replace sops secrets with clan facts

Ingolf Wagner 2024-06-02 21:38:48 +02:00
parent 8547a9c376
commit 80723667ce
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
12 changed files with 70 additions and 99 deletions


@ -129,17 +129,16 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1717008015, "dirtyRev": "0993fe45f63e5d66dbbe9f72c7fd68c6ab6e7ea8-dirty",
"narHash": "sha256-dYP3/cqttXSBF6y6qAJqoUgzakpxRUrV0Ka9ktUh+n4=", "dirtyShortRev": "0993fe45-dirty",
"ref": "refs/heads/main", "lastModified": 1717340201,
"rev": "f1c02bbd4653917d6f7af03a77f45380f5a39b6d", "narHash": "sha256-7Ic5EvSIhqwhC0kZuQXHZut1joQFXx8IpyH1JvEA0zo=",
"revCount": 2928,
"type": "git", "type": "git",
"url": "https://git.clan.lol/clan/clan-core" "url": "file:///home/palo/dev/clan-core"
}, },
"original": { "original": {
"type": "git", "type": "git",
"url": "https://git.clan.lol/clan/clan-core" "url": "file:///home/palo/dev/clan-core"
} }
}, },
"clan-fact-generators": { "clan-fact-generators": {
@ -151,11 +150,11 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1717333086, "lastModified": 1717355409,
"narHash": "sha256-tCxNISnHTsW8ie9Q7ZUmKpgvrZQ3yrM1OH2qiZz8h1Q=", "narHash": "sha256-vbLxKOgEAnYg/USlOubdWYSOCydmrm2dCI9Pqz5S+og=",
"owner": "mrvandalo", "owner": "mrvandalo",
"repo": "clan-fact-generators", "repo": "clan-fact-generators",
"rev": "9ebc512d865d157050b81c4d15e41403197dc447", "rev": "730c5d8e6c90917692f01739ca7e2f116deb02a3",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -16,7 +16,7 @@
clan-core = { clan-core = {
url = "git+https://git.clan.lol/clan/clan-core"; url = "git+https://git.clan.lol/clan/clan-core";
#url = "git+file:///home/palo/dev/nixos/clan-core"; #url = "git+file:///home/palo/dev/clan-core";
inputs.nixpkgs.follows = "nixpkgs"; # Needed if your configuration uses nixpkgs unstable. inputs.nixpkgs.follows = "nixpkgs"; # Needed if your configuration uses nixpkgs unstable.
inputs.flake-parts.follows = "flake-parts"; inputs.flake-parts.follows = "flake-parts";
}; };
@ -199,7 +199,7 @@
]; ];
documentation.nixos.enable = true; documentation.nixos.enable = true;
clan.static-hosts.topLevelDomain = "bear"; clan.static-hosts.topLevelDomain = "bear";
clan.static-hosts.excludeHosts = lib.mkForce [ ]; #clan.static-hosts.excludeHosts = lib.mkForce [ ];
environment.systemPackages = [ environment.systemPackages = [
clan-core.packages.${pkgs.system}.clan-cli clan-core.packages.${pkgs.system}.clan-cli
]; ];
@ -219,7 +219,7 @@
# master key # master key
./nixos/assets/ssh/palo_rsa.pub ./nixos/assets/ssh/palo_rsa.pub
# backup key # backup key
"${config.clanCore.clanDir}/machines/chungus/facts/syncoid.ssh.id_ed25519.pub" "${config.clanCore.clanDir}/machines/chungus/facts/ssh.syncoid.id_ed25519.pub"
]; ];
}) })
# configure nix # configure nix
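Review bot: The active `clan-core` url in the first hunk is still `git+https://git.clan.lol/clan/clan-core`, yet the flake.lock in this same commit records that input as `file:///home/palo/dev/clan-core` with a `-dirty` rev, so the lock no longer matches the declared input and pins an uncommitted local working tree that no other machine can fetch; only the commented alternative url on the following line was edited here. Re-lock against the remote before merging (for example `nix flake lock --update-input clan-core` with the `file://` line left commented) so the recorded rev is a published commit. The third hunk disables `clan.static-hosts.excludeHosts = lib.mkForce [ ];` by commenting it out without explanation; a one-line comment stating why the override is no longer needed would help the next reader, or the line should be deleted rather than left as dead configuration.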


@ -36,25 +36,5 @@ with lib;
]; ];
## managed by home-manager now
#environment.shellInit = ''
# export GPG_TTY="$(tty)"
# gpg-connect-agent /bye
# export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
#'';
#programs = {
# ssh.startAgent = false;
# gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
#};
## managed by home-manager now
#security.pam.u2f.enable = true;
#security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path;
#sops.secrets.yubikey_u2fAuthFile = { };
}; };
} }


@ -1,16 +1,11 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
#sops.secrets.syncthing_cert = { };
#sops.secrets.syncthing_key = { };
services.syncthing = { services.syncthing = {
enable = true; enable = true;
openDefaultPorts = false; openDefaultPorts = false;
user = "palo"; user = "palo";
dataDir = "/home/palo/.syncthing"; dataDir = "/home/palo/.syncthing";
configDir = "/home/palo/.syncthing"; configDir = "/home/palo/.syncthing";
#cert = toString config.sops.secrets.syncthing_cert.path;
#key = toString config.sops.secrets.syncthing_key.path;
overrideFolders = true; overrideFolders = true;
folders = { folders = {


@ -1,13 +1,28 @@
{ config, ... }: { config, factsGenerator, ... }:
{ {
sops.secrets.tinc_retiolum_ed25519_key = { };
sops.secrets.tinc_retiolum_rsa_key = { }; clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
networking.retiolum.port = 720; networking.retiolum.port = 720;
networking.retiolum.nodename = "sol"; networking.retiolum.nodename = "sol";
services.tinc.networks.retiolum = { services.tinc.networks.retiolum = {
ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path; ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path; rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
}; };
#fileSystems."/retiolum/sicily" = {
# device = "//sicily.r/tonne";
# fsType = "cifs";
# options = [
# "guest"
# "nofail"
# "noauto"
# "ro"
# "rsize=16777216"
# "cache=loose"
# "x-systemd.after=network.target"
# ];
#};
} }
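Review bot: The `ed25519PrivateKeyFile` and `rsaPrivateKeyFile` lines read `config.clanCore.facts.services.tinc_secret.secret...`, but the generator added a few lines above is registered as `clanCore.facts.services.tinc_retiolum`; unless a module outside this diff declares a `tinc_secret` service, evaluation fails with a missing-attribute error. The same mismatch appears in the two other tinc hunks in this commit (the `centauri` file and the second `sol` file). Either change the references to `config.clanCore.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path` (and likewise for the rsa key) or register the generator under the name the references use. The commented-out `fileSystems."/retiolum/sicily"` block added at the end duplicates the block being commented out in the other `sol` file; dead configuration in two places is better replaced by a one-line comment saying where the mount moved or why it is disabled.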


@ -1,11 +1,7 @@
{ config, ... }: { config, factsGenerator, ... }:
{ {
# todo generator here clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clanCore.facts.services.wireguard = {
secret."wireguard.private" = { };
generator.script = "";
};
# Enable WireGuard # Enable WireGuard
networking.wg-quick.interfaces = { networking.wg-quick.interfaces = {
@ -14,7 +10,7 @@
wg0 = { wg0 = {
address = [ "10.100.0.7/32" ]; address = [ "10.100.0.7/32" ];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.private".path; privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
mtu = 1280; mtu = 1280;
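Review bot: `privateKeyFile` now depends on the secret name `wireguard.wg0.key`, which is chosen by `factsGenerator.wireguard` in the `clan-fact-generators` input rather than anywhere in this file, and the `wireguard.private` secret declared in the removed lines is dropped with no migration; if a key was ever generated under the old name it is now orphaned in the facts store and any peer holding its public key will no longer match. A comment at the generator line such as `# secret/public fact names are defined by factsGenerator.wireguard (clan-fact-generators input)` makes that coupling visible. After the new key is generated, its public half has to be distributed to the wg0 peers configured further down in this file (outside the hunk).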


@ -1,13 +1,12 @@
{ config, ... }: { config, factsGenerator, ... }:
{ {
sops.secrets.tinc_retiolum_ed25519_key = { }; clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
sops.secrets.tinc_retiolum_rsa_key = { };
networking.retiolum.port = 720; networking.retiolum.port = 720;
networking.retiolum.nodename = "centauri"; networking.retiolum.nodename = "centauri";
services.tinc.networks.retiolum = { services.tinc.networks.retiolum = {
ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path; ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path; rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
}; };
} }


@ -1,32 +1,32 @@
{ config, ... }: { config, factsGenerator, ... }:
{ {
sops.secrets.rsync_private_key = { }; clanCore.facts.services.rbackup = factsGenerator.ssh { name = "rbackup"; };
# todo : replace all of them with syncoid # todo : replace all of them with syncoid
rbackup.plans = { rbackup.plans = {
git = { git = {
sshKeyPath = config.sops.secrets.rsync_private_key.path; sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
src = "root@orbi:/var/lib/forgejo/"; src = "root@orbi:/var/lib/forgejo/";
dst = "/mirror/git"; dst = "/mirror/git";
}; };
taskwarrior = { taskwarrior = {
sshKeyPath = config.sops.secrets.rsync_private_key.path; sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
src = "root@orbi:/var/lib/taskserver/"; src = "root@orbi:/var/lib/taskserver/";
dst = "/mirror/taskwarrior"; dst = "/mirror/taskwarrior";
}; };
vaultwarden = { vaultwarden = {
sshKeyPath = config.sops.secrets.rsync_private_key.path; sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
src = "root@orbi:/var/lib/bitwarden_rs/"; src = "root@orbi:/var/lib/bitwarden_rs/";
dst = "/mirror/vaultwarden"; dst = "/mirror/vaultwarden";
}; };
radarr = { radarr = {
sshKeyPath = config.sops.secrets.rsync_private_key.path; sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
src = "root@orbi:/media/arr/radarr"; src = "root@orbi:/media/arr/radarr";
dst = "/media/arr/radarr"; dst = "/media/arr/radarr";
delete = false; delete = false;
}; };
sonarr = { sonarr = {
sshKeyPath = config.sops.secrets.rsync_private_key.path; sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
src = "root@orbi:/media/arr/sonarr"; src = "root@orbi:/media/arr/sonarr";
dst = "/media/arr/sonarr"; dst = "/media/arr/sonarr";
delete = false; delete = false;
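Review bot: The same secret path `config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path` is repeated for every plan (five times in this hunk, and the `rbackup.plans` attrset continues past it); bind it once, e.g. wrap the module body in `let rbackupKey = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path; in { ... }` and write `sshKeyPath = rbackupKey;` in each plan, so a future rename touches one line. Replacing `sops.secrets.rsync_private_key` with a generated fact also means a fresh keypair: the `root@orbi` sources listed here will refuse the pulls until the new public fact is added to their authorized_keys and the old rsync key is removed there, which is worth recording next to the existing `# todo` comment.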


@ -1,15 +1,7 @@
{ pkgs, config, ... }: { pkgs, config, factsGenerator, ... }:
{ {
clanCore.facts.services.syncoid = { clanCore.facts.services.syncoid = factsGenerator.ssh { name = "syncoid"; };
secret."syncoid.ssh.id_ed25519" = { };
public."syncoid.ssh.id_ed25519.pub" = { };
generator.path = with pkgs; [ coreutils openssh ];
generator.script = ''
ssh-keygen -t ed25519 -N "" -f $secrets/syncoid.ssh.id_ed25519
mv $secrets/syncoid.ssh.id_ed25519.pub $facts/syncoid.ssh.id_ed25519.pub
'';
};
services.syncoid = { services.syncoid = {
enable = true; enable = true;
@ -30,17 +22,17 @@
# remote # remote
commands.matrix-terranix = { commands.matrix-terranix = {
sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path; sshKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
source = "root@orbi:zroot/matrix-terranix"; source = "root@orbi:zroot/matrix-terranix";
target = "zraid/mirror/matrix-terranix"; # should not be created up front! target = "zraid/mirror/matrix-terranix"; # should not be created up front!
}; };
commands.nextcloud = { commands.nextcloud = {
sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path; sshKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
source = "root@orbi:zroot/nextcloud"; source = "root@orbi:zroot/nextcloud";
target = "zraid/mirror/nextcloud"; # should not be created up front! target = "zraid/mirror/nextcloud"; # should not be created up front!
}; };
commands.photoprism = { commands.photoprism = {
sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path; sshKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
source = "root@orbi:zmedia/photoprism"; source = "root@orbi:zmedia/photoprism";
target = "zraid/mirror/photoprism"; # should not be created up front! target = "zraid/mirror/photoprism"; # should not be created up front!
}; };
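Review bot: The secret is renamed from `syncoid.ssh.id_ed25519` to `ssh.syncoid.id_ed25519` in every `sshKey` line (and the public fact path in flake.nix follows), but nothing moves a key already generated under the old name, so existing material in the facts/secrets store is orphaned and a regenerated key has to be re-authorized on `root@orbi` for the three source datasets before these commands succeed again. The removed inline `ssh-keygen -t ed25519 -N ""` made the key type and empty passphrase explicit; if `factsGenerator.ssh` produces the same, add `# ed25519 key without passphrase, generated by factsGenerator.ssh` at the generator line, otherwise confirm what it produces since the pull runs unattended. With `generator.path = with pkgs; [ coreutils openssh ];` gone, the `pkgs` module argument may now be unused unless the rest of the file (outside the hunk) needs it.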


@ -1,27 +1,27 @@
{ config, ... }: { config, factsGenerator, ... }:
{ {
sops.secrets.tinc_retiolum_ed25519_key = { };
sops.secrets.tinc_retiolum_rsa_key = { }; clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
networking.retiolum.port = 720; networking.retiolum.port = 720;
networking.retiolum.nodename = "sol"; networking.retiolum.nodename = "sol";
services.tinc.networks.retiolum = { services.tinc.networks.retiolum = {
ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path; ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path; rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
}; };
fileSystems."/retiolum/sicily" = { #fileSystems."/retiolum/sicily" = {
device = "//sicily.r/tonne"; # device = "//sicily.r/tonne";
fsType = "cifs"; # fsType = "cifs";
options = [ # options = [
"guest" # "guest"
"nofail" # "nofail"
"noauto" # "noauto"
"ro" # "ro"
"rsize=16777216" # "rsize=16777216"
"cache=loose" # "cache=loose"
"x-systemd.after=network.target" # "x-systemd.after=network.target"
]; # ];
}; #};
} }


@ -1,16 +1,11 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
#sops.secrets.syncthing_cert = { };
#sops.secrets.syncthing_key = { };
services.syncthing = { services.syncthing = {
enable = true; enable = true;
openDefaultPorts = false; openDefaultPorts = false;
user = "palo"; user = "palo";
dataDir = "/home/palo/.syncthing"; dataDir = "/home/palo/.syncthing";
configDir = "/home/palo/.syncthing"; configDir = "/home/palo/.syncthing";
#cert = toString config.sops.secrets.syncthing_cert.path;
#key = toString config.sops.secrets.syncthing_key.path;
overrideFolders = true; overrideFolders = true;
folders = { folders = {


@ -21,7 +21,7 @@
components.gui.enable = true; components.gui.enable = true;
components.gui.kmonad.enable = false; components.gui.kmonad.enable = false;
components.gui.style.enable = false; # installes nerd-fonts which seem not to work. components.gui.style.enable = false; # installes nerd-fonts which seem not to work.
components.gui.noti.enable = false; #components.gui.noti.enable = false;
components.terminal.enable = true; components.terminal.enable = true;
components.network.enable = true; components.network.enable = true;