mission cleanup secrets

2024-06-20 19:41:06 +05:30 · 2024-06-20 19:41:06 +05:30 · 069aea5226
commit 069aea5226
parent a68fbfe71e
15 changed files with 35 additions and 42 deletions
--- a/.git-crypt/.gitattributes
+++ b/.git-crypt/.gitattributes
@ -1,4 +0,0 @@
-# Do not edit this file.  To specify the files to encrypt, create your own
-# .gitattributes file in the directory where your files are.
-* !filter !diff
-*.gpg binary
--- a/.git-crypt/keys/default/0/51E4F5AB1B82BE45B4229CC243A5E25AA5A27849.gpg
+++ b/.git-crypt/keys/default/0/51E4F5AB1B82BE45B4229CC243A5E25AA5A27849.gpg
--- a/.gitattributes
+++ b/.gitattributes
@ -1 +0,0 @@
-/secrets.nix filter=git-crypt diff=git-crypt
--- a/common/default.nix
+++ b/common/default.nix
@ -1,3 +1,3 @@
 { ... }: {
-  imports = [ ./nix.nix ./sops.nix ./users.nix ];
+  imports = [ ./nix.nix ./secrets.nix ./users.nix ];
 }
--- a/common/secrets.nix
+++ b/common/secrets.nix
@ -2,8 +2,8 @@
  sops = {
    defaultSopsFile = ../secrets.yaml;
    age = {
-      keyFile = "/persist/sops/age/keys.txt";
-      sshKeyPaths = [ "/persist/system/etc/ssh/keys/ssh_host_ed25519_key" ];
+      keyFile = "/persist/secrets/sops/age/keys.txt";
+      sshKeyPaths = [ "/persist/secrets/ssh/keys/ssh_host_ed25519_key" ];
    };
    secrets = {
      "passwd/root" = {
@ -18,6 +18,11 @@
        group = config.users.users.root.group;
        neededForUsers = true;
      };
+      "wireguard/psk" = {
+        mode = "400";
+        owner = config.users.users.root.name;
+        group = config.users.users.root.group;
+      };
    };
  };
 }
--- a/flake.nix
+++ b/flake.nix
@ -39,7 +39,6 @@
    ,
    } @ inputs:
    let
-      secrets = import ./secrets.nix;
      packages = system: import nixpkgs {
        inherit system;
        config = {
@ -54,7 +53,7 @@
        Skipper = nixpkgs.lib.nixosSystem rec {
          system = "x86_64-linux";
          pkgs = packages system;
-          specialArgs = inputs // { inherit secrets; extra-packages = (extra-packages system); };
+          specialArgs = inputs // { extra-packages = (extra-packages system); };
          modules = [
            {
              system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
@ -71,7 +70,7 @@
              home-manager = {
                useUserPackages = true;
                useGlobalPkgs = true;
-                extraSpecialArgs = inputs // { inherit secrets; extra-packages = (extra-packages system); };
+                extraSpecialArgs = inputs // { extra-packages = (extra-packages system); };
                users.adtya = _: {
                  imports = [
                    impermanence.nixosModules.home-manager.impermanence
@ -95,7 +94,6 @@
      devShells.default = pkgs.mkShell {
        buildInputs = with pkgs; [
          git
-          git-crypt
          statix
          sops
          age
--- a/home/secrets.nix
+++ b/home/secrets.nix
--- a/hosts/skipper/persistence.nix
+++ b/hosts/skipper/persistence.nix
@ -3,10 +3,7 @@ _: {
    hideMounts = true;
    directories = [
      "/etc/NetworkManager/system-connections"
-      "/etc/secureboot"
-      "/etc/ssh/keys"
      "/etc/systemd/nspawn"
-      "/etc/wireguard"
      "/root/.local/share/nix"
      "/var/cache/fwupd"
      "/var/lib/bluetooth"
@ -24,7 +21,6 @@ _: {
    ];
    files = [
      "/etc/machine-id"
-      "/etc/u2f_keys"
    ];
  };
 }
--- a/hosts/skipper/secureboot.nix
+++ b/hosts/skipper/secureboot.nix
@ -2,12 +2,16 @@
 , pkgs
 , ...
