| author | seth <[email protected]> | 2024-02-28 07:31:21 -0500 |
|---|---|---|
| committer | seth <[email protected]> | 2024-02-28 07:31:21 -0500 |
| commit | 4caa14d0416c8ac14e0ac617a1eec22b9df830f6 (patch) | |
| tree | ab2a295461a046118841c046fc1d6a3b6bbf7c38 | |
| parent | ed23d606f190aa20e620063ab65e78caf613b67c (diff) | |
nixos: remove root password
| -rw-r--r-- | modules/nixos/archetypes/server.nix | 4 | ||||
| -rw-r--r-- | modules/nixos/base/users.nix | 4 | ||||
| -rw-r--r-- | modules/nixos/server/default.nix | 1 | ||||
| -rw-r--r-- | modules/nixos/server/host-user.nix (renamed from modules/nixos/traits/host-user.nix) | 10 | ||||
| -rw-r--r-- | modules/nixos/server/mixins/acme.nix | 23 | ||||
| -rw-r--r-- | modules/nixos/server/mixins/cloudflared.nix | 29 | ||||
| -rw-r--r-- | modules/nixos/traits/containers.nix | 46 | ||||
| -rw-r--r-- | modules/nixos/traits/default.nix | 1 | ||||
| -rw-r--r-- | modules/nixos/traits/tailscale.nix | 49 | ||||
| -rw-r--r-- | secrets/atlas/rootPassword.age | bin | 405 -> 0 bytes | |||
| -rw-r--r-- | secrets/glados-wsl/rootPassword.age | bin | 372 -> 0 bytes | |||
| -rw-r--r-- | secrets/glados/rootPassword.age | bin | 372 -> 0 bytes | |||
| -rw-r--r-- | secrets/secrets.nix | 2 |
13 files changed, 90 insertions, 79 deletions
diff --git a/modules/nixos/archetypes/server.nix b/modules/nixos/archetypes/server.nix
index 3fdc0d2..cbac329 100644
--- a/modules/nixos/archetypes/server.nix
+++ b/modules/nixos/archetypes/server.nix
@@ -39,10 +39,6 @@ in { ssh.enable = true; }; - users = { - hostUser.enable = true; - }; - zram.enable = true; }; };
diff --git a/modules/nixos/base/users.nix b/modules/nixos/base/users.nix
index 8a554f5..507a82a 100644
--- a/modules/nixos/base/users.nix
+++ b/modules/nixos/base/users.nix
@@ -11,7 +11,7 @@ in { enable = lib.mkEnableOption "base user configurations" // {default = true;}; defaultRoot = { - enable = lib.mkEnableOption "default root user configuration" // {default = true;}; + enable = lib.mkEnableOption "default root user configuration" // {default = false;}; manageSecrets = lib.mkEnableOption "automatic secrets management" // {
@@ -37,7 +37,7 @@ in { }; }) - (lib.mkIf cfg.defaultRoot.manageSecrets { + (lib.mkIf (cfg.defaultRoot.enable && cfg.defaultRoot.manageSecrets) { age.secrets = { rootPassword.file = secretsDir + "/rootPassword.age"; };
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
index 83ec0a8..1c23124 100644
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@@ -12,6 +12,7 @@ in { }; imports = [ + ./host-user.nix ./mixins ];
diff --git a/modules/nixos/traits/host-user.nix b/modules/nixos/server/host-user.nix
index 2da91d6..5aa1ce5 100644
--- a/modules/nixos/traits/host-user.nix
+++ b/modules/nixos/server/host-user.nix
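Review bot: In the users.nix hunks, flipping `defaultRoot.enable` to `default = false` stops the module from declaring a root password, but on a host where `users.mutableUsers` is left at its default of `true` the hash that earlier deployments already wrote to `/etc/shadow` is not removed, so root stays password-accessible there until it is locked explicitly. If the intent of this commit is that root has no usable password, the branch guarded by `cfg.defaultRoot.enable && cfg.defaultRoot.manageSecrets` needs a counterpart for the disabled case — as far as I can tell `users.users.root.hashedPassword = lib.mkDefault "!";` (or `users.mutableUsers = false;` at host level) would make existing hosts converge instead of relying on a fresh install. A one-line comment next to the new default, `# root gets no password by default; lock it explicitly on mutable hosts`, would record that decision. The mkMerge list holding the `lib.mkIf` block continues outside the second hunk.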
@@ -1,15 +1,15 @@ { config, lib, - pkgs, secretsDir, ... }: let - cfg = config.traits.users.hostUser; + cfg = config.server.hostUser; inherit (config.networking) hostName; in { - options.traits.users.hostUser = { - enable = lib.mkEnableOption "${hostName} user configuration"; + options.server.hostUser = { + enable = lib.mkEnableOption "${hostName} user configuration" // {default = config.server.enable;}; + manageSecrets = lib.mkEnableOption "automatic secrets management" // {
@@ -22,7 +22,7 @@ in { { users.users.${hostName} = { isNormalUser = true; - shell = pkgs.bash; + extraGroups = ["wheel"]; }; }
diff --git a/modules/nixos/server/mixins/acme.nix b/modules/nixos/server/mixins/acme.nix
index 60703e6..0e4a6d6 100644
--- a/modules/nixos/server/mixins/acme.nix
+++ b/modules/nixos/server/mixins/acme.nix
@@ -23,23 +23,26 @@ in { { security.acme = { acceptTerms = true; - defaults = - { - email = "[email protected]"; - } - // lib.optionalAttrs cfg.useDns { - dnsProvider = "cloudflare"; - } - // lib.optionalAttrs cfg.manageSecrets { - credentialsFile = config.age.secrets.cloudflareApiKey.path; - }; + defaults = { + email = "[email protected]"; + }; }; } + (lib.mkIf cfg.useDns { + security.acme.defaults = { + dnsProvider = "cloudflare"; + }; + }) + (lib.mkIf cfg.manageSecrets { age.secrets = { cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age"; }; + + security.acme.defaults = { + credentialsFile = config.age.secrets.cloudflareApiKey.path; + }; }) ] );
diff --git a/modules/nixos/server/mixins/cloudflared.nix b/modules/nixos/server/mixins/cloudflared.nix
index 5f75a35..26c0714 100644
--- a/modules/nixos/server/mixins/cloudflared.nix
+++ b/modules/nixos/server/mixins/cloudflared.nix
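Review bot: The `extraGroups = ["wheel"]` added in the second host-user.nix hunk gives the host user sudo rights, while the first hunk only introduces a `manageSecrets` toggle whose body lies outside the hunk, so nothing visible here sets a password or an SSH key for that account; together with the root password removal in this commit it becomes the only privileged login, and its credential source should be stated next to the `wheel` grant, e.g. `# privileged login for this host (root has no password); its password comes from manageSecrets`. It is also worth confirming what `security.sudo.wheelNeedsPassword` is on these servers: a wheel member without a password cannot use sudo when it is true and gets passwordless root when it is false, and neither outcome is obviously the one wanted. Both the `options.server.hostUser` set and the `users.users.${hostName}` block continue outside the hunks.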
@@ -9,6 +9,15 @@ in { options.server.mixins.cloudflared = { enable = lib.mkEnableOption "cloudflared mixin"; + tunnelName = lib.mkOption { + type = lib.types.str; + default = "${config.networking.hostName}-nginx"; + example = lib.literalExpression "my-tunnel"; + description = lib.mdDoc '' + Name of the default tunnel being created + ''; + }; + manageSecrets = lib.mkEnableOption "automatic secrets management" // {
@@ -21,18 +30,12 @@ in { { services.cloudflared = { enable = true; - tunnels = { - "${config.networking.hostName}-nginx" = - { - default = "http_status:404"; + tunnels.${cfg.tunnelName} = { + default = "http_status:404"; - ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) ( - _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";} - ); - } - // lib.optionalAttrs cfg.manageSecrets { - credentialsFile = config.age.secrets.cloudflaredCreds.path; - }; + ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) ( + _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";} + ); }; }; }
@@ -44,6 +47,10 @@ in { owner = "cloudflared"; group = "cloudflared"; }; + + services.cloudflared.tunnels.${cfg.tunnelName} = { + credentialsFile = config.age.secrets.cloudflaredCreds.path; + }; }) ] );
diff --git a/modules/nixos/traits/containers.nix b/modules/nixos/traits/containers.nix
index e309a89..10824eb 100644
--- a/modules/nixos/traits/containers.nix
+++ b/modules/nixos/traits/containers.nix
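Review bot: `example = lib.literalExpression "my-tunnel";` in the first cloudflared.nix hunk renders the example as the bare expression `my-tunnel`, which is not a valid Nix string; for a `types.str` option the example is just the value, `example = "my-tunnel";`, so the generated docs show `"my-tunnel"`. Moving `credentialsFile` under `lib.mkIf cfg.manageSecrets` in the third hunk preserves the old `optionalAttrs` behaviour, but it leaves the tunnel declared without credentials whenever `manageSecrets` is off — if the cloudflared module gives that option no default, evaluation then fails with an "used but not defined" error, so a comment on the `tunnels.${cfg.tunnelName} = {` line such as `# credentialsFile is added under manageSecrets below; the tunnel cannot run without it` would make the coupling visible. The `options.server.mixins.cloudflared` set continues outside the first hunk.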
@@ -11,28 +11,30 @@ in { enable = lib.mkEnableOption "containers support"; }; - config.virtualisation = lib.mkMerge [ - (lib.mkIf cfg.enable { - podman = { - enable = true; - extraPackages = with pkgs; [podman-compose]; - autoPrune.enable = true; - }; + config.virtualisation = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + podman = { + enable = true; + extraPackages = with pkgs; [podman-compose]; + autoPrune.enable = true; + }; - oci-containers.backend = "podman"; - }) - - (let - enable = lib.mkDefault ( - lib.elem "nvidia" (config.services.xserver.videoDrivers or []) - ); - in - if (options.virtualisation.containers ? cdi) - then { - containers.cdi.dynamic.nvidia = {inherit enable;}; + oci-containers.backend = "podman"; } - else { - podman.enableNvidia = enable; - }) - ]; + + (let + enable = lib.mkDefault ( + lib.elem "nvidia" (config.services.xserver.videoDrivers or []) + ); + in + if (options.virtualisation.containers ? cdi) + then { + containers.cdi.dynamic.nvidia = {inherit enable;}; + } + else { + podman.enableNvidia = enable; + }) + ] + ); }
diff --git a/modules/nixos/traits/default.nix b/modules/nixos/traits/default.nix
index 983edce..51682a3 100644
--- a/modules/nixos/traits/default.nix
+++ b/modules/nixos/traits/default.nix
@@ -3,7 +3,6 @@ ./auto-upgrade.nix ./containers.nix ./home-manager.nix - ./host-user.nix ./locale.nix ./secrets.nix ./tailscale.nix
diff --git a/modules/nixos/traits/tailscale.nix b/modules/nixos/traits/tailscale.nix
index b432ced..a7d8c06 100644
--- a/modules/nixos/traits/tailscale.nix
+++ b/modules/nixos/traits/tailscale.nix
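Review bot: The containers.nix hunk is not a pure reshuffle: the nvidia branch (`containers.cdi.dynamic.nvidia` / `podman.enableNvidia`) previously sat outside `lib.mkIf cfg.enable` and was applied on every host with the nvidia driver, and after this change it is only applied when the containers trait is enabled. That is probably the intended behaviour, but the commit message ("nixos: remove root password") does not mention it, so it deserves a line there or a comment on the `config.virtualisation = lib.mkIf cfg.enable (` line, e.g. `# nvidia CDI/enableNvidia only matters with podman, so it is gated on cfg.enable too`. The `if (options.virtualisation.containers ? cdi)` fallback is carried over unchanged, which is fine.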
@@ -16,33 +16,38 @@ in { }; }; - config = lib.mkIf cfg.enable (lib.mkMerge [ - { - networking.firewall = - { - trustedInterfaces = ["tailscale0"]; - } - // lib.optionalAttrs cfg.ssh.enable { - allowedTCPPorts = [22]; + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + networking.firewall = { + trustedInterfaces = [config.services.tailscale.interfaceName]; }; - services.tailscale = - { + services.tailscale = { enable = true; openFirewall = true; - } - // lib.optionalAttrs cfg.ssh.enable { + }; + } + + (lib.mkIf cfg.ssh.enable { + networking.firewall = { + allowedTCPPorts = [22]; + }; + + services.tailscale = { extraUpFlags = ["--ssh"]; - } - // lib.optionalAttrs cfg.manageSecrets { - authKeyFile = config.age.secrets.tailscaleAuthKey.path; }; - } + }) - (lib.mkIf cfg.manageSecrets { - age.secrets = lib.mkIf cfg.manageSecrets { - tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age"; - }; - }) - ]); + (lib.mkIf cfg.manageSecrets { + age.secrets = lib.mkIf cfg.manageSecrets { + tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age"; + }; + + services.tailscale = { + authKeyFile = config.age.secrets.tailscaleAuthKey.path; + }; + }) + ] + ); }
diff --git a/secrets/atlas/rootPassword.age b/secrets/atlas/rootPassword.age
Binary files differdeleted file mode 100644
index be8197a..0000000
--- a/secrets/atlas/rootPassword.age
+++ /dev/null
diff --git a/secrets/glados-wsl/rootPassword.age b/secrets/glados-wsl/rootPassword.age
Binary files differdeleted file mode 100644
index 6697c67..0000000
--- a/secrets/glados-wsl/rootPassword.age
+++ /dev/null
diff --git a/secrets/glados/rootPassword.age b/secrets/glados/rootPassword.age
Binary files differdeleted file mode 100644
index ee98efe..0000000
--- a/secrets/glados/rootPassword.age
+++ /dev/null
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 097d007..0159806 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
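Review bot: Inside the new `(lib.mkIf cfg.manageSecrets {` block of the tailscale.nix hunk, `age.secrets = lib.mkIf cfg.manageSecrets { ... }` repeats the condition the outer mkIf already applies; the inner one is dead and the line can simply read `age.secrets = { tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age"; };`. Separately, the `cfg.ssh.enable` block keeps `allowedTCPPorts = [22]`, which opens sshd on every interface, whereas Tailscale SSH (`--ssh`) is answered by tailscaled on the already-trusted `interfaceName` and does not need 22 open elsewhere — if the intent is Tailscale-only SSH that line is broader than needed, and if a public sshd is wanted a comment such as `# sshd is also reachable outside the tailnet on purpose` would make that explicit.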
@@ -10,7 +10,6 @@ let owner = owners.getchoo; pubkey = "age1n7tyxx63wpgnmwkzn7dmkm62jxel840rk3ye3vsultrszsfrwuzsawdzhq"; files = [ - "rootPassword.age" "sethPassword.age" ]; };
@@ -25,7 +24,6 @@ let pubkey = "age18eu3ya4ucd2yzdrpkpg7wrymrxewt8j3zj2p2rqgcjeruacp0dgqryp39z"; owner = owners.getchoo; files = [ - "rootPassword.age" "userPassword.age" "miniflux.age" "tailscaleAuthKey.age" |
