rrvsh/pantheon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(sops): changed config around and centralised systems

Browse source
This commit is contained in:
Mohammad Rafiq 2025-03-26 22:00:57 +08:00
parent a5701f22d5
commit 48ce4ce44f
No known key found for this signature in database
11 changed files with 113 additions and 194 deletions
Download patch file Download diff file Expand all files Collapse all files

8
.sops.yaml
View file

@ -1,9 +1,9 @@
keys: keys:
- &rafiq-nemesis-pub age15k23tac497yn9hnwvral66nd5hqtkengeck0fwlcdzm7gtqznafqxacsr3 - &rafiq age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
- &rafiq-mellinoe-pub age1pgndhqw5exspuxzacmlzxhtdrxgcw3md6m4lmhmhzmmrq8e95spqextns2 - &nemesis age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh
creation_rules: creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups: key_groups:
- age: - age:
- *rafiq-nemesis-pub - *rafiq
- *rafiq-mellinoe-pub - *nemesis

35
secrets/secrets.yaml
View file

@ -1,35 +1,30 @@
hashed_password_rafiq: ENC[AES256_GCM,data:mdlOGpXDDm7HZQU9gi7+IL/UQxDgjD76LO3LYR1zQPNq6JFBHkNrPDZ0cUedHfkFwxXmr5VSdVfNSqSArq4v7bNuD8FfW/K43w==,iv:4FPbEWDc1XIeFqYPaK07zDwQqgGSrVTGRAcaIYzXQsg=,tag:MRN+0a0uELXBSyx9RDQA7A==,type:str] password: ENC[AES256_GCM,data:pbNp9qB92UiLv8S18L1Wr+wbiGahxyNbAsvhrJtZTJfQ9H2yyTH6QgfJNUN/hr/wTJFyEKg7E6c7XXh/a0hU4BhJ8QKIUPbHDw==,iv:0bEUOsXQ1tRPa9wfLGNEF4MeCBzvCMaRCbYWRRab6SY=,tag:EiWFVzxxHcQWtBkCL8cSYw==,type:str]
rafiq-nemesis: ENC[AES256_GCM,data:W+739P+Q2PR3pFNXITIB1p2skE6woBweR92s+dCDBY2qovhI1HkP2eEKIAjkd4XT+re0HEA/LDOgxBEx4YB9GOHY/rgf7HI/8/MzevaU1UGSXTXAlDhRDj7GP7XV3BfmxOsAPgrDeca7rN7QHto9EXJiZRril9KIlFQhrHEljXvQQ0Hu1gAVdQoRuMjxk7KFlJ7FPUVq862Dgtwow5M2Lg69sMJdE/aW8uW//nkmvvLEpd7aen2LaDTxydiPHebLCEHEIG/0muexnxhqtuy0Emx0OISZwbL6G5IG2Oa65TvDg3ZKSvnlLpOvqYa1alAmscdkzw5xGIoVjDW+DIb67NrmB9MBeVF+g70g/TGBURCNU3ZysvpNueU5OAEExi3t6S32qzQFn0iAJXwuGnnZhsJMCU5wmGt/6PeYOt5wR7J8GtseK8jxs0/0FMtDGniR9lQwsp7WNFiB+OJHXrDm2/iG0GioUOWKayrpFp4yiGUXxAaETal7q1bFWsv/eYtWoz9QsToR9HE=,iv:IhnHuLY3oxtImw6DzJIbTb/Xrj6yablexVD29wZgRis=,tag:TT6xfdCL4vxx/Q5NsL3BUA==,type:str]
