From acb4dd1dfc20df79777edcd4c3eeefe2e1d78c8a Mon Sep 17 00:00:00 2001
From: sefidel
Date: Wed, 15 Feb 2023 00:39:38 +0900
Subject: feat(nixos/kompakt): activate volatile root

---
 nixos/.sops.yaml                   |  6 ++++++
 nixos/default.nix                  |  1 +
 nixos/kompakt/configuration.nix    | 32 ++++++++++++++++++++-------
 nixos/kompakt/secrets/secrets.yaml | 44 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 75 insertions(+), 8 deletions(-)
 create mode 100644 nixos/kompakt/secrets/secrets.yaml

(limited to 'nixos')

diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml
index f6cb8c7..bbcded6 100644
--- a/nixos/.sops.yaml
+++ b/nixos/.sops.yaml
@@ -1,9 +1,15 @@
 keys:
   - &sefidel 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
   - &host_alpha c62b0336ff6e444e5f2041e8074ca855641a5b7f
+  - &host_kompakt 2994421e08233114879a5e49a760952464f8c4c3
 creation_rules:
   - path_regex: alpha/secrets/[^/]+\.yaml$
     key_groups:
     - pgp:
       - *sefidel
       - *host_alpha
+  - path_regex: kompakt/secrets/[^/]+\.yaml$
+    key_groups:
+    - pgp:
+      - *sefidel
+      - *host_kompakt
diff --git a/nixos/default.nix b/nixos/default.nix
index 33bf06d..6618abc 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -29,6 +29,7 @@
         nixpkgs = unstable-small;
         extraModules = [
           inputs.sops-nix.nixosModules.sops
+          inputs.impermanence.nixosModules.impermanence
         ];
       };
     }
diff --git a/nixos/kompakt/configuration.nix b/nixos/kompakt/configuration.nix
index 581af1f..7202a03 100644
--- a/nixos/kompakt/configuration.nix
+++ b/nixos/kompakt/configuration.nix
@@ -26,6 +26,9 @@
   networking.hostName = "kompakt"; # Define your hostname.
   networking.hostId = "9c8c0140";
+  boot.initrd.postDeviceCommands = lib.mkAfter ''
+    zfs rollback -r rpool/local/root@blank
+  '';
   # Pick only one of the below networking options.
   networking.wireless.iwd.enable = true;
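Review bot: The new `path_regex: kompakt/secrets/[^/]+\.yaml$` is unanchored on the left, so any path whose tail is `kompakt/secrets/<name>.yaml` selects this key group, not only the `nixos/kompakt` tree; `^kompakt/secrets/[^/]+\.yaml$` pins it, and the `alpha` rule above it has the same shape. As far as I recall, whether sops matches the regex against the path relative to this file or against the full path has changed between releases, so the anchored form is the safer choice either way.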
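Review bot: The rollback in the added `boot.initrd.postDeviceCommands` leaves the previous root in place without any visible sign if `rpool/local/root@blank` is missing or the command fails, because nothing in the hook checks its exit status, so the volatile-root property the commit title announces is best-effort. A comment recording the precondition, `# Volatile root: rpool/local/root@blank must be an empty snapshot taken at install time`, plus `zfs rollback -r rpool/local/root@blank || echo "WARNING: root rollback failed; / is not volatile"`, would at least make a failed wipe show up on the console. To my knowledge this hook is honoured only by the scripted initrd and ignored once `boot.initrd.systemd` is enabled, which is worth noting next to it. The enclosing module attribute set and its `lib` argument begin outside the hunk.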
@@ -69,14 +72,22 @@
   # Enable touchpad support (enabled default in most desktopManager).
   # services.xserver.libinput.enable = true;
+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+  sops.secrets.root-password.neededForUsers = true;
+  sops.secrets.sefidel-password.neededForUsers = true;
+
+  users.mutableUsers = false;
+
   # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.sefidel = {
-    isNormalUser = true;
-    shell = pkgs.zsh;
-    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-    initialPassword = "cube";
-    packages = with pkgs; [
-    ];
+  users.users = {
+    root.passwordFile = config.sops.secrets.root-password.path;
+    sefidel = {
+      isNormalUser = true;
+      shell = pkgs.zsh;
+      passwordFile = config.sops.secrets.sefidel-password.path;
+
+      extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    };
   };
   # List packages installed in system profile. To search, run:
@@ -97,7 +108,12 @@
   # List services that you want to enable:
   # Enable the OpenSSH daemon.
-  # services.openssh.enable = true;
+  services.openssh.enable = true;
+
+  environment.persistence."/persist".directories = [
+    "/etc/ssh"
+    "/etc/nixos"
+  ];
   # Open ports in the firewall.
   # networking.firewall.allowedTCPPorts = [ ... ];
diff --git a/nixos/kompakt/secrets/secrets.yaml b/nixos/kompakt/secrets/secrets.yaml
new file mode 100644
index 0000000..07ea330
--- /dev/null
+++ b/nixos/kompakt/secrets/secrets.yaml
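Review bot: With `users.mutableUsers = false;` and both `passwordFile`s pointing at `neededForUsers` sops secrets, a boot on which sops-nix cannot decrypt `secrets.yaml` leaves root and sefidel with no usable password at all, and the volatile root from the first hunk makes that the likely failure mode: the host PGP key this file is encrypted to presumably lives under the persisted `/etc/ssh`, and `neededForUsers` secrets are decrypted early in activation, so the `/persist` mount has to be up in stage 1. Nothing in this diff says so; unless `hardware-configuration.nix` already sets `fileSystems."/persist".neededForBoot = true;`, that line belongs here next to the `environment.persistence` entry in the following hunk. A comment above `sops.defaultSopsFile`, `# Decryption uses the host key persisted in /etc/ssh; /persist must be neededForBoot`, would record the dependency for the next reader. Consider also a fixed `uid` for sefidel, since `/var/lib/nixos`, where NixOS records auto-assigned ids, is not in the persisted list and would be wiped with the root.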
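Review bot: Enabling sshd at `services.openssh.enable = true;` keeps NixOS's default of password authentication, so the sefidel password stored in `secrets.yaml` becomes a network login credential as a side effect of this hunk; adding `services.openssh.passwordAuthentication = false;` (or `services.openssh.settings.PasswordAuthentication = false;` where the `settings` form is available) limits remote access to keys, and the default `PermitRootLogin` should stay as is. The `/persist` directory list is also short for a wiped root: `/var/lib/nixos` and `/var/log` are commonly kept, and whichever way the choice goes a one-line comment such as `# Only host keys and the config tree survive a reboot; everything else is rebuilt from the flake` would document it. The enclosing attribute set continues past the hunk.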
@@ -0,0 +1,44 @@
+root-password: ENC[AES256_GCM,data:PooKfuWKW4bCIOAXmLvWIrQX5R+Qo6AQedpe6RWNIP+c9qpcSdNOegu/vFAqyywjS/O9kUMKp2DY9lZUFClv3RCJzz1G9hdLxg==,iv:hONLcKyjIo58ogPwA8Us9TUEyrKhJpcGl0L0QBjiVZk=,tag:AzHz3no1bkoTRnDTXO77ZQ==,type:str]
+sefidel-password: ENC[AES256_GCM,data:L/uWtnd+HFvDNf1A5pEUN6lPw1x6HDcy9iJe4PDvN+8nPEk7nqj1OdachjtnA809q3zRHH6p8nXiVlphCEXYjNUe149KFTy58Q==,iv:if1B0QNMsDnhdEGbUVOmrTKIeuY4Mwxb6Y4TNyNd/E4=,tag:b/srjVDBjlz0Mbmm38FK7A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-02-14T15:38:07Z"
+    mac: ENC[AES256_GCM,data:suADqphFpyzsv6Jjr3OoBYttKNQGBcmfG1eV8D+Vats4xbtWj6OdMO4xXC96YXs90v/BIREsoFR4gZTolxQPNK3fTTU9PlFp1nRKOBIxxXW1Chvg8RW2CVFwonDvSC2WqktPf9U8fCH5KFsXjCc0zNaxiWVME/Ya8gchjGE0EWA=,iv:3KBanBiSWpKs7Kyn26eedVUM5EMjlUA4+wvxiPWVeJ8=,tag:ARBsXlCYlAxN8IUrVDwnPg==,type:str]
+    pgp:
+        - created_at: "2023-02-14T15:37:11Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dr9flwPWa1q8SAQdAhA3eEV9YzTu8XpBdPm7wk/5mdxlS1I9NBVcAb3lFNBIw
+            Oexdn/amZmWG4o9GXfuoDWeqIm3BjqtjW1RKPoguMIyD9raXFRe6uefSrwSpm9KY
+            0l4BZ01mANMQGeZ/UeIovGkHQb7xgYhAeyB7JxUzkwX5J+ztdIkBmcs/WiwJ7ZFn
+            66IdyzySGFUiEVKT1x4oFS/YhHO5BbinK6uvLrvzA28ee2f9xEkPvItYeVIG5zLu
+            =MgEm
+            -----END PGP MESSAGE-----
+          fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
+        - created_at: "2023-02-14T15:37:11Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6dglSRk+MTDAQ/+J2yQQ8uEyC2fzQKRJC+4TUXbD1vMryNaY/pl4xkfurjT
+            PEMcQqRj7tx//kpqTgYCYJaCdqolGJJhcWBWEZKbpQApnz6zq6CjCYhB5iNFXu1+
+            ORyinu6m4P3r5BgstjhFQh6P9ruM7PzRQEm6DYZh788IrTFUq4v4YUJ4b4mEttrN
+            QfBF05EoDVlOeP31ErfAQqVU/7ErByt0CF2OSMDwwc76QFbYIozaLLvrY6zkeudn
+            po2ZI1mgjHxvDogJ6zT0sNcUrSgSsUuw3+EAItjgI7MdlCGxJxPZDmSOI3rDt7Hz
+            QaqdeIxR4dW3yulk13FrhYfhmRzJZJwcHHcGEqoP5RcPydNJkwlgs0WK7Ty62vhC
+            3UkWUC9gtPntipdQc6/JLFbzjowij5G+vz0YEY/icUuQ0Y6cwqlAjKjv04jVjLxX
+            wa1xPTm930XyjhQEgB643FKmpWakRnK3dDC4XH+P6CrqybFqWJ1WtOQh3pR2IE0A
+            0Ww+suqpeweQ05vQD5njlzhy/i2sgSXYm/hwOnhoSAir1L+3ZBQanHwmah0SyBKQ
+            AUlznGxNU0iXEaNjO4TsRteK35CPxNFZMrFrxFbpqQX0GolXIpjMwxRdVrA2kVmo
+            sxxB5vfoIbBfJZThfq8iNugu9omwAvHF2lESwdcN5ZAAXvtXn0vJSsYWL6nD+hDS
+            WAHt7zY9VZvgRxmQafjp5dLdJz7E08Q/tTCmiB/Sc2Rov2Euf/J3aXUzobLBHVwJ
+            /2TIDjJOhuIRKkQp+C0vqCBnCb4oFEAYkOUSzy8JqLbNamW+cb/3zsk=
+            =eQJv
+            -----END PGP MESSAGE-----
+          fp: 2994421e08233114879a5e49a760952464f8c4c3
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
-- 
cgit 1.4.1