authorsefidel <contact@sefidel.net>2023-02-15 00:39:38 +0900
committersefidel <contact@sefidel.net>2023-02-15 00:39:38 +0900
commitacb4dd1dfc20df79777edcd4c3eeefe2e1d78c8a (patch)
tree3a593c25ca00f245d1741bebaf59981fcc13a646
parentdd34ba371aeb5a17960a58d418007a5083279957 (diff)
feat(nixos/kompakt): activate volatile root
-rw-r--r--nixos/.sops.yaml6
-rw-r--r--nixos/default.nix1
-rw-r--r--nixos/kompakt/configuration.nix32
-rw-r--r--nixos/kompakt/secrets/secrets.yaml44
4 files changed, 75 insertions, 8 deletions
diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml
index f6cb8c7..bbcded6 100644
--- a/nixos/.sops.yaml
+++ b/nixos/.sops.yaml
@@ -1,9 +1,15 @@
 keys:
   - &sefidel 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
   - &host_alpha c62b0336ff6e444e5f2041e8074ca855641a5b7f
+  - &host_kompakt 2994421e08233114879a5e49a760952464f8c4c3
 creation_rules:
   - path_regex: alpha/secrets/[^/]+\.yaml$
     key_groups:
     - pgp:
       - *sefidel
       - *host_alpha
+  - path_regex: kompakt/secrets/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+        - *sefidel
+        - *host_kompakt
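Review bot: The `path_regex` on the new creation rule is unanchored at the start, so it also matches any deeper path that merely contains `kompakt/secrets/`; the existing alpha rule has the same shape, so this is consistent, but both would be tighter as `path_regex: ^kompakt/secrets/[^/]+\.yaml$`. Since sops applies the first matching rule, anchoring also avoids a future rule for another host being shadowed by an accidental substring match. The `host_kompakt` fingerprint is written in lowercase while `sefidel` is uppercase; sops/gpg appear to treat them case-insensitively, but one convention for both keeps `grep` against `fp:` entries in the encrypted files straightforward.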
diff --git a/nixos/default.nix b/nixos/default.nix
index 33bf06d..6618abc 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -29,6 +29,7 @@
     nixpkgs = unstable-small;
     extraModules = [
       inputs.sops-nix.nixosModules.sops
+      inputs.impermanence.nixosModules.impermanence
     ];
   };
 }
diff --git a/nixos/kompakt/configuration.nix b/nixos/kompakt/configuration.nix
index 581af1f..7202a03 100644
--- a/nixos/kompakt/configuration.nix
+++ b/nixos/kompakt/configuration.nix
@@ -26,6 +26,9 @@
   networking.hostName = "kompakt"; # Define your hostname.
   networking.hostId = "9c8c0140";
 
+  boot.initrd.postDeviceCommands = lib.mkAfter ''
+    zfs rollback -r rpool/local/root@blank
+  '';
 
   # Pick only one of the below networking options.
   networking.wireless.iwd.enable = true;
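Review bot: The added `zfs rollback -r rpool/local/root@blank` carries no comment saying it runs in the initrd on every boot and discards everything on the root dataset that is not bind-mounted back from `/persist`; a maintainer reading `postDeviceCommands` later should not have to infer that the `@blank` snapshot must exist and must never be destroyed. I would add above the `lib.mkAfter`: `# Volatile root: reset rpool/local/root to the empty @blank snapshot on every boot (mkAfter so it runs after pool import). Anything not listed under environment.persistence is lost; the snapshot must exist before first boot.` The `-r` flag also destroys any snapshots of that dataset taken after `@blank`, which is presumably intended for an ephemeral root but belongs in the same comment.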
@@ -69,14 +72,22 @@
   # Enable touchpad support (enabled default in most desktopManager).
   # services.xserver.libinput.enable = true;
 
+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+  sops.secrets.root-password.neededForUsers = true;
+  sops.secrets.sefidel-password.neededForUsers = true;
+
+  users.mutableUsers = false;
+
   # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.sefidel = {
-    isNormalUser = true;
-    shell = pkgs.zsh;
-    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-    initialPassword = "cube";
-    packages = with pkgs; [
-    ];
+  users.users = {
+    root.passwordFile = config.sops.secrets.root-password.path;
+    sefidel = {
+      isNormalUser = true;
+      shell = pkgs.zsh;
+      passwordFile = config.sops.secrets.sefidel-password.path;
+
+      extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    };
   };
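Review bot: `passwordFile` for `root` and `sefidel` must point at a file containing a password hash (e.g. `mkpasswd -m sha-512`), not the plaintext; nothing in the hunk records that, and a plaintext value inside the encrypted `secrets.yaml` would silently yield an unusable login. I would add above `users.mutableUsers = false;`: `# Both sops secrets hold a hashed password (mkpasswd -m sha-512); with mutableUsers = false, any passwd change is reverted on the next rebuild.` `neededForUsers = true` means sops-nix must decrypt these in early activation, before user creation, which presumably depends on the host's SSH key under the persisted `/etc/ssh` being readable that early — worth confirming that the `/persist` filesystem is declared with `neededForBoot = true` (that declaration is outside this diff). Newer nixpkgs deprecates `passwordFile` in favour of `hashedPasswordFile`; on `unstable-small` that may surface as a warning soon.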
 
   # List packages installed in system profile. To search, run:
@@ -97,7 +108,12 @@
   # List services that you want to enable:
 
   # Enable the OpenSSH daemon.
-  # services.openssh.enable = true;
+  services.openssh.enable = true;
+
+  environment.persistence."/persist".directories = [
+    "/etc/ssh"
+    "/etc/nixos"
+  ];
 
   # Open ports in the firewall.
   # networking.firewall.allowedTCPPorts = [ ... ];
diff --git a/nixos/kompakt/secrets/secrets.yaml b/nixos/kompakt/secrets/secrets.yaml
new file mode 100644
index 0000000..07ea330
--- /dev/null
+++ b/nixos/kompakt/secrets/secrets.yaml
@@ -0,0 +1,44 @@
+root-password: ENC[AES256_GCM,data:PooKfuWKW4bCIOAXmLvWIrQX5R+Qo6AQedpe6RWNIP+c9qpcSdNOegu/vFAqyywjS/O9kUMKp2DY9lZUFClv3RCJzz1G9hdLxg==,iv:hONLcKyjIo58ogPwA8Us9TUEyrKhJpcGl0L0QBjiVZk=,tag:AzHz3no1bkoTRnDTXO77ZQ==,type:str]
+sefidel-password: ENC[AES256_GCM,data:L/uWtnd+HFvDNf1A5pEUN6lPw1x6HDcy9iJe4PDvN+8nPEk7nqj1OdachjtnA809q3zRHH6p8nXiVlphCEXYjNUe149KFTy58Q==,iv:if1B0QNMsDnhdEGbUVOmrTKIeuY4Mwxb6Y4TNyNd/E4=,tag:b/srjVDBjlz0Mbmm38FK7A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-02-14T15:38:07Z"
+    mac: ENC[AES256_GCM,data:suADqphFpyzsv6Jjr3OoBYttKNQGBcmfG1eV8D+Vats4xbtWj6OdMO4xXC96YXs90v/BIREsoFR4gZTolxQPNK3fTTU9PlFp1nRKOBIxxXW1Chvg8RW2CVFwonDvSC2WqktPf9U8fCH5KFsXjCc0zNaxiWVME/Ya8gchjGE0EWA=,iv:3KBanBiSWpKs7Kyn26eedVUM5EMjlUA4+wvxiPWVeJ8=,tag:ARBsXlCYlAxN8IUrVDwnPg==,type:str]
+    pgp:
+        - created_at: "2023-02-14T15:37:11Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dr9flwPWa1q8SAQdAhA3eEV9YzTu8XpBdPm7wk/5mdxlS1I9NBVcAb3lFNBIw
+            Oexdn/amZmWG4o9GXfuoDWeqIm3BjqtjW1RKPoguMIyD9raXFRe6uefSrwSpm9KY
+            0l4BZ01mANMQGeZ/UeIovGkHQb7xgYhAeyB7JxUzkwX5J+ztdIkBmcs/WiwJ7ZFn
+            66IdyzySGFUiEVKT1x4oFS/YhHO5BbinK6uvLrvzA28ee2f9xEkPvItYeVIG5zLu
+            =MgEm
+            -----END PGP MESSAGE-----
+          fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
+        - created_at: "2023-02-14T15:37:11Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6dglSRk+MTDAQ/+J2yQQ8uEyC2fzQKRJC+4TUXbD1vMryNaY/pl4xkfurjT
+            PEMcQqRj7tx//kpqTgYCYJaCdqolGJJhcWBWEZKbpQApnz6zq6CjCYhB5iNFXu1+
+            ORyinu6m4P3r5BgstjhFQh6P9ruM7PzRQEm6DYZh788IrTFUq4v4YUJ4b4mEttrN
+            QfBF05EoDVlOeP31ErfAQqVU/7ErByt0CF2OSMDwwc76QFbYIozaLLvrY6zkeudn
+            po2ZI1mgjHxvDogJ6zT0sNcUrSgSsUuw3+EAItjgI7MdlCGxJxPZDmSOI3rDt7Hz
+            QaqdeIxR4dW3yulk13FrhYfhmRzJZJwcHHcGEqoP5RcPydNJkwlgs0WK7Ty62vhC
+            3UkWUC9gtPntipdQc6/JLFbzjowij5G+vz0YEY/icUuQ0Y6cwqlAjKjv04jVjLxX
+            wa1xPTm930XyjhQEgB643FKmpWakRnK3dDC4XH+P6CrqybFqWJ1WtOQh3pR2IE0A
+            0Ww+suqpeweQ05vQD5njlzhy/i2sgSXYm/hwOnhoSAir1L+3ZBQanHwmah0SyBKQ
+            AUlznGxNU0iXEaNjO4TsRteK35CPxNFZMrFrxFbpqQX0GolXIpjMwxRdVrA2kVmo
+            sxxB5vfoIbBfJZThfq8iNugu9omwAvHF2lESwdcN5ZAAXvtXn0vJSsYWL6nD+hDS
+            WAHt7zY9VZvgRxmQafjp5dLdJz7E08Q/tTCmiB/Sc2Rov2Euf/J3aXUzobLBHVwJ
+            /2TIDjJOhuIRKkQp+C0vqCBnCb4oFEAYkOUSzy8JqLbNamW+cb/3zsk=
+            =eQJv
+            -----END PGP MESSAGE-----
+          fp: 2994421e08233114879a5e49a760952464f8c4c3
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3