1f9c2669a2
sops: - devShell provides ssh-to-age and sets SOPS_AGE_KEY_FILE to $REPO/.sops-age-key.txt (gitignored, generated locally). - .sops.yaml lists laptop + watcher recipients. The watcher recipient is derived from /etc/ssh/ssh_host_ed25519_key.pub via ssh-to-age, so the watcher decrypts using its SSH host key as the age identity at boot. - hosts/watcher/secrets.yaml holds an `example` placeholder; sops-install- secrets surfaces it at /run/secrets/example (root-only). Forgejo: - modules/forgejo.nix enables services.forgejo (sqlite + daily tar.gz dump), built-in SSH server on :2222, HTTP on 127.0.0.1:3000. - modules/website.nix adds the git.tyrolize.ch vhost reverse-proxying to localhost. Caddy gets a Let's Encrypt cert automatically. - terraform/infomaniak/watcher.tf opens :2222 v4+v6 in the security group. - Admin user `tyro` (role admin) created out-of-band via the gitea CLI. Both services live on the watcher. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
76 lines
2.2 KiB
Nix
76 lines
2.2 KiB
Nix
{ config, lib, pkgs, ... }: {
|
|
imports = [
|
|
../../modules/website.nix
|
|
../../modules/forgejo.nix
|
|
];
|
|
|
|
# sops-nix: encrypted secrets in ./secrets.yaml, decrypted at boot using
|
|
# the watcher's SSH host key as the age identity. Plaintext lands in
|
|
# /run/secrets/<name>, readable only by root by default. Edit with
|
|
# `sops hosts/watcher/secrets.yaml` from inside `nix develop`.
|
|
sops = {
|
|
defaultSopsFile = ./secrets.yaml;
|
|
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
secrets.example = { }; # placeholder to confirm the pipeline works
|
|
};
|
|
|
|
# Boot, disk layout, and cloud-init are provided by:
|
|
# - openstack-config.nix (for nixos-rebuild on the live box), or
|
|
# - openstack-image.nix (when building the QCOW2 image)
|
|
# Both are wired in flake.nix.
|
|
|
|
system.stateVersion = "25.05";
|
|
|
|
networking.hostName = "watcher";
|
|
networking.firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [ 22 ]; # services like 80/443 added as they come online
|
|
};
|
|
|
|
time.timeZone = "Europe/Zurich";
|
|
i18n.defaultLocale = "en_US.UTF-8";
|
|
|
|
users.mutableUsers = false;
|
|
users.users.tyro = {
|
|
isNormalUser = true;
|
|
extraGroups = [ "wheel" ];
|
|
openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHC7oEcIquy/HWSHjA9N62FVKA6js4aOWu9q41Qp3nNj tyrolize@nixos"
|
|
];
|
|
};
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
KbdInteractiveAuthentication = false;
|
|
# openstack-config.nix defaults this to "prohibit-password" so cloud-init can
|
|
# inject the OpenStack keypair into root. We don't need it: the same key is
|
|
# already in users.users.tyro via the flake. Hard-disable root SSH.
|
|
PermitRootLogin = lib.mkForce "no";
|
|
};
|
|
};
|
|
|
|
security.sudo.wheelNeedsPassword = false;
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
vim
|
|
git
|
|
htop
|
|
tmux
|
|
curl
|
|
wget
|
|
];
|
|
|
|
nix.settings = {
|
|
experimental-features = [ "nix-command" "flakes" ];
|
|
# Allow the tyro user to push pre-built closures from the laptop via
|
|
# `nixos-rebuild --target-host` without re-signing every store path.
|
|
trusted-users = [ "root" "@wheel" ];
|
|
};
|
|
nix.gc = {
|
|
automatic = true;
|
|
dates = "weekly";
|
|
options = "--delete-older-than 14d";
|
|
};
|
|
}
|