rrvsh/pantheon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(sops): changed config around and centralised systems

Browse source
This commit is contained in:
Mohammad Rafiq 2025-03-26 22:00:57 +08:00
parent a5701f22d5
commit 48ce4ce44f
No known key found for this signature in database
11 changed files with 113 additions and 194 deletions
Download patch file Download diff file Expand all files Collapse all files

8
.sops.yaml
View file

@ -1,9 +1,9 @@
keys:
- &rafiq-nemesis-pub age15k23tac497yn9hnwvral66nd5hqtkengeck0fwlcdzm7gtqznafqxacsr3
- &rafiq-mellinoe-pub age1pgndhqw5exspuxzacmlzxhtdrxgcw3md6m4lmhmhzmmrq8e95spqextns2
- &rafiq age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
- &nemesis age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *rafiq-nemesis-pub
- *rafiq-mellinoe-pub
- *rafiq
- *nemesis

35
secrets/secrets.yaml
View file

@ -1,35 +1,30 @@
hashed_password_rafiq: ENC[AES256_GCM,data:mdlOGpXDDm7HZQU9gi7+IL/UQxDgjD76LO3LYR1zQPNq6JFBHkNrPDZ0cUedHfkFwxXmr5VSdVfNSqSArq4v7bNuD8FfW/K43w==,iv:4FPbEWDc1XIeFqYPaK07zDwQqgGSrVTGRAcaIYzXQsg=,tag:MRN+0a0uELXBSyx9RDQA7A==,type:str]
rafiq-nemesis: ENC[AES256_GCM,data:W+739P+Q2PR3pFNXITIB1p2skE6woBweR92s+dCDBY2qovhI1HkP2eEKIAjkd4XT+re0HEA/LDOgxBEx4YB9GOHY/rgf7HI/8/MzevaU1UGSXTXAlDhRDj7GP7XV3BfmxOsAPgrDeca7rN7QHto9EXJiZRril9KIlFQhrHEljXvQQ0Hu1gAVdQoRuMjxk7KFlJ7FPUVq862Dgtwow5M2Lg69sMJdE/aW8uW//nkmvvLEpd7aen2LaDTxydiPHebLCEHEIG/0muexnxhqtuy0Emx0OISZwbL6G5IG2Oa65TvDg3ZKSvnlLpOvqYa1alAmscdkzw5xGIoVjDW+DIb67NrmB9MBeVF+g70g/TGBURCNU3ZysvpNueU5OAEExi3t6S32qzQFn0iAJXwuGnnZhsJMCU5wmGt/6PeYOt5wR7J8GtseK8jxs0/0FMtDGniR9lQwsp7WNFiB+OJHXrDm2/iG0GioUOWKayrpFp4yiGUXxAaETal7q1bFWsv/eYtWoz9QsToR9HE=,iv:IhnHuLY3oxtImw6DzJIbTb/Xrj6yablexVD29wZgRis=,tag:TT6xfdCL4vxx/Q5NsL3BUA==,type:str]
rafiq-mellinoe: ENC[AES256_GCM,data:1Ouj3GcmYfWsMmaQ1eDnbLuKk0BH2ec8yqYdA9kmKVIAX66IFnk9yMJd/2ECF7lAqx+Uqvul+f8xuNfXINTVgUQ1jQIT8FFbWzsAc6aJZbzWG79cdM90uQyJXOY/zVkDsYiL9UcVzIf26hjZqjarouyPhq7qtokatS1QgVFzDjQjhKOGyiaBVNElgFCdzXtzb3on6v381R3pCGePCjwBjEBuNTzXrqGgHs9FHjvga9z0Vry4bUKsZQvs/Vxa8QSX7+5jslEFk0bUmypBmg+Qv/89FbYHgMmfR2D26kZhVzxlXA4F7ZJvxeYbcOJw3r55SsQGwgB3Te08jG6rK8JFb7JahJ0qBm73ZJkH8y0bEXgNj9JwdNIoX4RnHy5ihgnmwK7GICD9jk6gXbzcbcohi6+ZcreCDKEhnYU9Y3mh8CwqwS+IafDTKFrHrJibikVTlPG7jcclaTWQiAvDjDHvHUnr360QmhFfUs8xGu7f+7aKYcAH6jSOLzPWCPQfp/w8ETq+bTd8DkulSGjmGRghJCxXOTk=,iv:hO2wQHi+hTqmM0c1UbJMqx1z/77G1rQ1R/R7GkI/yBU=,tag:NatoghXfI5/BHejnciFv4w==,type:str]
cargo_api_key: ENC[AES256_GCM,data:kZ2ic/3Ig2x1s4LJITanu1WsQ1MnQCC9Z6+kTzrHXmM+iBE=,iv:7wy6F5v1A1/N+ZorQat0lswDy+dgwdg/jlfYYIv8cWc=,tag:bfr/DVnFCUSWtXKlMkqZHg==,type:str]
cwp_jira_access_key: ENC[AES256_GCM,data:iGH1xqToAM72n8sZbTsrgL5azgRGWiwq4g7YSJcyhscZLAOW10nX9PHrQ9w=,iv:xR9zqg8vE2O7VuWvYYJSC9F3w2M1VY4JiD+4yxJA+4Q=,tag:DxhqjH/CjsJgZ/8d2Z/Ltg==,type:str]
