From 23e3b9d76b2e2240de4418b8df735e5de9d1f0a7 Mon Sep 17 00:00:00 2001 From: Matt Nish-Lapidus Date: Sun, 13 Apr 2025 14:46:32 -0400 Subject: [PATCH] server --- .sops.yaml | 1 + flake.lock | 12 ++--- hosts/eddie/configuration.nix | 5 ++ hosts/emenel-services/configuration.nix | 67 +++++++++++++++++++++++-- hosts/emenel-services/secrets.yaml | 16 ++++++ modules/system/forgejo.nix | 44 ++++++++++++++++ modules/system/sops-config.nix | 1 - 7 files changed, 136 insertions(+), 10 deletions(-) create mode 100644 hosts/emenel-services/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 0ec3027..ea00d48 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,5 +1,6 @@ keys: - &emenel_eddie age10k8v6pfm3p7cmsgn6wu5ufpcquqgpvqh76l23xf326et55dacc0qlr8fe8 + - &root_services-nixos age1eg4u9d90r64a7gesg778cgx8pkcxkh4wjkddz299u6lelpc6yypsgza06c creation_rules: - path_regex: secrets.yaml$ key_groups: diff --git a/flake.lock b/flake.lock index 7e5dc1a..c770593 100644 --- a/flake.lock +++ b/flake.lock @@ -90,11 +90,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1744535716, - "narHash": "sha256-GUYB6p5v1RlI9gpaqh2E0a0dxikhta5UqZpE4/IwuGQ=", + "lastModified": 1744564581, + "narHash": "sha256-3oYyf8uwhgjvHqa82QqYJJcdertKL/WGYM4cXREKE3o=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "147f6b98f17b0d66866eb8923a6ae6fe9c23b65e", + "rev": "1997c83d637f2ab52651826d90099e1e1561bab7", "type": "github" }, "original": { @@ -967,11 +967,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1744309437, - "narHash": "sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5+W0=", + "lastModified": 1744440957, + "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f9ebe33a928b5d529c895202263a5ce46bdf12f7", + "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d", "type": "github" }, "original": { diff --git a/hosts/eddie/configuration.nix b/hosts/eddie/configuration.nix index 41cb76b..e2be884 100644 
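Review bot: The new `&root_services-nixos` key is declared under `keys:` but this hunk does not attach it to any `key_groups` entry, and `hosts/emenel-services/secrets.yaml`, created in this same commit, lists a single recipient, `age10k8v6pfm3p7cmsgn6wu5ufpcquqgpvqh76l23xf326et55dacc0qlr8fe8` (the `&emenel_eddie` key). Unless the creation rule below the hunk references the new anchor and the file is re-keyed with `sops updatekeys`, the services host's own identity cannot decrypt `forgejo_emenel`, and the secret is only usable where the eddie identity has been copied. A comment on the new line would make the intent checkable: `# host identity of services-nixos; must appear in key_groups and secrets.yaml must be re-keyed`. The creation_rules block continues outside the hunk.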
--- a/hosts/eddie/configuration.nix
+++ b/hosts/eddie/configuration.nix
@@ -346,6 +346,11 @@
 ];
 };
+ security.sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ };
+
 security.polkit.enable = true;
 security.rtkit.enable = true;
 security.pam.services.swaylock = { };
diff --git a/hosts/emenel-services/configuration.nix b/hosts/emenel-services/configuration.nix
index 59ef00e..f67c403 100644
--- a/hosts/emenel-services/configuration.nix
+++ b/hosts/emenel-services/configuration.nix
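Review bot: `wheelNeedsPassword = false` lets any process running as a wheel member become root without re-authenticating, which on a graphical host means every logged-in session and every program it launches; the same block is added to `hosts/emenel-services/configuration.nix` in its `@@ -43,6 +85,25 @@` hunk. If the goal is unattended rebuilds with `nh`, keep the default and grant only that command through `security.sudo.extraRules` with the `NOPASSWD` option, or at minimum record the trade-off next to the setting: `# passwordless sudo for wheel: needed for unattended nh rebuilds; audit wheel membership`. The enclosing attribute set starts and ends outside the hunk.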
@@ -2,19 +2,61 @@
 imports = with nix-config.nixosModules; [
 ./hardware-configuration.nix
- ./networking.nix # generated at runtime by nixos-infect
 ./disko-config.nix
 forgejo
 ];
+ nixpkgs = {
+ config = {
+ allowUnfree = true;
+ };
+ overlays = builtins.attrValues nix-config.overlays ++ [
+ inputs.nh.overlays.default
+ ];
+ };
+
+ nix = {
+ settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ substituters = [
+ "https://nix-community.cachix.org"
+ "https://cache.garnix.io"
+ ];
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+ ];
+ };
+
+ channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
+ };
+
+ sops = {
+ age.keyFile = "/home/emenel/.config/sops/age/keys.txt"; # must have no password!
+ age.generateKey = true;
+ defaultSopsFile = ./secrets.yaml;
+ secrets = {
+ forgejo_emenel = {};
+ };
+ };
+
+ # Set your time zone.
+ time.timeZone = "America/Toronto";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_CA.UTF-8";
+
 boot.tmp.cleanOnBoot = true;
 boot.loader.grub.enable = true;
 zramSwap.enable = true;
 networking.hostName = "services-nixos";
 networking.domain = "";
+ networking.useDHCP = true;
 services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbzcaEyzlGJkDL8EMcVmrAWRlyYtilTjpIR2VGxkMHo'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvtBCUQEi7r6mXdaULEaMMvGH1IWZBX9tXpjbIECar2'' ];
 environment.systemPackages = with pkgs; [
 wget
@@ -24,9 +66,9 @@
 rsync
 gnupg
 util-linux
+ git
 ];
-
 users.users.emenel = {
 openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbzcaEyzlGJkDL8EMcVmrAWRlyYtilTjpIR2VGxkMHo'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvtBCUQEi7r6mXdaULEaMMvGH1IWZBX9tXpjbIECar2'' ];
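Review bot: `sops.age.keyFile = "/home/emenel/.config/sops/age/keys.txt"` ties decryption of every host secret to a file in an unprivileged user's home directory, so compromise of that account is compromise of all system secrets, and it sits oddly next to the `.sops.yaml` anchor `&root_services-nixos`, which reads as a root-owned host key. Combined with `age.generateKey = true`, a missing file is replaced by a freshly generated identity whose public key is not a recipient of `secrets.yaml`, so activation would presumably fail on `forgejo_emenel` rather than recover. Prefer a root-only location such as the `/var/lib/sops-nix/key.txt` path from the sops-nix README, or `sops.age.sshKeyPaths` to derive the identity from the host SSH key, and replace `# must have no password!`, which is misleading because the identity file sops-nix reads is stored in plaintext anyway, with `# host age identity; its public key is the root_services-nixos recipient in .sops.yaml`. The `nix.settings.substituters`/`trusted-public-keys` additions extend this host's binary-cache trust to nix-community and garnix, a deliberate decision worth a one-line comment. The enclosing module body starts outside the hunk; the second hunk on this line only adds `git`.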
@@ -43,6 +85,25 @@
 ];
 };
+ security.sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ };
+
+ programs.nh = {
+ enable = true;
+ clean = {
+ enable = true;
+ dates = "daily";
+ extraArgs = "--keep 4";
+ };
+ flake = "/home/emenel/source/nixos-config";
+ package = pkgs.nh;
+ };
+
+
+
+
 system.stateVersion = "25.05"; # Did you read the comment?
diff --git a/hosts/emenel-services/secrets.yaml b/hosts/emenel-services/secrets.yaml
new file mode 100644
index 0000000..45a4757
--- /dev/null
+++ b/hosts/emenel-services/secrets.yaml
@@ -0,0 +1,16 @@
+forgejo_emenel: ENC[AES256_GCM,data:MRVA7m6FK3wZR7cUVAUq+m7LutgRjyCyfrZ27AnUWstTTiTXX8XyjmF+o3aZZDTNSd8KGhYjLInkJ8Yfu50k+YEkQbbb5Icy,iv:HpV+6+fYndqEkOcXV1CsbVfwOBNy9jcXMjtZWs9+x0o=,tag:io0/0X6sTD0s2Hp8S1zEUQ==,type:str]
+sops:
+ age:
+ - recipient: age10k8v6pfm3p7cmsgn6wu5ufpcquqgpvqh76l23xf326et55dacc0qlr8fe8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYU3V0dndPTnhpenhaQVYv
+ aDV2eVl4Ujd1MjRkZUtXY1Q5RW1laHhncWp3CnlEQTlZb3NhUEVuaVBHVWNzbTQv
+ QmZNWE90aWx3d21lWk4waFFobGEzUFEKLS0tIERLQXM3V0pRVkNEbFpCeU9nZ3lE
+ cjFEbnNkZ1pTeTVWaVZMem1hQkpaZTQKTVytdDtekDO9fTDSS5kYLFQv2UaBpOaw
+ 4oaCbr4w7ipWImITphpQ0F5t6dxWSQ6cIpdXIf9eT3eVSVlBBC/wyw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-04-13T17:11:18Z"
+ mac: ENC[AES256_GCM,data:qIQl4PKsIRG7+3M/OSp1VhUfs/T/3ORSr9bt29T5BahCBElrfEa+t2QBizO4gPxFJzFJN/sMZBXuobLP4qyNaV3/ECQ1qiipUYPA4ocZZYd9vkb5HjkzlDDiFyOwflUmq6Nt4n6/g46L4KA5LF2W/STczskaGfkbRpS1OJA0MBo=,iv:VWj7+cRjrQIKJGhgvrXAe/rUFlx4ZCpF+O3H1O6t9zQ=,tag:8mTG8hK/zYKlxTxfKQkapQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.1
diff --git a/modules/system/forgejo.nix b/modules/system/forgejo.nix
index a1179b8..d01d8f8 100644
--- a/modules/system/forgejo.nix
+++ b/modules/system/forgejo.nix
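Review bot: Four consecutive blank lines are added between the closing `};` of `programs.nh` and `system.stateVersion`, on top of the blank context lines already there; a single blank line is enough and a formatter pass would normalise it. The enclosing attribute set starts outside the hunk.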
@@ -9,7 +9,51 @@
 server = {
 HTTP_PORT = 12345;
 };
+ service.DISABLE_REGISTRATION = true;
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
+ # mailer = {
+ # ENABLED = true;
+ # SMTP_ADDR = "mail.example.com";
+ # FROM = "noreply@${srv.DOMAIN}";
+ # USER = "noreply@${srv.DOMAIN}";
+ # };
 };
+ # mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
 };
+
+ # gitea-actions-runner = {
+ # package = pkgs.forgejo-actions-runner;
+ # instances.default = {
+ # enable = true;
+ # name = "monolith";
+ # url = "https://git.example.com";
+ # # Obtaining the path to the runner token file may differ
+ # # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd
+ # tokenFile = config.age.secrets.forgejo-runner-token.path;
+ # labels = [
+ # "ubuntu-latest:docker://node:16-bullseye"
+ # "ubuntu-22.04:docker://node:16-bullseye"
+ # "ubuntu-20.04:docker://node:16-bullseye"
+ # "ubuntu-18.04:docker://node:16-buster"
+ # ## optionally provide native execution on the host:
+ # # "native:host"
+ # ];
+ # };
+ # };
 };
+
+# sops.secrets.forgejo-admin-password.owner = "forgejo";
+# systemd.services.forgejo.preStart = let
+# adminCmd = "${lib.getExe pkgs.forgejo} admin user";
+# pwd = config.sops.secrets.forgejo-admin-password;
+# user = "emenel"; # Note, Forgejo doesn't allow creation of an account named "admin"
+# in ''
+# ${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+# ## uncomment this line to change an admin user which was already created
+# # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+# '';
+
 }
diff --git a/modules/system/sops-config.nix b/modules/system/sops-config.nix
index 2bc1bcc..2d01604 100644
--- a/modules/system/sops-config.nix
+++ b/modules/system/sops-config.nix
@@ -41,6 +41,5 @@ password=${config.sops.placeholder.filez}
 source = config.sops.templates."media-server-secrets".path;
 };
 };
- };
 }
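Review bot: The secret this commit declares, `sops.secrets.forgejo_emenel` in `hosts/emenel-services/configuration.nix`, is never consumed here: the only consumers in the hunk are the commented-out blocks, which refer to `forgejo-admin-password` and `forgejo-runner-token` and mix agenix-style `config.age.secrets.*` paths with `config.sops.secrets.*`, so uncommenting them as-is would fail to evaluate in a sops-nix configuration. If `forgejo_emenel` is meant to be the admin bootstrap password, wire it through with `sops.secrets.forgejo_emenel.owner = "forgejo";` and read `config.sops.secrets.forgejo_emenel.path` in the preStart; otherwise drop the template remnant rather than carrying roughly forty lines of dead configuration. Two caveats deserve a comment if the preStart is ever enabled: `--password "$(tr -d '\n' < …)"` places the secret in the process argument list, where it is readable by other local users for the lifetime of the command, and the example runner labels pin `node:16` images that are end-of-life. `service.DISABLE_REGISTRATION = true` is the right default for a single-user instance.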