sops -> pass : cherry works (wip)

2024-05-31 21:02:22 +02:00 · 2024-05-31 21:02:22 +02:00 · 529fa4ad6a
commit 529fa4ad6a
parent 903674fd7c
13 changed files with 60 additions and 151 deletions
--- a/flake.lock
+++ b/flake.lock
@ -670,22 +670,6 @@
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1716655032,
        "narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1645527175,
@ -764,22 +748,6 @@
      }
    },
    "nixpkgs_7": {
      "locked": {
        "lastModified": 1716651315,
        "narHash": "sha256-iMgzIeedMqf30TXZ439zW3Yvng1Xm9QTGO+ZwG1IWSw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "c5187508b11177ef4278edf19616f44f21cc8c69",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_8": {
      "locked": {
        "lastModified": 1716968199,
        "narHash": "sha256-vYbYTeWF4YMKYu6lHLQH+OagpubB9aZ1+V630h6qJr4=",
@ -873,18 +841,16 @@
    },
    "private_assets": {
      "locked": {
        "dirtyRev": "2526dc099d13a5a2151039543c0ccef98d3f1b7b-dirty",
        "dirtyShortRev": "2526dc0-dirty",
        "lastModified": 1716553175,
-        "narHash": "sha256-bR3s6w1CnBCDrgb7+ZUs5lyB7gpoREmh6IC7bLJCKVk=",
+        "narHash": "sha256-xH2qgPBYnNHRSYTePMVI5Xqf0SKhInLBbkqG2Ad1rSA=",
        "ref": "main",
        "rev": "2526dc099d13a5a2151039543c0ccef98d3f1b7b",
        "revCount": 23,
        "type": "git",
-        "url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git"
+        "url": "file:///home/palo/dev/nixos/nixos-private-assets"
      },
      "original": {
        "ref": "main",
        "type": "git",
-        "url": "ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git"
+        "url": "file:///home/palo/dev/nixos/nixos-private-assets"
      }
    },
    "retiolum": {
@ -924,7 +890,6 @@
        "private_assets": "private_assets",
        "retiolum": "retiolum",
        "secrets": "secrets",
        "sops-nix": "sops-nix_2",
        "srvos": "srvos",
        "stylix": "stylix",
        "taskshell": "taskshell"
@ -971,28 +936,9 @@
        "type": "github"
      }
    },
    "sops-nix_2": {
      "inputs": {
        "nixpkgs": "nixpkgs_7",
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
        "lastModified": 1716692524,
        "narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "962797a8d7f15ed7033031731d0bb77244839960",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "srvos": {
      "inputs": {
-        "nixpkgs": "nixpkgs_8"
+        "nixpkgs": "nixpkgs_7"
      },
      "locked": {
        "lastModified": 1717058062,
--- a/flake.nix
+++ b/flake.nix
@ -35,8 +35,6 @@
      url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git";
    };
    sops-nix.url = "github:Mic92/sops-nix";
    home-manager-utils = {
      url = "github:mrvandalo/home-manager-utils";
      inputs.home-manager.follows = "home-manager";
@ -49,8 +47,8 @@
    };
    private_assets = {
-      #url = "git+file:///home/palo/dev/nixos/nixos-private-assets";
+      url = "git+file:///home/palo/dev/nixos/nixos-private-assets";
-      url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git?ref=main";
+      #url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-assets.git?ref=main";
      flake = true;
    };
@ -119,7 +117,6 @@
    , private_assets
    , retiolum
    , secrets
    , sops-nix
    , srvos
    , stylix
    , taskshell
@ -183,10 +180,6 @@
          imports = modules ++ defaultModules ++ [
            ./nixos/machines/${name}/configuration.nix
            # sops configuration
            ({ lib, ... }: {
              sops.defaultSopsFile = lib.mkForce "${secrets}/secrets/${name}.yaml";
            })
            # clan core configuration
            ({ pkgs, ... }: {
              imports = [
@ -196,6 +189,8 @@
                inputs.clan-core.clanModules.zerotier-static-peers
                # Statically configure the host names of machines based on their respective zerotier-ip.
                inputs.clan-core.clanModules.static-hosts
                # generate ssh host keys with facts
                inputs.clan-core.clanModules.sshd
              ];
              clan.static-hosts.topLevelDomain = "gummybear";
              environment.systemPackages = [
@ -331,6 +326,7 @@
              nixos-hardware.nixosModules.framework-12th-gen-intel
              retiolum.nixosModules.retiolum
              private_assets.nixosModules.cream
              private_assets.nixosModules.yubikey
              homeManagerModules
              stylixModules
              { home-manager.users.mainUser.gui.enable = true; }
@ -351,6 +347,7 @@
              nixos-hardware.nixosModules.framework-13th-gen-intel
              homeManagerModules
              stylixModules
              private_assets.nixosModules.yubikey
              { home-manager.users.mainUser.gui.enable = true; }
              {
                home-manager.users.mainUser = import ./nixos/homes/palo;
--- a/nixos/components/gui/default.nix
+++ b/nixos/components/gui/default.nix
@ -13,7 +13,7 @@ with lib;
    ./fonts.nix
    ./home-manager
    ./kmonad.nix
-    ./noti.nix
+    #./noti.nix
    ./pass.nix
    ./steam.nix
    ./suspend.nix
--- a/nixos/components/gui/noti.nix
+++ b/nixos/components/gui/noti.nix
@ -1,4 +1,5 @@
 # notify me when a command is finished
 # todo : secret managment is shit
 { config, pkgs, lib, ... }:
 with lib;
 {
--- a/nixos/components/network/tinc/private.nix
+++ b/nixos/components/network/tinc/private.nix
@ -58,12 +58,15 @@ in
 {
  networking.firewall.trustedInterfaces = [ "tinc.${network}" ];
-  sops.secrets.tinc_ed25519_key = { };
+  clanCore.facts.services.tinc_private = {
    secret."tinc_private.ed25519_key" = { };
    generator.script = "";
  };
  #  nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
  services.tinc.networks = {
    ${network} = {
-      ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
+      ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_private.secret."tinc_private.ed25519_key".path;
      interfaceType = "tap";
      extraConfig = ''
        LocalDiscovery = yes
@ -127,55 +130,4 @@ in
  networking.extraHosts = concatStringsSep "\n" (mapAttrsToList (name: ip: "${ip} ${name}.${network}") (hosts // subDomains));
  services.openssh.knownHosts = {
    "orbi" = {
      hostNames = [
        "orbi.${network}"
        hosts.orbi
        "orbi"
        "95.216.66.212"
        "git.ingolf-wagner.de"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTqV5ch4BokqDniDgCquRwfTz6aXXMTdZovIvqShfLV";
    };
    "robi" = {
      hostNames = [
        "robi.${network}"
        hosts.robi
        "robi"
        "144.76.13.147"
        "taskd.ingolf-wagner.de"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
    };
    "sterni.${network}" = {
      hostNames = [ "sterni.${network}" hosts.sterni ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
    };
    "cream.${network}" = {
      hostNames = [ "cream.${network}" hosts.cream ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
    };
    "cherry.${network}" = {
      hostNames = [ "cherry.${network}" hosts.cream ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUXkewyZ94A7CeCyVvN0KCqPn+8x1BZaGWMAojlfCXO";
    };
    "pepe.${network}" = {
      hostNames = [ "pepe.${network}" hosts.pepe ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
    };
    "chungus.${network}" = {
      hostNames = [ "chungus.${network}" hosts.chungus ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9jrbOJbgapreRjttyOKWv5vxGMThn7kAwlk8WnSyL9";
    };
    "bobi.${network}" = {
      hostNames = [ "bobi.${network}" hosts.bobi ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0haepNVEaocfWh6kwVc4QsSg2iqO5k+hjarphBqMVk";
    };
    "mobi.${network}" = {
      hostNames = [ "mobi.${network}" hosts.mobi ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
    };
  };
 }
--- a/nixos/homes/palo/default.nix
+++ b/nixos/homes/palo/default.nix
@ -12,7 +12,6 @@
    ./stylix.nix
    ./taskwarrior.nix
    ./tmux.nix
    ./yubikey.nix
    ./zellij.nix
  ];
--- a/nixos/homes/palo/yubikey.nix
+++ b/nixos/homes/palo/yubikey.nix
@ -1,4 +0,0 @@
 { pkgs, osConfig, ... }:
 {
  pam.yubico.authorizedYubiKeys.path = toString osConfig.sops.secrets.yubikey_u2fAuthFile.path;
 }
--- a/nixos/machines/cherry/configuration.nix
+++ b/nixos/machines/cherry/configuration.nix
@ -19,8 +19,25 @@
  ];
-  sops.secrets.pushover_user_key = { };
+  #clanCore.facts.services =
-  sops.secrets.pushover_api_key = { };
+  #  let
  #    promptKey = key:
  #      {
  #        ${key} = {
  #          secret."${key}" = { };
  #          generator = {
  #            prompt = key;
  #            path = with pkgs; [ gnused ];
  #            script = ''
  #              echo "$prompt_value" | sed -n '1 p' > $secrets/${key}
  #            '';
  #          };
  #        };
  #      };
  #  in
  #  (promptKey "pushover.user_key") //
  #  (promptKey "pushover.api_key");
  components.gui.enable = true;
  components.mainUser.enable = true;
@ -36,8 +53,6 @@
  #components.monitor.opentelemetry.exporter.debug = "logs";
  sops.secrets.yubikey_u2fAuthFile = { };
  home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
  home-manager.users.mainUser.bugwarrior.config = {
    general = {
--- a/nixos/machines/cherry/syncthing.nix
+++ b/nixos/machines/cherry/syncthing.nix
@ -1,7 +1,5 @@
 { config, pkgs, lib, ... }: {
  #sops.secrets.syncthing_cert = { };
  #sops.secrets.syncthing_key = { };
  services.syncthing = {
    enable = true;
@ -9,8 +7,6 @@
    user = "palo";
    dataDir = "/home/palo/.syncthing";
    configDir = "/home/palo/.syncthing";
    #cert = toString config.sops.secrets.syncthing_cert.path;
    #key = toString config.sops.secrets.syncthing_key.path;
    overrideFolders = true;
    settings.folders = {
--- a/nixos/machines/cherry/tinc.nix
+++ b/nixos/machines/cherry/tinc.nix
@ -4,7 +4,7 @@
  tinc.private.enable = true;
  tinc.private.ipv4 = "10.23.42.29";
-  tinc.secret.enable = true;
+  #tinc.secret.enable = true;
-  tinc.secret.ipv4 = "10.123.42.29";
+  #tinc.secret.ipv4 = "10.123.42.29";
 }
--- a/nixos/machines/cherry/wireguard.nix
+++ b/nixos/machines/cherry/wireguard.nix
@ -1,7 +1,11 @@
 { config, ... }:
 {
-  #networking.firewall.allowedUDPPorts = [ 51820 ];
+
-  sops.secrets.wireguard_private = { };
+  # todo generator here
  clanCore.facts.services.wireguard = {
    secret."wireguard.private" = { };
    generator.script = "";
  };
  # Enable WireGuard
  networking.wg-quick.interfaces = {
@ -10,12 +14,14 @@
    wg0 = {
      address = [ "10.100.0.7/32" ];
      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-      privateKeyFile = config.sops.secrets.wireguard_private.path;
+      privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.private".path;
      mtu = 1280;
      peers = [
        {
          # robi
          # todo : use public facts here
          publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
          allowedIPs = [ "10.100.0.1/24" ];
          #endpoint = "ingolf-wagner.de:51820";
--- a/nixos/machines/chungus/sync-syncoid.nix
+++ b/nixos/machines/chungus/sync-syncoid.nix
@ -1,9 +1,14 @@
 { config, ... }:
 {
-  sops.secrets.syncoid_private_key = {
+  clanCore.facts.services.syncoid = {
-    key = "rsync_private_key";
+    secret."syncoid.ssh.id_ed25519" = { };
-    owner = config.services.syncoid.user;
+    public."syncoid.ssh.id_ed25519.pub" = { };
    generator.path = with pkgs; [ coreutils openssh ];
    generator.script = ''
      ssh-keygen -t ed25519 -N "" -f $secrets/syncoid.ssh.id_ed25519
      mv $secrets/ssh.id_ed25519.pub $facts/syncoid.ssh.id_ed25519.pub
    '';
  };
  services.syncoid = {
@ -25,17 +30,17 @@
    # remote
    commands.matrix-terranix = {
-      sshKey = config.sops.secrets.syncoid_private_key.path;
+      sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
      source = "root@orbi:zroot/matrix-terranix";
      target = "zraid/mirror/matrix-terranix"; # should not be created up front!
    };
    commands.nextcloud = {
-      sshKey = config.sops.secrets.syncoid_private_key.path;
+      sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
      source = "root@orbi:zroot/nextcloud";
      target = "zraid/mirror/nextcloud"; # should not be created up front!
    };
    commands.photoprism = {
-      sshKey = config.sops.secrets.syncoid_private_key.path;
+      sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
      source = "root@orbi:zmedia/photoprism";
      target = "zraid/mirror/photoprism"; # should not be created up front!
    };
--- a/nixos/machines/cream/configuration.nix
+++ b/nixos/machines/cream/configuration.nix
@ -43,10 +43,6 @@
  components.monitor.opentelemetry.exporter.endpoint = "10.100.0.1:4317"; # orbi
  components.monitor.exporters.zfs.enable = false;
  sops.secrets.yubikey_u2fAuthFile = { };
  home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
  home-manager.users.mainUser.bugwarrior.config = {
    general = {