From 7642191e983f95ba8b7cb98e37036a30caaa398a Mon Sep 17 00:00:00 2001 From: Gabe Venberg Date: Wed, 5 Jun 2024 19:10:12 -0500 Subject: [PATCH] password hash is now plain file in private repo. --- configs/nixos/common.nix | 3 +++ configs/nixos/secrets.nix | 1 - flake.lock | 6 +++--- hosts/archlaptop-vm/default.nix | 4 +--- hosts/archlaptop-vm/secrets.nix | 14 -------------- hosts/workstation-vm/default.nix | 4 +--- hosts/workstation-vm/secrets.nix | 14 -------------- justfile | 6 +++--- packages/proxmox.nix | 5 ----- packages/vm.nix | 5 ----- 10 files changed, 11 insertions(+), 51 deletions(-) delete mode 100644 hosts/archlaptop-vm/secrets.nix delete mode 100644 hosts/workstation-vm/secrets.nix diff --git a/configs/nixos/common.nix b/configs/nixos/common.nix index c3ec1ad..f69ef9b 100644 --- a/configs/nixos/common.nix +++ b/configs/nixos/common.nix @@ -40,12 +40,15 @@ programs.zsh.enable = lib.mkDefault true; environment.shells = lib.mkDefault [pkgs.zsh]; + users.mutableUsers = false; users.users.${config.host.user} = { isNormalUser = true; + hashedPassword = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"); description = config.host.fullName; shell = pkgs.zsh; extraGroups = ["wheel"]; }; + # users.users.root.password = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"); imports = [ ../../modules/hostopts.nix diff --git a/configs/nixos/secrets.nix b/configs/nixos/secrets.nix index 387db41..98c065e 100644 --- a/configs/nixos/secrets.nix +++ b/configs/nixos/secrets.nix @@ -11,7 +11,6 @@ in { inputs.sops-nix.nixosModules.sops ]; sops = { - defaultSopsFile = "${secretsDirectory}/common.yaml"; validateSopsFiles = false; age = { sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; diff --git a/flake.lock b/flake.lock index 19a069c..0ef4ba6 100644 --- a/flake.lock +++ b/flake.lock 
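Review bot: The added `hashedPassword = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash");` in configs/nixos/common.nix reads the hash at evaluation time, so it ends up in the world-readable /nix/store, both in the generated user configuration and through the nix-secrets input, which is copied into the store, and it travels with any closure pushed to another machine or cache. The `hashedPasswordFile = config.sops.secrets.gv-password.path;` lines this commit removes from the host files kept the hash out of the store. If the trade-off is deliberate, record it above the line, e.g. `# NOTE: this hash is readable by every local user via /nix/store; accepted in exchange for dropping sops here`. The commented-out `users.users.root.password` line would pass a hash to an option that expects plaintext, so it should be deleted or changed to `hashedPassword` before anyone uncomments it. The surrounding module body starts and ends outside the hunk.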
@@ -240,10 +240,10 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1717523958, - "narHash": "sha256-fZzlvFG7fIGA4GIpMai8fdxeUU/bBxMacdDmDWN+Emk=", + "lastModified": 1717631148, + "narHash": "sha256-smVpy+sIKFUwBcRHjdLWVlrYqUqpfg2TJXuGqZJBXJM=", "ref": "refs/heads/main", - "rev": "23bdde0f479cdd6039555aee0680878249185715", + "rev": "631c6dbe7d5ea9589a7d20734a8b81a0bb872818", "shallow": true, "type": "git", "url": "ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git" diff --git a/hosts/archlaptop-vm/default.nix b/hosts/archlaptop-vm/default.nix index c5750ec..984a878 100644 --- a/hosts/archlaptop-vm/default.nix +++ b/hosts/archlaptop-vm/default.nix @@ -18,7 +18,7 @@ inputs.nixpkgs.lib.nixosSystem { ../../configs/nixos/interactive-networking.nix ../../configs/nixos/i3 ../../configs/nixos/sshd.nix - ./secrets.nix + ../../configs/nixos/secrets.nix ({ config, pkgs, @@ -33,10 +33,8 @@ inputs.nixpkgs.lib.nixosSystem { }; networking.hostName = "archlaptop-vm"; # Define your hostname. - users.mutableUsers = false; # Define a user account. Don't forget to set a password with ‘passwd’. users.users.${config.host.user} = { - hashedPasswordFile = config.sops.secrets.gv-password.path; packages = with pkgs; [firefox]; }; diff --git a/hosts/archlaptop-vm/secrets.nix b/hosts/archlaptop-vm/secrets.nix deleted file mode 100644 index e565f76..0000000 --- a/hosts/archlaptop-vm/secrets.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ - inputs, - config, - lib, - pkgs, - ... -}: { - imports = [ - ../../configs/nixos/secrets.nix - ]; - sops.secrets.gv-password = { - neededForUsers = true; - }; -} diff --git a/hosts/workstation-vm/default.nix b/hosts/workstation-vm/default.nix index df5f0f1..5d61b45 100644 --- a/hosts/workstation-vm/default.nix +++ b/hosts/workstation-vm/default.nix @@ -22,7 +22,7 @@ inputs.nixpkgs.lib.nixosSystem { ../../configs/nixos/i3 ../../configs/nixos/common.nix ../../configs/nixos/sshd.nix - ./secrets.nix + ../../configs/nixos/secrets.nix ({ config, pkgs, 
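Review bot: In the second hosts/archlaptop-vm/default.nix hunk, the context comment telling the reader to set a password with passwd is now misleading, because the block below it no longer sets any password option. If this host imports configs/nixos/common.nix (its import list is only partly visible here), `users.mutableUsers = false` applies and a password set with passwd is overwritten on the next activation. I would replace the comment with `# Password hash is set in configs/nixos/common.nix; users.mutableUsers = false, so passwd changes do not persist.` If the host does not import common.nix, removing `hashedPasswordFile` leaves the account with no declared password, which is worth confirming.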
@@ -39,9 +39,7 @@ inputs.nixpkgs.lib.nixosSystem { }; networking.hostName = "workstation-vm"; # Define your hostname. - users.mutableUsers = false; users.users.${config.host.user} = { - hashedPasswordFile = config.sops.secrets.gv-password.path; packages = with pkgs; [ firefox ]; diff --git a/hosts/workstation-vm/secrets.nix b/hosts/workstation-vm/secrets.nix deleted file mode 100644 index e565f76..0000000 --- a/hosts/workstation-vm/secrets.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ - inputs, - config, - lib, - pkgs, - ... -}: { - imports = [ - ../../configs/nixos/secrets.nix - ]; - sops.secrets.gv-password = { - neededForUsers = true; - }; -} diff --git a/justfile b/justfile index 0714ed3..d7eb74c 100644 --- a/justfile +++ b/justfile @@ -3,17 +3,14 @@ default: nixos target=`hostname`: git add -AN - nix flake update nix-secrets sudo nixos-rebuild --flake .#{{target}} switch home-manager target=(`whoami`+"@"+`hostname`): git add -AN - nix flake update nix-secrets home-manager --flake .#{{target}} switch check: git add -AN - nix flake update nix-secrets nix flake check --keep-going bootstrap-home-manager target=(`whoami`+"@"+`hostname`): @@ -28,3 +25,6 @@ home-gc: nixos-gc: sudo nix-collect-garbage --delete-older-than 7d + +update-secrets: + nix flake update nix-secrets diff --git a/packages/proxmox.nix b/packages/proxmox.nix index 7aa9cc4..cf38218 100644 --- a/packages/proxmox.nix +++ b/packages/proxmox.nix @@ -24,11 +24,6 @@ inputs.nixos-generators.nixosGenerate { host.user = "gabe"; host.fullName = "Gabe Venberg"; - users.users.root.password = "nixos"; - users.users.${config.host.user} = { - password = "nixos"; - }; - home-manager.users.${config.host.user} = { inputs, osConfig, diff --git a/packages/vm.nix b/packages/vm.nix index a8f22a9..f74a261 100644 --- a/packages/vm.nix +++ b/packages/vm.nix 
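Review bot: The `nixos`, `home-manager` and `check` recipes in the justfile hunks no longer refresh the nix-secrets input, so every rebuild deploys the password hash from the revision pinned in flake.lock. A rotated password therefore stays unapplied until `update-secrets` is run and the host is rebuilt, and the new recipe carries no comment saying so. I would add above it `# Run after changing anything in nix-secrets (e.g. rotating the password hash), then rebuild; the rebuild recipes use the revision locked in flake.lock.`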
@@ -24,11 +24,6 @@ inputs.nixos-generators.nixosGenerate { host.user = "gabe"; host.fullName = "Gabe Venberg"; - users.users.root.password = "nixos"; - users.users.${config.host.user} = { - password = "nixos"; - }; - home-manager.users.${config.host.user} = { inputs, osConfig,