 }: {
+  environment.etc."secureboot" = {
+    mode = "symlink";
+    source = "/persist/secrets/secureboot";
+  };
  boot = {
    bootspec.enable = true;
    loader.systemd-boot.enable = lib.mkForce false;
    lanzaboote = {
      enable = true;
-      pkiBundle = "/persist/system/etc/secureboot";
+      pkiBundle = "/persist/secrets/secureboot";
    };
  };
  environment.systemPackages = with pkgs; [
--- a/hosts/skipper/security.nix
+++ b/hosts/skipper/security.nix
@ -8,7 +8,7 @@
      };
      u2f = {
        enable = true;
-        authFile = "/etc/u2f_keys";
+        authFile = "/persist/secrets/u2f/u2f_keys";
        cue = true;
      };
    };
--- a/hosts/skipper/services/ssh.nix
+++ b/hosts/skipper/services/ssh.nix
@ -8,11 +8,11 @@ _: {
    };
    hostKeys = [
      {
-        path = "/persist/system/etc/ssh/keys/ssh_host_ed25519_key";
+        path = "/persist/secrets/ssh/keys/ssh_host_ed25519_key";
        type = "ed25519";
      }
      {
-        path = "/persist/system/etc/ssh/keys/ssh_host_rsa_key";
+        path = "/persist/secrets/ssh/keys/ssh_host_rsa_key";
        type = "rsa";
        bits = "4096";
      }
--- a/hosts/skipper/wireguard.nix
+++ b/hosts/skipper/wireguard.nix
@ -1,14 +1,4 @@
-{ secrets, ... }:
-let
-  wireguard_server = secrets.wireguard_server // {
-    persistentKeepalive = 20;
-    allowedIPs = [
-      "10.10.10.0/24"
-      "fd7c:585c:c4ae::0/64"
-    ];
-  };
-in
-{
+{ config, ... }: {
  networking.firewall.trustedInterfaces = [ "wg0" ];
  networking.wireguard = {
    enable = true;
@ -19,10 +9,20 @@ in
          "fd7c:585c:c4ae::2/64"
        ];
        listenPort = 51822;
-        privateKeyFile = "/persist/system/etc/wireguard/private.key";
+        privateKeyFile = "/persist/secrets/wireguard/private.key";
        generatePrivateKeyFile = true;
        peers = [
-          wireguard_server
+          {
+            name = "Proxy";
+            endpoint = "proxy.adtya.xyz:51821";
+            publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
+            presharedKeyFile = config.sops.secrets."wireguard/psk".path;
+            persistentKeepalive = 20;
+            allowedIPs = [
+              "10.10.10.0/24"
+              "fd7c:585c:c4ae::0/64"
+            ];
+          }
        ];
      };
    };
--- a/secrets.nix
+++ b/secrets.nix
--- a/secrets.nix.example
+++ b/secrets.nix.example
@ -1,7 +0,0 @@
-{
-  wireguard_server = {
-    name = "<a name for the peer>;
-    endpoint = "<endpoint>:<port>";
-    publicKey = "<public key>";
-  };
-}
--- a/secrets.yaml
+++ b/secrets.yaml
@ -1,6 +1,8 @@
 passwd:
    root: ENC[AES256_GCM,data:fEAYZXid9Im/TJrBXj9IOUCdqHT3NZ8GZvouX+RN/1PplH+imoGvjiMc+7AWxUwH28RYpKlFmrILrBSCFEvypX/IXuwx0Zq/uoTLEiP+NiDvSl+e1kvTbI5q19iSajmxU/mN67zTTmUbzA==,iv:MtX/dAEIsQFJc4KahJPbj+dELowLF0caea55/HZ3WWA=,tag:bkfqmLU+dCW+KNJ7RFoeFQ==,type:str]
    adtya: ENC[AES256_GCM,data:ryjjreVHyt/oY4tJcJHZ8ZQNk/hq9UJFECwo65Pd/GTWw/V/0QxwhoPsuFrgrVRwZxmK+m52ZtGstarn6kSK0oqT7rqzu4u0UwgxzRiPOAzyGPCl9PbiMWUQyeh779q133E+GRw5hEih7A==,iv:o1C+5PSKYmXU61k1TOJWIw3dPWbGBQNwB+pa2X5m9ik=,tag:WSKUXPJmMudschBaYJsSrg==,type:str]
+wireguard:
+    psk: ENC[AES256_GCM,data:DmcnhcUtFfz3i6bhd0VZnjO2ySPhBkRNxXnzAZ9/eegLNz4A7pDFociQSkc=,iv:Ucr0YztJ9MCAPsbIh8z4CjD5Fb5K5UvPiTL2FMDJ1U0=,tag:EHu2yWJ42Tohiw5F24igLw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -25,8 +27,8 @@ sops:
            MTdMRzR6anF4RzVBbnI5cnFPQmRpWmcKCiFOU74esinQsdc55Zwny5/VVNN2r3rq
            19ZYyCVNuyTeOXxuvUvjPJeW2X+v9H6bvbg1sXMxb761Pm0VGYor+g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-16T16:15:25Z"
-    mac: ENC[AES256_GCM,data:oV4M6ZIMuPwjUk9AfkrbGO6bSaLOSqSS8BhT1GzjZujaZou8+McBgvvuman6I3DeF0ZDaX7cDUU/CV3V3Pm/bfNUispamGW/kKaeZmYMKcUOkUKts7736F0BpaytZa8gdQYGvnS1uSgT41TisIJlVdqPgHDkkug5DR3s6EM/vj8=,iv:sPRORyWQU/p7vaRthmgA8/yBiYrcasOrdAP6vkaMWL8=,tag:sgeDQDpeUMHjOX0Yf9MnJw==,type:str]
+    lastmodified: "2024-06-20T11:42:10Z"
+    mac: ENC[AES256_GCM,data:VfUis0iEwTtGZUyccYMLmZ//zHm18cMbutEsTqBkw3vZtBr+mKjAVoihSxVxlol035j5FlYL7T7w344c+q8AIAus4+XdeHqfQKlSuqHwE7h0ZcU94ywa2I7pnHZUU+DIdFfVkKfHwZdIT3GzZLOVvfZIqFik0oOBLuduC/UWQyY=,iv:vdGFGeuR7NeUH3UalKKCaoEoC7NKefSQYfLcH19U10E=,tag:AbJEzpV+fFpWH9tM5RNmtg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
				`@ -1 +0,0 @@`
				`/secrets.nix filter=git-crypt diff=git-crypt`