From 529fa4ad6a51fb08c8c30c200f6b29bb51aeeff9 Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Fri, 31 May 2024 21:02:22 +0200 Subject: [PATCH] sops -> pass : cherry works (wip) --- flake.lock | 66 +++-------------------- flake.nix | 15 +++--- nixos/components/gui/default.nix | 2 +- nixos/components/gui/noti.nix | 1 + nixos/components/network/tinc/private.nix | 58 ++------------------ nixos/homes/palo/default.nix | 1 - nixos/homes/palo/yubikey.nix | 4 -- nixos/machines/cherry/configuration.nix | 23 ++++++-- nixos/machines/cherry/syncthing.nix | 4 -- nixos/machines/cherry/tinc.nix | 4 +- nixos/machines/cherry/wireguard.nix | 12 +++-- nixos/machines/chungus/sync-syncoid.nix | 17 +++--- nixos/machines/cream/configuration.nix | 4 -- 13 files changed, 60 insertions(+), 151 deletions(-) delete mode 100644 nixos/homes/palo/yubikey.nix diff --git a/flake.lock b/flake.lock index 048575d..e0f88c7 100644 --- a/flake.lock +++ b/flake.lock @@ -670,22 +670,6 @@ "type": "github" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1716655032, - "narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_2": { "locked": { "lastModified": 1645527175, @@ -764,22 +748,6 @@ } }, "nixpkgs_7": { - "locked": { - "lastModified": 1716651315, - "narHash": "sha256-iMgzIeedMqf30TXZ439zW3Yvng1Xm9QTGO+ZwG1IWSw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c5187508b11177ef4278edf19616f44f21cc8c69", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_8": { "locked": { "lastModified": 1716968199, "narHash": "sha256-vYbYTeWF4YMKYu6lHLQH+OagpubB9aZ1+V630h6qJr4=", 
@@ -873,18 +841,16 @@ }, "private_assets": { "locked": { + "dirtyRev": "2526dc099d13a5a2151039543c0ccef98d3f1b7b-dirty", + "dirtyShortRev": "2526dc0-dirty", "lastModified": 1716553175, - "narHash": "sha256-bR3s6w1CnBCDrgb7+ZUs5lyB7gpoREmh6IC7bLJCKVk=", - "ref": "main", - "rev": "2526dc099d13a5a2151039543c0ccef98d3f1b7b", - "revCount": 23, + "narHash": "sha256-xH2qgPBYnNHRSYTePMVI5Xqf0SKhInLBbkqG2Ad1rSA=", "type": "git", - "url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git" + "url": "file:///home/palo/dev/nixos/nixos-private-assets" }, "original": { - "ref": "main", "type": "git", - "url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git" + "url": "file:///home/palo/dev/nixos/nixos-private-assets" } }, "retiolum": { @@ -924,7 +890,6 @@ "private_assets": "private_assets", "retiolum": "retiolum", "secrets": "secrets", - "sops-nix": "sops-nix_2", "srvos": "srvos", "stylix": "stylix", "taskshell": "taskshell" @@ -971,28 +936,9 @@ "type": "github" } }, - "sops-nix_2": { - "inputs": { - "nixpkgs": "nixpkgs_7", - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1716692524, - "narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "962797a8d7f15ed7033031731d0bb77244839960", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, "srvos": { "inputs": { - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1717058062, diff --git a/flake.nix b/flake.nix index cae495c..f595174 100644 --- a/flake.nix +++ b/flake.nix @@ -35,8 +35,6 @@ url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git"; }; - sops-nix.url = "github:Mic92/sops-nix"; - home-manager-utils = { url = "github:mrvandalo/home-manager-utils"; inputs.home-manager.follows = "home-manager"; 
@@ -49,8 +47,8 @@ }; private_assets = { - #url = "git+file:///home/palo/dev/nixos/nixos-private-assets"; - url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git?ref=main"; + url = "git+file:///home/palo/dev/nixos/nixos-private-assets"; + #url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git?ref=main"; flake = true; }; @@ -119,7 +117,6 @@ , private_assets , retiolum , secrets - , sops-nix , srvos , stylix , taskshell @@ -183,10 +180,6 @@ imports = modules ++ defaultModules ++ [ ./nixos/machines/${name}/configuration.nix - # sops configuration - ({ lib, ... }: { - sops.defaultSopsFile = lib.mkForce "${secrets}/secrets/${name}.yaml"; - }) # clan core configuration ({ pkgs, ... }: { imports = [ @@ -196,6 +189,8 @@ inputs.clan-core.clanModules.zerotier-static-peers # Statically configure the host names of machines based on their respective zerotier-ip. inputs.clan-core.clanModules.static-hosts + # generate ssh host keys with facts + inputs.clan-core.clanModules.sshd ]; clan.static-hosts.topLevelDomain = "gummybear"; environment.systemPackages = [ @@ -331,6 +326,7 @@ nixos-hardware.nixosModules.framework-12th-gen-intel retiolum.nixosModules.retiolum private_assets.nixosModules.cream + private_assets.nixosModules.yubikey homeManagerModules stylixModules { home-manager.users.mainUser.gui.enable = true; } @@ -351,6 +347,7 @@ nixos-hardware.nixosModules.framework-13th-gen-intel homeManagerModules stylixModules + private_assets.nixosModules.yubikey { home-manager.users.mainUser.gui.enable = true; } { home-manager.users.mainUser = import ./nixos/homes/palo; diff --git a/nixos/components/gui/default.nix b/nixos/components/gui/default.nix index ec14126..b56602e 100644 --- a/nixos/components/gui/default.nix +++ b/nixos/components/gui/default.nix @@ -13,7 +13,7 @@ with lib; ./fonts.nix ./home-manager ./kmonad.nix - ./noti.nix + #./noti.nix ./pass.nix ./steam.nix ./suspend.nix 
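Review bot: `private_assets.url` now points at `git+file:///home/palo/dev/nixos/nixos-private-assets`, an absolute path on one workstation, and flake.lock correspondingly records a `dirtyRev` instead of a pinned `rev`, so a build or deploy from any other checkout or host cannot fetch the input and the lock no longer names a reproducible revision of the private assets. If the local checkout is only a convenience during this WIP, keep the `url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git?ref=main";` line active and override it locally with `--override-input private_assets`, so the committed flake stays buildable for everyone. The `private_assets.nixosModules.yubikey` lines added in the later hunks of this file depend on this input resolving as well.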
diff --git a/nixos/components/gui/noti.nix b/nixos/components/gui/noti.nix index 63eaa0e..9fcdcbe 100644 --- a/nixos/components/gui/noti.nix +++ b/nixos/components/gui/noti.nix @@ -1,4 +1,5 @@ # notify me when a command is finished +# todo : secret managment is shit { config, pkgs, lib, ... }: with lib; { diff --git a/nixos/components/network/tinc/private.nix b/nixos/components/network/tinc/private.nix index 4eefe5d..8823d47 100644 --- a/nixos/components/network/tinc/private.nix +++ b/nixos/components/network/tinc/private.nix @@ -58,12 +58,15 @@ in { networking.firewall.trustedInterfaces = [ "tinc.${network}" ]; - sops.secrets.tinc_ed25519_key = { }; + clanCore.facts.services.tinc_private = { + secret."tinc_private.ed25519_key" = { }; + generator.script = ""; + }; # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096" services.tinc.networks = { ${network} = { - ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path; + ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_private.secret."tinc_private.ed25519_key".path; interfaceType = "tap"; extraConfig = '' LocalDiscovery = yes 
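Review bot: `generator.script = ""` in the new `clanCore.facts.services.tinc_private` block gives the facts generator nothing that produces `tinc_private.ed25519_key`, yet `ed25519PrivateKeyFile` on the following hunk line already points at that secret's `.path`, so a fresh deployment would start tinc without a key. The generator should perform the key generation the `# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"` comment above describes and write the ed25519 private key to `$secrets/tinc_private.ed25519_key`, with something like `generator.path = with pkgs; [ tinc_pre ];` (assuming `pkgs` is bound in this module's argument set, which is outside the hunk). The same empty `generator.script = ""` appears in `nixos/machines/cherry/wireguard.nix` (already marked `# todo generator here`), where the WireGuard private key needs the equivalent `wg genkey` step. The enclosing module body continues outside this hunk.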
@@ -127,55 +130,4 @@ in networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") (hosts // subDomains)); - services.openssh.knownHosts = { - "orbi" = { - hostNames = [ - "orbi.${network}" - hosts.orbi - "orbi" - "95.216.66.212" - "git.ingolf-wagner.de" - ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTqV5ch4BokqDniDgCquRwfTz6aXXMTdZovIvqShfLV"; - }; - "robi" = { - hostNames = [ - "robi.${network}" - hosts.robi - "robi" - "144.76.13.147" - "taskd.ingolf-wagner.de" - ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV"; - }; - "sterni.${network}" = { - hostNames = [ "sterni.${network}" hosts.sterni ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht"; - }; - "cream.${network}" = { - hostNames = [ "cream.${network}" hosts.cream ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD"; - }; - "cherry.${network}" = { - hostNames = [ "cherry.${network}" hosts.cream ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUXkewyZ94A7CeCyVvN0KCqPn+8x1BZaGWMAojlfCXO"; - }; - "pepe.${network}" = { - hostNames = [ "pepe.${network}" hosts.pepe ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz"; - }; - "chungus.${network}" = { - hostNames = [ "chungus.${network}" hosts.chungus ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9jrbOJbgapreRjttyOKWv5vxGMThn7kAwlk8WnSyL9"; - }; - "bobi.${network}" = { - hostNames = [ "bobi.${network}" hosts.bobi ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk"; - }; - "mobi.${network}" = { - hostNames = [ "mobi.${network}" hosts.mobi ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk"; - }; - }; - } diff --git a/nixos/homes/palo/default.nix b/nixos/homes/palo/default.nix index 6cbfd6d..1591db2 100644 
--- a/nixos/homes/palo/default.nix +++ b/nixos/homes/palo/default.nix @@ -12,7 +12,6 @@ ./stylix.nix ./taskwarrior.nix ./tmux.nix - ./yubikey.nix ./zellij.nix ]; diff --git a/nixos/homes/palo/yubikey.nix b/nixos/homes/palo/yubikey.nix deleted file mode 100644 index 62a87eb..0000000 --- a/nixos/homes/palo/yubikey.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ pkgs, osConfig, ... }: -{ - pam.yubico.authorizedYubiKeys.path = toString osConfig.sops.secrets.yubikey_u2fAuthFile.path; -} diff --git a/nixos/machines/cherry/configuration.nix b/nixos/machines/cherry/configuration.nix index e7a2176..cb0ed09 100644 --- a/nixos/machines/cherry/configuration.nix +++ b/nixos/machines/cherry/configuration.nix @@ -19,8 +19,25 @@ ]; - sops.secrets.pushover_user_key = { }; - sops.secrets.pushover_api_key = { }; + #clanCore.facts.services = + # let + # promptKey = key: + # { + # ${key} = { + # secret."${key}" = { }; + # generator = { + # prompt = key; + # path = with pkgs; [ gnused ]; + # script = '' + # echo "$prompt_value" | sed -n '1 p' > $secrets/${key} + # ''; + # }; + # }; + # }; + # in + # (promptKey "pushover.user_key") // + # (promptKey "pushover.api_key"); + components.gui.enable = true; components.mainUser.enable = true; @@ -36,8 +53,6 @@ #components.monitor.opentelemetry.exporter.debug = "logs"; - sops.secrets.yubikey_u2fAuthFile = { }; - home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ]; home-manager.users.mainUser.bugwarrior.config = { general = { diff --git a/nixos/machines/cherry/syncthing.nix b/nixos/machines/cherry/syncthing.nix index 02ba6d1..c18bf6e 100644 --- a/nixos/machines/cherry/syncthing.nix +++ b/nixos/machines/cherry/syncthing.nix @@ -1,7 +1,5 @@ { config, pkgs, lib, ... }: { - #sops.secrets.syncthing_cert = { }; - #sops.secrets.syncthing_key = { }; services.syncthing = { enable = true; 
@@ -9,8 +7,6 @@ user = "palo"; dataDir = "/home/palo/.syncthing"; configDir = "/home/palo/.syncthing"; - #cert = toString config.sops.secrets.syncthing_cert.path; - #key = toString config.sops.secrets.syncthing_key.path; overrideFolders = true; settings.folders = { diff --git a/nixos/machines/cherry/tinc.nix b/nixos/machines/cherry/tinc.nix index a2754ce..a0af53d 100644 --- a/nixos/machines/cherry/tinc.nix +++ b/nixos/machines/cherry/tinc.nix @@ -4,7 +4,7 @@ tinc.private.enable = true; tinc.private.ipv4 = "10.23.42.29"; - tinc.secret.enable = true; - tinc.secret.ipv4 = "10.123.42.29"; + #tinc.secret.enable = true; + #tinc.secret.ipv4 = "10.123.42.29"; } diff --git a/nixos/machines/cherry/wireguard.nix b/nixos/machines/cherry/wireguard.nix index bf3609c..4d89bd7 100644 --- a/nixos/machines/cherry/wireguard.nix +++ b/nixos/machines/cherry/wireguard.nix @@ -1,7 +1,11 @@ { config, ... }: { - #networking.firewall.allowedUDPPorts = [ 51820 ]; - sops.secrets.wireguard_private = { }; + + # todo generator here + clanCore.facts.services.wireguard = { + secret."wireguard.private" = { }; + generator.script = ""; + }; # Enable WireGuard networking.wg-quick.interfaces = { @@ -10,12 +14,14 @@ wg0 = { address = [ "10.100.0.7/32" ]; listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) - privateKeyFile = config.sops.secrets.wireguard_private.path; + privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.private".path; + mtu = 1280; peers = [ { # robi + # todo : use public facts here publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU="; allowedIPs = [ "10.100.0.1/24" ]; #endpoint = "ingolf-wagner.de:51820"; diff --git a/nixos/machines/chungus/sync-syncoid.nix b/nixos/machines/chungus/sync-syncoid.nix index 1451e9e..666cbfe 100644 --- a/nixos/machines/chungus/sync-syncoid.nix +++ b/nixos/machines/chungus/sync-syncoid.nix 
@@ -1,9 +1,14 @@ { config, ... }: { - sops.secrets.syncoid_private_key = { - key = "rsync_private_key"; - owner = config.services.syncoid.user; + clanCore.facts.services.syncoid = { + secret."syncoid.ssh.id_ed25519" = { }; + public."syncoid.ssh.id_ed25519.pub" = { }; + generator.path = with pkgs; [ coreutils openssh ]; + generator.script = '' + ssh-keygen -t ed25519 -N "" -f $secrets/syncoid.ssh.id_ed25519 + mv $secrets/ssh.id_ed25519.pub $facts/syncoid.ssh.id_ed25519.pub + ''; }; services.syncoid = { @@ -25,17 +30,17 @@ # remote commands.matrix-terranix = { - sshKey = config.sops.secrets.syncoid_private_key.path; + sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path; source = "root@orbi:zroot/matrix-terranix"; target = "zraid/mirror/matrix-terranix"; # should not be created up front! }; commands.nextcloud = { - sshKey = config.sops.secrets.syncoid_private_key.path; + sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path; source = "root@orbi:zroot/nextcloud"; target = "zraid/mirror/nextcloud"; # should not be created up front! }; commands.photoprism = { - sshKey = config.sops.secrets.syncoid_private_key.path; + sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path; source = "root@orbi:zmedia/photoprism"; target = "zraid/mirror/photoprism"; # should not be created up front! }; diff --git a/nixos/machines/cream/configuration.nix b/nixos/machines/cream/configuration.nix index 1cb5e6c..85dabd1 100644 --- a/nixos/machines/cream/configuration.nix +++ b/nixos/machines/cream/configuration.nix @@ -43,10 +43,6 @@ components.monitor.opentelemetry.exporter.endpoint = "10.100.0.1:4317"; # orbi components.monitor.exporters.zfs.enable = false; - - sops.secrets.yubikey_u2fAuthFile = { }; - - home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ]; home-manager.users.mainUser.bugwarrior.config = { general = {
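Review bot: The generator in the new `clanCore.facts.services.syncoid` block cannot succeed as written: `ssh-keygen -f $secrets/syncoid.ssh.id_ed25519` writes the public half to `$secrets/syncoid.ssh.id_ed25519.pub`, but the next line moves `$secrets/ssh.id_ed25519.pub`, which does not exist. The module header in the hunk's context is still `{ config, ... }:`, so `generator.path = with pkgs; [ coreutils openssh ];` also references an unbound `pkgs`; suggested lines: `{ config, pkgs, ... }:` and `mv $secrets/syncoid.ssh.id_ed25519.pub $facts/syncoid.ssh.id_ed25519.pub`. The removed sops declaration set `owner = config.services.syncoid.user`, and nothing in the replacement carries that over, so confirm the syncoid user can read the deployed secret path used by the `sshKey` lines in the following hunk. Separately, the `services.openssh.knownHosts` entry pinning orbi's host key is deleted elsewhere in this commit (nixos/components/network/tinc/private.nix), so check what now verifies the `root@orbi` host key for these transfers.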