first commit

2025-07-23 04:27:38 +02:00
commit caba04d493
18 changed files with 829 additions and 0 deletions
--- a/modules/optionnal/hosts/test-kvm.nix
+++ b/modules/optionnal/hosts/test-kvm.nix
@@ -0,0 +1,9 @@
+{
+  ...
+}:
+{
+  imports = [
+    ../sops-desktop.nix
+    ../sudo-nopasswd.nix
+  ];
+}
--- a/modules/optionnal/sops-desktop.nix
+++ b/modules/optionnal/sops-desktop.nix
@@ -0,0 +1,68 @@
+{
+  inputs,
+  username,
+  ...
+}:
+let
+  secretsPath = builtins.toString inputs.mysecrets;
+in
+{
+  sops = {
+    defaultSopsFile = "${secretsPath}/secrets.yaml";
+    age = {
+      sshKeyPaths = [
+        "/etc/ssh/ssh_host_ed25519_key"
+      ];
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+
+    secrets = {
+      "ldap_password/beastie" = {
+      };
+      "users_password/beastie" = {
+        neededForUsers = true;
+      };
+      "ssh_keys/default_pub" = {
+        owner = "${username}";
+        mode = "0644";
+        path = "/home/${username}/.ssh/id_ed25519.pub";
+      };
+      "ssh_keys/default_priv" = {
+        owner = "${username}";
+        mode = "0600";
+        path = "/home/${username}/.ssh/id_ed25519";
+      };
+      "ssh_keys/ansible_pub" = {
+        owner = "${username}";
+        mode = "0644";
+        path = "/home/${username}/.ssh/id_ed25519_ansible.pub";
+      };
+      "ssh_keys/ansible_priv" = {
+        owner = "${username}";
+        mode = "0600";
+        path = "/home/${username}/.ssh/id_ed25519_ansible";
+      };
+      "ssh_keys/beastie_pub" = {
+        owner = "${username}";
+        mode = "0644";
+        path = "/home/${username}/.ssh/id_ed25519_beastie.pub";
+      };
+      "ssh_keys/beastie_priv" = {
+        owner = "${username}";
+        mode = "0600";
+        path = "/home/${username}/.ssh/id_ed25519_beastie";
+      };
+      "ssh_keys/gitea_semaphore_pub" = {
+        owner = "${username}";
+        mode = "0644";
+        path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore.pub";
+      };
+      "ssh_keys/gitea_semaphore_priv" = {
+        owner = "${username}";
+        mode = "0600";
+        path = "/home/${username}/.ssh/id_ed25519_gitea_semaphore";
+      };
+    };
+  };
+}
--- a/modules/optionnal/sudo-nopasswd.nix
+++ b/modules/optionnal/sudo-nopasswd.nix
@@ -0,0 +1,24 @@
+{
+  username,
+  ...
+}:
+{
+  # https://dev.to/patimapoochai/how-to-edit-the-sudoers-file-in-nixos-with-examples-4k34
+  security.sudo = {
+    enable = true;
+    extraRules = [
+      {
+        users = [ "${username}" ];
+        host = "ALL";
+        runAs = "ALL:ALL";
+        commands = [
+          {
+            command = "ALL";
+            options = [ "NOPASSWD" ];
+          }
+        ];
+      }
+    ];
+    #extraConfig = "#includedir /etc/sudoers.d";
+  };
+}