sops -> pass : cherry works (wip)

This commit is contained in:
Ingolf Wagner 2024-05-31 21:02:22 +02:00
parent 903674fd7c
commit 529fa4ad6a
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
13 changed files with 60 additions and 151 deletions


@ -670,22 +670,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1716655032,
"narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1645527175, "lastModified": 1645527175,
@ -764,22 +748,6 @@
} }
}, },
"nixpkgs_7": { "nixpkgs_7": {
"locked": {
"lastModified": 1716651315,
"narHash": "sha256-iMgzIeedMqf30TXZ439zW3Yvng1Xm9QTGO+ZwG1IWSw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c5187508b11177ef4278edf19616f44f21cc8c69",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_8": {
"locked": { "locked": {
"lastModified": 1716968199, "lastModified": 1716968199,
"narHash": "sha256-vYbYTeWF4YMKYu6lHLQH+OagpubB9aZ1+V630h6qJr4=", "narHash": "sha256-vYbYTeWF4YMKYu6lHLQH+OagpubB9aZ1+V630h6qJr4=",
@ -873,18 +841,16 @@
}, },
"private_assets": { "private_assets": {
"locked": { "locked": {
"dirtyRev": "2526dc099d13a5a2151039543c0ccef98d3f1b7b-dirty",
"dirtyShortRev": "2526dc0-dirty",
"lastModified": 1716553175, "lastModified": 1716553175,
"narHash": "sha256-bR3s6w1CnBCDrgb7+ZUs5lyB7gpoREmh6IC7bLJCKVk=", "narHash": "sha256-xH2qgPBYnNHRSYTePMVI5Xqf0SKhInLBbkqG2Ad1rSA=",
"ref": "main",
"rev": "2526dc099d13a5a2151039543c0ccef98d3f1b7b",
"revCount": 23,
"type": "git", "type": "git",
"url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git" "url": "file:///home/palo/dev/nixos/nixos-private-assets"
}, },
"original": { "original": {
"ref": "main",
"type": "git", "type": "git",
"url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git" "url": "file:///home/palo/dev/nixos/nixos-private-assets"
} }
}, },
"retiolum": { "retiolum": {
@ -924,7 +890,6 @@
"private_assets": "private_assets", "private_assets": "private_assets",
"retiolum": "retiolum", "retiolum": "retiolum",
"secrets": "secrets", "secrets": "secrets",
"sops-nix": "sops-nix_2",
"srvos": "srvos", "srvos": "srvos",
"stylix": "stylix", "stylix": "stylix",
"taskshell": "taskshell" "taskshell": "taskshell"
@ -971,28 +936,9 @@
"type": "github" "type": "github"
} }
}, },
"sops-nix_2": {
"inputs": {
"nixpkgs": "nixpkgs_7",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1716692524,
"narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "962797a8d7f15ed7033031731d0bb77244839960",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"srvos": { "srvos": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_8" "nixpkgs": "nixpkgs_7"
}, },
"locked": { "locked": {
"lastModified": 1717058062, "lastModified": 1717058062,


@ -35,8 +35,6 @@
url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git"; url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git";
}; };
sops-nix.url = "github:Mic92/sops-nix";
home-manager-utils = { home-manager-utils = {
url = "github:mrvandalo/home-manager-utils"; url = "github:mrvandalo/home-manager-utils";
inputs.home-manager.follows = "home-manager"; inputs.home-manager.follows = "home-manager";
@ -49,8 +47,8 @@
}; };
private_assets = { private_assets = {
#url = "git+file:///home/palo/dev/nixos/nixos-private-assets"; url = "git+file:///home/palo/dev/nixos/nixos-private-assets";
url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git?ref=main"; #url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git?ref=main";
flake = true; flake = true;
}; };
@ -119,7 +117,6 @@
, private_assets , private_assets
, retiolum , retiolum
, secrets , secrets
, sops-nix
, srvos , srvos
, stylix , stylix
, taskshell , taskshell
@ -183,10 +180,6 @@
imports = modules ++ defaultModules ++ [ imports = modules ++ defaultModules ++ [
./nixos/machines/${name}/configuration.nix ./nixos/machines/${name}/configuration.nix
# sops configuration
({ lib, ... }: {
sops.defaultSopsFile = lib.mkForce "${secrets}/secrets/${name}.yaml";
})
# clan core configuration # clan core configuration
({ pkgs, ... }: { ({ pkgs, ... }: {
imports = [ imports = [
@ -196,6 +189,8 @@
inputs.clan-core.clanModules.zerotier-static-peers inputs.clan-core.clanModules.zerotier-static-peers
# Statically configure the host names of machines based on their respective zerotier-ip. # Statically configure the host names of machines based on their respective zerotier-ip.
inputs.clan-core.clanModules.static-hosts inputs.clan-core.clanModules.static-hosts
# generate ssh host keys with facts
inputs.clan-core.clanModules.sshd
]; ];
clan.static-hosts.topLevelDomain = "gummybear"; clan.static-hosts.topLevelDomain = "gummybear";
environment.systemPackages = [ environment.systemPackages = [
@ -331,6 +326,7 @@
nixos-hardware.nixosModules.framework-12th-gen-intel nixos-hardware.nixosModules.framework-12th-gen-intel
retiolum.nixosModules.retiolum retiolum.nixosModules.retiolum
private_assets.nixosModules.cream private_assets.nixosModules.cream
private_assets.nixosModules.yubikey
homeManagerModules homeManagerModules
stylixModules stylixModules
{ home-manager.users.mainUser.gui.enable = true; } { home-manager.users.mainUser.gui.enable = true; }
@ -351,6 +347,7 @@
nixos-hardware.nixosModules.framework-13th-gen-intel nixos-hardware.nixosModules.framework-13th-gen-intel
homeManagerModules homeManagerModules
stylixModules stylixModules
private_assets.nixosModules.yubikey
{ home-manager.users.mainUser.gui.enable = true; } { home-manager.users.mainUser.gui.enable = true; }
{ {
home-manager.users.mainUser = import ./nixos/homes/palo; home-manager.users.mainUser = import ./nixos/homes/palo;
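Review bot: The second hunk switches the `private_assets` input to `git+file:///home/palo/dev/nixos/nixos-private-assets`, an absolute path on one workstation, so the flake no longer evaluates anywhere else and the private-assets content is no longer tied to a reviewable commit (the `private_assets` hunk of the lock file in this commit appears to record a `-dirty` checkout with the `rev`, `ref` and `revCount` fields gone). Given the `(wip)` title this is probably a deliberate local override, but the ssh URL should be restored and the lock re-pinned before this lands, otherwise whatever happens to be in that working tree is what gets deployed, with no provenance trail. A one-line `# local override while migrating to facts — do not merge` comment above the swapped URL would make the intent explicit to anyone reading the history.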


@ -13,7 +13,7 @@ with lib;
./fonts.nix ./fonts.nix
./home-manager ./home-manager
./kmonad.nix ./kmonad.nix
./noti.nix #./noti.nix
./pass.nix ./pass.nix
./steam.nix ./steam.nix
./suspend.nix ./suspend.nix


@ -1,4 +1,5 @@
# notify me when a command is finished # notify me when a command is finished
# todo : secret managment is shit
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
with lib; with lib;
{ {


@ -58,12 +58,15 @@ in
{ {
networking.firewall.trustedInterfaces = [ "tinc.${network}" ]; networking.firewall.trustedInterfaces = [ "tinc.${network}" ];
sops.secrets.tinc_ed25519_key = { }; clanCore.facts.services.tinc_private = {
secret."tinc_private.ed25519_key" = { };
generator.script = "";
};
# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096" # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
services.tinc.networks = { services.tinc.networks = {
${network} = { ${network} = {
ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path; ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_private.secret."tinc_private.ed25519_key".path;
interfaceType = "tap"; interfaceType = "tap";
extraConfig = '' extraConfig = ''
LocalDiscovery = yes LocalDiscovery = yes
@ -127,55 +130,4 @@ in
networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") (hosts // subDomains)); networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") (hosts // subDomains));
services.openssh.knownHosts = {
"orbi" = {
hostNames = [
"orbi.${network}"
hosts.orbi
"orbi"
"95.216.66.212"
"git.ingolf-wagner.de"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTqV5ch4BokqDniDgCquRwfTz6aXXMTdZovIvqShfLV";
};
"robi" = {
hostNames = [
"robi.${network}"
hosts.robi
"robi"
"144.76.13.147"
"taskd.ingolf-wagner.de"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
};
"sterni.${network}" = {
hostNames = [ "sterni.${network}" hosts.sterni ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
};
"cream.${network}" = {
hostNames = [ "cream.${network}" hosts.cream ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
};
"cherry.${network}" = {
hostNames = [ "cherry.${network}" hosts.cream ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUXkewyZ94A7CeCyVvN0KCqPn+8x1BZaGWMAojlfCXO";
};
"pepe.${network}" = {
hostNames = [ "pepe.${network}" hosts.pepe ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
};
"chungus.${network}" = {
hostNames = [ "chungus.${network}" hosts.chungus ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9jrbOJbgapreRjttyOKWv5vxGMThn7kAwlk8WnSyL9";
};
"bobi.${network}" = {
hostNames = [ "bobi.${network}" hosts.bobi ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
};
"mobi.${network}" = {
hostNames = [ "mobi.${network}" hosts.mobi ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
};
};
} }
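Review bot: The second hunk drops the whole `services.openssh.knownHosts` block, which pinned the ed25519 host keys for orbi and robi (including the `git.ingolf-wagner.de` and `taskd.ingolf-wagner.de` names) and for the tinc peers; unless something else now supplies equivalent pins, SSH clients on these hosts — including the `root@orbi` syncoid pulls and the git+ssh flake input touched elsewhere in this commit — fall back to first-use trust or fail non-interactively. That removal is unrelated to the sops-to-facts switch the commit title describes and deserves either a sentence in the message or a follow-up that restores the pins. In the first hunk, `generator.script = "";` under `clanCore.facts.services.tinc_private` creates no key at all, while `ed25519PrivateKeyFile` on the same hunk still points at that secret's path; the wireguard module in this commit carries the same placeholder. The enclosing module body starts before and continues past both hunks.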


@ -12,7 +12,6 @@
./stylix.nix ./stylix.nix
./taskwarrior.nix ./taskwarrior.nix
./tmux.nix ./tmux.nix
./yubikey.nix
./zellij.nix ./zellij.nix
]; ];


@ -1,4 +0,0 @@
{ pkgs, osConfig, ... }:
{
pam.yubico.authorizedYubiKeys.path = toString osConfig.sops.secrets.yubikey_u2fAuthFile.path;
}


@ -19,8 +19,25 @@
]; ];
sops.secrets.pushover_user_key = { }; #clanCore.facts.services =
sops.secrets.pushover_api_key = { }; # let
# promptKey = key:
# {
# ${key} = {
# secret."${key}" = { };
# generator = {
# prompt = key;
# path = with pkgs; [ gnused ];
# script = ''
# echo "$prompt_value" | sed -n '1 p' > $secrets/${key}
# '';
# };
# };
# };
# in
# (promptKey "pushover.user_key") //
# (promptKey "pushover.api_key");
components.gui.enable = true; components.gui.enable = true;
components.mainUser.enable = true; components.mainUser.enable = true;
@ -36,8 +53,6 @@
#components.monitor.opentelemetry.exporter.debug = "logs"; #components.monitor.opentelemetry.exporter.debug = "logs";
sops.secrets.yubikey_u2fAuthFile = { };
home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ]; home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
home-manager.users.mainUser.bugwarrior.config = { home-manager.users.mainUser.bugwarrior.config = {
general = { general = {


@ -1,7 +1,5 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
#sops.secrets.syncthing_cert = { };
#sops.secrets.syncthing_key = { };
services.syncthing = { services.syncthing = {
enable = true; enable = true;
@ -9,8 +7,6 @@
user = "palo"; user = "palo";
dataDir = "/home/palo/.syncthing"; dataDir = "/home/palo/.syncthing";
configDir = "/home/palo/.syncthing"; configDir = "/home/palo/.syncthing";
#cert = toString config.sops.secrets.syncthing_cert.path;
#key = toString config.sops.secrets.syncthing_key.path;
overrideFolders = true; overrideFolders = true;
settings.folders = { settings.folders = {


@ -4,7 +4,7 @@
tinc.private.enable = true; tinc.private.enable = true;
tinc.private.ipv4 = "10.23.42.29"; tinc.private.ipv4 = "10.23.42.29";
tinc.secret.enable = true; #tinc.secret.enable = true;
tinc.secret.ipv4 = "10.123.42.29"; #tinc.secret.ipv4 = "10.123.42.29";
} }


@ -1,7 +1,11 @@
{ config, ... }: { config, ... }:
{ {
#networking.firewall.allowedUDPPorts = [ 51820 ];
sops.secrets.wireguard_private = { }; # todo generator here
clanCore.facts.services.wireguard = {
secret."wireguard.private" = { };
generator.script = "";
};
# Enable WireGuard # Enable WireGuard
networking.wg-quick.interfaces = { networking.wg-quick.interfaces = {
@ -10,12 +14,14 @@
wg0 = { wg0 = {
address = [ "10.100.0.7/32" ]; address = [ "10.100.0.7/32" ];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.sops.secrets.wireguard_private.path; privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.private".path;
mtu = 1280; mtu = 1280;
peers = [ peers = [
{ {
# robi # robi
# todo : use public facts here
publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU="; publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
allowedIPs = [ "10.100.0.1/24" ]; allowedIPs = [ "10.100.0.1/24" ];
#endpoint = "ingolf-wagner.de:51820"; #endpoint = "ingolf-wagner.de:51820";
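Review bot: `generator.script = "";` in the new `clanCore.facts.services.wireguard` block never produces the `wireguard.private` secret, yet `privateKeyFile` in the second hunk now points at its path, so once the sops secret is gone wg-quick presumably has no key to load. The module header kept as context is still `{ config, ... }:`, so a generator that needs a package also requires `pkgs` in the argument set. Following the pattern the syncoid service uses in this commit, the generator below creates the private key with wg genkey and publishes the matching public key as a fact, which also resolves the `# todo : use public facts here` for the peer side; the peer configured on robi will need the newly generated public key. `networking.wg-quick.interfaces` continues past the hunk.

```nix
{ config, pkgs, ... }:
{
  clanCore.facts.services.wireguard = {
    secret."wireguard.private" = { };
    public."wireguard.public" = { };
    generator.path = with pkgs; [ wireguard-tools ];
    generator.script = ''
      wg genkey > $secrets/wireguard.private
      wg pubkey < $secrets/wireguard.private > $facts/wireguard.public
    '';
  };
  # … unchanged: networking.wg-quick.interfaces …
```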


@ -1,9 +1,14 @@
{ config, ... }: { config, ... }:
{ {
sops.secrets.syncoid_private_key = { clanCore.facts.services.syncoid = {
key = "rsync_private_key"; secret."syncoid.ssh.id_ed25519" = { };
owner = config.services.syncoid.user; public."syncoid.ssh.id_ed25519.pub" = { };
generator.path = with pkgs; [ coreutils openssh ];
generator.script = ''
ssh-keygen -t ed25519 -N "" -f $secrets/syncoid.ssh.id_ed25519
mv $secrets/ssh.id_ed25519.pub $facts/syncoid.ssh.id_ed25519.pub
'';
}; };
services.syncoid = { services.syncoid = {
@ -25,17 +30,17 @@
# remote # remote
commands.matrix-terranix = { commands.matrix-terranix = {
sshKey = config.sops.secrets.syncoid_private_key.path; sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
source = "root@orbi:zroot/matrix-terranix"; source = "root@orbi:zroot/matrix-terranix";
target = "zraid/mirror/matrix-terranix"; # should not be created up front! target = "zraid/mirror/matrix-terranix"; # should not be created up front!
}; };
commands.nextcloud = { commands.nextcloud = {
sshKey = config.sops.secrets.syncoid_private_key.path; sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
source = "root@orbi:zroot/nextcloud"; source = "root@orbi:zroot/nextcloud";
target = "zraid/mirror/nextcloud"; # should not be created up front! target = "zraid/mirror/nextcloud"; # should not be created up front!
}; };
commands.photoprism = { commands.photoprism = {
sshKey = config.sops.secrets.syncoid_private_key.path; sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
source = "root@orbi:zmedia/photoprism"; source = "root@orbi:zmedia/photoprism";
target = "zraid/mirror/photoprism"; # should not be created up front! target = "zraid/mirror/photoprism"; # should not be created up front!
}; };
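Review bot: The generator script in the first hunk moves `$secrets/ssh.id_ed25519.pub`, but `ssh-keygen -f $secrets/syncoid.ssh.id_ed25519` writes the public half as `$secrets/syncoid.ssh.id_ed25519.pub`, so the mv fails and the public fact is never produced; the line should read `mv $secrets/syncoid.ssh.id_ed25519.pub $facts/syncoid.ssh.id_ed25519.pub`. `generator.path = with pkgs; [ coreutils openssh ];` also references `pkgs`, while the module header kept as context is `{ config, ... }:`, so this will not evaluate until it becomes `{ config, pkgs, ... }:`. The removed sops declaration carried `owner = config.services.syncoid.user;` and the facts secret declares no equivalent, so the key may end up readable only by root and unusable by the syncoid user — worth confirming how the facts module sets secret ownership before relying on the three `sshKey` paths in the second hunk. The `services.syncoid` attribute set continues outside the hunks.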


@ -43,10 +43,6 @@
components.monitor.opentelemetry.exporter.endpoint = "10.100.0.1:4317"; # orbi components.monitor.opentelemetry.exporter.endpoint = "10.100.0.1:4317"; # orbi
components.monitor.exporters.zfs.enable = false; components.monitor.exporters.zfs.enable = false;
sops.secrets.yubikey_u2fAuthFile = { };
home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ]; home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
home-manager.users.mainUser.bugwarrior.config = { home-manager.users.mainUser.bugwarrior.config = {
general = { general = {