From 069aea5226f61ce05bb94f82f477b8bdccf27b6e Mon Sep 17 00:00:00 2001 From: Adithya Nair Date: Thu, 20 Jun 2024 19:41:06 +0530 Subject: [PATCH] mission cleanup secrets --- .git-crypt/.gitattributes | 4 --- ...E4F5AB1B82BE45B4229CC243A5E25AA5A27849.gpg | Bin 726 -> 0 bytes .gitattributes | 1 - common/default.nix | 2 +- common/{sops.nix => secrets.nix} | 9 ++++-- flake.nix | 6 ++-- home/secrets.nix | Bin 155 -> 141 bytes hosts/skipper/persistence.nix | 4 --- hosts/skipper/secureboot.nix | 6 +++- hosts/skipper/security.nix | 2 +- hosts/skipper/services/ssh.nix | 4 +-- hosts/skipper/wireguard.nix | 26 +++++++++--------- secrets.nix | Bin 177 -> 0 bytes secrets.nix.example | 7 ----- secrets.yaml | 6 ++-- 15 files changed, 35 insertions(+), 42 deletions(-) delete mode 100644 .git-crypt/.gitattributes delete mode 100644 .git-crypt/keys/default/0/51E4F5AB1B82BE45B4229CC243A5E25AA5A27849.gpg delete mode 100644 .gitattributes rename common/{sops.nix => secrets.nix} (63%) delete mode 100644 secrets.nix delete mode 100644 secrets.nix.example
diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
deleted file mode 100644
index 665b10e..0000000
--- a/.git-crypt/.gitattributes
+++ /dev/null
@@ -1,4 +0,0 @@
-# Do not edit this file. To specify the files to encrypt, create your own
-# .gitattributes file in the directory where your files are.
-* !filter !diff
-*.gpg binary
diff --git a/.git-crypt/keys/default/0/51E4F5AB1B82BE45B4229CC243A5E25AA5A27849.gpg b/.git-crypt/keys/default/0/51E4F5AB1B82BE45B4229CC243A5E25AA5A27849.gpg deleted file mode 100644 index f6443e94cafb1450c3bbd7b42bfa4e8cc14372fc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 726 zcmV;{0xA840t^E;AaOv@5hsQL5CFwg;>{x~O7kWkb8GN%tQ~qUs?QLMK3Pi5%ctw+ zdvFa?9qb-qS?m`a8M`ZZ;xL*z{USN4hV^4Zw@m6ePR~sp5KD}_ zFhMi2$`c6$d!>h4v9htNK+tlSS;(1M`t9H2YfS`lq1xQQwR9A;ttb$l>1W6 zlhg=7Rz-i?^N)^5W@B@Xrd_>^(m%jUs8e;q!wKaI+Uu^7DEHrQ|8|^ww7|L|KdHEP z@gSSv-#8je740g`_OpN0Rq|$osVNFptaN&iV}zjIgQQN7&3!p;%J65(I>&ie%MRoa zL3mo*2hXB64o8JhO@T*^g(!p+UwBZ0B+D6}Ak0NCVK@N6`Mgp72ysP64fYZ{e^LRi z8T&=f9RLn(nVwISL49DA>YC$%6>lIqd-QZT0xh%&lRc+vxB1Pz6omTl;yj04m0uIi z30^l&eAC=)bFjhkWuxRG<3GH~Rr@^)CKeb?aPTa4>m74d@W_}CC5D3>=hDKY-m2^( zYzLgFI2v?mo~8N%%u>?81OZlblk_>GuN{2L9gYRN(JQnem0RI?RP${^rdRf6p0`Pj zc-jM{R}XsN7~dl56-RJNt7T~t+LVo9=Me)b-G@(Np5fMl@W}>RjBTo2ALjiq_aWJ{ zsjQ^wDXool)aT|0yM-{ I7;}^Z^(*9EWdHyG diff --git a/.gitattributes b/.gitattributes deleted file mode 100644 index 4569c0b..0000000 --- a/.gitattributes +++ /dev/null @@ -1 +0,0 @@ -/secrets.nix filter=git-crypt diff=git-crypt diff --git a/common/default.nix b/common/default.nix index 7947ddc..b69520c 100644 --- a/common/default.nix +++ b/common/default.nix @@ -1,3 +1,3 @@ { ... }: { - imports = [ ./nix.nix ./sops.nix ./users.nix ]; + imports = [ ./nix.nix ./secrets.nix ./users.nix ]; } diff --git a/common/sops.nix b/common/secrets.nix similarity index 63% rename from common/sops.nix rename to common/secrets.nix index aac4c6d..d8b6d6b 100644 --- a/common/sops.nix +++ b/common/secrets.nix 
@@ -2,8 +2,8 @@
 sops = {
 defaultSopsFile = ../secrets.yaml;
 age = {
- keyFile = "/persist/sops/age/keys.txt";
- sshKeyPaths = [ "/persist/system/etc/ssh/keys/ssh_host_ed25519_key" ];
+ keyFile = "/persist/secrets/sops/age/keys.txt";
+ sshKeyPaths = [ "/persist/secrets/ssh/keys/ssh_host_ed25519_key" ];
 };
 secrets = {
 "passwd/root" = {
@@ -18,6 +18,11 @@
 group = config.users.users.root.group;
 neededForUsers = true;
 };
+ "wireguard/psk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
 };
 };
 }
diff --git a/flake.nix b/flake.nix
index 9cab798..280d444 100644
--- a/flake.nix
+++ b/flake.nix
@@ -39,7 +39,6 @@
 ,
 } @ inputs:
 let
- secrets = import ./secrets.nix;
 packages = system: import nixpkgs {
 inherit system;
 config = {
@@ -54,7 +53,7 @@
 Skipper = nixpkgs.lib.nixosSystem rec {
 system = "x86_64-linux";
 pkgs = packages system;
- specialArgs = inputs // { inherit secrets; extra-packages = (extra-packages system); };
+ specialArgs = inputs // { extra-packages = (extra-packages system); };
 modules = [
 {
 system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
@@ -71,7 +70,7 @@
 home-manager = {
 useUserPackages = true;
 useGlobalPkgs = true;
- extraSpecialArgs = inputs // { inherit secrets; extra-packages = (extra-packages system); };
+ extraSpecialArgs = inputs // { extra-packages = (extra-packages system); };
 users.adtya = _: {
 imports = [
 impermanence.nixosModules.home-manager.impermanence
@@ -95,7 +94,6 @@
 devShells.default = pkgs.mkShell {
 buildInputs = with pkgs; [
 git
- git-crypt
 statix
 sops
 age
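Review bot: `keyFile` and `sshKeyPaths` now point under `/persist/secrets`, while the `passwd/*` secrets in the same attribute set keep `neededForUsers = true`, so sops-nix has to read both identities during early activation, before users are created; that only works if `/persist` is already mounted at that point (`neededForBoot = true` on its filesystem), which this diff does not show. A comment on `keyFile` would make the dependency explicit: `# identities live on /persist, which must be neededForBoot for the neededForUsers secrets below`. The new `wireguard/psk` entry is root-only `400`, which is appropriate as long as the WireGuard setup runs as root (the stock NixOS module's units do). The `sops` attribute set opens before the first hunk, so its header is outside this view.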
diff --git a/home/secrets.nix b/home/secrets.nix
index 91e9ebe4dd82856e0be73ca199a6245bc898ad22..6d3a9d5d7ed606dc69ea46b71cb0c6d110fd157c 100644
GIT binary patch literal 141 zcmZXMF$%*l3;=h(LU=CH-qN*ehPc z0PB$O!Y?U|UhAy%PE46MMO)3I)};l8=P$=1AB?9w=5Dbr_EsDB+gN1E;A!TjqDIQ0 Lu_^r@AMS8pQ57*g literal 155 zcmV;M0A&9FM@dveQdv+`07)^xYW=TV!C?)g(C5GtWKQ>42%fJx_bt z;gcM^ux&K-7y46+NPeX?;ylEY^Wb5f%--vjkJBTqCWb83ZX~30&@0sgUCI5-g20I# zlB4kjF&USlrp2fcsUzvDGQ_bFQY>|a42s56#6&Qb?_9B0Mkf8nwi60gNhj8-=!ZLE JAVjGHWx^5MP167X
diff --git a/hosts/skipper/persistence.nix b/hosts/skipper/persistence.nix
index b0e6ba1..4b84755 100644
--- a/hosts/skipper/persistence.nix
+++ b/hosts/skipper/persistence.nix
@@ -3,10 +3,7 @@ _: {
 hideMounts = true;
 directories = [
 "/etc/NetworkManager/system-connections"
- "/etc/secureboot"
- "/etc/ssh/keys"
 "/etc/systemd/nspawn"
- "/etc/wireguard"
 "/root/.local/share/nix"
 "/var/cache/fwupd"
 "/var/lib/bluetooth"
@@ -24,7 +21,6 @@ _: {
 ];
 files = [
 "/etc/machine-id"
- "/etc/u2f_keys"
 ];
 };
 }
diff --git a/hosts/skipper/secureboot.nix b/hosts/skipper/secureboot.nix
index 6f9a169..e0ce67f 100644
--- a/hosts/skipper/secureboot.nix
+++ b/hosts/skipper/secureboot.nix
@@ -2,12 +2,16 @@
 , pkgs
 , ...
 }: {
+ environment.etc."secureboot" = {
+ mode = "symlink";
+ source = "/persist/secrets/secureboot";
+ };
 boot = {
 bootspec.enable = true;
 loader.systemd-boot.enable = lib.mkForce false;
 lanzaboote = {
 enable = true;
- pkiBundle = "/persist/system/etc/secureboot";
+ pkiBundle = "/persist/secrets/secureboot";
 };
 };
 environment.systemPackages = with pkgs; [
diff --git a/hosts/skipper/security.nix b/hosts/skipper/security.nix
index 9581740..068726f 100644
--- a/hosts/skipper/security.nix
+++ b/hosts/skipper/security.nix
@@ -8,7 +8,7 @@
 };
 u2f = {
 enable = true;
- authFile = "/etc/u2f_keys";
+ authFile = "/persist/secrets/u2f/u2f_keys";
 cue = true;
 };
 };
diff --git a/hosts/skipper/services/ssh.nix b/hosts/skipper/services/ssh.nix
index 420095f..2294cbf 100644
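Review bot: `environment.etc."secureboot"` adds a symlink to the same directory that `pkiBundle` now names, but nothing in the diff creates `/persist/secrets/secureboot` or constrains its mode, and the signing keys it is meant to hold still sit at the old `/persist/system/etc/secureboot` location unless they are moved by hand before the switch; until then lanzaboote finds no keys at `pkiBundle`, and afterwards a stray copy of the Secure Boot private key remains at the old path unless it is wiped. The symlink also deserves a stated reason, since it re-exposes under `/etc` the key directory that `persistence.nix` stopped bind-mounting, e.g. `# symlink so tooling that expects /etc/secureboot finds the bundle lanzaboote signs with` (I cannot see which tool needs it; the `environment.systemPackages` list starts at the end of the hunk). The same move-then-wipe caveat presumably applies to the ssh host keys and the u2f file relocated elsewhere in this commit.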
--- a/hosts/skipper/services/ssh.nix
+++ b/hosts/skipper/services/ssh.nix
@@ -8,11 +8,11 @@ _: {
 };
 hostKeys = [
 {
- path = "/persist/system/etc/ssh/keys/ssh_host_ed25519_key";
+ path = "/persist/secrets/ssh/keys/ssh_host_ed25519_key";
 type = "ed25519";
 }
 {
- path = "/persist/system/etc/ssh/keys/ssh_host_rsa_key";
+ path = "/persist/secrets/ssh/keys/ssh_host_rsa_key";
 type = "rsa";
 bits = "4096";
 }
diff --git a/hosts/skipper/wireguard.nix b/hosts/skipper/wireguard.nix
index ccb8f58..611f03c 100644
--- a/hosts/skipper/wireguard.nix
+++ b/hosts/skipper/wireguard.nix
@@ -1,14 +1,4 @@
-{ secrets, ... }:
-let
- wireguard_server = secrets.wireguard_server // {
- persistentKeepalive = 20;
- allowedIPs = [
- "10.10.10.0/24"
- "fd7c:585c:c4ae::0/64"
- ];
- };
-in
-{
+{ config, ... }: {
 networking.firewall.trustedInterfaces = [ "wg0" ];
 networking.wireguard = {
 enable = true;
@@ -19,10 +9,20 @@ in
 "fd7c:585c:c4ae::2/64"
 ];
 listenPort = 51822;
- privateKeyFile = "/persist/system/etc/wireguard/private.key";
+ privateKeyFile = "/persist/secrets/wireguard/private.key";
 generatePrivateKeyFile = true;
 peers = [
- wireguard_server
+ {
+ name = "Proxy";
+ endpoint = "proxy.adtya.xyz:51821";
+ publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
+ presharedKeyFile = config.sops.secrets."wireguard/psk".path;
+ persistentKeepalive = 20;
+ allowedIPs = [
+ "10.10.10.0/24"
+ "fd7c:585c:c4ae::0/64"
+ ];
+ }
 ];
 };
 };
diff --git a/secrets.nix b/secrets.nix
deleted file mode 100644
index e0f0b18321ea07a5957aab69461045e1bfd4fd40..0000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 177 zcmV;i08ak^M@dveQdv+`02RqAOrKKdI4m} zAg`N%7TcK?D_+X(?EwYI>#VuWwaMaY3tIahUubfY{dO)|8lnFbaxeEoqhc^rvE3)w zdx9s&OpOS!2e~bzAE?`Gj>t3&2{bsi@>4|CN)ltTN6Z9AxUNzRvQH(~YL%y>FwhRK fl;9aNxR7K{A?pWOqqZ)v4Tvm=)sUy3bF{5HvdL2Z
diff --git a/secrets.nix.example b/secrets.nix.example
deleted file mode 100644
index 72fc95c..0000000
--- a/secrets.nix.example
+++ /dev/null
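Review bot: The peer's `endpoint` and `publicKey` were previously read from the git-crypt-encrypted `secrets.nix` and are now committed in clear; neither is a credential, and tunnel confidentiality now rests on `private.key` plus the sops-managed PSK, but this does publish the proxy's hostname and listening port, so it should be a deliberate choice, recorded on the peer as `# endpoint/publicKey are intentionally public; only private.key and the sops PSK are secret`. With `generatePrivateKeyFile = true`, `privateKeyFile` now names `/persist/secrets/wireguard/private.key`, so unless the existing key is moved there from the old `/persist/system/etc/wireguard` path before switching, the module generates a fresh keypair and the proxy, still configured with the old public key, never completes a handshake; the old copy should then be removed rather than left behind. `presharedKeyFile` reads the root-only sops path, which is fine because the stock module's setup units run as root.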
@@ -1,7 +0,0 @@
-{
- wireguard_server = {
- name = ";
- endpoint = ":";
- publicKey = "";
- };
-}
diff --git a/secrets.yaml b/secrets.yaml
index 2db31ff..eb313a4 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,6 +1,8 @@
 passwd:
 root: ENC[AES256_GCM,data:fEAYZXid9Im/TJrBXj9IOUCdqHT3NZ8GZvouX+RN/1PplH+imoGvjiMc+7AWxUwH28RYpKlFmrILrBSCFEvypX/IXuwx0Zq/uoTLEiP+NiDvSl+e1kvTbI5q19iSajmxU/mN67zTTmUbzA==,iv:MtX/dAEIsQFJc4KahJPbj+dELowLF0caea55/HZ3WWA=,tag:bkfqmLU+dCW+KNJ7RFoeFQ==,type:str]
 adtya: ENC[AES256_GCM,data:ryjjreVHyt/oY4tJcJHZ8ZQNk/hq9UJFECwo65Pd/GTWw/V/0QxwhoPsuFrgrVRwZxmK+m52ZtGstarn6kSK0oqT7rqzu4u0UwgxzRiPOAzyGPCl9PbiMWUQyeh779q133E+GRw5hEih7A==,iv:o1C+5PSKYmXU61k1TOJWIw3dPWbGBQNwB+pa2X5m9ik=,tag:WSKUXPJmMudschBaYJsSrg==,type:str]
+wireguard:
+ psk: ENC[AES256_GCM,data:DmcnhcUtFfz3i6bhd0VZnjO2ySPhBkRNxXnzAZ9/eegLNz4A7pDFociQSkc=,iv:Ucr0YztJ9MCAPsbIh8z4CjD5Fb5K5UvPiTL2FMDJ1U0=,tag:EHu2yWJ42Tohiw5F24igLw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -25,8 +27,8 @@ sops:
 MTdMRzR6anF4RzVBbnI5cnFPQmRpWmcKCiFOU74esinQsdc55Zwny5/VVNN2r3rq
 19ZYyCVNuyTeOXxuvUvjPJeW2X+v9H6bvbg1sXMxb761Pm0VGYor+g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-16T16:15:25Z"
- mac: ENC[AES256_GCM,data:oV4M6ZIMuPwjUk9AfkrbGO6bSaLOSqSS8BhT1GzjZujaZou8+McBgvvuman6I3DeF0ZDaX7cDUU/CV3V3Pm/bfNUispamGW/kKaeZmYMKcUOkUKts7736F0BpaytZa8gdQYGvnS1uSgT41TisIJlVdqPgHDkkug5DR3s6EM/vj8=,iv:sPRORyWQU/p7vaRthmgA8/yBiYrcasOrdAP6vkaMWL8=,tag:sgeDQDpeUMHjOX0Yf9MnJw==,type:str]
+ lastmodified: "2024-06-20T11:42:10Z"
+ mac: ENC[AES256_GCM,data:VfUis0iEwTtGZUyccYMLmZ//zHm18cMbutEsTqBkw3vZtBr+mKjAVoihSxVxlol035j5FlYL7T7w344c+q8AIAus4+XdeHqfQKlSuqHwE7h0ZcU94ywa2I7pnHZUU+DIdFfVkKfHwZdIT3GzZLOVvfZIqFik0oOBLuduC/UWQyY=,iv:vdGFGeuR7NeUH3UalKKCaoEoC7NKefSQYfLcH19U10E=,tag:AbJEzpV+fFpWH9tM5RNmtg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1