diff options
| author | sefidel <contact@sefidel.net> | 2023-02-06 18:16:38 +0900 |
|---|---|---|
| committer | sefidel <contact@sefidel.net> | 2023-02-06 18:26:16 +0900 |
| commit | 374f2f364a3a5de5438dd310f6cb50490eae6f1e (patch) | |
| tree | c4a2f0dd33b61285606d894cc61353331c71f009 | |
| parent | 9d2566b5958943643d138186ebc57def41f68e51 (diff) | |
| download | nixrc-374f2f364a3a5de5438dd310f6cb50490eae6f1e.tar.gz nixrc-374f2f364a3a5de5438dd310f6cb50490eae6f1e.zip | |
feat: use sops for secret management
| -rw-r--r-- | flake.lock | 38 | ||||
| -rw-r--r-- | flake.nix | 3 | ||||
| -rw-r--r-- | lib/mk_colmena.nix | 2 | ||||
| -rw-r--r-- | nixos/.sops.yaml | 17 | ||||
| -rw-r--r-- | nixos/alpha/configuration.nix | 8 | ||||
| -rw-r--r-- | nixos/alpha/secrets/secrets.yaml | 44 | ||||
| -rw-r--r-- | nixos/cobalt/configuration.nix | 2 | ||||
| -rw-r--r-- | nixos/cobalt/secrets/secrets.yaml | 43 | ||||
| -rw-r--r-- | nixos/cobalt/services/acme.nix | 13 | ||||
| -rw-r--r-- | nixos/default.nix | 1 |
10 files changed, 157 insertions, 14 deletions
diff --git a/flake.lock b/flake.lock index 7d414ca..668aff8 100644 --- a/flake.lock +++ b/flake.lock @@ -178,6 +178,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1675556398, + "narHash": "sha256-5Gf5KlmFXfIGVQb2hmiiE7FQHoLd4UtEhIolLQvNB/A=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e32c33811815ca4a535a16faf1c83eeb4493145b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { "chaotic-nixpkgs": "chaotic-nixpkgs", @@ -187,6 +203,7 @@ "neovim": "neovim", "nixpkgs-2111": "nixpkgs-2111", "rust": "rust", + "sops-nix": "sops-nix", "unstable": "unstable", "unstable-small": "unstable-small" } @@ -212,6 +229,27 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "unstable" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1675566616, + "narHash": "sha256-Wki1ffvQUIB044M9ltjOxpXJGsqnQiVQPvMpQ0RiEBE=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "4d16c18787ba8ff80c1ff8db25c5ca56f68ceed3", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "unstable": { "locked": { "lastModified": 1667629849, diff --git a/flake.nix b/flake.nix index 780c422..d8b1284 100644 --- a/flake.nix +++ b/flake.nix @@ -14,6 +14,9 @@ impermanence.url = "github:nix-community/impermanence"; + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "unstable"; + neovim.url = "github:neovim/neovim?dir=contrib"; neovim.inputs.nixpkgs.follows = "unstable"; diff --git a/lib/mk_colmena.nix b/lib/mk_colmena.nix index 641dd34..82dce9d 100644 --- a/lib/mk_colmena.nix +++ b/lib/mk_colmena.nix @@ -30,6 +30,8 @@ in hardware ../nixos/modules/flake.nix ../nixos/modules/nix.nix + # TODO: implement extraModules inputs.impermanence.nixosModules.impermanence + inputs.sops-nix.nixosModules.sops ]; } diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml index 0d15882..030fefe 100644 --- a/nixos/.sops.yaml +++ b/nixos/.sops.yaml @@ -1,10 +1,15 @@ keys: - - &user_zach 346833414516C852FFB238E19F734565641C2F14 - - &host_alpha age1ndc6vascfywmk5d3ptyeps92dyc9d9qsxmezn6t4wv56jjzysucqu8ldfn + - &sefidel 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2 + - &host_alpha c62b0336ff6e444e5f2041e8074ca855641a5b7f + - &host_cobalt 9794c486d5673ff6613f6cde774d4895eb911703 creation_rules: - path_regex: alpha/secrets/[^/]+\.yaml$ key_groups: - - pgp: - - *user_zach - - age: - - *host_alpha + - pgp: + - *sefidel + - *host_alpha + - path_regex: cobalt/secrets/[^/]+\.yaml$ + key_groups: + - pgp: + - *sefidel + - *host_cobalt diff --git a/nixos/alpha/configuration.nix b/nixos/alpha/configuration.nix index 67f56a2..d9dd00d 100644 --- a/nixos/alpha/configuration.nix +++ b/nixos/alpha/configuration.nix @@ -236,16 +236,20 @@ ]; }; + sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.secrets.root-password.neededForUsers = true; + sops.secrets.zach-password.neededForUsers = true; + users.mutableUsers = false; fileSystems."/persist".neededForBoot = true; users.users = { - root.passwordFile = "/persist/passwords/root"; + root.passwordFile = config.sops.secrets.root-password.path; zach = { isNormalUser = true; shell = pkgs.zsh; - passwordFile = "/persist/passwords/zach"; + passwordFile = config.sops.secrets.zach-password.path; extraGroups = [ "wheel" diff --git a/nixos/alpha/secrets/secrets.yaml b/nixos/alpha/secrets/secrets.yaml new file mode 100644 index 0000000..185220f --- /dev/null +++ b/nixos/alpha/secrets/secrets.yaml @@ -0,0 +1,44 @@ +root-password: ENC[AES256_GCM,data:KVPWUhy2dqSz8djBQRogBYUxZXmnJ1m7w+d6osLQXiVyrMf/ZKdJIn3jWUNkTTFRIdiHeZT4WZbffHtZO1GhjQG4jeRIfS6oBmPzhFJKG8d3R2JwbL4gCXQT9mvmX4cgPIs7BJxCo3GnWg==,iv:D9uva5kvuiPtYWGDcStbD+f+K2+xpE3Ogdq4idCnUsQ=,tag:OcwGkm541OPSHMEqU4odgw==,type:str] +zach-password: ENC[AES256_GCM,data:hjCi2Pu0KtmaJ+RVU1SyLHKMgG/WP/AcTBYce+IV/ftfA9e7z294yZ6EizvtwwTDqJbI0ADSekdiomYIP5u6g1gz9pvexDEw3KR3nhVSQSKnhOwZ6wBm9ycNhRJhPmCM27uh6dM/SPuIgg==,iv:qJuPimIzJP053V1GnUTe5GKC8s/sFfQ7Wr3Wb0meGGM=,tag:SR4jecEt2P6u+PzqEl2ZNQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-02-05T11:33:33Z" + mac: ENC[AES256_GCM,data:bgEgm7Wu53ttYIygSCMZP9F2FMcqjc941cmERolnwFQhbjYMh5viRIsBm5t+bRDRRgIpOZsrieCGzRHll4Ub3718geLx8mkEOA57bRSgl4BBVx2qg7HHhK9yHMhO1VsazVQg/W5QW+m0EGtc/skfnM9rprywbPIGiPQW0RuP0LY=,iv:s8zHX5z9iGzijvn4fb5vZRuyDMsdZKWYRMZ3z/I1c4s=,tag:3WwXUfhmg5rsBxtq/PbOvQ==,type:str] + pgp: + - created_at: "2023-02-05T09:49:30Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4Dr9flwPWa1q8SAQdA+fosTjcmurKUcSFNK/FF5LNqpajbdcBxjm/ZBKMOLFEw + ITClO3QJMtQjG8knzV5Pk8EekGFWYcdhQETvuVHZpEpaPmZDcYUsFa/N/7S7dtUl + 0l4BFfTjxrZTNqO43pnhS+TYOIMuutNKfknE7kaFCw5TpLHkpf+QZz4Ted0B4Wbh + JMaiaMGmCGi2z1AjLpHTiRPFd3kkoljhm4geITMqL0AlmumrxosGWkdqejXtIbBr + =mxAB + -----END PGP MESSAGE----- + fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2 + - created_at: "2023-02-05T09:49:30Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAwdMqFVkGlt/AQ/9Gh0eEPgRGO/n3fihcpy7Ec5n1BTZ6IYcIFayFrLoqztP + LzRNwT5gt3T/D7rRCwgYEULXWGC1+9JLoLw6QgjiK4ArO8Wkb+7V2FEHF+jdpqth + +XrwGEozwsmOi0Oh1BBUIF5mpPjrQjf3SyF9Rr6hhauhg0WWMAeuDu1uP9xMaZet + lZVv73G3WvHwphRzaSoA70yby+o5EzT1DuOSjH5/6X6GP0U5LmnsZx1o7HHJ9tN6 + 9uD5TnUVzE7Ib0Bh/+3Hxb1csWI7HW9nH5A687foX5zuPklvFjtkaR3fH2gzo7l3 + pL+PXhlpO7BPoNHKghAUhKNrk1TUHZZUyqplVPcLTXt14wK5sWWMvn7h4OMqt7h/ + rGXNhEzNR66urJBCykBJ+3bdD7t324M+KWK5gcwbJgN9VVs1UVGYNcbqwGP94eNs + A3vUUBrMRbSXHi2FMRMQTPCO3CH5X+xpTn3yYSZLDvPrLRpLKffGph/usEwmnXub + TYXNMRa+Kt8zjLIF9R+eemjSYQ5Z+jg5GDUGmMw8xEk8nY9TsqOxKQ1keh1BIScF + 7xY9rzDI2CDmSH88Gs+cifAW3MwOLGjPSmzuNpMqm6JPrOPNWtVIMe5cd5dNNbcu + 2Qgvxr3KtXzO/fX/DjbdOWSpS6yWpKnoTwkM6ATuAS6OodTvenqj8GO5yiXRDO7S + WAFf9iqF0/ajPpbjeRS17NA/eC5CmRJ7aw66TbD4mndGUusTqVNvL98OtadLmSuF + T1UkSAJeyGSb2THMLLFcTvpYu1q83l+mBbMDaIkLd/VO2dQG/AfwKuE= + =QIC+ + -----END PGP MESSAGE----- + fp: c62b0336ff6e444e5f2041e8074ca855641a5b7f + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nixos/cobalt/configuration.nix b/nixos/cobalt/configuration.nix index c596536..b4baf47 100644 --- a/nixos/cobalt/configuration.nix +++ b/nixos/cobalt/configuration.nix @@ -134,6 +134,8 @@ in # impermanence requirement fileSystems."/persist".neededForBoot = true; + sops.defaultSopsFile = ./secrets/secrets.yaml; + # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nixos/cobalt/secrets/secrets.yaml b/nixos/cobalt/secrets/secrets.yaml new file mode 100644 index 0000000..8d2e9f2 --- /dev/null +++ b/nixos/cobalt/secrets/secrets.yaml @@ -0,0 +1,43 @@ +hetzner-dns-key: ENC[AES256_GCM,data:Ir3gRLc8XXIOC8Vjm43gLAmuhyDw5wysOsTCXlJfBQTcpingEbCENc4+eziStyF6,iv:5R4k9Yb8AJjavSivhs19RWrNh7r3rtkrbB6HdZZudqc=,tag:2tFXwQOXKZKYt/qwfsRr7A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-02-06T09:15:44Z" + mac: ENC[AES256_GCM,data:kLl+dIZe6aFaE3VEL7pF597Akn/W9j+klLvGHI8E8o4hcyiF/jlidMp3/oEAX209okuOrERO4w0KZ+sXwuaYymx4XWMhnS7VmMKQqgJ8uOq9xzwAl3rNyH3IWx/4fQk/cyWj/aa6cRLuTQkv+pANZ8n+tSop9FCnX3M5SgCL6F4=,iv:mjNBo7hzpoLlPuxyu6Qlpf9DuXTATkZ6DBNdJMux8eM=,tag:jczhijwEr+iMYrKJ3/wOjQ==,type:str] + pgp: + - created_at: "2023-02-05T09:56:11Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4Dr9flwPWa1q8SAQdAtFIasB4kQZqTb7d1+2X6i3W7xHM/BnU87nUBzjgARwAw + cDezIZDi9L0IKZt/pui44uCJHBQKLZ9rGHuVKqY3R0Hsv06D2Lmgm6z9agano1JZ + 0l4BUstc9knAl/dqAoNcLs+0Ehb84EYUxPfJowAnZaDbH5oaB0ke24Ug6gpHnejc + 2eilh+Gnu4hEtrob//BQ0FSEn/PlLHjedqKJuJG0+w19sTZD5BPPj2ydbWLU6DYL + =3baE + -----END PGP MESSAGE----- + fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2 + - created_at: "2023-02-05T09:56:11Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA3dNSJXrkRcDAQ/8DD0yVDj+CfykNQ6GupMBfKpNrEByupAijeMQKrPGSLAi + TKI0vi7Bh5UwxbhS9DZWnZqDnApba0/0S4t7oeRNTGjDusZJ4C1pglQY022hRvzh + AGvWwVnilg57ccqWW42eScqGL9ohtRTc2nFjWEXr2rc9w4CyjxzT46ZmYUo1zV7B + XXTn5TdpcRiFx81rvriW+L2BLE4Bd0nUeNxnL7FWG9mO+yaJtuv0lXtO5A3cGTn1 + 0hERax7VyCxzV78PHHtYVzkSY5ZVfpLH8su/Wg3dgMa6goMFmufnXPFr1l3HCQMH + oF2qEaWu3mP8efpSgstCDFMlH+i8wAbhPMFVwcN8kxPox9JACGmlqIvbCgOOwfKQ + eoQKkZPRpNuuK3e/+NddFqf+Eex5lh7v+iFk6PXZWqxzdOAjenWR53Gww5gFBJj+ + bt6qvS/8Z7Hq8zNWD1eHhUj+ywazxuUrtUz7TOMRbfcGqaeFTAJntTc1pIu4GNcA + ut0fSyQr/xoTxv4J1Zyz4GnAzuJKE4fB4LCeonXLwIEU/MsV0sNKwUcgRL4oimYO + xDJ44rbKzHNX1cmmh3bVrdezJSqTNiG/5DCdYi8iqGcUzvUfkhhzT44VcUI7MIgI + VhLLk21M3eITbXKNPbOvkbXm/y1EeDeVNLg1JeqcXA43V5RBOKw3qKFheD+Se3bS + WAHZQxWslmuEvXVgWiewK+sh0x3uY7dCHN3Tcs1dggonAZBD1MIaKNutmPT1h8Nx + NtXsIaXB23oTv5xZ7R6b5B0NnVUFFok4VzYwSZBxPDBX9RQp9ErYX/o= + =uD2V + -----END PGP MESSAGE----- + fp: 9794c486d5673ff6613f6cde774d4895eb911703 + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix index d28bfc7..58a5c77 100644 --- a/nixos/cobalt/services/acme.nix +++ b/nixos/cobalt/services/acme.nix @@ -1,7 +1,13 @@ +{ config, ... }: + let poorObfuscation = y: x: "${x}@${y}"; in { + sops.secrets.hetzner-dns-key = { + owner = "acme"; + }; + security.acme = { acceptTerms = true; defaults.email = poorObfuscation "sefidel.com" "postmaster"; @@ -14,7 +20,7 @@ in ]; dnsProvider = "hetzner"; dnsPropagationCheck = true; - credentialsFile = "/persist/secrets/hetzner.key"; + credentialsFile = config.sops.secrets.hetzner-dns-key.path; }; }; }; @@ -22,9 +28,4 @@ in environment.persistence."/persist".directories = [ "/var/lib/acme" ]; - - deployment.keys."hetzner.key" = { - keyCommand = [ "pass" "show" "server/hetzner-dns" ]; - destDir = "/persist/secrets"; - }; } diff --git a/nixos/default.nix b/nixos/default.nix index 31d1a61..c113d42 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -8,6 +8,7 @@ extraModules = [ ./modules/security.nix ./modules/cachix + inputs.sops-nix.nixosModules.sops ]; }; |