authorsefidel <contact@sefidel.net>2023-02-06 18:16:38 +0900
committersefidel <contact@sefidel.net>2023-02-06 18:26:16 +0900
commit374f2f364a3a5de5438dd310f6cb50490eae6f1e (patch)
treec4a2f0dd33b61285606d894cc61353331c71f009
parent9d2566b5958943643d138186ebc57def41f68e51 (diff)
feat: use sops for secret management
-rw-r--r--flake.lock38
-rw-r--r--flake.nix3
-rw-r--r--lib/mk_colmena.nix2
-rw-r--r--nixos/.sops.yaml17
-rw-r--r--nixos/alpha/configuration.nix8
-rw-r--r--nixos/alpha/secrets/secrets.yaml44
-rw-r--r--nixos/cobalt/configuration.nix2
-rw-r--r--nixos/cobalt/secrets/secrets.yaml43
-rw-r--r--nixos/cobalt/services/acme.nix13
-rw-r--r--nixos/default.nix1
10 files changed, 157 insertions, 14 deletions
diff --git a/flake.lock b/flake.lock
index 7d414ca..668aff8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -178,6 +178,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1675556398,
+        "narHash": "sha256-5Gf5KlmFXfIGVQb2hmiiE7FQHoLd4UtEhIolLQvNB/A=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e32c33811815ca4a535a16faf1c83eeb4493145b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-22.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "chaotic-nixpkgs": "chaotic-nixpkgs",
@@ -187,6 +203,7 @@
         "neovim": "neovim",
         "nixpkgs-2111": "nixpkgs-2111",
         "rust": "rust",
+        "sops-nix": "sops-nix",
         "unstable": "unstable",
         "unstable-small": "unstable-small"
       }
@@ -212,6 +229,27 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "unstable"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1675566616,
+        "narHash": "sha256-Wki1ffvQUIB044M9ltjOxpXJGsqnQiVQPvMpQ0RiEBE=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "4d16c18787ba8ff80c1ff8db25c5ca56f68ceed3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "unstable": {
       "locked": {
         "lastModified": 1667629849,
diff --git a/flake.nix b/flake.nix
index 780c422..d8b1284 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,6 +14,9 @@
 
     impermanence.url = "github:nix-community/impermanence";
 
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "unstable";
+
     neovim.url = "github:neovim/neovim?dir=contrib";
     neovim.inputs.nixpkgs.follows = "unstable";
 
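Review bot: The new input follows `unstable` only for `nixpkgs`; flake.lock in this commit shows sops-nix also pulling its own `nixpkgs-stable` (release-22.11), which adds a second pinned nixpkgs tree to the inputs that `nix flake update` must now keep current. If the repository already tracks a stable channel that matches, add `sops-nix.inputs.nixpkgs-stable.follows = "<that-input>";` next to the existing follows line; if it does not, a short comment saying the extra tree is accepted knowingly would help the next reader.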
diff --git a/lib/mk_colmena.nix b/lib/mk_colmena.nix
index 641dd34..82dce9d 100644
--- a/lib/mk_colmena.nix
+++ b/lib/mk_colmena.nix
@@ -30,6 +30,8 @@ in
     hardware
     ../nixos/modules/flake.nix
     ../nixos/modules/nix.nix
+    # TODO: implement extraModules
     inputs.impermanence.nixosModules.impermanence
+    inputs.sops-nix.nixosModules.sops
   ];
 }
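Review bot: `inputs.sops-nix.nixosModules.sops` is now listed here and again in `extraModules` in nixos/default.nix (that file's hunk); if both lists reach the same host's module set, the module is imported twice, and whether the module system deduplicates that depends on whether the value is a path or an already-imported attribute set — worth confirming once rather than relying on it. The `# TODO: implement extraModules` comment placed between two module entries suggests the duplication is a stopgap until this function consumes `extraModules`; saying so would make the intent clear, e.g. `# TODO: implement extraModules; until then sops is listed here directly`.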
diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml
index 0d15882..030fefe 100644
--- a/nixos/.sops.yaml
+++ b/nixos/.sops.yaml
@@ -1,10 +1,15 @@
 keys:
-  - &user_zach 346833414516C852FFB238E19F734565641C2F14
-  - &host_alpha age1ndc6vascfywmk5d3ptyeps92dyc9d9qsxmezn6t4wv56jjzysucqu8ldfn
+  - &sefidel 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
+  - &host_alpha c62b0336ff6e444e5f2041e8074ca855641a5b7f
+  - &host_cobalt 9794c486d5673ff6613f6cde774d4895eb911703
 creation_rules:
   - path_regex: alpha/secrets/[^/]+\.yaml$
     key_groups:
-      - pgp:
-        - *user_zach
-      - age:
-        - *host_alpha
+    - pgp:
+      - *sefidel
+      - *host_alpha
+  - path_regex: cobalt/secrets/[^/]+\.yaml$
+    key_groups:
+    - pgp:
+      - *sefidel
+      - *host_cobalt
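Review bot: Collapsing the two key groups into one changes who can decrypt: with sops' default threshold (equal to the number of groups) the old layout needed a key from both the pgp and the age group, whereas the new single group lets any one listed key decrypt on its own. That is what an unattended host needs at boot, but it is an access-policy change the commit message does not mention; a comment above `creation_rules` such as `# single key group: either the user key or the host key alone can decrypt` would record it. The host entries are now PGP fingerprints rather than an age recipient, so the hosts presumably decrypt with a GnuPG-imported SSH host key — confirm that matches the sops-nix options set on each host.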
diff --git a/nixos/alpha/configuration.nix b/nixos/alpha/configuration.nix
index 67f56a2..d9dd00d 100644
--- a/nixos/alpha/configuration.nix
+++ b/nixos/alpha/configuration.nix
@@ -236,16 +236,20 @@
     ];
   };
 
+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+  sops.secrets.root-password.neededForUsers = true;
+  sops.secrets.zach-password.neededForUsers = true;
+
   users.mutableUsers = false;
 
   fileSystems."/persist".neededForBoot = true;
 
   users.users = {
-    root.passwordFile = "/persist/passwords/root";
+    root.passwordFile = config.sops.secrets.root-password.path;
     zach = {
       isNormalUser = true;
       shell = pkgs.zsh;
-      passwordFile = "/persist/passwords/zach";
+      passwordFile = config.sops.secrets.zach-password.path;
 
       extraGroups = [
         "wheel"
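Review bot: Nothing in this hunk sets which key the host uses to decrypt (`sops.age.keyFile`, `sops.age.sshKeyPaths` or `sops.gnupg.sshKeyPaths`), so decryption at boot relies on sops-nix's defaults, which look for the SSH host keys under /etc/ssh; with impermanence in use, that key must already be reachable from `/persist` when the `neededForUsers` secrets are installed during early activation, otherwise user creation would likely fail. A comment next to `sops.defaultSopsFile` naming the host key expected to decrypt, and where it is persisted, would make the boot dependency explicit. Note also that `passwordFile` expects a password hash, so the two secrets must hold the hashed value rather than the cleartext password — worth stating in the same comment.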
diff --git a/nixos/alpha/secrets/secrets.yaml b/nixos/alpha/secrets/secrets.yaml
new file mode 100644
index 0000000..185220f
--- /dev/null
+++ b/nixos/alpha/secrets/secrets.yaml
@@ -0,0 +1,44 @@
+root-password: ENC[AES256_GCM,data:KVPWUhy2dqSz8djBQRogBYUxZXmnJ1m7w+d6osLQXiVyrMf/ZKdJIn3jWUNkTTFRIdiHeZT4WZbffHtZO1GhjQG4jeRIfS6oBmPzhFJKG8d3R2JwbL4gCXQT9mvmX4cgPIs7BJxCo3GnWg==,iv:D9uva5kvuiPtYWGDcStbD+f+K2+xpE3Ogdq4idCnUsQ=,tag:OcwGkm541OPSHMEqU4odgw==,type:str]
+zach-password: ENC[AES256_GCM,data:hjCi2Pu0KtmaJ+RVU1SyLHKMgG/WP/AcTBYce+IV/ftfA9e7z294yZ6EizvtwwTDqJbI0ADSekdiomYIP5u6g1gz9pvexDEw3KR3nhVSQSKnhOwZ6wBm9ycNhRJhPmCM27uh6dM/SPuIgg==,iv:qJuPimIzJP053V1GnUTe5GKC8s/sFfQ7Wr3Wb0meGGM=,tag:SR4jecEt2P6u+PzqEl2ZNQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-02-05T11:33:33Z"
+    mac: ENC[AES256_GCM,data:bgEgm7Wu53ttYIygSCMZP9F2FMcqjc941cmERolnwFQhbjYMh5viRIsBm5t+bRDRRgIpOZsrieCGzRHll4Ub3718geLx8mkEOA57bRSgl4BBVx2qg7HHhK9yHMhO1VsazVQg/W5QW+m0EGtc/skfnM9rprywbPIGiPQW0RuP0LY=,iv:s8zHX5z9iGzijvn4fb5vZRuyDMsdZKWYRMZ3z/I1c4s=,tag:3WwXUfhmg5rsBxtq/PbOvQ==,type:str]
+    pgp:
+        - created_at: "2023-02-05T09:49:30Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dr9flwPWa1q8SAQdA+fosTjcmurKUcSFNK/FF5LNqpajbdcBxjm/ZBKMOLFEw
+            ITClO3QJMtQjG8knzV5Pk8EekGFWYcdhQETvuVHZpEpaPmZDcYUsFa/N/7S7dtUl
+            0l4BFfTjxrZTNqO43pnhS+TYOIMuutNKfknE7kaFCw5TpLHkpf+QZz4Ted0B4Wbh
+            JMaiaMGmCGi2z1AjLpHTiRPFd3kkoljhm4geITMqL0AlmumrxosGWkdqejXtIbBr
+            =mxAB
+            -----END PGP MESSAGE-----
+          fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
+        - created_at: "2023-02-05T09:49:30Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwdMqFVkGlt/AQ/9Gh0eEPgRGO/n3fihcpy7Ec5n1BTZ6IYcIFayFrLoqztP
+            LzRNwT5gt3T/D7rRCwgYEULXWGC1+9JLoLw6QgjiK4ArO8Wkb+7V2FEHF+jdpqth
+            +XrwGEozwsmOi0Oh1BBUIF5mpPjrQjf3SyF9Rr6hhauhg0WWMAeuDu1uP9xMaZet
+            lZVv73G3WvHwphRzaSoA70yby+o5EzT1DuOSjH5/6X6GP0U5LmnsZx1o7HHJ9tN6
+            9uD5TnUVzE7Ib0Bh/+3Hxb1csWI7HW9nH5A687foX5zuPklvFjtkaR3fH2gzo7l3
+            pL+PXhlpO7BPoNHKghAUhKNrk1TUHZZUyqplVPcLTXt14wK5sWWMvn7h4OMqt7h/
+            rGXNhEzNR66urJBCykBJ+3bdD7t324M+KWK5gcwbJgN9VVs1UVGYNcbqwGP94eNs
+            A3vUUBrMRbSXHi2FMRMQTPCO3CH5X+xpTn3yYSZLDvPrLRpLKffGph/usEwmnXub
+            TYXNMRa+Kt8zjLIF9R+eemjSYQ5Z+jg5GDUGmMw8xEk8nY9TsqOxKQ1keh1BIScF
+            7xY9rzDI2CDmSH88Gs+cifAW3MwOLGjPSmzuNpMqm6JPrOPNWtVIMe5cd5dNNbcu
+            2Qgvxr3KtXzO/fX/DjbdOWSpS6yWpKnoTwkM6ATuAS6OodTvenqj8GO5yiXRDO7S
+            WAFf9iqF0/ajPpbjeRS17NA/eC5CmRJ7aw66TbD4mndGUusTqVNvL98OtadLmSuF
+            T1UkSAJeyGSb2THMLLFcTvpYu1q83l+mBbMDaIkLd/VO2dQG/AfwKuE=
+            =QIC+
+            -----END PGP MESSAGE-----
+          fp: c62b0336ff6e444e5f2041e8074ca855641a5b7f
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
diff --git a/nixos/cobalt/configuration.nix b/nixos/cobalt/configuration.nix
index c596536..b4baf47 100644
--- a/nixos/cobalt/configuration.nix
+++ b/nixos/cobalt/configuration.nix
@@ -134,6 +134,8 @@ in
   # impermanence requirement
   fileSystems."/persist".neededForBoot = true;
 
+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/nixos/cobalt/secrets/secrets.yaml b/nixos/cobalt/secrets/secrets.yaml
new file mode 100644
index 0000000..8d2e9f2
--- /dev/null
+++ b/nixos/cobalt/secrets/secrets.yaml
@@ -0,0 +1,43 @@
+hetzner-dns-key: ENC[AES256_GCM,data:Ir3gRLc8XXIOC8Vjm43gLAmuhyDw5wysOsTCXlJfBQTcpingEbCENc4+eziStyF6,iv:5R4k9Yb8AJjavSivhs19RWrNh7r3rtkrbB6HdZZudqc=,tag:2tFXwQOXKZKYt/qwfsRr7A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-02-06T09:15:44Z"
+    mac: ENC[AES256_GCM,data:kLl+dIZe6aFaE3VEL7pF597Akn/W9j+klLvGHI8E8o4hcyiF/jlidMp3/oEAX209okuOrERO4w0KZ+sXwuaYymx4XWMhnS7VmMKQqgJ8uOq9xzwAl3rNyH3IWx/4fQk/cyWj/aa6cRLuTQkv+pANZ8n+tSop9FCnX3M5SgCL6F4=,iv:mjNBo7hzpoLlPuxyu6Qlpf9DuXTATkZ6DBNdJMux8eM=,tag:jczhijwEr+iMYrKJ3/wOjQ==,type:str]
+    pgp:
+        - created_at: "2023-02-05T09:56:11Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dr9flwPWa1q8SAQdAtFIasB4kQZqTb7d1+2X6i3W7xHM/BnU87nUBzjgARwAw
+            cDezIZDi9L0IKZt/pui44uCJHBQKLZ9rGHuVKqY3R0Hsv06D2Lmgm6z9agano1JZ
+            0l4BUstc9knAl/dqAoNcLs+0Ehb84EYUxPfJowAnZaDbH5oaB0ke24Ug6gpHnejc
+            2eilh+Gnu4hEtrob//BQ0FSEn/PlLHjedqKJuJG0+w19sTZD5BPPj2ydbWLU6DYL
+            =3baE
+            -----END PGP MESSAGE-----
+          fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
+        - created_at: "2023-02-05T09:56:11Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA3dNSJXrkRcDAQ/8DD0yVDj+CfykNQ6GupMBfKpNrEByupAijeMQKrPGSLAi
+            TKI0vi7Bh5UwxbhS9DZWnZqDnApba0/0S4t7oeRNTGjDusZJ4C1pglQY022hRvzh
+            AGvWwVnilg57ccqWW42eScqGL9ohtRTc2nFjWEXr2rc9w4CyjxzT46ZmYUo1zV7B
+            XXTn5TdpcRiFx81rvriW+L2BLE4Bd0nUeNxnL7FWG9mO+yaJtuv0lXtO5A3cGTn1
+            0hERax7VyCxzV78PHHtYVzkSY5ZVfpLH8su/Wg3dgMa6goMFmufnXPFr1l3HCQMH
+            oF2qEaWu3mP8efpSgstCDFMlH+i8wAbhPMFVwcN8kxPox9JACGmlqIvbCgOOwfKQ
+            eoQKkZPRpNuuK3e/+NddFqf+Eex5lh7v+iFk6PXZWqxzdOAjenWR53Gww5gFBJj+
+            bt6qvS/8Z7Hq8zNWD1eHhUj+ywazxuUrtUz7TOMRbfcGqaeFTAJntTc1pIu4GNcA
+            ut0fSyQr/xoTxv4J1Zyz4GnAzuJKE4fB4LCeonXLwIEU/MsV0sNKwUcgRL4oimYO
+            xDJ44rbKzHNX1cmmh3bVrdezJSqTNiG/5DCdYi8iqGcUzvUfkhhzT44VcUI7MIgI
+            VhLLk21M3eITbXKNPbOvkbXm/y1EeDeVNLg1JeqcXA43V5RBOKw3qKFheD+Se3bS
+            WAHZQxWslmuEvXVgWiewK+sh0x3uY7dCHN3Tcs1dggonAZBD1MIaKNutmPT1h8Nx
+            NtXsIaXB23oTv5xZ7R6b5B0NnVUFFok4VzYwSZBxPDBX9RQp9ErYX/o=
+            =uD2V
+            -----END PGP MESSAGE-----
+          fp: 9794c486d5673ff6613f6cde774d4895eb911703
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix
index d28bfc7..58a5c77 100644
--- a/nixos/cobalt/services/acme.nix
+++ b/nixos/cobalt/services/acme.nix
@@ -1,7 +1,13 @@
+{ config, ... }:
+
 let
   poorObfuscation = y: x: "${x}@${y}";
 in
 {
+  sops.secrets.hetzner-dns-key = {
+    owner = "acme";
+  };
+
   security.acme = {
     acceptTerms = true;
     defaults.email = poorObfuscation "sefidel.com" "postmaster";
@@ -14,7 +20,7 @@ in
         ];
         dnsProvider = "hetzner";
         dnsPropagationCheck = true;
-        credentialsFile = "/persist/secrets/hetzner.key";
+        credentialsFile = config.sops.secrets.hetzner-dns-key.path;
       };
     };
   };
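Review bot: `credentialsFile` is consumed as an environment file (`HETZNER_API_KEY=...` lines), so the decrypted `hetzner-dns-key` secret must contain that line rather than the bare token; the secret's name suggests a bare value, and nothing here pins the format. A comment on the declaration in the first hunk, e.g. `# value must be in env-file form: HETZNER_API_KEY=<token>`, would prevent a silent DNS-01 failure. The last hunk drops the colmena `deployment.keys` entry, but the previously deployed plaintext at `/persist/secrets/hetzner.key` is not removed by this change and will remain on disk until deleted by hand.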
@@ -22,9 +28,4 @@ in
   environment.persistence."/persist".directories = [
     "/var/lib/acme"
   ];
-
-  deployment.keys."hetzner.key" = {
-    keyCommand = [ "pass" "show" "server/hetzner-dns" ];
-    destDir = "/persist/secrets";
-  };
 }
diff --git a/nixos/default.nix b/nixos/default.nix
index 31d1a61..c113d42 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -8,6 +8,7 @@
     extraModules = [
       ./modules/security.nix
       ./modules/cachix
+      inputs.sops-nix.nixosModules.sops
     ];
   };