feat: sops on dnscrypt

2024-03-17 00:19:54 +11:00 · 2024-03-17 00:19:54 +11:00 · debe0477d9
commit debe0477d9
parent e9133714ad
3 changed files with 14 additions and 8 deletions
--- a/nixos/hosts/common/nixos/packages.nix
+++ b/nixos/hosts/common/nixos/packages.nix
@ -13,7 +13,8 @@
    nixpkgs-fmt
    nil
    gh
+    sops
  ];
-   
+
  programs.mtr.enable = true;
 }
--- a/nixos/hosts/common/optional/dnscrypt-proxy2.nix
+++ b/nixos/hosts/common/optional/dnscrypt-proxy2.nix
@ -13,18 +13,22 @@
    dhcpcd.extraConfig = "nohook resolv.conf";
  };

+  config.users.users.dnscrypt.isSystemUser = true;
+  config.users.users.dnscrypt.group = "dnscrypt";
+  config.users.groups.dnscrypt = { };
+
  # configure secret for forwarding rules
  config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
-  config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0440";
+  config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444";
+  config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path = "/run/dnscrypt-forwarding-rules.txt";

  # Restart dnscrypt when secret changes
-  config.sops.secrets.monitoring_token.restartUnits = [ "dnscrypt-proxy2" ];
+  config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];

  config.services.dnscrypt-proxy2 = {
    enable = true;
    settings = {
      require_dnssec = true;
-
      forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;

      server_names = [ "NextDNS-f6fe35" ];
--- a/nixos/hosts/nixosvm/hardware-configuration.nix
+++ b/nixos/hosts/nixosvm/hardware-configuration.nix
@ -12,18 +12,19 @@
  boot.extraModulePackages = [ ];

  fileSystems."/" =
-    { device = "/dev/disk/by-label/nixos";
+    {
+      device = "/dev/disk/by-label/nixos";
      fsType = "ext4";
    };

  fileSystems."/boot" =
-    { device = "/dev/disk/by-label/boot";
+    {
+      device = "/dev/disk/by-label/boot";
      fsType = "vfat";
    };

  swapDevices =
-    [ { device = "/dev/disk/b"; }
-    ];
+    [{ device = "/dev/sda2"; }];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's