cwp_jira_link: ENC[AES256_GCM,data:7sNEkUd1AoUA8H1pWtiB24/cJP7cC98Uk1XDrfnf17jv,iv:QlsCBybTegL4lokNhD5vRyoxQJVVskZ52gQJZWoz974=,tag:0oAYSqNvyF6qqZw4gF0Jgg==,type:str]
password: ENC[AES256_GCM,data:pbNp9qB92UiLv8S18L1Wr+wbiGahxyNbAsvhrJtZTJfQ9H2yyTH6QgfJNUN/hr/wTJFyEKg7E6c7XXh/a0hU4BhJ8QKIUPbHDw==,iv:0bEUOsXQ1tRPa9wfLGNEF4MeCBzvCMaRCbYWRRab6SY=,tag:EiWFVzxxHcQWtBkCL8cSYw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age15k23tac497yn9hnwvral66nd5hqtkengeck0fwlcdzm7gtqznafqxacsr3
- recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVUktxTTd0RXo5TnNLSjZI
YUkzMU5Gdml6d3ZNRjYrNlhWT0dOL0pOU1JrClg0Z0NNcGgvbHVORjFPcDFqVysy
RkQ4T09oOTdlcS9pbkJXTXBVR3ltaDQKLS0tIEw3SWRrVFdxbzROd3FMdjFuazBj
Y0pGUUJoWjFnaVhOeVRRdlErdHpWVjQKoVPKzPAGIA6qSqst4uPz1ol+srsBauIP
ALfmuMtp1CfhKlsRH8qLZNFwJw/P9ZoQANz/oKvnG52EE+6Iak8rew==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaU5aQjB5aWlsSXBNOElh
QTZqRnkxSVFibWRReFExTngrck5ZR2JRSHc0CmlFVUpMcXZUYitncFNqU016eU8r
UUhIQVR1OHNNajh1WGpaTG1aUFdzakEKLS0tIEk2MUhBVkUxNXRjbnVrb3pPdjlU
K1l0QlZ6RDBQZlY0VUtXZXRpekNTelUKoDd6bqX2RNYUNKYBaferXO/FIRSTVXpn
JrTPgC+e/f0XMIMcQCiSDmoiuGzEwChboyFAX0JQ7oBSfcGCDd6BEw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pgndhqw5exspuxzacmlzxhtdrxgcw3md6m4lmhmhzmmrq8e95spqextns2
- recipient: age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTU16Z2FvR1Y1TU5vMDZ1
dHorN0RSMy9aaVBoVm9HRnk1UUJPWTlQdURVCjVXaGZXekVidFdTVDk1WVI2S0hE
R1F1cnhYZTROVll5bUNUNUhZb2IrYkkKLS0tIGNwMnlwcE5Tb1k0S0sxclJ6WUw5
dGZmTEN0NWlnVExHczNYdHphbUJRaFEKEWtxkXbzZheNzX4tMirXa5mGrctwIdhv
7T1dBHn2h3B5FUHe5RVgQpEJvQD6ed2AIeY6XSAkt7ofhUzHzMNGow==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSGxoM3pPbEU5Ym1mSG1u
Wi9laFlnUHNqVnFWOUt1cmUrbHNqQ1ZqMGlJCkNLcXUrTXBKbVlmL1NxbWNiR3Z2
ejBGOERrYWZvNi9kUlloTlRkY1dyL3MKLS0tIHVWcmxmN2grMjhkMmZVM3ZQTW9z
WEhyYk45Tkw4UGtvVjBtNUxBelAvTDAKS4vDgFOagPMcL9n7nuzyuRuMxRSM6zZ7
v7ktd9UmHo/UledQNXrJVi8UWNGX0h7xV163CUNKDqJcwVYrVnQCyA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-24T19:58:38Z"
mac: ENC[AES256_GCM,data:5gGR1ikHTkAfcZarOpuus9jDgarFPbGEecs5rJUM6EcvKUsdk+x00iCiT7TNyAusf7qCQ85Lrl+EVb1XJ6qq7qOe+q+uIukKbs4mIftiz1w1dsQlFeo5QBjsLI8+7cCik92gAF6bBKzf+P1nZ0h9gMCbiVUiBEGkubRiEdwDnWg=,iv:gEflEBaZ/JgFuJCflaS4PbBC2/eWKSPDktk4Q4hicKA=,tag:+fuM6FhldSETQ/Cs9ANsow==,type:str]
lastmodified: "2025-03-26T13:53:07Z"
mac: ENC[AES256_GCM,data:kO8aTBApujS8ew7vPJlnfMEs6g73liZJ0OCjIVT+dalaAEIS6VM/uLiuVvMi2fL0gWZtsW46UbXrOoiUrMNXrC7Z5RZOhyLwpqE8B3PU5u1BLkBnLub+/391V+PSUjV0YohRGdvKt2Gmpy/c7bG13ltYk9FBP1yXuXwb3pDO4aw=,iv:cldmB2N/u90JVnyXoOW3zAdx+t9eLAdDqPqvxIycQD4=,tag:aXQ+FF2cg435nxPNvkb+7g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

