mission cleanup secrets
This commit is contained in:
parent
a68fbfe71e
commit
069aea5226
15 changed files with 35 additions and 42 deletions
4
.git-crypt/.gitattributes
vendored
4
.git-crypt/.gitattributes
vendored
|
@ -1,4 +0,0 @@
|
||||||
# Do not edit this file. To specify the files to encrypt, create your own
|
|
||||||
# .gitattributes file in the directory where your files are.
|
|
||||||
* !filter !diff
|
|
||||||
*.gpg binary
|
|
Binary file not shown.
1
.gitattributes
vendored
1
.gitattributes
vendored
|
@ -1 +0,0 @@
|
||||||
/secrets.nix filter=git-crypt diff=git-crypt
|
|
|
@ -1,3 +1,3 @@
|
||||||
{ ... }: {
|
{ ... }: {
|
||||||
imports = [ ./nix.nix ./sops.nix ./users.nix ];
|
imports = [ ./nix.nix ./secrets.nix ./users.nix ];
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,8 +2,8 @@
|
||||||
sops = {
|
sops = {
|
||||||
defaultSopsFile = ../secrets.yaml;
|
defaultSopsFile = ../secrets.yaml;
|
||||||
age = {
|
age = {
|
||||||
keyFile = "/persist/sops/age/keys.txt";
|
keyFile = "/persist/secrets/sops/age/keys.txt";
|
||||||
sshKeyPaths = [ "/persist/system/etc/ssh/keys/ssh_host_ed25519_key" ];
|
sshKeyPaths = [ "/persist/secrets/ssh/keys/ssh_host_ed25519_key" ];
|
||||||
};
|
};
|
||||||
secrets = {
|
secrets = {
|
||||||
"passwd/root" = {
|
"passwd/root" = {
|
||||||
|
@ -18,6 +18,11 @@
|
||||||
group = config.users.users.root.group;
|
group = config.users.users.root.group;
|
||||||
neededForUsers = true;
|
neededForUsers = true;
|
||||||
};
|
};
|
||||||
|
"wireguard/psk" = {
|
||||||
|
mode = "400";
|
||||||
|
owner = config.users.users.root.name;
|
||||||
|
group = config.users.users.root.group;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
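Review bot: Nothing in this hunk constrains the permissions of the new `/persist/secrets` tree, yet the age key (`keyFile`), the ssh host key named in `sshKeyPaths`, and — in other files of this commit — the WireGuard private key and the Secure Boot PKI bundle now all live under it, so a directory created by hand with a default mode exposes every key to any local user. I'd pin it from this module so a rebuild repairs a loose mode, e.g. `systemd.tmpfiles.rules = [ "d /persist/secrets 0700 root root -" ];`. The added `wireguard/psk` entry itself looks right: mode `400` and root ownership are what a root-run interface setup needs, and it is consumed via `config.sops.secrets."wireguard/psk".path` rather than a hard-coded `/run/secrets` path. The enclosing `sops` attribute set starts before the first hunk.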
|
@ -39,7 +39,6 @@
|
||||||
,
|
,
|
||||||
} @ inputs:
|
} @ inputs:
|
||||||
let
|
let
|
||||||
secrets = import ./secrets.nix;
|
|
||||||
packages = system: import nixpkgs {
|
packages = system: import nixpkgs {
|
||||||
inherit system;
|
inherit system;
|
||||||
config = {
|
config = {
|
||||||
|
@ -54,7 +53,7 @@
|
||||||
Skipper = nixpkgs.lib.nixosSystem rec {
|
Skipper = nixpkgs.lib.nixosSystem rec {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
pkgs = packages system;
|
pkgs = packages system;
|
||||||
specialArgs = inputs // { inherit secrets; extra-packages = (extra-packages system); };
|
specialArgs = inputs // { extra-packages = (extra-packages system); };
|
||||||
modules = [
|
modules = [
|
||||||
{
|
{
|
||||||
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
|
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
|
||||||
|
@ -71,7 +70,7 @@
|
||||||
home-manager = {
|
home-manager = {
|
||||||
useUserPackages = true;
|
useUserPackages = true;
|
||||||
useGlobalPkgs = true;
|
useGlobalPkgs = true;
|
||||||
extraSpecialArgs = inputs // { inherit secrets; extra-packages = (extra-packages system); };
|
extraSpecialArgs = inputs // { extra-packages = (extra-packages system); };
|
||||||
users.adtya = _: {
|
users.adtya = _: {
|
||||||
imports = [
|
imports = [
|
||||||
impermanence.nixosModules.home-manager.impermanence
|
impermanence.nixosModules.home-manager.impermanence
|
||||||
|
@ -95,7 +94,6 @@
|
||||||
devShells.default = pkgs.mkShell {
|
devShells.default = pkgs.mkShell {
|
||||||
buildInputs = with pkgs; [
|
buildInputs = with pkgs; [
|
||||||
git
|
git
|
||||||
git-crypt
|
|
||||||
statix
|
statix
|
||||||
sops
|
sops
|
||||||
age
|
age
|
||||||
|
|
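Review bot: Dropping `git-crypt` from `devShells.default` and `secrets` from `specialArgs` removes the tooling, but the git-crypt-encrypted blobs `secrets.nix` and `home/secrets.nix` that earlier commits contain stay in history, decryptable by anyone who ever held the repository's symmetric key. The deleted template suggests the encrypted content was a peer endpoint and public key, but `home/secrets.nix` is not shown, so if it held anything that is a real secret it should be rotated rather than assumed gone. A one-line comment near the `sops`/`age` entries, e.g. `# secrets are managed with sops-nix (secrets.yaml); git-crypt is no longer used`, would stop the next reader from looking for a git-crypt unlock step. The `devShells.default` definition continues past the hunk.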
BIN
home/secrets.nix
BIN
home/secrets.nix
Binary file not shown.
|
@ -3,10 +3,7 @@ _: {
|
||||||
hideMounts = true;
|
hideMounts = true;
|
||||||
directories = [
|
directories = [
|
||||||
"/etc/NetworkManager/system-connections"
|
"/etc/NetworkManager/system-connections"
|
||||||
"/etc/secureboot"
|
|
||||||
"/etc/ssh/keys"
|
|
||||||
"/etc/systemd/nspawn"
|
"/etc/systemd/nspawn"
|
||||||
"/etc/wireguard"
|
|
||||||
"/root/.local/share/nix"
|
"/root/.local/share/nix"
|
||||||
"/var/cache/fwupd"
|
"/var/cache/fwupd"
|
||||||
"/var/lib/bluetooth"
|
"/var/lib/bluetooth"
|
||||||
|
@ -24,7 +21,6 @@ _: {
|
||||||
];
|
];
|
||||||
files = [
|
files = [
|
||||||
"/etc/machine-id"
|
"/etc/machine-id"
|
||||||
"/etc/u2f_keys"
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
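Review bot: Removing `/etc/secureboot`, `/etc/ssh/keys`, `/etc/wireguard` and `/etc/u2f_keys` from the persisted set stops bind-mounting whatever currently sits under `/persist/system/etc/...`, while the consumers changed elsewhere in this commit read fixed paths under `/persist/secrets/...` that nothing here populates. Unless those files are moved by hand before the next boot, sshd will presumably generate fresh host keys and the WireGuard `generatePrivateKeyFile = true` will mint a new private key, silently changing the host's identity and breaking the tunnel; the U2F and Secure Boot consumers fail closed instead. A comment next to `directories` would make the split explicit, e.g. `# key material lives under /persist/secrets (see secrets.nix) and is not managed by impermanence`, and the commit message should carry the migration step. The enclosing persistence attribute set starts before the first hunk.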
|
@ -2,12 +2,16 @@
|
||||||
, pkgs
|
, pkgs
|
||||||
, ...
|
, ...
|
||||||
}: {
|
}: {
|
||||||
|
environment.etc."secureboot" = {
|
||||||
|
mode = "symlink";
|
||||||
|
source = "/persist/secrets/secureboot";
|
||||||
|
};
|
||||||
boot = {
|
boot = {
|
||||||
bootspec.enable = true;
|
bootspec.enable = true;
|
||||||
loader.systemd-boot.enable = lib.mkForce false;
|
loader.systemd-boot.enable = lib.mkForce false;
|
||||||
lanzaboote = {
|
lanzaboote = {
|
||||||
enable = true;
|
enable = true;
|
||||||
pkiBundle = "/persist/system/etc/secureboot";
|
pkiBundle = "/persist/secrets/secureboot";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
|
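Review bot: The new `environment.etc."secureboot"` symlink is unexplained: `pkiBundle` already points at `/persist/secrets/secureboot`, so the only reason to also expose it at `/etc/secureboot` is presumably that `sbctl` looks there by default. That deserves a comment such as `# symlink so sbctl finds the PKI bundle at its default location`, because the bundle holds the Secure Boot signing keys and a future reader may otherwise remove the symlink or re-add `/etc/secureboot` to impermanence as a real directory. A symlink carries no permissions of its own; protection comes entirely from the mode of `/persist/secrets/secureboot`, which this commit does not set. The enclosing module continues past the hunk.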
|
@ -8,7 +8,7 @@
|
||||||
};
|
};
|
||||||
u2f = {
|
u2f = {
|
||||||
enable = true;
|
enable = true;
|
||||||
authFile = "/etc/u2f_keys";
|
authFile = "/persist/secrets/u2f/u2f_keys";
|
||||||
cue = true;
|
cue = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
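Review bot: `authFile` now points at `/persist/secrets/u2f/u2f_keys`, a path that did not exist before this commit (the previously persisted file was `/persist/system/etc/u2f_keys`, in a different directory), and nothing here creates or moves it. If the file is missing or unreadable when PAM runs, `pam_u2f` fails that stack element; whether that locks users out or merely skips the second factor depends on the PAM `control` setting, which is outside this hunk. Because PAM reads the file in the calling program's context, a root-only `/persist/secrets` works for login and sudo but can break unprivileged callers such as screen lockers — worth noting inline, e.g. `# pam_u2f reads this as the calling user; keep the file readable by whoever authenticates`. The enclosing `security.pam` set starts before the hunk.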
|
@ -8,11 +8,11 @@ _: {
|
||||||
};
|
};
|
||||||
hostKeys = [
|
hostKeys = [
|
||||||
{
|
{
|
||||||
path = "/persist/system/etc/ssh/keys/ssh_host_ed25519_key";
|
path = "/persist/secrets/ssh/keys/ssh_host_ed25519_key";
|
||||||
type = "ed25519";
|
type = "ed25519";
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
path = "/persist/system/etc/ssh/keys/ssh_host_rsa_key";
|
path = "/persist/secrets/ssh/keys/ssh_host_rsa_key";
|
||||||
type = "rsa";
|
type = "rsa";
|
||||||
bits = "4096";
|
bits = "4096";
|
||||||
}
|
}
|
||||||
|
|
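Review bot: The ed25519 key at the new path is also what `sops.age.sshKeyPaths` derives a decryption identity from (secrets.nix hunk), so if `/persist/secrets/ssh/keys/ssh_host_ed25519_key` is absent on first boot, sshd's pre-start presumably generates a fresh key whose derived age identity is not a recipient of `secrets.yaml`; decryption then rests solely on the separate age `keyFile`, and every client sees a changed host fingerprint. A comment tying the two uses together would prevent a casual regeneration, e.g. `# also used by sops-nix (sshKeyPaths): do not regenerate without re-keying secrets.yaml`. The enclosing `services.openssh` set starts before the hunk.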
|
@ -1,14 +1,4 @@
|
||||||
{ secrets, ... }:
|
{ config, ... }: {
|
||||||
let
|
|
||||||
wireguard_server = secrets.wireguard_server // {
|
|
||||||
persistentKeepalive = 20;
|
|
||||||
allowedIPs = [
|
|
||||||
"10.10.10.0/24"
|
|
||||||
"fd7c:585c:c4ae::0/64"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
networking.firewall.trustedInterfaces = [ "wg0" ];
|
networking.firewall.trustedInterfaces = [ "wg0" ];
|
||||||
networking.wireguard = {
|
networking.wireguard = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -19,10 +9,20 @@ in
|
||||||
"fd7c:585c:c4ae::2/64"
|
"fd7c:585c:c4ae::2/64"
|
||||||
];
|
];
|
||||||
listenPort = 51822;
|
listenPort = 51822;
|
||||||
privateKeyFile = "/persist/system/etc/wireguard/private.key";
|
privateKeyFile = "/persist/secrets/wireguard/private.key";
|
||||||
generatePrivateKeyFile = true;
|
generatePrivateKeyFile = true;
|
||||||
peers = [
|
peers = [
|
||||||
wireguard_server
|
{
|
||||||
|
name = "Proxy";
|
||||||
|
endpoint = "proxy.adtya.xyz:51821";
|
||||||
|
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
|
||||||
|
presharedKeyFile = config.sops.secrets."wireguard/psk".path;
|
||||||
|
persistentKeepalive = 20;
|
||||||
|
allowedIPs = [
|
||||||
|
"10.10.10.0/24"
|
||||||
|
"fd7c:585c:c4ae::0/64"
|
||||||
|
];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
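Review bot: The peer's `endpoint` and `publicKey` move from the git-crypt-encrypted `secrets.nix` into plaintext while the preshared key is pulled from sops via `presharedKeyFile`; that is the right split under WireGuard's model, where only private keys and the PSK need protecting, but the decision should be recorded so nobody re-encrypts these values later, e.g. `# endpoint and public key are intentionally public; the PSK comes from secrets.yaml`. The hunk also drops the `secrets` module argument for `config`, so any other module still expecting `secrets` in `specialArgs` will now fail to evaluate — the flake hunk removes it from `specialArgs` and `extraSpecialArgs`, so grep for remaining consumers. The `networking.wireguard` set starts before the second hunk.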
BIN
secrets.nix
BIN
secrets.nix
Binary file not shown.
|
@ -1,7 +0,0 @@
|
||||||
{
|
|
||||||
wireguard_server = {
|
|
||||||
name = "<a name for the peer>;
|
|
||||||
endpoint = "<endpoint>:<port>";
|
|
||||||
publicKey = "<public key>";
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,6 +1,8 @@
|
||||||
passwd:
|
passwd:
|
||||||
root: ENC[AES256_GCM,data:fEAYZXid9Im/TJrBXj9IOUCdqHT3NZ8GZvouX+RN/1PplH+imoGvjiMc+7AWxUwH28RYpKlFmrILrBSCFEvypX/IXuwx0Zq/uoTLEiP+NiDvSl+e1kvTbI5q19iSajmxU/mN67zTTmUbzA==,iv:MtX/dAEIsQFJc4KahJPbj+dELowLF0caea55/HZ3WWA=,tag:bkfqmLU+dCW+KNJ7RFoeFQ==,type:str]
|
root: ENC[AES256_GCM,data:fEAYZXid9Im/TJrBXj9IOUCdqHT3NZ8GZvouX+RN/1PplH+imoGvjiMc+7AWxUwH28RYpKlFmrILrBSCFEvypX/IXuwx0Zq/uoTLEiP+NiDvSl+e1kvTbI5q19iSajmxU/mN67zTTmUbzA==,iv:MtX/dAEIsQFJc4KahJPbj+dELowLF0caea55/HZ3WWA=,tag:bkfqmLU+dCW+KNJ7RFoeFQ==,type:str]
|
||||||
adtya: ENC[AES256_GCM,data:ryjjreVHyt/oY4tJcJHZ8ZQNk/hq9UJFECwo65Pd/GTWw/V/0QxwhoPsuFrgrVRwZxmK+m52ZtGstarn6kSK0oqT7rqzu4u0UwgxzRiPOAzyGPCl9PbiMWUQyeh779q133E+GRw5hEih7A==,iv:o1C+5PSKYmXU61k1TOJWIw3dPWbGBQNwB+pa2X5m9ik=,tag:WSKUXPJmMudschBaYJsSrg==,type:str]
|
adtya: ENC[AES256_GCM,data:ryjjreVHyt/oY4tJcJHZ8ZQNk/hq9UJFECwo65Pd/GTWw/V/0QxwhoPsuFrgrVRwZxmK+m52ZtGstarn6kSK0oqT7rqzu4u0UwgxzRiPOAzyGPCl9PbiMWUQyeh779q133E+GRw5hEih7A==,iv:o1C+5PSKYmXU61k1TOJWIw3dPWbGBQNwB+pa2X5m9ik=,tag:WSKUXPJmMudschBaYJsSrg==,type:str]
|
||||||
|
wireguard:
|
||||||
|
psk: ENC[AES256_GCM,data:DmcnhcUtFfz3i6bhd0VZnjO2ySPhBkRNxXnzAZ9/eegLNz4A7pDFociQSkc=,iv:Ucr0YztJ9MCAPsbIh8z4CjD5Fb5K5UvPiTL2FMDJ1U0=,tag:EHu2yWJ42Tohiw5F24igLw==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -25,8 +27,8 @@ sops:
|
||||||
MTdMRzR6anF4RzVBbnI5cnFPQmRpWmcKCiFOU74esinQsdc55Zwny5/VVNN2r3rq
|
MTdMRzR6anF4RzVBbnI5cnFPQmRpWmcKCiFOU74esinQsdc55Zwny5/VVNN2r3rq
|
||||||
19ZYyCVNuyTeOXxuvUvjPJeW2X+v9H6bvbg1sXMxb761Pm0VGYor+g==
|
19ZYyCVNuyTeOXxuvUvjPJeW2X+v9H6bvbg1sXMxb761Pm0VGYor+g==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-06-16T16:15:25Z"
|
lastmodified: "2024-06-20T11:42:10Z"
|
||||||
mac: ENC[AES256_GCM,data:oV4M6ZIMuPwjUk9AfkrbGO6bSaLOSqSS8BhT1GzjZujaZou8+McBgvvuman6I3DeF0ZDaX7cDUU/CV3V3Pm/bfNUispamGW/kKaeZmYMKcUOkUKts7736F0BpaytZa8gdQYGvnS1uSgT41TisIJlVdqPgHDkkug5DR3s6EM/vj8=,iv:sPRORyWQU/p7vaRthmgA8/yBiYrcasOrdAP6vkaMWL8=,tag:sgeDQDpeUMHjOX0Yf9MnJw==,type:str]
|
mac: ENC[AES256_GCM,data:VfUis0iEwTtGZUyccYMLmZ//zHm18cMbutEsTqBkw3vZtBr+mKjAVoihSxVxlol035j5FlYL7T7w344c+q8AIAus4+XdeHqfQKlSuqHwE7h0ZcU94ywa2I7pnHZUU+DIdFfVkKfHwZdIT3GzZLOVvfZIqFik0oOBLuduC/UWQyY=,iv:vdGFGeuR7NeUH3UalKKCaoEoC7NKefSQYfLcH19U10E=,tag:AbJEzpV+fFpWH9tM5RNmtg==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|