nixos: minor adjustments to secrets, proxy, users

2023-09-21 05:23:10 +08:00 · 2023-09-21 05:23:10 +08:00 · 36bd037a03
commit 36bd037a03
parent 04990550bb
6 changed files with 39 additions and 15 deletions
--- a/flake.nix
+++ b/flake.nix
@ -110,15 +110,23 @@
          }

          sops-nix.nixosModules.sops
+          ({ config, ... }:
          {
            sops = {
              defaultSopsFile = ./secrets/secrets.yaml;
              age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
              secrets = {
-                "clash-config" = { mode = "0444"; }; # readable
+                "clash-config" = {
+                  #mode = "0444"; # readable
+                  owner = config.users.users."clash-meta".name;
+                  group = config.users.users."clash-meta".group;
+                  restartUnits = [ "clash-meta.service" ];
+                  path = "/etc/clash-meta/config.yaml";
+                };
+                "user-password-guanranwang".neededForUsers = true;
              };
            };
-          }
+          })
        ];
      };

--- a/nixos/networking/proxy.nix
+++ b/nixos/networking/proxy.nix
@ -16,15 +16,21 @@
    serviceConfig = {
      Type = "simple";
      WorkingDirectory = "/etc/clash-meta";
+      User = [ config.users.users."clash-meta".name ];
      ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta";
      Restart = "on-failure";
+      CapabilityBoundingSet = [
+        "CAP_NET_RAW"
+        "CAP_NET_ADMIN"
+        "CAP_NET_BIND_SERVICE"
+      ];
+      AmbientCapabilities = [
+        "CAP_NET_RAW"
+        "CAP_NET_ADMIN"
+        "CAP_NET_BIND_SERVICE"
+      ];
    };
  };

-  environment.etc = {
-    "clash-meta/config.yaml".source = config.sops.secrets."clash-config".path;
-    "clash-meta/metacubexd" = {
-      source = ../../flakes/home-manager/guanranwang/common/dotfiles/config/clash/metacubexd;
-    };
-  };
+  environment.etc."clash-meta/metacubexd".source = ../../flakes/home-manager/guanranwang/common/dotfiles/config/clash/metacubexd;
 }
--- a/nixos/users/default.nix
+++ b/nixos/users/default.nix
@ -3,6 +3,7 @@
 {
  imports = [
    ./users.nix
-    ./guanranwang.nix
+    ./system-users.nix
+    ./normal-users/guanranwang.nix
  ];
 }
--- a/nixos/users/normal-users/guanranwang.nix
+++ b/nixos/users/normal-users/guanranwang.nix
@ -1,11 +1,11 @@
 { pkgs, ... }:

 {
-  users.users.guanranwang = {
+  users.users."guanranwang" = {
    isNormalUser = true;
    description = "Guanran Wang";
    extraGroups = [ "wheel" "networkmanager" "tss" ]; # tss = access to tpm devices
-    #passwordFile = config.sops.secrets.password.path;
+    #passwordFile = config.sops.secrets."user-password-guanranwang".path;
    hashedPassword = "$y$j9T$D7kBBBGwxw1XmPApAHIsx/$hcB64v3/kvPB7nIM9wXFiaSSBfhSp9k/JQ4R9G3guk6";
    shell = pkgs.fish;
    packages = [];
--- a/nixos/users/system-users.nix
+++ b/nixos/users/system-users.nix
@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  users.users."clash-meta" = {
+    isSystemUser = true;
+    group = "clash-meta";
+  };
+  users.groups.clash-meta = {};
+}
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml