feat(odin): secrets management, system monitoring

.sops.yaml

@@ -0,0 +1,10 @@
+keys:
+  - &thomas 7A53D4C6B481F7711588D34FDE749C31D060A160
+  - &odin age17fg06ssdz089k7fhl5rkmkszj0we3an9frp9q6hdp5uuamxwhc4syzy02l
+creation_rules:
+  - path_regex: hosts/odin/secrets.yaml
+    key_groups:
+    - pgp:
+      - *thomas
+      age:
+      - *odin

hosts/odin/default.nix

@@ -5,11 +5,11 @@
     { config.facter.reportPath = ./facter.json; }
 
     outputs.modules.global.nix-config
+    inputs.sops-nix.nixosModules.sops
     inputs.impermanence.nixosModules.impermanence
     inputs.disko.nixosModules.disko
 
     ./disko.nix
-    # ./secrets.nix
     # ./services
   ];
 
@@ -17,6 +17,11 @@
   networking.hostName = "odin";
   networking.useDHCP = lib.mkDefault true;
 
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets."thomas/password".neededForUsers = true;
+  sops.secrets."nullmailer/remotes".owner = config.services.nullmailer.user;
+
+
   # Boot configuration
   boot = {
     # Use systemd-boot for UEFI systems
@@ -125,7 +130,6 @@
       };
     };
 
-    # SSH configuration is managed in secrets.nix
     openssh = {
       enable = true;
       openFirewall = true;
@@ -134,25 +138,40 @@
         PermitRootLogin = "no";
         X11Forwarding = false;
       };
-      # hostKeys = [ ];
     };
 
     # System monitoring
-    # smartd = {
-    #   enable = true;
-    #   autodetect = true;
-    #   notifications.mail.enable = false; # Configure if you want email alerts
-    # };
-
-    # # Time synchronization
-    # timesyncd.enable = true;
-    #
-    # # Btrfs maintenance
-    # btrfs.autoScrub = {
-    #   enable = true;
-    #   interval = "monthly";
-    #   fileSystems = [ "/" ];
-    # };
+    smartd = {
+      enable = true;
+      autodetect = true;
+      notifications.test = true;
+      notifications.mail.enable = true;
+      notifications.mail.sender = "[email protected]";
+      notifications.mail.recipient = "I <[email protected]>";
+    };
+
+    nullmailer = {
+      enable = true;
+      setSendmail = true;
+      remotesFile = config.sops.secrets."nullmailer/remotes".path;
+      config = {
+        me = "odin.t5.st";
+        defaulthost = "odin.t5.st";
+        defaultdomain = "odin.t5.st";
+        allmailfrom = "[email protected]";
+        adminaddr = "[email protected]";
+      };
+    };
+
+    # Time synchronization
+    timesyncd.enable = true;
+
+    # Btrfs maintenance
+    btrfs.autoScrub = {
+      enable = true;
+      interval = "monthly";
+      fileSystems = [ "/" ];
+    };
 
     # Drive spin-down management
     # hdparm.devices = [
@@ -174,16 +193,6 @@
     # ];
   };
 
-  # # Automatic garbage collection
-  # nix = {
-  #   gc = {
-  #     automatic = true;
-  #     dates = "weekly";
-  #     options = "--delete-older-than 30d";
-  #   };
-  #   optimise.automatic = true;
-  # };
-
   # # Container runtime
   # virtualisation = {
   #   docker = {
@@ -238,7 +247,7 @@
       thomas = {
         isNormalUser = true;
         extraGroups = [ "wheel" "users" ];
-        hashedPassword = "$6$jO/t4PtMb4Ky.goy$2diW2qZjswUAVAzRQqOJ7wfGwD9QInJtUfQYEOOp8hkdhAy6wcccYfIG.gEQniStx7ZkxADNQxQ7pyfUiOqll.";
+        hashedPasswordFile = config.sops.secrets."thomas/password".path;
         openssh.authorizedKeys.keys = [
           "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5o7LT5wPYWgI8Mvr6RKOv+BcsbQgU7PCw2hheVu17alwF1uFUsAYV5BVQu+uv9uEm/UDsCNhfM6TwI0A1prdmtBz4pKiwXbj7fcdp6DcVOgTsPfawbXEpivtJvlhEatyTsR26MjHKnqpT0BxPvj6Ug6pvRkCYW5d2bWXiY9murmAX6Q5kSyNunkB8PdRTH+S47f7eOdCJY63VBOkkiG8M7XyPwFCDTYiHhbMZcejIdY9mB6kYnMQVRHDznQWiQxrcaE1fD/TY3db9GDcOVoo2aDBOZX7WT2+me67sU8dEK9+nSyhWDzBbEs8knu87ZlKPFwhl4slenRniKhbf22OpicXArtEcjEj0GyDJH5e+ZCIQ4eSQanA7TxnKFlDuaf+Qqx55UT+ya4vJJeik7nkzbRHaE9IoWhhiOaOnaN6kHIxuxB6z7EL3Gk7f78+I/qBaj5df6fgnXM3JBXKa5bRH2wqoSetJAo6EGpEgmU2huB1ktiGlO7BlF5XwSw6cb/KT7NSIXhncgLkCzsDVXxecVQv1FnPISBcp3+ti01ADVf2trgpPDbNTWV40Rgiefie0o2fc6KWAFfum1j5N3WWU+XVVmRjDmKKHiEJBLNKDAe0rQf+tryPW4c5GIN7aFoB+8dYFAuUyLd7Fu3vhZdmcckN5ryHunEc0dKPIiuoVZw=="
         ];