nixos: minor adjustments to secrets, proxy, users

This commit is contained in:
Guanran Wang 2023-09-21 05:23:10 +08:00
parent 04990550bb
commit 36bd037a03
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
6 changed files with 39 additions and 15 deletions


@ -110,15 +110,23 @@
}
sops-nix.nixosModules.sops
({ config, ... }:
{
sops = {
defaultSopsFile = ./secrets/secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = {
"clash-config" = { mode = "0444"; }; # readable
"clash-config" = {
#mode = "0444"; # readable
owner = config.users.users."clash-meta".name;
group = config.users.users."clash-meta".group;
restartUnits = [ "clash-meta.service" ];
path = "/etc/clash-meta/config.yaml";
};
"user-password-guanranwang".neededForUsers = true;
};
};
}
})
];
};
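Review bot: `path = "/etc/clash-meta/config.yaml"` makes sops-nix itself link the decrypted secret to that location, while the proxy module (second file section) also declares `environment.etc."clash-meta/config.yaml".source = config.sops.secrets."clash-config".path`; if both survive on the new side they manage the same /etc entry and the environment.etc one points the file at its own path. Keep one mechanism — the sops `path` plus `restartUnits` already covers the use case — and drop the environment.etc entry for config.yaml. This rendering lists `"clash-config"` twice with no side marker; if the one-line `mode = "0444"` form was not actually removed, Nix rejects the duplicate attribute, so confirm it is gone. The `#mode = "0444"` remnant is dead config; a one-line comment stating the intent is clearer, e.g. `# default mode (0400): only the clash-meta user needs to read this`. The enclosing flake module list starts outside this hunk.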


@ -16,15 +16,21 @@
serviceConfig = {
Type = "simple";
WorkingDirectory = "/etc/clash-meta";
User = [ config.users.users."clash-meta".name ];
ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta";
Restart = "on-failure";
CapabilityBoundingSet = [
"CAP_NET_RAW"
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
];
AmbientCapabilities = [
"CAP_NET_RAW"
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
];
};
};
environment.etc = {
"clash-meta/config.yaml".source = config.sops.secrets."clash-config".path;
"clash-meta/metacubexd" = {
source = ../../flakes/home-manager/guanranwang/common/dotfiles/config/clash/metacubexd;
};
};
environment.etc."clash-meta/metacubexd".source = ../../flakes/home-manager/guanranwang/common/dotfiles/config/clash/metacubexd;
}
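Review bot: The unit now runs as clash-meta with CAP_NET_RAW, CAP_NET_ADMIN and CAP_NET_BIND_SERVICE in both the bounding and ambient sets, but no other systemd sandboxing is applied, so a compromised proxy process keeps write access to the rest of the filesystem, /home and kernel tunables that these capabilities do not require. Add the hardening directives below beside the capability lists; NoNewPrivileges is compatible with ambient capabilities, and the address-family list presumably needs AF_NETLINK for route/TUN setup — confirm against the proxy's configuration, and if it writes state into /etc/clash-meta add a `ReadWritePaths` entry or use `StateDirectory` instead, since ProtectSystem=strict makes /etc read-only. Separately, `User = [ config.users.users."clash-meta".name ];` only works because a one-element list renders as a single `User=` line; the idiomatic form is `User = config.users.users."clash-meta".name;`. The service definition begins outside this hunk.
```nix
serviceConfig = {
  # … unchanged: Type, WorkingDirectory, ExecStart, Restart …
  User = config.users.users."clash-meta".name;
  # … unchanged: CapabilityBoundingSet, AmbientCapabilities …
  NoNewPrivileges = true;
  ProtectSystem = "strict";
  ProtectHome = true;
  PrivateTmp = true;
  ProtectKernelTunables = true;
  ProtectKernelModules = true;
  ProtectControlGroups = true;
  RestrictNamespaces = true;
  LockPersonality = true;
  RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
};
```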


@ -3,6 +3,7 @@
{
imports = [
./users.nix
./guanranwang.nix
./system-users.nix
./normal-users/guanranwang.nix
];
}


@ -1,11 +1,11 @@
{ pkgs, ... }:
{
users.users.guanranwang = {
users.users."guanranwang" = {
isNormalUser = true;
description = "Guanran Wang";
extraGroups = [ "wheel" "networkmanager" "tss" ]; # tss = access to tpm devices
#passwordFile = config.sops.secrets.password.path;
#passwordFile = config.sops.secrets."user-password-guanranwang".path;
hashedPassword = "$y$j9T$D7kBBBGwxw1XmPApAHIsx/$hcB64v3/kvPB7nIM9wXFiaSSBfhSp9k/JQ4R9G3guk6";
shell = pkgs.fish;
packages = [];
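Review bot: The account still carries a password hash inline in `hashedPassword` even though this commit declares the `user-password-guanranwang` sops secret with `neededForUsers = true` for exactly this purpose, so the secret is prepared but never consumed and the hash remains readable to anyone with access to the repository. The commented-out `passwordFile` line also cannot be enabled as written: the module header is `{ pkgs, ... }:` and `config` is not bound. Change the header to `{ config, pkgs, ... }:`, set `passwordFile = config.sops.secrets."user-password-guanranwang".path;` (the option is `hashedPasswordFile` on newer NixOS releases), and remove `hashedPassword` so only one password source is declared; treat the committed hash as exposed and rotate the password. This rendering does not mark which of the two `passwordFile` comment lines is the old one, but the point holds either way.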


@ -0,0 +1,9 @@
{ ... }:
{
users.users."clash-meta" = {
isSystemUser = true;
group = "clash-meta";
};
users.groups.clash-meta = {};
}
