diff --git a/.sops.yaml b/.sops.yaml
index 9aaeffa..ec6a5f0 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,3 +9,10 @@ creation_rules:
 - *primary
 - *aspi-ssh
 - *pianonix-ssh
+
+ - path_regex: secrets/.+
+ key_groups:
+ - age:
+ - *primary
+ - *aspi-ssh
+ - *pianonix-ssh
diff --git a/modules/nixos/sops/default.nix b/modules/nixos/sops/default.nix
index db7261d..a8abf86 100644
--- a/modules/nixos/sops/default.nix
+++ b/modules/nixos/sops/default.nix
@@ -41,6 +41,12 @@ in
 # List of defined secrets
 # They all become files linked inside the "/run/secrets/" directory
+
+ sops.secrets."vnc-passwd" = {
+ owner = config.users.users.julian.name;
+ sopsFile = ../../../secrets/vnc-passwd;
+ format = "binary";
+ };
 sops.secrets."wifi/pianonix" = { };
 sops.secrets."password/aspi" = {
diff --git a/secrets/vnc-passwd b/secrets/vnc-passwd
new file mode 100644
index 0000000..ef97d21
--- /dev/null
+++ b/secrets/vnc-passwd
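Review bot: The new rule's `path_regex: secrets/.+` is unanchored, so it also matches any path that merely contains `secrets/` (for example `other/secrets/x`); if I read sops' matching correctly, rules are tried in order and the first match wins, so `path_regex: ^secrets/` states the intent precisely and avoids surprises when more rules are added. The rule also repeats the same three age recipients as the rule above it, which means a future key rotation has to be applied in two places; a shared anchor for that key group would keep them in sync. The enclosing `creation_rules` list starts before this hunk.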
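Review bot: `sops.secrets."vnc-passwd"` carries no comment saying what consumes it, so the reader has to find the x11vnc unit in another file to learn that this is a `-rfbauth` password file read as `julian`; a one-line comment above it, `# x11vnc -rfbauth password file; read only by the x11vnc unit running as julian`, would fix that. The block sets `owner` and `format` but not `mode`; sops-nix's default is `0400` as far as I recall, and writing `mode = "0400";` explicitly keeps that intent visible if the secret is later shared with a group. `format = "binary"` is consistent with the `data`-only layout of the committed `secrets/vnc-passwd`, so that part looks right.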
@@ -0,0 +1,28 @@
+{
+ "data": "ENC[AES256_GCM,data:13hToequR4A=,iv:U7a6mIOYanQjozPrL92edFrhdyuSJj14pqVa2tGE/zA=,tag:uyeE3dj7NTKPi0jNLkFMLA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWWUp5TU9kWTNpa0s5TFRC\nK1hoc0d0K3JQYWN3VVVWM2JvemtieGo2UGpVCit5MUcvZldBZkNNZ3ZWTWRtd0Zx\nT3I4aTdUcitPRmhhV0htZlhEYjhRakUKLS0tIEdmYUI4N1g1Nkp3YzdtaHJybVcz\neFNwUnd0Vyt2MTBpRTZlMzZnNHJGd1EKy/0zXv9CPf5k0ky7TBGY9GbcIeQyPk1L\nKmMCuWMLX0yTGqB3M3/UNdoc4L0q//7keUZH5PlkxJbnu6IN3fE5qg==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdy9tZlZtNFJPRFNUUUNI\nUWtPZmZOY1V5SHc5bTZOZVluTUV6N3dlQWprClVqK2tKNFlBWHdyNDF1Q0d2bi9z\naldTTDdWYzZ6WmgrNHlZSDlTSU9SbmsKLS0tIDJZM2Y4ZDVmZk54eTZLOTU4Ui9X\nR3l3WDkwRWUyakFLdGZXeDJxRUJsaHMK6hgZ1KYe9qx4tO7RervEAKGjNHg4mi0E\nxx3I9P8MFzPiCVKG5ZNxRx25y7H4bQSRRtxIlXIhqzf2+5Q6U7/Hrw==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1hsmfz8fjxu83sax9lr487h8xr6cyge0apdq4zpge4c8jpcjj2cksj825ct",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cUg4dUlCY0IwS3pPeTF5\nZTVkRTkzaVBYTmh0MmYyaHlOaFRHSnk5dWs4CmhvaTlSOTFDQzZmbHVudXpwQitV\nQjhRQWl3OHNLVGJYMm1ObVEyQmhxS0kKLS0tIDJsZnN4K2pUOEdIYVg4ZlQ5Ujhn\nNlpGL1hMVXd5cWR2YkdIVmJiblMzR1EKJYS51sKQ/tBV7dv88pOxJhzHQGckoF8q\nwIioVjs9sm4JBgQqSIbVhXwnKl05IUkyAgw6LfsbSJz3nKe7lmmRpg==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2024-12-01T16:14:57Z",
+ "mac":
"ENC[AES256_GCM,data:zKz8OX1yi68Qn3X6HwdbgTCr/3ZVBh5Wz4KUACmWG3XhOEVi8uoDEdAxfKMDBqNzXLeDmxxTKj6TMLkk68ozDYJqu0OevVritnZqvBTr9VKGpMPBFN3DuaeqSZ6wjHGbce1iqO0kusnwopRbEWHmr/lZxiXTNgLPdN+p5Aszi54=,iv:resppfGPecKvKwqNwqecDBcXGhcTWSGZis8hf1jT0Us=,tag:V80P25Pr4HD9pUUrQHZSQg==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.8.1"
+ }
+}
\ No newline at end of file
diff --git a/systems/aarch64-linux/pianonix/default.nix b/systems/aarch64-linux/pianonix/default.nix
index a5d1c18..4ca180b 100644
--- a/systems/aarch64-linux/pianonix/default.nix
+++ b/systems/aarch64-linux/pianonix/default.nix
@@ -66,6 +66,20 @@ user = "julian";
 };
+ systemd.services.x11vnc = {
+ description = "Run x11vnc server";
+ after = [ "display-manager.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.x11vnc}/bin/x11vnc -rfbauth ${
+ config.sops.secrets."vnc-passwd".path
+ } -forever -loop -noxdamage -repeat -rfbport 5900 -shared";
+ User = config.users.users.julian.name;
+ Restart = "on-failure";
+ Environment = "DISPLAY=:0";
+ };
+ };
+
 boot.loader.timeout = 1; # Set boot loader timeout to 1s
 programs.dconf.enable = true;
@@ -134,15 +148,11 @@ mc
 ];
- # VNC server
- # services.x2goserver.enable = true;
+ networking.firewall.enable = true;
- # networking.firewall.enable = false;
-
- # networking.firewall.allowedTCPPorts = [
- # 8000
- # 5901
- # ];
+ networking.firewall.allowedTCPPorts = [
+ 5900 # for vnc
+ ];
 # Disable the GNOME3/GDM auto-suspend feature that cannot be disabled in GUI!
 # If no user is logged in, the machine will power down after 20 minutes.
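Review bot: Opening TCP 5900 on every interface (second hunk, `allowedTCPPorts = [ 5900 ]`) for an x11vnc server that relies on `-rfbauth` classic VNC authentication (first hunk, `ExecStart`) makes that password file the only barrier to the desktop, and as far as classic VNC auth goes the session is unencrypted and the password is effectively limited to 8 characters. Since SSH keys for both hosts already exist in this repo, adding `-localhost` to the x11vnc arguments and dropping the firewall entry (reaching it over an SSH port-forward), or at least scoping the rule with `networking.firewall.interfaces.<trusted-if>.allowedTCPPorts`, would keep the desktop off the open network. Separately, the unit runs as `julian` with only `DISPLAY=:0` in its environment; unless the display manager leaves an Xauthority that x11vnc can locate for that user, it will fail to attach and cycle under `Restart = "on-failure"`, which is worth confirming on the device (`-auth guess` is the usual knob). `networking.firewall.enable = true;` is already the NixOS default, so that line documents rather than changes anything. The enclosing attribute set starts and ends outside both hunks.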