rolling update in 20240126

Signed-off-by: iosmanthus <[email protected]>

flake.nix

@@ -5,7 +5,7 @@
 
     master.url = "github:NixOS/nixpkgs";
 
-    sops-nix.url = "github:iosmanthus/sops-nix/nested-secrets";
+    sops-nix.url = "github:Mic92/sops-nix";
 
     home-manager = {
       url = "github:nix-community/home-manager";
@@ -20,6 +20,11 @@
     };
 
     jetbrains.url = "github:NixOS/nixpkgs/master";
+
+    nix-ld = {
+      url = "github:Mic92/nix-ld";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
   outputs =
     { self
@@ -29,21 +34,23 @@
     , home-manager
     , sops-nix
     , berberman
+    , nix-ld
     , ...
-    }:
+    }@inputs:
     let
       this = import ./packages;
 
       mkWorkstationModules =
         system: [
           ./nixos/workstation
-          ./secrets/proxy
+          ./secrets/workstation
 
           self.nixosModules.system
           self.nixosModules.admin.iosmanthus
 
           sops-nix.nixosModules.sops
           home-manager.nixosModules.home-manager
+          nix-ld.nixosModules.nix-ld
 
           ({ config, ... }: {
             home-manager = {
@@ -93,15 +100,14 @@
           };
           packages = [
             "bat"
+            "brave"
             "discord"
             "docker"
             "eza"
             "fd"
             "feishu"
-            "firefox"
             "firmwareLinuxNonfree"
             "gh"
-            "google-chrome"
             "i3"
             "kitty"
             "lens"
@@ -127,7 +133,7 @@
           ];
         };
         jetbrains = this.branchOverlay {
-          branch = master;
+          branch = inputs.jetbrains;
           system = "x86_64-linux";
           config = { allowUnfree = true; };
           packages = [ "jetbrains" ];
@@ -203,6 +209,7 @@
             yapf
             gotools
             go_1_20
+            wgcf
           ];
         };
       });

modules/admin/default.nix

@@ -1,18 +1,22 @@
 {
-  iosmanthus = { pkgs, ... }: {
-    imports = [
-      ./options.nix
-    ];
-    admin = {
-      name = "iosmanthus";
-      email = "[email protected]";
-      shell = pkgs.zsh;
-      home = "/home/iosmanthus";
-      hashedPassword = "$6$vKbKYA/EtYlE8cAB$hRfeaahQG8JOE8r4FPE.VDQp0/XCgb.VlX5oPAoQxwoanr2GspYU1yBNgjvWYaSv8OpGlVN9YWwuoiSypLZzI1";
-      gpgPubKey = "0xDEE5BAABFE092169";
-      sshPubKey = ''
-        ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAE0CpL+RLwnpBp1VzD3VUZpCEOIb1U+R6Jyu/SBq+Msg+CRlxfJThUJY4ZGwp6/d+VPWuQQHvvQ6OoLQdV5Pa9xZAFYOUEDWjAnD16gh29aoVDFzv+sDt2wyA4WZfqydrFSD9QhP88RpcGAcHZXCjzaGT1tEOw2wIOgGs6P53Mrti46Yw==
-      '';
+  iosmanthus =
+    { pkgs
+    , config
+    , ...
+    }: {
+      imports = [
+        ./options.nix
+      ];
+      admin = rec {
+        name = "iosmanthus";
+        email = "[email protected]";
+        shell = pkgs.zsh;
+        home = "/home/iosmanthus";
+        hashedPasswordFile = config.sops.secrets."${name}/hashed-password".path;
+        gpgPubKey = "0xDEE5BAABFE092169";
+        sshPubKey = ''
+          ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAE0CpL+RLwnpBp1VzD3VUZpCEOIb1U+R6Jyu/SBq+Msg+CRlxfJThUJY4ZGwp6/d+VPWuQQHvvQ6OoLQdV5Pa9xZAFYOUEDWjAnD16gh29aoVDFzv+sDt2wyA4WZfqydrFSD9QhP88RpcGAcHZXCjzaGT1tEOw2wIOgGs6P53Mrti46Yw==
+        '';
+      };
     };
-  };
 }

modules/admin/options.nix

@@ -17,8 +17,8 @@ let
       shell = mkOption {
         type = types.package;
       };
-      hashedPassword = mkOption {
-        type = types.str;
+      hashedPasswordFile = mkOption {
+        type = types.path;
       };
       sshPubKey = mkOption {
         type = types.str;

modules/default.nix

@@ -26,7 +26,6 @@
       ./sing-box
       ./caddy
       ./subgen
-      #./promtail
     ];
   };
 }

nixos/aws-lightsail-0/caddy/default.nix

@@ -17,7 +17,7 @@
     content = ''
       ${config.sops.placeholder."caddy/virtual-host-a"} {
         tls {
-          dns cloudflare ${config.sops.placeholder."cloudflare-api-token"}
+          dns cloudflare ${config.sops.placeholder."cloudflare/api-token"}
         }
         log {
           level INFO
@@ -26,13 +26,44 @@
       }
       ${config.sops.placeholder."caddy/virtual-host-b"} {
         tls {
-          dns cloudflare ${config.sops.placeholder."cloudflare-api-token"}
+          dns cloudflare ${config.sops.placeholder."cloudflare/api-token"}
         }
         log {
           level INFO
         }
         reverse_proxy 127.0.0.1:8080
       }
+      ${config.sops.placeholder."caddy/virtual-host-c"} {
+        tls {
+          dns cloudflare ${config.sops.placeholder."cloudflare/api-token"}
+        }
+        log {
+          level INFO
+        }
+        # Uncomment to improve security (WARNING: only use if you understand the implications!)
+        # If you want to use FIDO2 WebAuthn, set X-Frame-Options to "SAMEORIGIN" or the Browser will block those requests
+        header / {
+        	# Enable HTTP Strict Transport Security (HSTS)
+        	Strict-Transport-Security "max-age=31536000;"
+        	# Disable cross-site filter (XSS)
+        	X-XSS-Protection "0"
+        	# Disallow the site to be rendered within a frame (clickjacking protection)
+        	X-Frame-Options "DENY"
+        	# Prevent search engines from indexing (optional)
+        	X-Robots-Tag "noindex, nofollow"
+        	# Disallow sniffing of X-Content-Type-Options
+        	X-Content-Type-Options "nosniff"
+        	# Server name removing
+        	-Server
+        	# Remove X-Powered-By though this shouldn't be an issue, better opsec to remove
+        	-X-Powered-By
+        	# Remove Last-Modified because etag is the same and is as effective
+        	-Last-Modified
+        }
+        reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT} {
+          header_up X-Real-IP {http.request.header.Cf-Connecting-Ip}
+        }
+      }
       :8080 {
         route /subgen/* {
           uri strip_prefix /subgen
@@ -62,5 +93,4 @@
       }
     '';
   };
-
 }