rafiq-mellinoe: ENC[AES256_GCM,data:1Ouj3GcmYfWsMmaQ1eDnbLuKk0BH2ec8yqYdA9kmKVIAX66IFnk9yMJd/2ECF7lAqx+Uqvul+f8xuNfXINTVgUQ1jQIT8FFbWzsAc6aJZbzWG79cdM90uQyJXOY/zVkDsYiL9UcVzIf26hjZqjarouyPhq7qtokatS1QgVFzDjQjhKOGyiaBVNElgFCdzXtzb3on6v381R3pCGePCjwBjEBuNTzXrqGgHs9FHjvga9z0Vry4bUKsZQvs/Vxa8QSX7+5jslEFk0bUmypBmg+Qv/89FbYHgMmfR2D26kZhVzxlXA4F7ZJvxeYbcOJw3r55SsQGwgB3Te08jG6rK8JFb7JahJ0qBm73ZJkH8y0bEXgNj9JwdNIoX4RnHy5ihgnmwK7GICD9jk6gXbzcbcohi6+ZcreCDKEhnYU9Y3mh8CwqwS+IafDTKFrHrJibikVTlPG7jcclaTWQiAvDjDHvHUnr360QmhFfUs8xGu7f+7aKYcAH6jSOLzPWCPQfp/w8ETq+bTd8DkulSGjmGRghJCxXOTk=,iv:hO2wQHi+hTqmM0c1UbJMqx1z/77G1rQ1R/R7GkI/yBU=,tag:NatoghXfI5/BHejnciFv4w==,type:str]
cargo_api_key: ENC[AES256_GCM,data:kZ2ic/3Ig2x1s4LJITanu1WsQ1MnQCC9Z6+kTzrHXmM+iBE=,iv:7wy6F5v1A1/N+ZorQat0lswDy+dgwdg/jlfYYIv8cWc=,tag:bfr/DVnFCUSWtXKlMkqZHg==,type:str]
cwp_jira_access_key: ENC[AES256_GCM,data:iGH1xqToAM72n8sZbTsrgL5azgRGWiwq4g7YSJcyhscZLAOW10nX9PHrQ9w=,iv:xR9zqg8vE2O7VuWvYYJSC9F3w2M1VY4JiD+4yxJA+4Q=,tag:DxhqjH/CjsJgZ/8d2Z/Ltg==,type:str]
cwp_jira_link: ENC[AES256_GCM,data:7sNEkUd1AoUA8H1pWtiB24/cJP7cC98Uk1XDrfnf17jv,iv:QlsCBybTegL4lokNhD5vRyoxQJVVskZ52gQJZWoz974=,tag:0oAYSqNvyF6qqZw4gF0Jgg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age15k23tac497yn9hnwvral66nd5hqtkengeck0fwlcdzm7gtqznafqxacsr3 - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVUktxTTd0RXo5TnNLSjZI YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaU5aQjB5aWlsSXBNOElh
YUkzMU5Gdml6d3ZNRjYrNlhWT0dOL0pOU1JrClg0Z0NNcGgvbHVORjFPcDFqVysy QTZqRnkxSVFibWRReFExTngrck5ZR2JRSHc0CmlFVUpMcXZUYitncFNqU016eU8r
