From 643ecb1e14b3279c017ca60bf5b3a8782c26abb3 Mon Sep 17 00:00:00 2001 
From: Antoine Thouvenin Date: Sat, 6 Aug 2022 22:31:18 +0200 Subject: [PATCH] nixos: backend server --- .gitignore | 8 +++++ configs/synchro.sh | 8 ++--- flake.nix | 16 ++++++++- nixos/.sops.yaml | 17 ++++++++++ nixos/README.md | 10 ++++++ nixos/backend/backend.nix | 59 +++++++++++++++++++++++++++++++++ nixos/backend/db.nix | 24 ++++++++++++++ nixos/backend/fic-admin.nix | 40 ++++++++++++++++++++++ nixos/backend/fic-backend.nix | 26 +++++++++++++++ nixos/backend/fic-dashboard.nix | 28 ++++++++++++++++ nixos/backend/fic-evdist.nix | 21 ++++++++++++ nixos/backend/fic-synchro.nix | 39 ++++++++++++++++++++++ nixos/bios.nix | 6 ++++ nixos/config-var.nix | 8 +++++ nixos/configuration.nix | 13 ++++++++ nixos/efi.nix | 5 +++ nixos/flake.nix | 45 +++++++++++++++++++++++++ nixos/locale.nix | 9 +++++ nixos/network.nix | 40 ++++++++++++++++++++++ nixos/packages.nix | 14 ++++++++ nixos/registry.nix | 7 ++++ nixos/secrets/deimos.yml | 44 ++++++++++++++++++++++++ nixos/secrets/phobos.yml | 45 +++++++++++++++++++++++++ nixos/users.nix | 15 +++++++++ 24 files changed, 542 insertions(+), 5 deletions(-) mode change 100644 => 100755 configs/synchro.sh create mode 100644 nixos/.sops.yaml create mode 100644 nixos/README.md create mode 100644 nixos/backend/backend.nix create mode 100644 nixos/backend/db.nix create mode 100644 nixos/backend/fic-admin.nix create mode 100644 nixos/backend/fic-backend.nix create mode 100644 nixos/backend/fic-dashboard.nix create mode 100644 nixos/backend/fic-evdist.nix create mode 100644 nixos/backend/fic-synchro.nix create mode 100644 nixos/bios.nix create mode 100644 nixos/config-var.nix create mode 100644 nixos/configuration.nix create mode 100644 nixos/efi.nix create mode 100644 nixos/flake.nix create mode 100644 nixos/locale.nix create mode 100644 nixos/network.nix create mode 100644 nixos/packages.nix create mode 100644 nixos/registry.nix create mode 100644 nixos/secrets/deimos.yml create mode 100644 nixos/secrets/phobos.yml create mode 100644 
nixos/users.nix diff --git a/.gitignore b/.gitignore index e3798e7e..e80fe652 100644 --- a/.gitignore +++ b/.gitignore @@ -32,3 +32,11 @@ fickit-update-kernel fickit-update-squashfs.img result started + +# Standalone binaries +fic-admin +fic-backend +fic-dashboard +fic-frontend +fic-qa +fic-repochecker diff --git a/configs/synchro.sh b/configs/synchro.sh old mode 100644 new mode 100755 index b8dbab9d..7efb2d5c --- a/configs/synchro.sh +++ b/configs/synchro.sh @@ -4,19 +4,19 @@ # retrieves submissions BASEDIR="/srv" -FRONTEND_HOSTNAME="deimos" +FRONTEND_HOSTNAME="synchro@deimos" -SSH_OPTS="/usr/bin/ssh -p 22 -i ~/.ssh/id_ed25519 -o ControlMaster=auto -o ControlPath=/root/.ssh/%r@%h:%p -o ControlPersist=2 -o PasswordAuthentication=no -o StrictHostKeyChecking=no" +SSH_OPTS="ssh -p 22 -i ~/.ssh/id_ed25519 -o ControlMaster=auto -o ControlPath=/root/.ssh/%r@%h:%p -o ControlPersist=2 -o PasswordAuthentication=no -o StrictHostKeyChecking=no" cd "${BASEDIR}" touch /tmp/stop # Establish first ssh connection for controlpersist socket, to avoid delay during time synchronization -${SSH_OPTS} ls > /dev/null +${SSH_OPTS} ${FRONTEND_HOSTNAME} ls > /dev/null # Synchronize the date one time -${SSH_OPTS} date -s @"$(date +%s)" +${SSH_OPTS} ${FRONTEND_HOSTNAME} date -s @"$(date +%s)" # Synchronize static files in a separate loop (to avoid submissions delays during file synchronization) while ! [ -f SETTINGS/stop ] || [ /tmp/stop -nt SETTINGS/stop ] diff --git a/flake.nix b/flake.nix index 4726eecf..c6188405 100644 --- a/flake.nix +++ b/flake.nix @@ -13,7 +13,7 @@ # Generate a version based on date version = builtins.substring 0 12 self.lastModifiedDate; - vendorSha256 = "sha256-n271oFjC13gelSNV1bZdr/KH724ewoOF1NZ6U7il56I="; + vendorSha256 = "sha256-itCvN/Z8DkUUdtx6At+4DyeJK8PgFJ/5A3G03VT4I2k"; overrideModAttrs = _ : { name = "fic-./.-${version}-go-modules"; }; # System types to support. 
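Review bot: Pointing FRONTEND_HOSTNAME at `synchro@deimos` means the `${SSH_OPTS} ${FRONTEND_HOSTNAME} date -s @"$(date +%s)"` line now runs as an unprivileged user on deimos, which cannot set the system clock, so that step fails silently (nothing checks its status) unless `synchro` has been granted that capability out of band. The rewritten SSH_OPTS line also keeps `-o StrictHostKeyChecking=no`, so the channel that carries submissions accepts any host key for deimos; since the synchro container appears to bind-mount a host directory at `/etc/ssh`, deimos' key can be pinned there and the option replaced with `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ssh/ssh_known_hosts`. `-p 22` also has to match the port deimos' sshd really listens on, which the shared NixOS network module sets to 2222. The `while` loop that begins at the end of the hunk continues outside it.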
@@ -56,6 +56,20 @@ subPackages = [ "dashboard" ]; }; + fic-synchro = pkgs.writeShellApplication { + name = "synchro"; + runtimeInputs = [ pkgs.rsync pkgs.openssh pkgs.coreutils ]; + text = '' + ${(builtins.readFile ./configs/synchro.sh)} + ''; + }; + + fic-configs = pkgs.stdenv.mkDerivation { + name = "configs"; + src = ./.; + installPhase = "mkdir -p $out/; cp -r configs/ $out/"; + }; + fic-frontend = pkgs.buildGoModule { pname = "frontend"; inherit version vendorSha256 overrideModAttrs; diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml new file mode 100644 index 00000000..60d021e8 --- /dev/null +++ b/nixos/.sops.yaml @@ -0,0 +1,17 @@ +keys: + # Add key signature below + - &admin_antoine C8CEBB1753433CCCD2AF0638BD721F0A3BAE578C + + # Update this signature with phobos' + # Run the following line to get the fingerprint and the public key of Phobos + # ``` + # ssh root@phobos "cat /etc/ssh/ssh_host_rsa_key" | nix-shell -p ssh-to-pgp --run "ssh-to-pgp -o phobos.asc" + # ``` + # You have to import the key afterward using `gpg --import phobos.asc` + - &srv_phobos 9cb1fda8a56fa7ab852f666fc3592125321adf42 # replace this fingerprint with the new one `gpg --list-keys` +creation_rules: + - path: secrets/phobos.yaml + key_groups: + - pgp: + - *admin_antoine + - *srv_phobos diff --git a/nixos/README.md b/nixos/README.md new file mode 100644 index 00000000..4e755e3a --- /dev/null +++ b/nixos/README.md @@ -0,0 +1,10 @@ +# NixOS configuration + +## Building + +```bash +# For backend (Phobos) +nixos-rebuild switch --flake /path/to/flake.nix/directory/#phobos +# For frontend (Deimos) +nixos-rebuild switch --flake /path/to/flake.nix/directory/#deimos +``` diff --git a/nixos/backend/backend.nix b/nixos/backend/backend.nix new file mode 100644 index 00000000..07ab6ef9 --- /dev/null +++ b/nixos/backend/backend.nix 
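Review bot: Embedding `configs/synchro.sh` verbatim in `pkgs.writeShellApplication` changes its runtime semantics: the wrapper prepends `set -o errexit -o nounset -o pipefail` and, as far as I recall, runs shellcheck at its default severity, so the unquoted `${SSH_OPTS}` / `${FRONTEND_HOSTNAME}` expansions in the script (SC2086) make the derivation fail to build unless the script carries `# shellcheck disable` directives outside the shown hunk. With `errexit`, a failed `${SSH_OPTS} ${FRONTEND_HOSTNAME} ls` also aborts the whole synchronizer instead of continuing into the loop, which may or may not be intended. Either state the choice with `checkPhase = "";` on the derivation, or preferably fix the script to use an array, `ssh_opts=(-p 22 -i ~/.ssh/id_ed25519 …)` and `"${ssh_opts[@]}" "$FRONTEND_HOSTNAME" ls`, so it passes as written.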
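Review bot: The creation rule uses `path: secrets/phobos.yaml`, but sops matches rules with `path_regex` (a `path` key is, to my knowledge, ignored, turning this into a catch-all rule), and the file actually committed is `secrets/phobos.yml`, the name backend.nix points to; use `- path_regex: secrets/phobos\.yml$` and add a matching rule for `secrets/deimos.yml`, which has none. The admin fingerprint listed here (C8CEBB…578C) is not among the recipients the committed secrets were encrypted to (93A4B9…9824 and 9cb1fd…df42), so either this file or the secrets are stale — align them and run `sops updatekeys`. The documented recipe `ssh root@phobos "cat /etc/ssh/ssh_host_rsa_key" | … ssh-to-pgp` also copies the server's private host key onto the admin workstation; run `ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o phobos.asc` on phobos itself and transfer only the resulting public key.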
@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }:
+{
+ imports = [
+ ./db.nix
+ ./fic-admin.nix
+ ./fic-backend.nix
+ ./fic-dashboard.nix
+ ./fic-evdist.nix
+ ./fic-synchro.nix
+ ];
+
+ config.sops = {
+ defaultSopsFile = ../secrets/phobos.yml; # We are currently in /nix/store/...-source/backend/
+ secrets.phobos_ssh = { mode = "0400"; };
+ # You may need to manualy remove `/run/secrets` if modified
+ };
+
+ config.system.activationScripts = {
+ # Create /var/lib/fic/** directories
+ makeFicDirs = lib.stringAfter [ "var" ] ''
+ mkdir -p /var/lib/fic/dashboard;
+ mkdir -p /var/lib/fic/files;
+ mkdir -p /var/lib/fic/pki;
+ mkdir -p /var/lib/fic/raw_files;
+ mkdir -p /var/lib/fic/settings;
+ mkdir -p /var/lib/fic/settingsdist;
+ mkdir -p /var/lib/fic/ssh;
+ mkdir -p /var/lib/fic/submissions;
+ mkdir -p /var/lib/fic/sync;
+ mkdir -p /var/lib/fic/teams;
+ mkdir -p /var/log/frontend;
+ '';
+ # Create docker network
+ createDockerNetworkPhobos =
+ let
+ docker = config.virtualisation.oci-containers.backend;
+ dockerBin = "${pkgs.${docker}}/bin/${docker}";
+ in
+ ''
+ ${dockerBin} network inspect phobos-lan >/dev/null 2>&1 \
+ || ${dockerBin} network create phobos-lan --subnet 172.18.0.0/24
+ '';
+ };
+
+ config = {
+ networking.hostName = "phobos";
+
+ # This is needed to install fic related pkgs
+ nixpkgs.config.allowUnfree = true;
+
+ # To switch, remove `phobos-lan` from the networks before running nixos-rebuild
+ # ```
+ # ${dockerBin} network rm phobos-lan
+ # ```
+ virtualisation.docker.enable = true;
+ virtualisation.podman.enable = false;
+ virtualisation.oci-containers.backend = "docker";
+ };
+}
diff --git a/nixos/backend/db.nix b/nixos/backend/db.nix
new file mode 100644
index 00000000..135529f9
--- /dev/null
+++ b/nixos/backend/db.nix
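Review bot: `createDockerNetworkPhobos` is an activation script, and activation runs before systemd starts any unit on boot, so on a cold boot `docker network inspect`/`create` execute while dockerd is not running; the failure is only logged, the network is never created, and every `--network=phobos-lan` container then fails to start until someone re-runs `nixos-rebuild switch`. Create the network from a oneshot unit ordered after `docker.service` instead, and give each `docker-<name>.service` an `after = [ "phobos-lan-network.service" ]` so the containers wait for it. The `mode = "0400"` secret is owned by root by default, which matches the `/root/.ssh/id_ed25519` mount in fic-synchro.nix, so that part is fine.

```nix
# … unchanged: imports, config.sops, makeFicDirs …
config.systemd.services.phobos-lan-network =
  let
    docker = config.virtualisation.oci-containers.backend;
    dockerBin = "${pkgs.${docker}}/bin/${docker}";
  in
  {
    description = "Create the phobos-lan docker network";
    after = [ "docker.service" ];
    requires = [ "docker.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = { Type = "oneshot"; RemainAfterExit = true; };
    script = ''
      ${dockerBin} network inspect phobos-lan >/dev/null 2>&1 \
        || ${dockerBin} network create phobos-lan --subnet 172.18.0.0/24
    '';
  };
# … unchanged: config = { networking.hostName … } …
```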
@@ -0,0 +1,24 @@
+{ config, ... }:
+{
+ config.virtualisation.oci-containers.containers.mariadb = {
+ image = "mariadb:latest";
+ cmd = [
+ "/bin/bash"
+ "/usr/local/bin/docker-entrypoint.sh"
+ "mysqld"
+ ];
+ ports = [ "3306:3306" ];
+ extraOptions = [ "--network=phobos-lan" "--ip=172.18.0.42" ];
+ environment = {
+ MYSQL_DATABASE = "fic";
+ MYSQL_USER = "fic";
+ MYSQL_PASSWORD = "fic";
+ MYSQL_RANDOM_ROOT_PASSWORD = "yes";
+ };
+ volumes = [
+ "/etc/hosts:/etc/hosts:ro"
+ "/etc/mysql/conf.d:/etc/mysql/conf.d:ro"
+ "/var/lib/fic/mysql:/var/lib/mysql"
+ ];
+ };
+}
diff --git a/nixos/backend/fic-admin.nix b/nixos/backend/fic-admin.nix
new file mode 100644
index 00000000..2001945c
--- /dev/null
+++ b/nixos/backend/fic-admin.nix
@@ -0,0 +1,40 @@
+{ config, inputs, pkgs, ... }:
+{
+ config.virtualisation.oci-containers.containers.fic-admin = {
+ image = "fic-admin:latest";
+ imageFile = pkgs.dockerTools.buildImage {
+ name = "fic-admin";
+ tag = "latest";
+ created = "now";
+ config = {
+ Cmd = [ "${inputs.ficpkgs.packages.x86_64-linux.fic-admin}/bin/admin" ];
+ };
+ };
+ autoStart = true;
+ cmd = [
+ "${inputs.ficpkgs.packages.x86_64-linux.fic-admin}/bin/admin"
+ "-4real"
+ "-bind=0.0.0.0:8081"
+ "-baseurl=/admin/"
+ "-localimport=/mnt/fic"
+ "-timestampCheck=/srv/submissions"
+ ];
+ ports = [ "8081:8081" ];
+ extraOptions = [ "--network=phobos-lan" "--ip=172.18.0.40" ];
+ environment = {
+ MYSQL_HOST = "db";
+ FICCA_PASS = "jee8AhloAith1aesCeQu5ahgIegaeM4K";
+ };
+ volumes = [
+ "/etc/hosts:/etc/hosts:ro"
+ "/var/lib/fic/raw_files:/mnt/fic"
+ "/var/lib/fic/dashboard:/srv/DASHBOARD"
+ "/var/lib/fic/files:/srv/FILES"
+ "/var/lib/fic/pki:/srv/PKI"
+ "/var/lib/fic/teams:/srv/TEAMS"
+ "/var/lib/fic/settings:/srv/SETTINGS"
+ "/var/lib/fic/sync:/srv/SYNC"
+ "/var/lib/fic/submissions:/srv/submissions:ro"
+ ];
+ };
+}
diff --git a/nixos/backend/fic-backend.nix b/nixos/backend/fic-backend.nix
new file mode 100644
index 00000000..2df55c9f
--- /dev/null
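Review bot: `ports = [ "3306:3306" ]` publishes MariaDB on every host interface with the static `fic`/`fic` credentials that sit in the same file, and Docker installs its own iptables rules for published ports, so `networking.firewall` in network.nix does not gate it. The admin and backend containers reach the database over `phobos-lan` by name (`db`, 172.18.0.42), so the mapping is not needed for them; drop it, or at least bind loopback with `ports = [ "127.0.0.1:3306:3306" ];`, and move `MYSQL_PASSWORD` into a sops-managed file loaded via `environmentFiles` (available on oci-containers in this NixOS generation, if I recall correctly) so it is not committed in clear. `mariadb:latest` is also unpinned, so each pull can silently change the server version under the data in `/var/lib/fic/mysql`.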
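Review bot: `FICCA_PASS = "jee8AhloAith1aesCeQu5ahgIegaeM4K"` commits what looks like the CA passphrase for the PKI mounted at `/srv/PKI` in clear, in the same commit that wires up sops for exactly this kind of value; rotate it and load it through `environmentFiles = [ config.sops.secrets.fic_admin_env.path ];` with a `FICCA_PASS=…` line in the encrypted file. The admin UI is also reachable from every interface through `-bind=0.0.0.0:8081` plus `ports = [ "8081:8081" ]`, with no access restriction visible in this configuration; bind it to loopback (`"127.0.0.1:8081:8081"`) and put it behind an authenticating proxy unless something outside this diff already does. Whether the admin binary enforces its own authentication cannot be told from here, so a one-line comment stating what protects this endpoint would help the next reader.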
+++ b/nixos/backend/fic-backend.nix
@@ -0,0 +1,26 @@
+{ config, inputs, pkgs, ... }:
+{
+ config.virtualisation.oci-containers.containers.fic-backend = {
+ image = "fic-backend:latest";
+ imageFile = pkgs.dockerTools.buildImage {
+ name = "fic-backend";
+ tag = "latest";
+ created = "now";
+ config = {
+ Cmd = [ "${inputs.ficpkgs.packages.x86_64-linux.fic-backend}/bin/backend" ];
+ };
+ };
+ autoStart = true;
+ environment = {
+ MYSQL_HOST = "db";
+ };
+ workdir = "/srv";
+ extraOptions = [ "--network=phobos-lan" "--ip=172.18.0.41" ];
+ volumes = [
+ "/etc/hosts:/etc/hosts:ro"
+ "/var/lib/fic/teams:/srv/TEAMS"
+ "/var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro"
+ "/var/lib/fic/submissions:/srv/submissions"
+ ];
+ };
+}
diff --git a/nixos/backend/fic-dashboard.nix b/nixos/backend/fic-dashboard.nix
new file mode 100644
index 00000000..60e76fde
--- /dev/null
+++ b/nixos/backend/fic-dashboard.nix
@@ -0,0 +1,28 @@
+{ config, inputs, pkgs, ... }:
+{
+ config.virtualisation.oci-containers.containers.fic-dashboard = {
+ image = "fic-dashboard:latest";
+ imageFile = pkgs.dockerTools.buildImage {
+ name = "fic-dashboard";
+ tag = "latest";
+ created = "now";
+ config = {
+ Cmd = [ "${inputs.ficpkgs.packages.x86_64-linux.fic-dashboard}/bin/dashboard" ];
+ };
+ };
+ autoStart = true;
+ cmd = [
+ "${inputs.ficpkgs.packages.x86_64-linux.fic-dashboard}/bin/dashboard"
+ "-bind=:8082"
+ "-restrict-to-ips=/srv/DASHBOARD/restricted-ips.json"
+ ];
+ ports = [ "8082:8082" ];
+ volumes = [
+ "/etc/hosts:/etc/hosts:ro"
+ "/var/lib/fic/dashboard:/srv/DASHBOARD:ro"
+ "/var/lib/fic/files:/srv/FILES:ro"
+ "/var/lib/fic/teams:/srv/TEAMS:ro"
+ "/var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro"
+ ];
+ };
+}
diff --git a/nixos/backend/fic-evdist.nix b/nixos/backend/fic-evdist.nix
new file mode 100644
index 00000000..f229a895
--- /dev/null
+++ b/nixos/backend/fic-evdist.nix
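Review bot: The dashboard is published on all interfaces by `ports = [ "8082:8082" ]`, and the only access control in sight is `-restrict-to-ips=/srv/DASHBOARD/restricted-ips.json`, a file for which this commit only creates the directory (`/var/lib/fic/dashboard`) and never populates; document what the dashboard does when that file is missing, because a permissive default would expose it to the whole network, and since Docker manages iptables for published ports itself, `networking.firewall.allowedTCPPorts` does not restrict 8082 either. Unlike admin and backend, this container is not attached to `phobos-lan`, so the `db`/`admin` entries in the mounted `/etc/hosts` point at addresses it cannot reach — presumably fine because it only reads files, but worth a comment such as `# file-only consumer: intentionally not on phobos-lan`.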
@@ -0,0 +1,21 @@
+{ config, inputs, pkgs, ... }:
+{
+ config.virtualisation.oci-containers.containers.fic-evdist = {
+ image = "fic-evdist:latest";
+ imageFile = pkgs.dockerTools.buildImage {
+ name = "fic-evdist";
+ tag = "latest";
+ created = "now";
+ config = {
+ Cmd = [ "${inputs.ficpkgs.packages.x86_64-linux.fic-evdist}/bin/evdist" ];
+ };
+ };
+ autoStart = true;
+ workdir = "/srv";
+ volumes = [
+ "/etc/hosts:/etc/hosts:ro"
+ "/var/lib/fic/settings:/srv/SETTINGS"
+ "/var/lib/fic/settingsdist:/srv/SETTINGSDIST"
+ ];
+ };
+}
diff --git a/nixos/backend/fic-synchro.nix b/nixos/backend/fic-synchro.nix
new file mode 100644
index 00000000..777a599d
--- /dev/null
+++ b/nixos/backend/fic-synchro.nix
@@ -0,0 +1,39 @@
+{ config, inputs, pkgs, ... }:
+{
+ config.virtualisation.oci-containers.containers.fic-synchro =
+ {
+ image = "fic-synchro:latest";
+ imageFile = pkgs.dockerTools.buildImage {
+ name = "fic-synchro";
+ tag = "latest";
+ created = "now";
+ copyToRoot = pkgs.buildEnv {
+ name = "packagelist";
+ paths = [ pkgs.coreutils pkgs.openssh pkgs.rsync ];
+ };
+ config = {
+ Cmd = [ "${inputs.ficpkgs.packages.x86_64-linux.fic-synchro}/bin/synchro" ];
+ };
+ runAsRoot = ''
+ #!${pkgs.runtimeShell}
+ ${pkgs.dockerTools.shadowSetup}
+ mkdir -p /tmp/
+ chmod a+rwx /tmp/
+ '';
+ };
+ autoStart = true;
+ extraOptions = [ "--network=phobos-lan" "--ip=172.18.0.43" ];
+ volumes = [
+ "/etc/hosts:/etc/hosts:ro"
+ "/var/lib/fic/ssh:/etc/ssh:ro"
+ "${config.sops.secrets.phobos_ssh.path}:/root/.ssh/id_ed25519:ro"
+ "/var/lib/fic/files:/srv/FILES:ro"
+ #"/var/lib/fic/pki/ca.key:/srv/PKI/ca.key:ro"
+ "/var/lib/fic/pki/shared:/srv/PKI/shared:ro"
+ "/var/lib/fic/settingsdist:/srv/SETTINGSDIST:ro"
+ "/var/lib/fic/submissions:/srv/submissions"
+ "/var/lib/fic/teams:/srv/TEAMS:ro"
+ "/var/log/frontend:/var/log/frontend"
+ ];
+ };
+}
diff --git a/nixos/bios.nix b/nixos/bios.nix
new file mode 100644
index 00000000..ed1b84ce
--- /dev/null
+++ b/nixos/bios.nix
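Review bot: `"/var/lib/fic/ssh:/etc/ssh:ro"` replaces the container's entire `/etc/ssh` with a host directory that `makeFicDirs` creates empty and nothing in this commit populates, so the mount is an undocumented dependency; add a comment such as `# host-managed ssh client config for the synchro script: ssh_config and ssh_known_hosts (deimos host key)`, which is also the natural place to pin deimos' key so the script can stop disabling host-key checking. The container runs as root (no `user` set; `runAsRoot` only prepares `/tmp`) while holding the private key for deimos and read-write mounts on `/srv/submissions` and `/var/log/frontend`, yet rsync and ssh need no root, so a dedicated uid via `--user` in `extraOptions` would bound what a compromised script can touch. Keeping the `ca.key` mount commented out rather than deleted suggests it may come back; if it is meant to stay out, say so in the comment. `created = "now"` makes the image differ on every rebuild, which is harmless but worth a note for anyone chasing reproducibility.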
@@ -0,0 +1,6 @@
+{}:
+{
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/vda";
+}
diff --git a/nixos/config-var.nix b/nixos/config-var.nix
new file mode 100644
index 00000000..63a0587e
--- /dev/null
+++ b/nixos/config-var.nix
@@ -0,0 +1,8 @@
+{
+ efi = false;
+ prod = false;
+ ip = {
+ deimos = "10.10.10.2";
+ phobos = "10.10.10.1";
+ };
+}
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
new file mode 100644
index 00000000..25140b49
--- /dev/null
+++ b/nixos/configuration.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./locale.nix
+ ./network.nix
+ ./packages.nix
+ ./registry.nix
+ ./users.nix
+ ] ++ (if (import ../config-var.nix).efi then [ ./efi.nix ] else [ ./bios.nix ]);
+
+ system.stateVersion = "22.05";
+}
diff --git a/nixos/efi.nix b/nixos/efi.nix
new file mode 100644
index 00000000..c9b80f2d
--- /dev/null
+++ b/nixos/efi.nix
@@ -0,0 +1,5 @@
+{}:
+{
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+}
diff --git a/nixos/flake.nix b/nixos/flake.nix
new file mode 100644
index 00000000..ddea475a
--- /dev/null
+++ b/nixos/flake.nix
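Review bot: `{}:` declares a function that accepts no attributes, but the NixOS module system calls every module function with its argument set (`config`, `lib`, `pkgs`, …), so as far as I recall evaluation fails with "called with unexpected argument 'config'" as soon as this file is imported; write it as `{ ... }:` or simply drop the function and leave the bare attribute set (efi.nix has the same `{}:` pattern and needs the same fix). `boot.loader.grub.device = "/dev/vda"` hard-codes a virtio disk, which deserves a comment if both hosts are VMs and will break on anything else.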
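Review bot: `import ../config-var.nix` is resolved relative to `nixos/configuration.nix`, i.e. it expects a `config-var.nix` at the repository root, while the file this commit adds lives at `nixos/config-var.nix` (network.nix imports it as `./config-var.nix`), so the evaluation fails on a missing path; change it to `./config-var.nix`. `./hardware-configuration.nix` is imported but is not part of this commit; if it is generated per host and git-ignored, say so in a comment next to the import, otherwise a fresh checkout cannot evaluate either configuration.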
@@ -0,0 +1,45 @@
+{
+ description = "Fic Servers Nix Configuration";
+
+ inputs = {
+ nixpkgs = { url = "github:nixos/nixpkgs/nixos-unstable"; };
+ ficpkgs = {
+ # Vendor hash of fic-server's flake.nix must be up to date
+ #url = "git+https://git.nemunai.re/fic/server";
+ # For local testing only
+ url = "/root/fic-server";
+
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ sops-nix = {
+ url = "github:thouveninantoine/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs = inputs: {
+ nixosConfigurations =
+ let
+ common_modules = [
+ ./configuration.nix
+ inputs.sops-nix.nixosModules.sops
+ "${inputs.nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-base.nix"
+ ];
+ in
+ {
+ phobos = inputs.nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./backend/backend.nix
+ ] ++ common_modules;
+ specialArgs = { inherit inputs; };
+ };
+ deimos = inputs.nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ] ++ common_modules;
+ specialArgs = { inherit inputs; };
+ };
+ };
+ };
+}
diff --git a/nixos/locale.nix b/nixos/locale.nix
new file mode 100644
index 00000000..5e1713df
--- /dev/null
+++ b/nixos/locale.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ time.timeZone = "Europe/Paris";
+ i18n.defaultLocale = "fr_FR.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "fr";
+ };
+}
diff --git a/nixos/network.nix b/nixos/network.nix
new file mode 100644
index 00000000..16ab36e8
--- /dev/null
+++ b/nixos/network.nix
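Review bot: `installation-cd-base.nix` is the live-installer profile and it is listed in `common_modules` for both production hosts; in nixpkgs trees of this era it pulls in `profiles/installation-device.nix`, which, if memory serves, sets an empty root password, disables the sudo password for `wheel`, permits root login in sshd and adds an auto-logged-in installer user — verify against the pinned nixpkgs, but none of that belongs on phobos or deimos. Remove it from `common_modules`, and if the intent was an installer image for bootstrapping, expose that separately as `nixosConfigurations.installer`. The build is also not reproducible from the repository alone: `nixpkgs` tracks `nixos-unstable` with no `flake.lock` in the diffstat, `sops-nix` points at a personal fork rather than the upstream, and `ficpkgs` is the local path `/root/fic-server`; a comment explaining which of these are temporary would help.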
@@ -0,0 +1,40 @@
+{ ... }:
+{
+ networking.useDHCP = false;
+ networking.interfaces.eno1.useDHCP = true;
+ networking.interfaces.enp1s0.useDHCP = true;
+
+ networking.extraHosts = ''
+ ${(import ./config-var.nix).ip.phobos} phobos
+
+ 172.18.0.40 admin
+ 172.18.0.41 backend
+ 172.18.0.42 db
+ 172.18.0.43 synchro
+
+ ${(import ./config-var.nix).ip.deimos} deimos
+
+ 172.18.1.2 nginx
+ 172.18.1.3 frontend
+ 172.18.1.4 auth
+
+ 127.0.0.1 localhost
+ ::1 localhost ip6-localhost ip6-loopback
+ fe00::0 ip6-localnet
+ ff00::0 ip6-mcastprefix
+ ff02::1 ip6-allnodes
+ ff02::2 ip6-allrouters
+ '';
+
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ listenAddresses = [
+ { addr = "0.0.0.0"; port = 2222; }
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 22 2222 ];
+
+ systemd.services.sshd.after = [ "network-interfaces.target" ];
+}
diff --git a/nixos/packages.nix b/nixos/packages.nix
new file mode 100644
index 00000000..2ac709d2
--- /dev/null
+++ b/nixos/packages.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+{
+ nix = {
+ package = pkgs.nixFlakes;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+ environment.systemPackages = with pkgs; [
+ btop
+ git
+ neovim
+ ];
+}
diff --git a/nixos/registry.nix b/nixos/registry.nix
new file mode 100644
index 00000000..005ec5a3
--- /dev/null
+++ b/nixos/registry.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ services.dockerRegistry = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ };
+}
diff --git a/nixos/secrets/deimos.yml b/nixos/secrets/deimos.yml
new file mode 100644
index 00000000..47be46d0
--- /dev/null
+++ b/nixos/secrets/deimos.yml
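Review bot: sshd is told to listen only on `0.0.0.0:2222`, yet the firewall also opens 22, and `listenAddresses` does not update `services.openssh.ports` (which drives both the `Port` directive and the automatic firewall rule), so the intent is spread over three places that disagree; set `services.openssh.ports = [ 2222 ];`, drop `listenAddresses` and the explicit `[ 22 2222 ]`, and let `openFirewall` open the right port. This module is shared by deimos, so it moves deimos' sshd to 2222 while `configs/synchro.sh` still dials it with `-p 22` — one of the two is wrong unless something else answers on 22 there. `passwordAuthentication = false` is good; adding `kbdInteractiveAuthentication = false` closes the equivalent PAM path, and the IPv4-only listen address silently drops IPv6 access, which is fine only if that is deliberate.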
@@ -0,0 +1,44 @@ +phobos_ssh_pub: ENC[AES256_GCM,data:tDmHLPJMuELIU9kU1pCLFL+F6r5YBnkoYqut2RmFmsih4VrSEyfhn8tP+0rnR6k5d/GLhqHkzBuniXhyEGbQ0G/IYmBnJBUpyQFBdnOzCVhrNzQtM2s5zwu5ges=,iv:Ymnw+2BIh7YaoM+8iepOQpUs4heISCwuMdkrS8OWiJg=,tag:IsyoQKp7i+8q9OgH8Dkf5Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-09-05T13:14:03Z" + mac: ENC[AES256_GCM,data:NOoNbhyfEmB2aSQrxltZsxt1NQhl+pT9N9hdW/8a/s3VSgEQGt2teRFrqLg5hYOjlDvd4mYoeAOcG7LCkSjzOUdXj8BZYFmxbkEQGKf5n2s8ile8Qr0WofbaMP9nYCBq7R0qL4KPnhoGY6DAzGUULER13mLJKnC6wBueBr0nuio=,iv:e00tosd8DMkuSGLl4Y/SHHSWpqc+ibX2XALglN5sG2s=,tag:xK2Sk+hp77PHU++ew7IXUA==,type:str] + pgp: + - created_at: "2022-08-27T22:15:58Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DhKTlqbJ4OtgSAQdApKk6z/OCHK0Rkaqxd2F27AabN365lxZ2ms8MUGcOVHQw + //9xS2VQqUb2uRT4eEblZuJpNRntFWRHt63AKa31U3cnooysfm+zT4/VdbFF3oqL + 1GgBCQIQ0qDqs10qB+l7uNJJQm7cMecKWsHkDgP9Zj5P0zBR2A81FfZPApC9Jofl + 442PMWoi5GS7CVu4P3WiqGOR+XSX7I6Ih4S/EYsAD338JM4Pll5qps175njNbzqj + wvJf/ONbQR+QYQ== + =7Rq0 + -----END PGP MESSAGE----- + fp: 93A4B95A3623ED8F03CCEBD21ADC2C80A1289824 + - created_at: "2022-08-27T22:15:58Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA8NZISUyGt9CAQ//d/OZBqdnhWrnF2SPCAp68KJuHgYuE/TitOhG2rNWo+UZ + +n8dzvGdzPmWRXQIIonWw1aVkuFd9I0jvJ7qSN+kYcq9sOAswdMwj6RyGSOyarfK + /XjdGnYRUvTcKKVz2M3Xq15flk5juxlYSmcGpGnDJpyeR3tXRHNRqxWCNFXKQwxR + FIJmCo3LQr87zuuOKl1QEhQ6n67edT7IKK3AQrVlLniNDKaWh6lgI3Q/OVJdJ2BU + yEDCVizRYCuBjQYM+rR9sdcaiK2P+44nw2sL5QNyyqHPnUCi38Cghb2g9EjYo+w1 + KH1335wgqATIiDjae+jGffnNQvxPMz8ZgxebMsqcOWs6NELF7yvHFwTv7sA0Dvkx + dyLraXNK3SUdz1ZLwEDPnYx/tsRMgUMTv80NA8FL4sFnNtBRlJ6mOc74YItFHzBi + errADMOllhFuPVl3yuC1j99HyxUeTNFnoukSi1kNs0dGr7N8+jvWQqIcJgMkv6Mo + P75retb3De5Bcx8XkRpxsN8In3fUUO0xyI2HQykf0ECEHRc7HdZn+2oD3yqk4fME + sp97lW448JslS9Rn4WGWA11TWrz8kUSv+1NOHan/bEkR5HWku8ETyKZTqAWRmwh5 + pCyEmMnjbNUNXA02PuxtNjTLZP2E4agdSs9oQ8MM4xOBIFdNkSLc72PjzcZ/uJjS + 
WAHdCpTZC393/TbeBdN8A2gmbctMRxdQF6Bilph665eUMml/07zndKF0nZYvlM4b + OkbPsz1zZ46xJRESmj5Ef3bbm7ANLrPzWJNPCKRpFdCBaUtuXMKT2T8= + =M7js + -----END PGP MESSAGE----- + fp: 9cb1fda8a56fa7ab852f666fc3592125321adf42 + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nixos/secrets/phobos.yml b/nixos/secrets/phobos.yml new file mode 100644 index 00000000..7463477b --- /dev/null +++ b/nixos/secrets/phobos.yml 
@@ -0,0 +1,45 @@ +phobos_ssh: ENC[AES256_GCM,data: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,iv:0pwaq3zOzdXJ89N9y1G0tjAtR/sYaI+rMMixPHQcSyA=,tag:yJkJ1wg3lUTEeSkZge0xZA==,type:str] +phobos_ssh.pub: ENC[AES256_GCM,data:YRMndy7eIL2YPbf2JEfT+KRIsZrazbuJHp6vRbJ0VEU+Bg/h1CSzJpYedls/+uCmkVpoxBvdjYHeCKtneyJCzkaDzJsUz+RcfrIGQEhake76X9omur9rTK/MJyI=,iv:OtacGQQUaIgDKLkTunOsqFfdh982T9yYH1RoYdvT7vo=,tag:/nNj/xjhnvgDUalOeY+4vA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-08-27T22:46:21Z" + mac: ENC[AES256_GCM,data:zwp5TcQFOJEG22qrQrJR/zCnLNw31Eeb7pI60fJRT/8rDYIqKguMcYbj+44fn3rRnLOQlvL0Pek2f41UlIb7LosNnoaTzTxoYBbgFRiliyII/epFXRINHrbyBEOp4Anc5445YoY/xmO9y3MLJYF9b31PVOFaAq1CJtbtfZXHCG8=,iv:OsnA+1KgwPwVacbjIbzAhKtap/lgEPpzS/i4NJGP0Qs=,tag:/Jvk62zVKHApNhBpgcH5sg==,type:str] + pgp: + - created_at: "2022-08-27T22:15:58Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DhKTlqbJ4OtgSAQdApKk6z/OCHK0Rkaqxd2F27AabN365lxZ2ms8MUGcOVHQw + //9xS2VQqUb2uRT4eEblZuJpNRntFWRHt63AKa31U3cnooysfm+zT4/VdbFF3oqL + 1GgBCQIQ0qDqs10qB+l7uNJJQm7cMecKWsHkDgP9Zj5P0zBR2A81FfZPApC9Jofl + 442PMWoi5GS7CVu4P3WiqGOR+XSX7I6Ih4S/EYsAD338JM4Pll5qps175njNbzqj + wvJf/ONbQR+QYQ== + =7Rq0 + -----END PGP MESSAGE----- + fp: 93A4B95A3623ED8F03CCEBD21ADC2C80A1289824 + - created_at: "2022-08-27T22:15:58Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA8NZISUyGt9CAQ//d/OZBqdnhWrnF2SPCAp68KJuHgYuE/TitOhG2rNWo+UZ + +n8dzvGdzPmWRXQIIonWw1aVkuFd9I0jvJ7qSN+kYcq9sOAswdMwj6RyGSOyarfK + /XjdGnYRUvTcKKVz2M3Xq15flk5juxlYSmcGpGnDJpyeR3tXRHNRqxWCNFXKQwxR + FIJmCo3LQr87zuuOKl1QEhQ6n67edT7IKK3AQrVlLniNDKaWh6lgI3Q/OVJdJ2BU + yEDCVizRYCuBjQYM+rR9sdcaiK2P+44nw2sL5QNyyqHPnUCi38Cghb2g9EjYo+w1 + KH1335wgqATIiDjae+jGffnNQvxPMz8ZgxebMsqcOWs6NELF7yvHFwTv7sA0Dvkx + dyLraXNK3SUdz1ZLwEDPnYx/tsRMgUMTv80NA8FL4sFnNtBRlJ6mOc74YItFHzBi + errADMOllhFuPVl3yuC1j99HyxUeTNFnoukSi1kNs0dGr7N8+jvWQqIcJgMkv6Mo + P75retb3De5Bcx8XkRpxsN8In3fUUO0xyI2HQykf0ECEHRc7HdZn+2oD3yqk4fME + 
sp97lW448JslS9Rn4WGWA11TWrz8kUSv+1NOHan/bEkR5HWku8ETyKZTqAWRmwh5 + pCyEmMnjbNUNXA02PuxtNjTLZP2E4agdSs9oQ8MM4xOBIFdNkSLc72PjzcZ/uJjS + WAHdCpTZC393/TbeBdN8A2gmbctMRxdQF6Bilph665eUMml/07zndKF0nZYvlM4b + OkbPsz1zZ46xJRESmj5Ef3bbm7ANLrPzWJNPCKRpFdCBaUtuXMKT2T8= + =M7js + -----END PGP MESSAGE----- + fp: 9cb1fda8a56fa7ab852f666fc3592125321adf42 + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nixos/users.nix b/nixos/users.nix new file mode 100644 index 00000000..a5aa9551 --- /dev/null +++ b/nixos/users.nix @@ -0,0 +1,15 @@ +{ ... }: +{ + users = { + mutableUsers = false; + users.fic = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILBoJRKGvhpJGYQfq+Ocp83nJixk8zz3cmzHOvLIW2C9 antoine.thouvenin" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdjG/+FTghcl+sgsAFM7kdBTbGIR9JycgpWeLGJt2ZV elie.brami" + ]; + hashedPassword = "$6$CuDkmaet$ZWh.KlzZe2EF2c23GErwdbsa1naByrNe15j7Jy3SuJZfEwGUV16QEkz9bcfzHtMteTjGRr8ixOtKYn.wV8e10."; + }; + }; +}
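Review bot: `hashedPassword` for `fic` ends up in the generated users/groups spec in the Nix store, which is world-readable on the host, so the SHA-512 crypt hash is available for offline cracking to any local user or container with store access; with sops-nix already wired in, prefer `passwordFile = config.sops.secrets.fic_password.path;` (the secret needs `neededForUsers = true`) and take `config` in the module arguments. The account is in `wheel`, which becomes a passwordless path to root if the installer profile pulled in by flake.nix really does disable the sudo password for that group, so this module is where a `security.sudo.wheelNeedsPassword = true;` guard belongs. The two authorized keys are fine to commit.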