106
systems/modules/common.nix
View file

@ -1,80 +1,94 @@
{
inputs,
pkgs,
config,
...
}:
{
imports = [
./networking.nix
./shell.nix
./stylix.nix
./sops.nix
./pipewire.nix
./programs/tailscale.nix
./programs/zsh.nix
inputs.nix-index-database.nixosModules.nix-index
inputs.sops-nix.nixosModules.sops
];
users.mutableUsers = false; # Always reset users on system activation
users.users.rafiq = {
isNormalUser = true;
description = "rafiq";
hashedPasswordFile = config.sops.secrets.hashed_password_rafiq.path;
hashedPasswordFile = config.sops.secrets.password.path;
extraGroups = [
"networkmanager"
"wheel"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv8HqazE294YdyGaXK6q2EniDlTpGaUL071kk9+W0GJ rafiq@nemesis"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbZfOYt6zydLyO4f9JAsxb1i6kHAjYzqa0SOqef6MKM rafiq@orpheus"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n rafiq"
];
};
environment = {
sessionVariables = {
CWP_JIRA_ACCESS_KEY_FILE = config.sops.secrets.cwp_jira_access_key.path;
CWP_JIRA_LINK_FILE = config.sops.secrets.cwp_jira_link.path;
};
systemPackages = with pkgs; [
git
];
};
security.sudo.wheelNeedsPassword = false;
# Enable basic fonts for reasonable Unicode coverage
fonts.enableDefaultPackages = true;
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = [
nix = {
settings.experimental-features = [
"nix-command"
"flakes"
"pipe-operators"
];
nix.settings.trusted-users = [
"root"
"@wheel"
# Add binary caches to avoid having to compile them
settings = {
substituters = [
"https://hyprland.cachix.org"
"https://cuda-maintainers.cachix.org"
"https://nix-community.cachix.org"
"https://nvf.cachix.org"
"https://yazi.cachix.org"
];
trusted-public-keys = [
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nvf.cachix.org-1:GMQWiUhZ6ux9D5CvFFMwnc2nFrUHTeGaXRlVBXo+naI="
"yazi.cachix.org-1:Dcdz63NZKfvUCbDGngQDAZq6kOroIrFoyO064uvLh8k="
];
};
};
time.timeZone = "Asia/Singapore";
i18n.defaultLocale = "en_SG.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "en_SG.UTF-8";
LC_IDENTIFICATION = "en_SG.UTF-8";
LC_MEASUREMENT = "en_SG.UTF-8";
LC_MONETARY = "en_SG.UTF-8";
LC_NAME = "en_SG.UTF-8";
LC_NUMERIC = "en_SG.UTF-8";
LC_PAPER = "en_SG.UTF-8";
LC_TELEPHONE = "en_SG.UTF-8";
LC_TIME = "en_SG.UTF-8";
};
nix.gc = {
automatic = true;
dates = "daily";
options = "-d";
};
programs.nix-index-database.comma.enable = true;
networking = {
networkmanager.enable = true;
networkmanager.wifi.backend = "iwd";
# Configures a simple stateful firewall.
# By default, it doesn't allow any incoming connections.
firewall = {
enable = true;
allowedTCPPorts = [
22 # SSH
];
allowedUDPPorts = [ ];
};
interfaces.enp12s0.wakeOnLan.policy = [
"phy"
"unicast"
"multicast"
"broadcast"
"arp"
"magic"
"secureon"
];
interfaces.enp12s0.wakeOnLan.enable = true;
};
services.openssh.enable = true;
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets.password.neededForUsers = true;
};
}

