password hash is now plain file in private repo.

2024-06-05 19:10:12 -05:00 · 2024-06-05 19:10:12 -05:00 · 7642191e98
parent 04783f1580
commit 7642191e98
10 changed files with 11 additions and 51 deletions
--- a/configs/nixos/common.nix
+++ b/configs/nixos/common.nix
@ -40,12 +40,15 @@

  programs.zsh.enable = lib.mkDefault true;
  environment.shells = lib.mkDefault [pkgs.zsh];
+  users.mutableUsers = false;
  users.users.${config.host.user} = {
    isNormalUser = true;
+    hashedPassword = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash");
    description = config.host.fullName;
    shell = pkgs.zsh;
    extraGroups = ["wheel"];
  };
+  # users.users.root.password = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash");

  imports = [
    ../../modules/hostopts.nix
--- a/configs/nixos/secrets.nix
+++ b/configs/nixos/secrets.nix
@ -11,7 +11,6 @@ in {
    inputs.sops-nix.nixosModules.sops
  ];
  sops = {
-    defaultSopsFile = "${secretsDirectory}/common.yaml";
    validateSopsFiles = false;
    age = {
      sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
--- a/flake.lock
+++ b/flake.lock
@ -240,10 +240,10 @@
    "nix-secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1717523958,
-        "narHash": "sha256-fZzlvFG7fIGA4GIpMai8fdxeUU/bBxMacdDmDWN+Emk=",
+        "lastModified": 1717631148,
+        "narHash": "sha256-smVpy+sIKFUwBcRHjdLWVlrYqUqpfg2TJXuGqZJBXJM=",
        "ref": "refs/heads/main",
-        "rev": "23bdde0f479cdd6039555aee0680878249185715",
+        "rev": "631c6dbe7d5ea9589a7d20734a8b81a0bb872818",
        "shallow": true,
        "type": "git",
        "url": "ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git"
--- a/hosts/archlaptop-vm/default.nix
+++ b/hosts/archlaptop-vm/default.nix
@ -18,7 +18,7 @@ inputs.nixpkgs.lib.nixosSystem {
    ../../configs/nixos/interactive-networking.nix
    ../../configs/nixos/i3
    ../../configs/nixos/sshd.nix
-    ./secrets.nix
+    ../../configs/nixos/secrets.nix
    ({
      config,
      pkgs,
@ -33,10 +33,8 @@ inputs.nixpkgs.lib.nixosSystem {
      };
      networking.hostName = "archlaptop-vm"; # Define your hostname.

-      users.mutableUsers = false;
      # Define a user account. Don't forget to set a password with ‘passwd’.
      users.users.${config.host.user} = {
-        hashedPasswordFile = config.sops.secrets.gv-password.path;
        packages = with pkgs; [firefox];
      };

--- a/hosts/archlaptop-vm/secrets.nix
+++ b/hosts/archlaptop-vm/secrets.nix
@ -1,14 +0,0 @@
-{
-  inputs,
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  imports = [
-    ../../configs/nixos/secrets.nix
-  ];
-  sops.secrets.gv-password = {
-    neededForUsers = true;
-  };
-}
--- a/hosts/workstation-vm/default.nix
+++ b/hosts/workstation-vm/default.nix
@ -22,7 +22,7 @@ inputs.nixpkgs.lib.nixosSystem {
    ../../configs/nixos/i3
    ../../configs/nixos/common.nix
    ../../configs/nixos/sshd.nix
-    ./secrets.nix
+    ../../configs/nixos/secrets.nix
    ({
      config,
      pkgs,
@ -39,9 +39,7 @@ inputs.nixpkgs.lib.nixosSystem {
      };
      networking.hostName = "workstation-vm"; # Define your hostname.

-      users.mutableUsers = false;
      users.users.${config.host.user} = {
-        hashedPasswordFile = config.sops.secrets.gv-password.path;
        packages = with pkgs; [
          firefox
        ];
--- a/hosts/workstation-vm/secrets.nix
+++ b/hosts/workstation-vm/secrets.nix
@ -1,14 +0,0 @@
-{
-  inputs,
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  imports = [
-    ../../configs/nixos/secrets.nix
-  ];
-  sops.secrets.gv-password = {
-    neededForUsers = true;
-  };
-}
--- a/6
+++ b/6
@ -3,17 +3,14 @@ default:

 nixos target=`hostname`:
    git add -AN
-    nix flake update nix-secrets
    sudo nixos-rebuild --flake .#{{target}} switch

 home-manager target=(`whoami`+"@"+`hostname`):
    git add -AN
-    nix flake update nix-secrets
    home-manager --flake .#{{target}} switch

 check:
    git add -AN
-    nix flake update nix-secrets
    nix flake check --keep-going

 bootstrap-home-manager target=(`whoami`+"@"+`hostname`):
@ -28,3 +25,6 @@ home-gc:

 nixos-gc:
    sudo nix-collect-garbage --delete-older-than 7d
+
+update-secrets:
+    nix flake update nix-secrets
--- a/packages/proxmox.nix
+++ b/packages/proxmox.nix
@ -24,11 +24,6 @@ inputs.nixos-generators.nixosGenerate {
      host.user = "gabe";
      host.fullName = "Gabe Venberg";

-      users.users.root.password = "nixos";
-      users.users.${config.host.user} = {
-        password = "nixos";
-      };
-
      home-manager.users.${config.host.user} = {
        inputs,
        osConfig,
--- a/packages/vm.nix
+++ b/packages/vm.nix
@ -24,11 +24,6 @@ inputs.nixos-generators.nixosGenerate {
      host.user = "gabe";
      host.fullName = "Gabe Venberg";

-      users.users.root.password = "nixos";
-      users.users.${config.host.user} = {
-        password = "nixos";
-      };
-
      home-manager.users.${config.host.user} = {
        inputs,
        osConfig,