From 632052e752becd11408ae909b8e70956cd259d64 Mon Sep 17 00:00:00 2001
From: seth
Date: Wed, 24 May 2023 06:53:12 -0400
Subject: atlas/p-body: enable github auth for wheel users
---
 hosts/atlas/default.nix | 16 +++++++++++++++-
 hosts/p-body/default.nix | 12 ++++++++++++
 hosts/p-body/hydra.nix | 1 +
 secrets/hosts/atlas/authGH.age | 15 +++++++++++++++
 secrets/hosts/p-body/authGH.age | 13 +++++++++++++
 secrets/secrets.nix | 2 ++
 6 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 secrets/hosts/atlas/authGH.age
 create mode 100644 secrets/hosts/p-body/authGH.age
diff --git a/hosts/atlas/default.nix b/hosts/atlas/default.nix
index 11db15e..0146b72 100644
--- a/hosts/atlas/default.nix
+++ b/hosts/atlas/default.nix
@@ -1,6 +1,7 @@
 {
 config,
 pkgs,
+ self,
 ...
 }: {
 imports = [
@@ -19,6 +20,13 @@
 hermetic = false;
 };
+ age.secrets.authGH = {
+ file = "${self}/secrets/hosts/${config.networking.hostName}/authGH.age";
+ mode = "440";
+ owner = config.users.users.root.name;
+ group = config.users.groups.wheel.name;
+ };
+
 boot = {
 binfmt.emulatedSystems = ["x86_64-linux" "i686-linux"];
 cleanTmpDir = true;
@@ -35,7 +43,13 @@
 hostName = "atlas";
 };
- nix.settings.trusted-users = ["bob"];
+ nix = {
+ extraOptions = ''
+ !include ${config.age.secrets.authGH.path}
+ '';
+
+ settings.trusted-users = ["bob"];
+ };
 system.stateVersion = "22.11";
diff --git a/hosts/p-body/default.nix b/hosts/p-body/default.nix
index e303e36..e4368b4 100644
--- a/hosts/p-body/default.nix
+++ b/hosts/p-body/default.nix
@@ -3,6 +3,7 @@
 guzzle_api,
 modulesPath,
 pkgs,
+ self,
 ...
 }: {
 imports = [
@@ -25,6 +26,13 @@
 hermetic = false;
 };
+ age.secrets.authGH = {
+ file = "${self}/secrets/hosts/${config.networking.hostName}/authGH.age";
+ mode = "440";
+ owner = config.users.users.root.name;
+ inherit (config.users.users.hydra) group;
+ };
+
 getchoo.server.secrets.enable = true;
 networking = {
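Review bot: The `age.secrets.authGH` block in the atlas hunk and its near-copy in the p-body hunk differ only in the group they grant read access to (wheel on atlas, hydra's primary group on p-body), so the commit title's "wheel users" does not describe p-body. Both use `mode = "440"`, which lets every member of that group read the token outright rather than merely use it; that is presumably deliberate because each user's own nix process has to read the included fragment, and if so a comment such as `# group-readable on purpose: each user's nix client reads this fragment itself` would make the intent explicit. The two definitions could also be one shared module taking the group as an option, which would keep the path template and mode from drifting apart between hosts.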
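Review bot: The `!include` line in the atlas `nix.extraOptions` hunk (and the identical line in the p-body hunk further down the patch) is the non-fatal form of the directive, so if the secret fails to decrypt on a host the file is silently skipped and the only symptom is unauthenticated GitHub access later (rate limits, failures on private repos). That is a reasonable choice for a file that only exists after activation, but it deserves a comment, e.g. `# !include (not include): tolerate a missing secret so nix.conf still parses; the fragment must itself be in nix.conf syntax`. The fragment's contents are not in this patch, so the key it sets (presumably an `access-tokens` line) cannot be checked here.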
@@ -32,6 +40,10 @@
 hostName = "p-body";
 };
+ nix.extraOptions = ''
+ !include ${config.age.secrets.authGH.path}
+ '';
+
 services = {
 guzzle-api = {
 enable = true;
diff --git a/hosts/p-body/hydra.nix b/hosts/p-body/hydra.nix
index 115e077..5ed44e2 100644
--- a/hosts/p-body/hydra.nix
+++ b/hosts/p-body/hydra.nix
@@ -55,6 +55,7 @@ in {
 nix.settings.trusted-users = ["@${hydraGroup}"];
 users.users = {
+ ${hostName}.extraGroups = [hydraGroup];
 hydra-queue-runner.extraGroups = [hydraGroup];
 hydra-www.extraGroups = [hydraGroup];
 };
diff --git a/secrets/hosts/atlas/authGH.age b/secrets/hosts/atlas/authGH.age
new file mode 100644
index 0000000..0a365ba
--- /dev/null
+++ b/secrets/hosts/atlas/authGH.age
@@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGxXSVVGUSBHNXla
+OEI4L3lnUFFHNk04T3dNenJlamswSTZUNkQrVHc3RTl4dktOMFVjClZzVW1yY0N4
+dWoyU2RxdnlMVklkV0xOWUFvV1JrTTBtSlY3ZHRBRm9iZXMKLT4gc3NoLWVkMjU1
+MTkgSTkyQTNRIHhLelRZNzFVNVVxQ0R3cDhrNExhRElkazVpM20yY0wzOTFnTEFl
+alMwRTQKbU91MGpsa0VySkpKQm5CK2Z4TWRzK1RqOU9JTUlPM2FBMlNMN00rbXZJ
+awotPiBcKzFpXC1ncmVhc2UgMiN4c3BGCi9kU1VOOHM5S2tTNlZvUDRXK2ZwdlV1
+ZG9tbVpGMHZnQWVBWTBKTksydURuM3NRK1gySjNVOFM4VUVScGF5MEsKbno2OFJ3
+UFQ2UmF0WERVRzlVb2ZwdC9SbFBSZzlQaENOZHQ5Vk1HMnNFNWVsSkxjaE9MWkVJ
+OTlrV2hZckxudQptMzgKLS0tIHNPN01KYlBpdzhCVnp0QnhZdGlVKzFZeDQwSTJE
+ODd5MUNBSElyVzErVFEKz0IjBotQR4Au43+wUA4BSBX67FCGqOWaHObYm6aMO7yW
+ALJYus9JF9Zb29mEUbxehaSF5J/RcAbcUwydn3RoY5JmhInNbsn/iu+LZ677o26j
+6bUshly+e7xY3I/29x/dgzCtwNUTc7Y/7YhW2V+8nv7gBCf8V2HNZAZKzo13NYfO
+QWD/Q2Fpe6O9TBZFgb+zFcZ2sno3nBWq
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/hosts/p-body/authGH.age b/secrets/hosts/p-body/authGH.age
new file mode 100644
index 0000000..eb8a400
--- /dev/null
+++ b/secrets/hosts/p-body/authGH.age
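Review bot: `${hostName}.extraGroups = [hydraGroup];` in the hydra.nix hunk puts a human user into the same group that the context line above lists in `nix.settings.trusted-users`, so this user also becomes a trusted nix user, and the p-body `age.secrets.authGH` entry earlier in the patch grants the token to `config.users.users.hydra`'s group; if hydraGroup is that same group (its `let` binding is outside the hunk), the token is readable by hydra-queue-runner and the web-facing hydra-www as well, per the two context lines below the addition. A compromise of hydra-www would then expose a GitHub token it may not need, so a dedicated group for the secret would keep trusted-users membership and token readership separate. At minimum the addition should say why it is there, e.g. `# lets the host's user read the authGH secret; note this also makes it a trusted nix user`.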
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDJybTN3ZyB1cEdL
+Zk9kWEhzRGIrMkVQK3dvZWNvdjZrbW01b2dzaXBWL0pNZ2dLWHhrCk5SbVFheVYy
+d095WmZTNHV5VUs3djU3YnRTbFZZekpjbU15QkZrRkhyWVEKLT4gc3NoLWVkMjU1
+MTkgSTkyQTNRIGZNWU5yWTdNbXFXUjZJOUFlVUlMVW5iT1NiS2hxMU51djVlVlR5
+N0RnWDgKNG1rb0tpN2dmeHhCZUJvcVJ3WmorbUpDaWJEZk16dUkyejM5WDVsbWZs
+OAotPiBPLWdyZWFzZSBFClJ3bCtaaUl0dXBkNVFhZGtuamV6N0NuRDNNQVlPUmtY
+c3FGNnVuSldmbk5LZTY5TGhBCi0tLSBuWVV6Y1J0TW5SVkp6UDQ2U3ZUa1U1NTE5
+T2Vjano0K081YWx2bDBpcW44Ck9b/U1ShHbQEHQ5Jyk1HuLgKuosBlXkhnjUVmpP
+bLMwSC/kGw3mgX5SVmTdWiMbk4ibIRqXqeqZRruI80kkgXwQjuYG2aMvaO/A5+IR
+7o8J6b8Ycz6kAm7SR5oz2BWcPrkIMjNrZzc+Zf/PW89GxU2I/j7wDLjlgonhq+qr
+AobH5N3V9J3SIZ11SAwMjIKWnd6c5nSaLHTOEA==
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 4dc1cff..c525929 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -12,9 +12,11 @@ in {
 "hosts/atlas/rootPassword.age".publicKeys = atlas;
 "hosts/atlas/userPassword.age".publicKeys = atlas;
 "hosts/atlas/miniflux.age".publicKeys = atlas;
+ "hosts/atlas/authGH.age".publicKeys = atlas;
 "hosts/p-body/rootPassword.age".publicKeys = p-body;
 "hosts/p-body/userPassword.age".publicKeys = p-body;
 "hosts/p-body/p-body2atlas.age".publicKeys = p-body;
 "hosts/p-body/hydraGH.age".publicKeys = p-body;
+ "hosts/p-body/authGH.age".publicKeys = p-body;
 }
--
cgit v1.2.3