RkQ4T09oOTdlcS9pbkJXTXBVR3ltaDQKLS0tIEw3SWRrVFdxbzROd3FMdjFuazBj UUhIQVR1OHNNajh1WGpaTG1aUFdzakEKLS0tIEk2MUhBVkUxNXRjbnVrb3pPdjlU
Y0pGUUJoWjFnaVhOeVRRdlErdHpWVjQKoVPKzPAGIA6qSqst4uPz1ol+srsBauIP K1l0QlZ6RDBQZlY0VUtXZXRpekNTelUKoDd6bqX2RNYUNKYBaferXO/FIRSTVXpn
ALfmuMtp1CfhKlsRH8qLZNFwJw/P9ZoQANz/oKvnG52EE+6Iak8rew== JrTPgC+e/f0XMIMcQCiSDmoiuGzEwChboyFAX0JQ7oBSfcGCDd6BEw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1pgndhqw5exspuxzacmlzxhtdrxgcw3md6m4lmhmhzmmrq8e95spqextns2 - recipient: age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTU16Z2FvR1Y1TU5vMDZ1 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSGxoM3pPbEU5Ym1mSG1u
dHorN0RSMy9aaVBoVm9HRnk1UUJPWTlQdURVCjVXaGZXekVidFdTVDk1WVI2S0hE Wi9laFlnUHNqVnFWOUt1cmUrbHNqQ1ZqMGlJCkNLcXUrTXBKbVlmL1NxbWNiR3Z2
R1F1cnhYZTROVll5bUNUNUhZb2IrYkkKLS0tIGNwMnlwcE5Tb1k0S0sxclJ6WUw5 ejBGOERrYWZvNi9kUlloTlRkY1dyL3MKLS0tIHVWcmxmN2grMjhkMmZVM3ZQTW9z
dGZmTEN0NWlnVExHczNYdHphbUJRaFEKEWtxkXbzZheNzX4tMirXa5mGrctwIdhv WEhyYk45Tkw4UGtvVjBtNUxBelAvTDAKS4vDgFOagPMcL9n7nuzyuRuMxRSM6zZ7
7T1dBHn2h3B5FUHe5RVgQpEJvQD6ed2AIeY6XSAkt7ofhUzHzMNGow== v7ktd9UmHo/UledQNXrJVi8UWNGX0h7xV163CUNKDqJcwVYrVnQCyA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-24T19:58:38Z" lastmodified: "2025-03-26T13:53:07Z"
mac: ENC[AES256_GCM,data:5gGR1ikHTkAfcZarOpuus9jDgarFPbGEecs5rJUM6EcvKUsdk+x00iCiT7TNyAusf7qCQ85Lrl+EVb1XJ6qq7qOe+q+uIukKbs4mIftiz1w1dsQlFeo5QBjsLI8+7cCik92gAF6bBKzf+P1nZ0h9gMCbiVUiBEGkubRiEdwDnWg=,iv:gEflEBaZ/JgFuJCflaS4PbBC2/eWKSPDktk4Q4hicKA=,tag:+fuM6FhldSETQ/Cs9ANsow==,type:str] mac: ENC[AES256_GCM,data:kO8aTBApujS8ew7vPJlnfMEs6g73liZJ0OCjIVT+dalaAEIS6VM/uLiuVvMi2fL0gWZtsW46UbXrOoiUrMNXrC7Z5RZOhyLwpqE8B3PU5u1BLkBnLub+/391V+PSUjV0YohRGdvKt2Gmpy/c7bG13ltYk9FBP1yXuXwb3pDO4aw=,iv:cldmB2N/u90JVnyXoOW3zAdx+t9eLAdDqPqvxIycQD4=,tag:aXQ+FF2cg435nxPNvkb+7g==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4

114
systems/modules/common.nix
View file

@ -1,80 +1,94 @@
{ {
inputs, inputs,
pkgs,
config, config,
... ...
}: }:
{ {
imports = [ imports = [
./networking.nix ./programs/tailscale.nix
./shell.nix ./programs/zsh.nix
./stylix.nix
./sops.nix
./pipewire.nix
inputs.nix-index-database.nixosModules.nix-index inputs.nix-index-database.nixosModules.nix-index
inputs.sops-nix.nixosModules.sops
]; ];
users.mutableUsers = false; # Always reset users on system activation users.mutableUsers = false; # Always reset users on system activation
users.users.rafiq = { users.users.rafiq = {
isNormalUser = true; isNormalUser = true;
description = "rafiq"; description = "rafiq";
hashedPasswordFile = config.sops.secrets.hashed_password_rafiq.path; hashedPasswordFile = config.sops.secrets.password.path;
extraGroups = [ extraGroups = [
"networkmanager" "networkmanager"
"wheel" "wheel"
]; ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv8HqazE294YdyGaXK6q2EniDlTpGaUL071kk9+W0GJ rafiq@nemesis" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n rafiq"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbZfOYt6zydLyO4f9JAsxb1i6kHAjYzqa0SOqef6MKM rafiq@orpheus"
]; ];
}; };
environment = {
sessionVariables = {
CWP_JIRA_ACCESS_KEY_FILE = config.sops.secrets.cwp_jira_access_key.path;
CWP_JIRA_LINK_FILE = config.sops.secrets.cwp_jira_link.path;
};
systemPackages = with pkgs; [
git
];
};
security.sudo.wheelNeedsPassword = false;
# Enable basic fonts for reasonable Unicode coverage
fonts.enableDefaultPackages = true;
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = [ nix = {
"nix-command" settings.experimental-features = [
"flakes" "nix-command"
]; "flakes"
nix.settings.trusted-users = [ "pipe-operators"
"root" ];
"@wheel"
]; # Add binary caches to avoid having to compile them
settings = {
substituters = [
"https://hyprland.cachix.org"
"https://cuda-maintainers.cachix.org"
"https://nix-community.cachix.org"
"https://nvf.cachix.org"
"https://yazi.cachix.org"
];
trusted-public-keys = [
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nvf.cachix.org-1:GMQWiUhZ6ux9D5CvFFMwnc2nFrUHTeGaXRlVBXo+naI="
"yazi.cachix.org-1:Dcdz63NZKfvUCbDGngQDAZq6kOroIrFoyO064uvLh8k="
];
};
};
time.timeZone = "Asia/Singapore"; time.timeZone = "Asia/Singapore";
i18n.defaultLocale = "en_SG.UTF-8"; i18n.defaultLocale = "en_SG.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "en_SG.UTF-8";
LC_IDENTIFICATION = "en_SG.UTF-8";
LC_MEASUREMENT = "en_SG.UTF-8";
LC_MONETARY = "en_SG.UTF-8";
LC_NAME = "en_SG.UTF-8";
LC_NUMERIC = "en_SG.UTF-8";
LC_PAPER = "en_SG.UTF-8";
LC_TELEPHONE = "en_SG.UTF-8";
LC_TIME = "en_SG.UTF-8";
};
nix.gc = {
automatic = true;
dates = "daily";
options = "-d";
};
programs.nix-index-database.comma.enable = true; programs.nix-index-database.comma.enable = true;
networking = {
networkmanager.enable = true;
networkmanager.wifi.backend = "iwd";
# Configures a simple stateful firewall.
# By default, it doesn't allow any incoming connections.
firewall = {
enable = true;
allowedTCPPorts = [
22 # SSH
];
allowedUDPPorts = [ ];
};
interfaces.enp12s0.wakeOnLan.policy = [
"phy"
"unicast"
"multicast"
"broadcast"
"arp"
"magic"
"secureon"
];
interfaces.enp12s0.wakeOnLan.enable = true;
};
services.openssh.enable = true;
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets.password.neededForUsers = true;
};
} }

29
systems/modules/desktop.nix
View file

@ -1,7 +1,34 @@
{ inputs, ... }:
{ {
imports = [ imports = [
../../themes/cursors/banana-cursor.nix
../../themes/darkviolet.nix
../../themes/fonts/sauce-code-pro.nix
./programs/getty.nix
./programs/hyprland.nix ./programs/hyprland.nix
./programs/hyprlock.nix ./programs/hyprlock.nix
./programs/getty.nix inputs.stylix.nixosModules.stylix
]; ];
# Enable basic fonts for reasonable Unicode coverage
fonts.enableDefaultPackages = true;
stylix = {
enable = true;
image = ../../media/wallpaper.jpg;
homeManagerIntegration.autoImport = false;
homeManagerIntegration.followSystem = false;
};
security.rtkit.enable = true;
services.pipewire = {
enable = true;
extraConfig = { };
jack.enable = true;
pulse.enable = true;
alsa = {
enable = true;
support32Bit = true;
};
};
} }

