comma-separated list means only those users can create orgs:
|
## A comma-separated list means only those users can create orgs:
|
||||||
# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
|
# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
|
||||||
|
# TODO Hugo: Redact org creation users if needed.
|
||||||
|
|
||||||
## Invitations org admins to invite users, even when signups are disabled
|
## Invitations org admins to invite users, even when signups are disabled
|
||||||
# INVITATIONS_ALLOWED=true
|
# INVITATIONS_ALLOWED=true
|
||||||
|
|
@ -590,7 +591,7 @@ in {
|
||||||
## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
|
## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
|
||||||
## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
|
## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
|
||||||
SMTP_HOST = "smtp.gmail.com";
|
SMTP_HOST = "smtp.gmail.com";
|
||||||
SMTP_FROM = "vault@depeuter.dev";
|
SMTP_FROM = config.sops.placeholder.vaultwarden_smtp_from or "vaultwarden@example.com";
|
||||||
SMTP_FROM_NAME = cfg.name;
|
SMTP_FROM_NAME = cfg.name;
|
||||||
# SMTP_USERNAME=username
|
# SMTP_USERNAME=username
|
||||||
# SMTP_PASSWORD=password
|
# SMTP_PASSWORD=password
|
||||||
|
|
|
||||||
18
modules/common/secrets.nix
Normal file
18
modules/common/secrets.nix
Normal file
|
|
@ -0,0 +1,18 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
sops.secrets = {
|
||||||
|
# -- User Public Keys (Anti-Fingerprinting) --
|
||||||
|
"user_keys_admin" = { neededForUsers = true; };
|
||||||
|
"user_keys_deploy" = { neededForUsers = true; };
|
||||||
|
"user_keys_backup" = { neededForUsers = true; };
|
||||||
|
|
||||||
|
# -- Infrastructure Metadata --
|
||||||
|
# Hugo TODO: Populate these in your .sops.yaml / secrets file
|
||||||
|
"acme_email" = {};
|
||||||
|
"cloudflare_dns_token" = {};
|
||||||
|
"pgadmin_email" = {};
|
||||||
|
"gitea_mailer_from" = {};
|
||||||
|
"vaultwarden_smtp_from" = {};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
@ -1,7 +1,6 @@
|
||||||
{ self, nixpkgs, ... }:
|
{ self, nixpkgs, system, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
system = "x86_64-linux";
|
|
||||||
pkgs = nixpkgs.legacyPackages.${system};
|
pkgs = nixpkgs.legacyPackages.${system};
|
||||||
in
|
in
|
||||||
pkgs.nixosTest {
|
pkgs.nixosTest {
|
||||||
|
|
|
||||||
|
|
@ -26,7 +26,9 @@ in {
|
||||||
config.users.groups.wheel.name # Enable 'sudo' for the user.
|
config.users.groups.wheel.name # Enable 'sudo' for the user.
|
||||||
];
|
];
|
||||||
initialPassword = "ChangeMe";
|
initialPassword = "ChangeMe";
|
||||||
openssh.authorizedKeys.keys = cfg.authorizedKeys;
|
openssh.authorizedKeys.keyFiles = [
|
||||||
|
config.sops.secrets.user_keys_admin.path
|
||||||
|
];
|
||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
curl
|
curl
|
||||||
git
|
git
|
||||||
|
|
|
||||||
|
|
@ -12,9 +12,8 @@ in {
|
||||||
extraGroups = [
|
extraGroups = [
|
||||||
"docker" # Allow access to the docker socket.
|
"docker" # Allow access to the docker socket.
|
||||||
];
|
];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keyFiles = [
|
||||||
# Hugo
|
config.sops.secrets.user_keys_backup.path
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICms6vjhE9kOlqV5GBPGInwUHAfCSVHLI2Gtzee0VXPh"
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -3,7 +3,19 @@
|
||||||
let
|
let
|
||||||
cfg = config.homelab.users.deploy;
|
cfg = config.homelab.users.deploy;
|
||||||
in {
|
in {
|
||||||
options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy";
|
options.homelab.users.deploy = {
|
||||||
|
enable = lib.mkEnableOption "user Deploy";
|
||||||
|
|
||||||
|
authorizedKeys = lib.mkOption {
|
||||||
|
type = lib.types.listOf lib.types.str;
|
||||||
|
default = [];
|
||||||
|
description = ''
|
||||||
|
Additional SSH public keys authorized for the deploy user.
|
||||||
|
The CI runner key should be provided as a base key; personal
|
||||||
|
workstation keys can be appended here per host or globally.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
users = {
|
users = {
|
||||||
|
|
@ -15,12 +27,15 @@ in {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
home = "/var/empty";
|
home = "/var/empty";
|
||||||
shell = pkgs.bashInteractive;
|
shell = pkgs.bashInteractive;
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keyFiles = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
|
config.sops.secrets.user_keys_deploy.path
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Allow the deploy user to push closures to the nix store
|
||||||
|
nix.settings.trusted-users = [ "deploy" ];
|
||||||
|
|
||||||
security.sudo.extraRules = [
|
security.sudo.extraRules = [
|
||||||
{
|
{
|
||||||
groups = [
|
groups = [
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue