diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
deleted file mode 100644
index 665b10e..0000000
--- a/.git-crypt/.gitattributes
+++ /dev/null
@@ -1,4 +0,0 @@
-# Do not edit this file. To specify the files to encrypt, create your own
-# .gitattributes file in the directory where your files are.
-* !filter !diff
-*.gpg binary
diff --git a/.git-crypt/keys/default/0/51E4F5AB1B82BE45B4229CC243A5E25AA5A27849.gpg b/.git-crypt/keys/default/0/51E4F5AB1B82BE45B4229CC243A5E25AA5A27849.gpg
deleted file mode 100644
index f6443e9..0000000
Binary files a/.git-crypt/keys/default/0/51E4F5AB1B82BE45B4229CC243A5E25AA5A27849.gpg and /dev/null differ
diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index 4569c0b..0000000
--- a/.gitattributes
+++ /dev/null
@@ -1 +0,0 @@
-/secrets.nix filter=git-crypt diff=git-crypt
diff --git a/common/default.nix b/common/default.nix
index 7947ddc..b69520c 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -1,3 +1,3 @@
 { ... }: {
- imports = [ ./nix.nix ./sops.nix ./users.nix ];
+ imports = [ ./nix.nix ./secrets.nix ./users.nix ];
 }
diff --git a/common/sops.nix b/common/secrets.nix
similarity index 63%
rename from common/sops.nix
rename to common/secrets.nix
index aac4c6d..d8b6d6b 100644
--- a/common/sops.nix
+++ b/common/secrets.nix
@@ -2,8 +2,8 @@
 sops = {
 defaultSopsFile = ../secrets.yaml;
 age = {
- keyFile = "/persist/sops/age/keys.txt";
- sshKeyPaths = [ "/persist/system/etc/ssh/keys/ssh_host_ed25519_key" ];
+ keyFile = "/persist/secrets/sops/age/keys.txt";
+ sshKeyPaths = [ "/persist/secrets/ssh/keys/ssh_host_ed25519_key" ];
 };
 secrets = {
 "passwd/root" = {
@@ -18,6 +18,11 @@
 group = config.users.users.root.group;
 neededForUsers = true;
 };
+ "wireguard/psk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
 };
 };
 }
diff --git a/flake.nix b/flake.nix
index 9cab798..280d444 100644
--- a/flake.nix
+++ b/flake.nix
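Review bot: The new `"wireguard/psk"` entry in the second common/secrets.nix hunk has no `restartUnits`, so a rotated PSK in secrets.yaml is written to the secret path on the next switch but the running tunnel keeps using the old key until the WireGuard unit is restarted by hand. Adding `restartUnits = [ "wireguard-wg0.service" ];` next to `mode` closes that gap; on current NixOS the preshared key is applied by a per-peer unit (`wireguard-wg0-peer-<name>.service`, as I recall the naming — confirm against the generated units), in which case that is the unit to list. The interface name is inferred from `trustedInterfaces = [ "wg0" ]` in hosts/skipper/wireguard.nix, which this hunk does not show.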
@@ -39,7 +39,6 @@
 , } @ inputs: let
- secrets = import ./secrets.nix;
 packages = system: import nixpkgs {
 inherit system;
 config = {
@@ -54,7 +53,7 @@
 Skipper = nixpkgs.lib.nixosSystem rec {
 system = "x86_64-linux";
 pkgs = packages system;
- specialArgs = inputs // { inherit secrets; extra-packages = (extra-packages system); };
+ specialArgs = inputs // { extra-packages = (extra-packages system); };
 modules = [
 {
 system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
@@ -71,7 +70,7 @@
 home-manager = {
 useUserPackages = true;
 useGlobalPkgs = true;
- extraSpecialArgs = inputs // { inherit secrets; extra-packages = (extra-packages system); };
+ extraSpecialArgs = inputs // { extra-packages = (extra-packages system); };
 users.adtya = _: {
 imports = [
 impermanence.nixosModules.home-manager.impermanence
@@ -95,7 +94,6 @@
 devShells.default = pkgs.mkShell {
 buildInputs = with pkgs; [
 git
- git-crypt
 statix
 sops
 age
diff --git a/home/secrets.nix b/home/secrets.nix
index 91e9ebe..6d3a9d5 100644
Binary files a/home/secrets.nix and b/home/secrets.nix differ
diff --git a/hosts/skipper/persistence.nix b/hosts/skipper/persistence.nix
index b0e6ba1..4b84755 100644
--- a/hosts/skipper/persistence.nix
+++ b/hosts/skipper/persistence.nix
@@ -3,10 +3,7 @@ _: {
 hideMounts = true;
 directories = [
 "/etc/NetworkManager/system-connections"
- "/etc/secureboot"
- "/etc/ssh/keys"
 "/etc/systemd/nspawn"
- "/etc/wireguard"
 "/root/.local/share/nix"
 "/var/cache/fwupd"
 "/var/lib/bluetooth"
@@ -24,7 +21,6 @@ _: {
 ];
 files = [
 "/etc/machine-id"
- "/etc/u2f_keys"
 ];
 };
 }
diff --git a/hosts/skipper/secureboot.nix b/hosts/skipper/secureboot.nix
index 6f9a169..e0ce67f 100644
--- a/hosts/skipper/secureboot.nix
+++ b/hosts/skipper/secureboot.nix
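Review bot: With `secrets = import ./secrets.nix;` removed in the first flake.nix hunk and `git-crypt` dropped from the devShell in the `@@ -95` hunk, the repository no longer carries a decryption path for git-crypt blobs, yet `home/secrets.nix` is still committed as a binary file and changes in this same commit. If it is leftover git-crypt ciphertext it can no longer be read from this checkout; if it is plaintext it belongs in secrets.yaml next to `wireguard/psk`. Worth stating in the commit message what that file now contains and whether anything still imports it.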
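Review bot: Dropping `/etc/secureboot`, `/etc/ssh/keys`, `/etc/wireguard` and, in the `@@ -24` hunk, `/etc/u2f_keys` from the persisted set means this key material is no longer reached through impermanence bind mounts but read in place from `/persist/secrets/...` (secureboot.nix, security.nix, services/ssh.nix, wireguard.nix and common/secrets.nix all point there), yet no hunk declares who owns that tree or with what mode. Adding `systemd.tmpfiles.rules = [ "d /persist/secrets 0700 root root -" ];` pins the parent directory to root-only, so a service that creates its own subdirectory with a looser default cannot expose sibling key material; the NixOS wireguard module, as I recall, creates the parent of `privateKeyFile` with `mkdir -p --mode 0755` when it is missing, which is one such case — confirm. Each key file under it should stay root-owned 0600/0400 regardless of the directory mode.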
@@ -2,12 +2,16 @@
 , pkgs
 , ...
 }: {
+ environment.etc."secureboot" = {
+ mode = "symlink";
+ source = "/persist/secrets/secureboot";
+ };
 boot = {
 bootspec.enable = true;
 loader.systemd-boot.enable = lib.mkForce false;
 lanzaboote = {
 enable = true;
- pkiBundle = "/persist/system/etc/secureboot";
+ pkiBundle = "/persist/secrets/secureboot";
 };
 };
 environment.systemPackages = with pkgs; [
diff --git a/hosts/skipper/security.nix b/hosts/skipper/security.nix
index 9581740..068726f 100644
--- a/hosts/skipper/security.nix
+++ b/hosts/skipper/security.nix
@@ -8,7 +8,7 @@
 };
 u2f = {
 enable = true;
- authFile = "/etc/u2f_keys";
+ authFile = "/persist/secrets/u2f/u2f_keys";
 cue = true;
 };
 };
diff --git a/hosts/skipper/services/ssh.nix b/hosts/skipper/services/ssh.nix
index 420095f..2294cbf 100644
--- a/hosts/skipper/services/ssh.nix
+++ b/hosts/skipper/services/ssh.nix
@@ -8,11 +8,11 @@ _: {
 };
 hostKeys = [
 {
- path = "/persist/system/etc/ssh/keys/ssh_host_ed25519_key";
+ path = "/persist/secrets/ssh/keys/ssh_host_ed25519_key";
 type = "ed25519";
 }
 {
- path = "/persist/system/etc/ssh/keys/ssh_host_rsa_key";
+ path = "/persist/secrets/ssh/keys/ssh_host_rsa_key";
 type = "rsa";
 bits = "4096";
 }
diff --git a/hosts/skipper/wireguard.nix b/hosts/skipper/wireguard.nix
index ccb8f58..611f03c 100644
--- a/hosts/skipper/wireguard.nix
+++ b/hosts/skipper/wireguard.nix
@@ -1,14 +1,4 @@
-{ secrets, ... }:
-let
- wireguard_server = secrets.wireguard_server // {
- persistentKeepalive = 20;
- allowedIPs = [
- "10.10.10.0/24"
- "fd7c:585c:c4ae::0/64"
- ];
- };
-in
-{
+{ config, ... }: {
 networking.firewall.trustedInterfaces = [ "wg0" ];
 networking.wireguard = {
 enable = true;
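Review bot: The new `environment.etc."secureboot"` symlink in hosts/skipper/secureboot.nix re-exposes the Secure Boot signing keys at `/etc/secureboot` although lanzaboote already reads them via `pkiBundle`, and nothing says why; presumably it is for sbctl, which looks there by default, but that is inferred. A one-line comment above the block would spare the next reader the guess: `# sbctl expects its key bundle at /etc/secureboot; point it at the persisted copy lanzaboote uses`. The `environment.systemPackages` list that would confirm the reason continues past the end of the hunk.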
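Review bot: Changing `hostKeys[*].path` to `/persist/secrets/ssh/keys/...` in services/ssh.nix without moving the existing files first makes sshd generate fresh host keys at the new location on the next boot, which changes the host's SSH identity for every client and, more importantly, breaks secret decryption: common/secrets.nix derives the sops age identity from `sshKeyPaths = [ "/persist/secrets/ssh/keys/ssh_host_ed25519_key" ]`, so a regenerated key cannot open secrets.yaml unless the age `keyFile` is also present at its new path. The same applies to `privateKeyFile` with `generatePrivateKeyFile = true` in hosts/skipper/wireguard.nix (next hunk), where a silently regenerated key makes the peer drop this host until the server side is updated. Moving the existing key material into `/persist/secrets/` before switching to this generation, or a note in the commit message that this was done, would remove the ambiguity.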
@@ -19,10 +9,20 @@ in
 "fd7c:585c:c4ae::2/64"
 ];
 listenPort = 51822;
- privateKeyFile = "/persist/system/etc/wireguard/private.key";
+ privateKeyFile = "/persist/secrets/wireguard/private.key";
 generatePrivateKeyFile = true;
 peers = [
- wireguard_server
+ {
+ name = "Proxy";
+ endpoint = "proxy.adtya.xyz:51821";
+ publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
+ presharedKeyFile = config.sops.secrets."wireguard/psk".path;
+ persistentKeepalive = 20;
+ allowedIPs = [
+ "10.10.10.0/24"
+ "fd7c:585c:c4ae::0/64"
+ ];
+ }
 ];
 };
 };
diff --git a/secrets.nix b/secrets.nix
deleted file mode 100644
index e0f0b18..0000000
Binary files a/secrets.nix and /dev/null differ
diff --git a/secrets.nix.example b/secrets.nix.example
deleted file mode 100644
index 72fc95c..0000000
--- a/secrets.nix.example
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- wireguard_server = {
- name = ";
- endpoint = ":";
- publicKey = "";
- };
-}
diff --git a/secrets.yaml b/secrets.yaml
index 2db31ff..eb313a4 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,6 +1,8 @@
 passwd:
 root: ENC[AES256_GCM,data:fEAYZXid9Im/TJrBXj9IOUCdqHT3NZ8GZvouX+RN/1PplH+imoGvjiMc+7AWxUwH28RYpKlFmrILrBSCFEvypX/IXuwx0Zq/uoTLEiP+NiDvSl+e1kvTbI5q19iSajmxU/mN67zTTmUbzA==,iv:MtX/dAEIsQFJc4KahJPbj+dELowLF0caea55/HZ3WWA=,tag:bkfqmLU+dCW+KNJ7RFoeFQ==,type:str]
 adtya: ENC[AES256_GCM,data:ryjjreVHyt/oY4tJcJHZ8ZQNk/hq9UJFECwo65Pd/GTWw/V/0QxwhoPsuFrgrVRwZxmK+m52ZtGstarn6kSK0oqT7rqzu4u0UwgxzRiPOAzyGPCl9PbiMWUQyeh779q133E+GRw5hEih7A==,iv:o1C+5PSKYmXU61k1TOJWIw3dPWbGBQNwB+pa2X5m9ik=,tag:WSKUXPJmMudschBaYJsSrg==,type:str]
+wireguard:
+ psk: ENC[AES256_GCM,data:DmcnhcUtFfz3i6bhd0VZnjO2ySPhBkRNxXnzAZ9/eegLNz4A7pDFociQSkc=,iv:Ucr0YztJ9MCAPsbIh8z4CjD5Fb5K5UvPiTL2FMDJ1U0=,tag:EHu2yWJ42Tohiw5F24igLw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -25,8 +27,8 @@ sops:
 MTdMRzR6anF4RzVBbnI5cnFPQmRpWmcKCiFOU74esinQsdc55Zwny5/VVNN2r3rq
 19ZYyCVNuyTeOXxuvUvjPJeW2X+v9H6bvbg1sXMxb761Pm0VGYor+g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-16T16:15:25Z"
- mac: ENC[AES256_GCM,data:oV4M6ZIMuPwjUk9AfkrbGO6bSaLOSqSS8BhT1GzjZujaZou8+McBgvvuman6I3DeF0ZDaX7cDUU/CV3V3Pm/bfNUispamGW/kKaeZmYMKcUOkUKts7736F0BpaytZa8gdQYGvnS1uSgT41TisIJlVdqPgHDkkug5DR3s6EM/vj8=,iv:sPRORyWQU/p7vaRthmgA8/yBiYrcasOrdAP6vkaMWL8=,tag:sgeDQDpeUMHjOX0Yf9MnJw==,type:str]
+ lastmodified: "2024-06-20T11:42:10Z"
+ mac: ENC[AES256_GCM,data:VfUis0iEwTtGZUyccYMLmZ//zHm18cMbutEsTqBkw3vZtBr+mKjAVoihSxVxlol035j5FlYL7T7w344c+q8AIAus4+XdeHqfQKlSuqHwE7h0ZcU94ywa2I7pnHZUU+DIdFfVkKfHwZdIT3GzZLOVvfZIqFik0oOBLuduC/UWQyY=,iv:vdGFGeuR7NeUH3UalKKCaoEoC7NKefSQYfLcH19U10E=,tag:AbJEzpV+fFpWH9tM5RNmtg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1