55
systems/modules/networking.nix
View file

@ -1,55 +0,0 @@
#
# Common networking settings for all machines.
# Anything system-specific should not be here.
#
{
imports = [
./programs/tailscale.nix
];
networking = {
networkmanager.enable = true;
networkmanager.wifi.backend = "iwd";
# Configures a simple stateful firewall.
# By default, it doesn't allow any incoming connections.
firewall = {
enable = true;
allowedTCPPorts = [
22 # SSH
];
allowedUDPPorts = [ ];
};
interfaces.enp12s0.wakeOnLan.policy = [
"phy"
"unicast"
"multicast"
"broadcast"
"arp"
"magic"
"secureon"
];
interfaces.enp12s0.wakeOnLan.enable = true;
};
# Add binary caches to avoid having to compile them
nix.settings = {
substituters = [
"https://hyprland.cachix.org"
"https://cuda-maintainers.cachix.org"
"https://nix-community.cachix.org"
"https://nvf.cachix.org"
"https://yazi.cachix.org"
];
trusted-public-keys = [
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nvf.cachix.org-1:GMQWiUhZ6ux9D5CvFFMwnc2nFrUHTeGaXRlVBXo+naI="
"yazi.cachix.org-1:Dcdz63NZKfvUCbDGngQDAZq6kOroIrFoyO064uvLh8k="
];
};
services.openssh.enable = true;
}

13
systems/modules/pipewire.nix
View file

@ -1,13 +0,0 @@
{
security.rtkit.enable = true;
services.pipewire = {
enable = true;
extraConfig = { };
jack.enable = true;
pulse.enable = true;
alsa = {
enable = true;
support32Bit = true;
};
};
}

5
systems/modules/shell.nix
View file

@ -1,5 +0,0 @@
{
imports = [
./programs/zsh.nix
];
}

23
systems/modules/sops.nix
View file

@ -1,23 +0,0 @@
{ inputs, config, ... }:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
age.sshKeyPaths = [
"/home/rafiq/.ssh/id_ed25519"
"/home/rafiq/.ssh/rafiq-master"
];
secrets = {
hashed_password_rafiq = {
neededForUsers = true;
};
cwp_jira_access_key = { };
cwp_jira_link = { };
cargo_api_key = {
mode = "0440";
owner = config.users.users.rafiq.name;
group = config.users.users.rafiq.group;
};
};
};
}

15
systems/modules/stylix.nix
View file

@ -1,15 +0,0 @@
{ inputs, pkgs, ... }:
{
imports = [
inputs.stylix.nixosModules.stylix
../../themes/darkviolet.nix
../../themes/fonts/sauce-code-pro.nix
../../themes/cursors/banana-cursor.nix
];
stylix = {
enable = true;
image = ../../media/wallpaper.jpg;
homeManagerIntegration.autoImport = false;
homeManagerIntegration.followSystem = false;
};
}

8
systems/nemesis.nix
View file

@ -1,4 +1,5 @@
{pkgs, ...}: { { pkgs, ... }:
{
imports = [ imports = [
./hw-nemesis.nix ./hw-nemesis.nix
./modules/common.nix ./modules/common.nix
@ -10,10 +11,5 @@
networking.hostName = "nemesis"; networking.hostName = "nemesis";
system.stateVersion = "24.11"; system.stateVersion = "24.11";
boot.binfmt.emulatedSystems = ["wasm32-wasi" "x86_64-windows" "aarch64-linux"];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelModules = ["dm_crypt"];
boot.plymouth = {
enable = true;
};
} }

2
users/modules/programs/zsh.nix
View file

@ -17,8 +17,6 @@
'' ''
# Bind CTRL+Backspace to delete whole word # Bind CTRL+Backspace to delete whole word
bindkey '^H' backward-kill-word bindkey '^H' backward-kill-word
# Set Cargo Registry Token
export CARGO_REGISTRY_TOKEN="$(cat ${osConfig.sops.secrets.cargo_api_key.path})"
export SYSTEM_TYPE="${type}" export SYSTEM_TYPE="${type}"
''; '';
# TODO: Look into whether we need to add the history attribute # TODO: Look into whether we need to add the history attribute