nixos: minor adjustments to secrets, proxy, users
This commit is contained in:
parent
04990550bb
commit
36bd037a03
6 changed files with 39 additions and 15 deletions
12
flake.nix
12
flake.nix
|
@ -110,15 +110,23 @@
|
|||
}
|
||||
|
||||
sops-nix.nixosModules.sops
|
||||
({ config, ... }:
|
||||
{
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets/secrets.yaml;
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
secrets = {
|
||||
"clash-config" = { mode = "0444"; }; # readable
|
||||
"clash-config" = {
|
||||
#mode = "0444"; # readable
|
||||
owner = config.users.users."clash-meta".name;
|
||||
group = config.users.users."clash-meta".group;
|
||||
restartUnits = [ "clash-meta.service" ];
|
||||
path = "/etc/clash-meta/config.yaml";
|
||||
};
|
||||
"user-password-guanranwang".neededForUsers = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
})
|
||||
];
|
||||
};
|
||||
|
||||
|
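Review bot: The new `path = "/etc/clash-meta/config.yaml";` on the `"clash-config"` secret appears to collide with the second hunk, where `environment.etc."clash-meta/config.yaml".source = config.sops.secrets."clash-config".path;` is kept: if I read sops-nix's `path` option correctly it creates the symlink at that location itself, and `.path` then evaluates to that same string, so `environment.etc` would manage the same file and point it at itself. Keep one mechanism only — either drop the `path` line here or drop the `environment.etc."clash-meta/config.yaml"` entry in the clash-meta module and read the secret from its default run-time path. The dead `#mode = "0444"; # readable` line can be deleted outright; with the mode left at its default the file is readable only by the `clash-meta` owner, which is the right direction for a proxy configuration that may carry credentials. The enclosing `nixosConfigurations` attribute set begins before this hunk.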
|
|
@ -16,15 +16,21 @@
|
|||
serviceConfig = {
|
||||
Type = "simple";
|
||||
WorkingDirectory = "/etc/clash-meta";
|
||||
User = [ config.users.users."clash-meta".name ];
|
||||
ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta";
|
||||
Restart = "on-failure";
|
||||
CapabilityBoundingSet = [
|
||||
"CAP_NET_RAW"
|
||||
"CAP_NET_ADMIN"
|
||||
"CAP_NET_BIND_SERVICE"
|
||||
];
|
||||
AmbientCapabilities = [
|
||||
"CAP_NET_RAW"
|
||||
"CAP_NET_ADMIN"
|
||||
"CAP_NET_BIND_SERVICE"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
environment.etc = {
|
||||
"clash-meta/config.yaml".source = config.sops.secrets."clash-config".path;
|
||||
"clash-meta/metacubexd" = {
|
||||
source = ../../flakes/home-manager/guanranwang/common/dotfiles/config/clash/metacubexd;
|
||||
};
|
||||
};
|
||||
environment.etc."clash-meta/metacubexd".source = ../../flakes/home-manager/guanranwang/common/dotfiles/config/clash/metacubexd;
|
||||
}
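Review bot: `User = [ config.users.users."clash-meta".name ];` wraps a single-valued systemd setting in a list; NixOS renders list-valued `serviceConfig` entries as repeated `User=` lines and systemd keeps the last one, so it happens to work, but the intent is `User = config.users.users."clash-meta".name;`. Consider pinning the group explicitly alongside it, `Group = config.users.users."clash-meta".group;`, so the service's identity does not depend on the user's default-group resolution. Since the unit now runs unprivileged with ambient `CAP_NET_ADMIN`/`CAP_NET_RAW`, this is also the place to add the usual sandboxing (`NoNewPrivileges = true;`, `ProtectSystem = "strict";` with `/etc/clash-meta` read-only) so a compromised proxy cannot regain privileges. The `systemd.services` definition that holds this `serviceConfig` starts outside the hunk.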
|
|
@ -3,6 +3,7 @@
|
|||
{
|
||||
imports = [
|
||||
./users.nix
|
||||
./guanranwang.nix
|
||||
./system-users.nix
|
||||
./normal-users/guanranwang.nix
|
||||
];
|
||||
}
|
|
@ -1,11 +1,11 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
users.users.guanranwang = {
|
||||
users.users."guanranwang" = {
|
||||
isNormalUser = true;
|
||||
description = "Guanran Wang";
|
||||
extraGroups = [ "wheel" "networkmanager" "tss" ]; # tss = access to tpm devices
|
||||
#passwordFile = config.sops.secrets.password.path;
|
||||
#passwordFile = config.sops.secrets."user-password-guanranwang".path;
|
||||
hashedPassword = "$y$j9T$D7kBBBGwxw1XmPApAHIsx/$hcB64v3/kvPB7nIM9wXFiaSSBfhSp9k/JQ4R9G3guk6";
|
||||
shell = pkgs.fish;
|
||||
packages = [];
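Review bot: The yescrypt hash in `hashedPassword = "$y$j9T$…"` stays committed to the repository even though the first hunk now declares the `"user-password-guanranwang"` secret with `neededForUsers = true;` — the consumer here is still commented out, so the secret is decrypted at boot but never used and the hash remains exposed to offline guessing by anyone with read access to the repo. To wire it up, the module needs `config` in scope, `{ config, pkgs, ... }:`, and the `hashedPassword` line should be replaced by the secret reference; note that on recent nixpkgs the option is `hashedPasswordFile` rather than `passwordFile`, so check which name the pinned nixpkgs expects before uncommenting. Once the file-based option is in use, the plaintext hash should also be rotated, since it has already been published. The `users.users."guanranwang"` attribute set continues past the end of this hunk.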
|
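--- /dev/null
+++ b/nixos/users/system-users.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+users.users."clash-meta" = {
+isSystemUser = true;
+group = "clash-meta";
+};
+users.groups.clash-meta = {};
+}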
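Review bot: The attribute path is quoted in `users.users."clash-meta" = {` but not in `users.groups.clash-meta = {};` two lines below; both spellings are equivalent in Nix, but the other modules in this commit use the quoted form for this name, so `users.groups."clash-meta" = {};` keeps the file consistent with them. The rest of the definition is fine: a system user with an explicit primary group and no login shell or home is the right shape for a service account.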
File diff suppressed because one or more lines are too long