nixos: minor adjustments to secrets, proxy, users

This commit is contained in:
Guanran Wang 2023-09-21 05:23:10 +08:00
parent 04990550bb
commit 36bd037a03
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
6 changed files with 39 additions and 15 deletions


@ -110,15 +110,23 @@
} }
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
({ config, ... }:
{ {
sops = { sops = {
defaultSopsFile = ./secrets/secrets.yaml; defaultSopsFile = ./secrets/secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = { secrets = {
"clash-config" = { mode = "0444"; }; # readable "clash-config" = {
#mode = "0444"; # readable
owner = config.users.users."clash-meta".name;
group = config.users.users."clash-meta".group;
restartUnits = [ "clash-meta.service" ];
path = "/etc/clash-meta/config.yaml";
};
"user-password-guanranwang".neededForUsers = true;
}; };
}; };
} })
]; ];
}; };
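Review bot: The leftover `#mode = "0444"; # readable` on the new side of the `"clash-config"` block should be replaced by a comment stating the intent, since a reader otherwise cannot tell whether world-readability was dropped deliberately or only disabled for testing; e.g. `# keep sops-nix's default owner-only mode: the file is owned by the clash-meta service user set below`. Keeping the old value as dead text invites someone to "restore" it later and re-expose the proxy config to every local user. The module expression that encloses this `sops` block starts before the hunk.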


@ -16,15 +16,21 @@
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
WorkingDirectory = "/etc/clash-meta"; WorkingDirectory = "/etc/clash-meta";
User = [ config.users.users."clash-meta".name ];
ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta"; ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta";
Restart = "on-failure"; Restart = "on-failure";
CapabilityBoundingSet = [
"CAP_NET_RAW"
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
];
AmbientCapabilities = [
"CAP_NET_RAW"
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
];
}; };
}; };
environment.etc = { environment.etc."clash-meta/metacubexd".source = ../../flakes/home-manager/guanranwang/common/dotfiles/config/clash/metacubexd;
"clash-meta/config.yaml".source = config.sops.secrets."clash-config".path;
"clash-meta/metacubexd" = {
source = ../../flakes/home-manager/guanranwang/common/dotfiles/config/clash/metacubexd;
};
};
} }
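Review bot: `User = [ config.users.users."clash-meta".name ];` passes a single-element list where systemd's `User=` takes one value; NixOS renders list-valued serviceConfig entries as repeated `Key=` lines, so this happens to work for one element, but the conventional form is the plain string `User = config.users.users."clash-meta".name;`. Since the service now runs unprivileged with exactly the three listed capabilities granted ambiently, the two capability lists deserve a comment naming which feature needs CAP_NET_ADMIN and CAP_NET_RAW (presumably TUN or raw-socket use — confirm), so the grant is not widened silently in a later edit; the duplicated list could also be bound once with `let caps = [ ... ]; in` and referenced from both options. The `systemd.services` definition enclosing this `serviceConfig` starts before the hunk, and `config`/`pkgs` are bound outside it.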


@ -3,6 +3,7 @@
{ {
imports = [ imports = [
./users.nix ./users.nix
./guanranwang.nix ./system-users.nix
./normal-users/guanranwang.nix
]; ];
} }


@ -1,11 +1,11 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
users.users.guanranwang = { users.users."guanranwang" = {
isNormalUser = true; isNormalUser = true;
description = "Guanran Wang"; description = "Guanran Wang";
extraGroups = [ "wheel" "networkmanager" "tss" ]; # tss = access to tpm devices extraGroups = [ "wheel" "networkmanager" "tss" ]; # tss = access to tpm devices
#passwordFile = config.sops.secrets.password.path; #passwordFile = config.sops.secrets."user-password-guanranwang".path;
hashedPassword = "$y$j9T$D7kBBBGwxw1XmPApAHIsx/$hcB64v3/kvPB7nIM9wXFiaSSBfhSp9k/JQ4R9G3guk6"; hashedPassword = "$y$j9T$D7kBBBGwxw1XmPApAHIsx/$hcB64v3/kvPB7nIM9wXFiaSSBfhSp9k/JQ4R9G3guk6";
shell = pkgs.fish; shell = pkgs.fish;
packages = []; packages = [];
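Review bot: The `"user-password-guanranwang"` sops secret that the first file of this commit declares with `neededForUsers = true` is still not consumed here: `hashedPassword` keeps the literal password hash in the repository and the `passwordFile` reference remains a comment. Uncommenting it as written would also fail to evaluate, because the module header on the first line binds only `{ pkgs, ... }` and not `config`. The follow-up would be `{ config, pkgs, ... }:` together with `hashedPasswordFile = config.sops.secrets."user-password-guanranwang".path;` in place of the `hashedPassword` line (use `passwordFile` instead if the NixOS release this flake tracks still carries the older option name). The user's attribute set continues past the end of the hunk.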


@ -0,0 +1,9 @@
{ ... }:
{
users.users."clash-meta" = {
isSystemUser = true;
group = "clash-meta";
};
users.groups.clash-meta = {};
}
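Review bot: The user and its group are declared with different attribute syntax, `users.users."clash-meta"` versus `users.groups.clash-meta`; for consistency with the quoted form used throughout this commit, write `users.groups."clash-meta" = {};`. A one-line header comment such as `# Dedicated unprivileged account for the clash-meta service (see the systemd unit's User=).` would also tell a reader why this account exists and that nothing should log in as it.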