29
systems/modules/desktop.nix
View file

@ -1,7 +1,34 @@
{ inputs, ... }:
{
imports = [
../../themes/cursors/banana-cursor.nix
../../themes/darkviolet.nix
../../themes/fonts/sauce-code-pro.nix
./programs/getty.nix
./programs/hyprland.nix
./programs/hyprlock.nix
./programs/getty.nix
inputs.stylix.nixosModules.stylix
];
# Enable basic fonts for reasonable Unicode coverage
fonts.enableDefaultPackages = true;
stylix = {
enable = true;
image = ../../media/wallpaper.jpg;
homeManagerIntegration.autoImport = false;
homeManagerIntegration.followSystem = false;
};
security.rtkit.enable = true;
services.pipewire = {
enable = true;
extraConfig = { };
jack.enable = true;
pulse.enable = true;
alsa = {
enable = true;
support32Bit = true;
};
};
}

55
systems/modules/networking.nix
View file

@ -1,55 +0,0 @@
#
# Common networking settings for all machines.
# Anything system-specific should not be here.
#
{
imports = [
./programs/tailscale.nix
];
networking = {
networkmanager.enable = true;
networkmanager.wifi.backend = "iwd";
# Configures a simple stateful firewall.
# By default, it doesn't allow any incoming connections.
firewall = {
enable = true;
allowedTCPPorts = [
22 # SSH
];
allowedUDPPorts = [ ];
};
interfaces.enp12s0.wakeOnLan.policy = [
"phy"
"unicast"
"multicast"
"broadcast"
"arp"
"magic"
"secureon"
];
interfaces.enp12s0.wakeOnLan.enable = true;
};
# Add binary caches to avoid having to compile them
nix.settings = {
substituters = [
"https://hyprland.cachix.org"
"https://cuda-maintainers.cachix.org"
"https://nix-community.cachix.org"
"https://nvf.cachix.org"
"https://yazi.cachix.org"
];
trusted-public-keys = [
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nvf.cachix.org-1:GMQWiUhZ6ux9D5CvFFMwnc2nFrUHTeGaXRlVBXo+naI="
"yazi.cachix.org-1:Dcdz63NZKfvUCbDGngQDAZq6kOroIrFoyO064uvLh8k="
];
};
services.openssh.enable = true;
}

13
systems/modules/pipewire.nix
View file

@ -1,13 +0,0 @@
{
security.rtkit.enable = true;
services.pipewire = {
enable = true;
extraConfig = { };
jack.enable = true;
pulse.enable = true;
alsa = {
enable = true;
support32Bit = true;
};
};
}

5
systems/modules/shell.nix
View file

@ -1,5 +0,0 @@
{
imports = [
./programs/zsh.nix
];
}

23
systems/modules/sops.nix
View file

@ -1,23 +0,0 @@
{ inputs, config, ... }:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
age.sshKeyPaths = [
"/home/rafiq/.ssh/id_ed25519"
"/home/rafiq/.ssh/rafiq-master"
];
secrets = {
hashed_password_rafiq = {
neededForUsers = true;
};
cwp_jira_access_key = { };
cwp_jira_link = { };
cargo_api_key = {
mode = "0440";
owner = config.users.users.rafiq.name;
group = config.users.users.rafiq.group;
};
};
};
}

15
systems/modules/stylix.nix
View file

@ -1,15 +0,0 @@
{ inputs, pkgs, ... }:
{
imports = [
inputs.stylix.nixosModules.stylix
../../themes/darkviolet.nix
../../themes/fonts/sauce-code-pro.nix
../../themes/cursors/banana-cursor.nix
];
stylix = {
enable = true;
image = ../../media/wallpaper.jpg;
homeManagerIntegration.autoImport = false;
homeManagerIntegration.followSystem = false;
};
}

8
systems/nemesis.nix
View file

@ -1,4 +1,5 @@
{pkgs, ...}: {
{ pkgs, ... }:
{
imports = [
./hw-nemesis.nix
./modules/common.nix
@ -10,10 +11,5 @@
networking.hostName = "nemesis";
system.stateVersion = "24.11";
boot.binfmt.emulatedSystems = ["wasm32-wasi" "x86_64-windows" "aarch64-linux"];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelModules = ["dm_crypt"];
boot.plymouth = {
enable = true;
};
}

2
users/modules/programs/zsh.nix
View file

@ -17,8 +17,6 @@
''
# Bind CTRL+Backspace to delete whole word
bindkey '^H' backward-kill-word
# Set Cargo Registry Token
export CARGO_REGISTRY_TOKEN="$(cat ${osConfig.sops.secrets.cargo_api_key.path})"
export SYSTEM_TYPE="${type}"
'';
# TODO: Look into whether we need to add the history attribute