From 8def445ac0484b359c536315c0852c735ef4b0c0 Mon Sep 17 00:00:00 2001
From: Gonne
Date: Tue, 24 Jun 2025 16:14:42 +0200
Subject: [PATCH 1/3] Enable cleartext diffs for SOPS secrets

---
 .gitattributes | 1 +
 README.md | 2 ++
 2 files changed, 3 insertions(+)
 create mode 100644 .gitattributes

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..6cbe6fb
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.secrets.yaml diff=sopsdiffer
diff --git a/README.md b/README.md
index a756522..62bf3fa 100644
--- a/README.md
+++ b/README.md
@@ -233,6 +233,8 @@ If the accessing process is not root it must be member of the group `config.user
 for systemd services this can be archived by setting `serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];` it the service configuration.
+For cleartext diffs configure your local clone with `git config diff.sopsdiffer.textconv "sops decrypt"` (see [Github](https://github.com/getsops/sops?tab=readme-ov-file#showing-diffs-in-cleartext-in-git)).
+
 ## impermanence These machines are setup with `"/"` as a tmpfs. This is there to keep the machines clean. So no clutter in home
From 91763734eeb0d6b3acbee3492d7152c8a458f51e Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Sun, 30 Mar 2025 17:55:57 +0200
Subject: [PATCH 2/3] hardware config

---
 nixos/machines/cthulhu/configuration.nix | 25 ++++++++++++
 .../cthulhu/hardware-configuration.nix | 39 +++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 nixos/machines/cthulhu/configuration.nix
 create mode 100644 nixos/machines/cthulhu/hardware-configuration.nix

diff --git a/nixos/machines/cthulhu/configuration.nix b/nixos/machines/cthulhu/configuration.nix
new file mode 100644
index 0000000..bcb21aa
--- /dev/null
+++ b/nixos/machines/cthulhu/configuration.nix
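Review bot: The `diff=sopsdiffer` attribute on `*.secrets.yaml` only does something once each clone sets `diff.sopsdiffer.textconv`, and from then on the decrypted content of these files is emitted by every `git diff` and `git log -p` into the terminal, pager and any tooling that captures that output; `diff.sopsdiffer.cachetextconv` must stay at its default of false, because enabling it stores the cleartext under `refs/notes/textconv/sopsdiffer` inside the repository. A comment line in .gitattributes would carry that caveat to the next person who copies the README instruction, e.g. `# sops-encrypted files; cleartext diffs need diff.sopsdiffer.textconv set locally — never enable cachetextconv`. The pattern also covers only files whose name ends in `.secrets.yaml`; any sops-encrypted file named differently would keep diffing as ciphertext, which is safe but easy to mistake for a missing driver.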
@@ -0,0 +1,25 @@
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../roles
+ ../../roles/vm.nix
+ ../../modules/vmNetwork.nix
+ ];
+
+ # System configuration here
+
+ networking.hostName = "cthulhu";
+ vmNetwork.ipv4 = "192.168.0.16";
+ system.stateVersion = "25.05";
+
+ sops.secrets = {
+ backupKey = {
+ sopsFile = ./backupKey.secrets.yaml;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ };
+ # TODO for the network rework, make a central record of hostnames to ip adresses where every
+ # machine can read out their ip address and also this machine
+}
diff --git a/nixos/machines/cthulhu/hardware-configuration.nix b/nixos/machines/cthulhu/hardware-configuration.nix
new file mode 100644
index 0000000..aa0a0fb
--- /dev/null
+++ b/nixos/machines/cthulhu/hardware-configuration.nix
@@ -0,0 +1,39 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [];
+
+ fileSystems."/" = {
+ device = "root";
+ fsType = "tmpfs";
+ options = ["size=1G" "mode=755"];
+ };
+ fileSystems."/persist" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=persist"];
+ neededForBoot = true;
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "ext4";
+ };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+ fileSystems."/var/www" = {
+ device = "/dev/disk/by-label/cthulhu-website-"; # The trailing - is part of the name, i suspect it was meant to be longer
+ fsType = "ext4";
+ };
+ # nix puts the caching folder under /var/cache/nginx
+ fileSystems."/var/cache/nginx" = {
+ device = "/dev/disk/by-label/cthulhu";
+ fsType = "ext4";
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
From 41d7652cb4d5e9e54d4c72ef91b7fa004754ffff Mon Sep 17 00:00:00 2001
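Review bot: `sopsFile = ./backupKey.secrets.yaml;` points at a file this patch does not add (the diffstat lists only configuration.nix and hardware-configuration.nix), so building this host presumably fails as soon as the sops module copies that path into the store, unless the encrypted file already exists in the tree or arrives in a later commit; the name does match the `*.secrets.yaml` pattern that .gitattributes routes through the sopsdiffer driver. With `owner = "root"`, `group = "root"` and `mode = "0400"` only root can read the decrypted key, so whichever backup job uses it has to run as root or the secret's `owner` must later be pointed at that service's user; nothing in this hunk consumes the secret yet, and `# System configuration here` reads as leftover scaffolding. A comment above `backupKey` naming its consumer would make that access decision reviewable, e.g. `# credential for <backup service — placeholder>; root-only on purpose, adjust owner if the job runs unprivileged`. The identical hunk appears again in PATCH 3/3.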
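Review bot: `fileSystems."/var/www"` and `fileSystems."/var/cache/nginx"` are mounted with default options, although a served content tree and an nginx cache normally have no reason to carry setuid binaries, device nodes or executables; adding `options = ["nosuid" "nodev" "noexec"];` to both costs nothing unless something must execute from those paths, which this hunk does not show. The comment on the `cthulhu-website-` label records doubt about the label itself, and since neither mount is marked `nofail`, a label that matches no device leaves the mount failing at boot, so the label should be confirmed or the device relabelled before this lands. `pkgs` is bound in the argument set but never used. The same hunk is repeated in PATCH 3/3.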
From: Dennis Frieberg
Date: Sun, 30 Mar 2025 17:55:57 +0200
Subject: [PATCH 3/3] hardware config

---
 nixos/machines/cthulhu/configuration.nix | 25 ++++++++++++
 .../cthulhu/hardware-configuration.nix | 39 +++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 nixos/machines/cthulhu/configuration.nix
 create mode 100644 nixos/machines/cthulhu/hardware-configuration.nix

diff --git a/nixos/machines/cthulhu/configuration.nix b/nixos/machines/cthulhu/configuration.nix
new file mode 100644
index 0000000..bcb21aa
--- /dev/null
+++ b/nixos/machines/cthulhu/configuration.nix
@@ -0,0 +1,25 @@
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../roles
+ ../../roles/vm.nix
+ ../../modules/vmNetwork.nix
+ ];
+
+ # System configuration here
+
+ networking.hostName = "cthulhu";
+ vmNetwork.ipv4 = "192.168.0.16";
+ system.stateVersion = "25.05";
+
+ sops.secrets = {
+ backupKey = {
+ sopsFile = ./backupKey.secrets.yaml;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ };
+ # TODO for the network rework, make a central record of hostnames to ip adresses where every
+ # machine can read out their ip address and also this machine
+}
diff --git a/nixos/machines/cthulhu/hardware-configuration.nix b/nixos/machines/cthulhu/hardware-configuration.nix
new file mode 100644
index 0000000..aa0a0fb
--- /dev/null
+++ b/nixos/machines/cthulhu/hardware-configuration.nix
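Review bot: This hunk is byte-identical to the configuration.nix hunk of PATCH 2/3 and carries the same post-image blob id `bcb21aa`, and the hardware-configuration.nix hunk that follows in this patch repeats `aa0a0fb` in the same way, so applying the series in order would stop at PATCH 3/3 because both files already exist after PATCH 2/3. Either drop PATCH 3/3 or turn it into the follow-up that adds `backupKey.secrets.yaml` and wires up the consumer of `backupKey`.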
@@ -0,0 +1,39 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [];
+
+ fileSystems."/" = {
+ device = "root";
+ fsType = "tmpfs";
+ options = ["size=1G" "mode=755"];
+ };
+ fileSystems."/persist" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=persist"];
+ neededForBoot = true;
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "ext4";
+ };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+ fileSystems."/var/www" = {
+ device = "/dev/disk/by-label/cthulhu-website-"; # The trailing - is part of the name, i suspect it was meant to be longer
+ fsType = "ext4";
+ };
+ # nix puts the caching folder under /var/cache/nginx
+ fileSystems."/var/cache/nginx" = {
+ device = "/dev/disk/by-label/cthulhu";
+ fsType = "ext4";
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}