Diffstat (limited to 'nixos')
-rw-r--r--nixos/.sops.yaml9
-rw-r--r--nixos/alpha/configuration.nix (renamed from nixos/configurations/alpha.nix)7
-rw-r--r--nixos/alpha/hardware-configuration.nix (renamed from nixos/configurations/hardware/alpha.nix)0
-rw-r--r--nixos/alpha/secrets/secrets.yaml52
-rw-r--r--nixos/configurations/default.nix5
-rw-r--r--nixos/default.nix14
-rw-r--r--nixos/secrets/keys/hosts/alpha.asc28
-rw-r--r--nixos/secrets/keys/users/boopy.asc51
8 files changed, 160 insertions, 6 deletions
diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml
new file mode 100644
index 0000000..0f34ef1
--- /dev/null
+++ b/nixos/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+  - &user_boopy EE731799CAE9F76B048BDF71F05C1C600B728A18
+  - &host_alpha e1965a67a09b4b20fcea3b57432b5757b7eb1fa4
+creation_rules:
+  - path_regex: alpha/secrets/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+        - *host_alpha
+        - *user_boopy
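Review bot: The `path_regex` in the only creation rule is not anchored at the start, so any path that merely ends in `alpha/secrets/<name>.yaml` also matches and is encrypted to `host_alpha`. Once another host directory exists whose name ends in `alpha`, or a nested copy of this tree, its secrets could end up readable by alpha's host key. Anchoring it as `- path_regex: ^alpha/secrets/[^/]+\.yaml$` keeps the rule scoped to this host, assuming sops evaluates the pattern relative to the directory holding `.sops.yaml`, which is worth confirming for the sops version in use. The two fingerprints are also written in different letter case; normalising them would make comparison against `gpg --fingerprint` output less error-prone.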
diff --git a/nixos/configurations/alpha.nix b/nixos/alpha/configuration.nix
index d7fe368..54ec24f 100644
--- a/nixos/configurations/alpha.nix
+++ b/nixos/alpha/configuration.nix
@@ -23,7 +23,7 @@
 
     efiSupport = true;
     configurationLimit = 10;
-    device = "nodev";
+    devices = [ "nodev" ];
     useOSProber = true;
     # device = "/dev/disk/by-uuid/7905-2E41";
     extraEntries = ''
@@ -36,6 +36,7 @@
     '';
   };
 
+  networking.hostName = "alpha";
   networking.networkmanager.enable = true;
   networking.useDHCP = false;
   networking.firewall.enable = true;
@@ -50,6 +51,7 @@
   environment.systemPackages = with pkgs; [ gcc ];
 
   services.openssh.enable = true;
+  services.openssh.passwordAuthentication = false;
 
   sound.enable = true;
   services.pipewire = {
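Review bot: `services.openssh.passwordAuthentication = false;` turns off only sshd's PasswordAuthentication; keyboard-interactive authentication through PAM is a separate sshd setting and, depending on the nixpkgs revision, may still accept the account password. Disabling it alongside would make the host key-only; the option has been named `services.openssh.challengeResponseAuthentication` and later `services.openssh.kbdInteractiveAuthentication`, so use whichever the pinned nixpkgs provides. No `openssh.authorizedKeys` entry for `boopy` is visible in these hunks, so confirm one exists before deploying, otherwise remote login is locked out.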
@@ -121,6 +123,9 @@
 
   virtualisation.libvirtd.enable = true;
 
+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+  sops.secrets.spotify-password.owner = "boopy";
+
   users.users = {
     boopy = {
       isNormalUser = true;
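Review bot: Nothing in this hunk says which private key the host uses to decrypt `./secrets/secrets.yaml`. Presumably sops-nix falls back to importing the SSH host RSA key, which would tie secret decryption to `services.openssh` staying enabled with an RSA host key. A comment above `sops.defaultSopsFile` such as `# decrypted at activation with the host PGP key (fingerprint in ../.sops.yaml)`, or an explicit `sops.gnupg.sshKeyPaths` / `sops.gnupg.home` setting, would make that dependency visible to the next maintainer. The `users.users` block continues past the end of the hunk.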
diff --git a/nixos/configurations/hardware/alpha.nix b/nixos/alpha/hardware-configuration.nix
index 3e99ea9..3e99ea9 100644
--- a/nixos/configurations/hardware/alpha.nix
+++ b/nixos/alpha/hardware-configuration.nix
diff --git a/nixos/alpha/secrets/secrets.yaml b/nixos/alpha/secrets/secrets.yaml
new file mode 100644
index 0000000..f1abf24
--- /dev/null
+++ b/nixos/alpha/secrets/secrets.yaml
@@ -0,0 +1,52 @@
+spotify-password: ENC[AES256_GCM,data:tmzSh7Cf9fmL4PIdrV1dMz0=,iv:tLnKsQ2qEEZbGmuavMqiAXczlsZh21JU4tWWhhZP3OY=,tag:egoGT/V8AxIfcaVV0/ddtg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-01-15T16:15:09Z"
+    mac: ENC[AES256_GCM,data:1uhM/dHYwkdWoF90gbqdX+y1LgCkY0xFrC/tGQtm6tk0/X9Q9yq7se646IUVwhyZDP4+PRA1DhmjJTOwFxRWpXLPtRbPgcAGjNoMjP/n8HhDiDr5dUJWLsuHg4vB9MGA8UnEewUdYjZiR+7+x6iULcnRojR06Uzy1D47f6tQqZ8=,iv:yTY9blxNtbvYjOVidtLeTzuDfWpN+AgLtkAC/D+VV+Q=,tag:fIR+NVF9YkghhMJTOpGrPw==,type:str]
+    pgp:
+        - created_at: "2022-01-15T16:14:51Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0MrV1e36x+kAQ/+N5pvwngEyucZTGlNZV1yachrUEkylK84bfJPwCn5JMWY
+            mBhdhgBZ5DEmseA2pny6mDyid6EQjKB/akIDnW2ZTaBposdDlJUw4S7wqO+vtuLM
+            9L1jFg+y9xn9H2HzIyaglBN0cLQIPqZtu72yriV3bAu7wPLd3J+5fq/ohPV4GrsL
+            CVs0h8t/n/BkJ6q0s7gTBe2+tvB78fsLZwSpSwc5fzXdaZTRBCopEqT+3DO/shX3
+            qOsP3zvbUIKvdIXsfGhwtfpuPD3qg42HoyI+CmedjoG1DkPX0jLiu44K+EJJr9n1
+            jQ9Ms/jc4But5DW+EyWm9rkMGinMY+cEENKcJ/8LVuUzud/KFsJhJnEAi23U705+
+            om7Gte+UOLE+Z5LDaLNKNJ51mHcl/JS+ze74mafkcyrbQsCXgicyS47VxPltVtnX
+            P6u/NQmrvWlnWGw1QLHVjOzN5FEedAWvUaS4kQABG/LFobMx6M9dPucKUBAkOhXy
+            ZvcJDUN4XbIIxnfM8bQ9ijYAC5+axhonY95UX9OCwiErXC7rawa1J8mJTdGmxFIK
+            MVV2yfBoqGyhQduq/j7ScPfGkY/pC7NtFtphwjocQkVDO6SO/o1zYEAzgqpOKYzP
+            1piFC7Z0MUnOYu0omhXXt2UGIxmxl4DbPSq3hZVfTzjjVlPp3wr6EmI6eUO2o6nS
+            WAG60D7zdhWEJF7LrNqg0abwbsqUUMGOzdSUA89AfoQIK3mZ0hDl4fzklPMxpqio
+            K5gNpvazqLGDLQXXjByoPXg8sFZXm3Isoq1WbrdkRonmjYJCIhGzdt4=
+            =ntAB
+            -----END PGP MESSAGE-----
+          fp: e1965a67a09b4b20fcea3b57432b5757b7eb1fa4
+        - created_at: "2022-01-15T16:14:51Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzBHloZFtyD7AQ//YazK3vEkUC9A8gtjn7mst91PL57bBEFOsgp0MXYR4U9m
+            +Ro9qA98vF6PIcBLA9yfixpbiT+JVUTJPHrS8j0aegocVgUTNlrh7qPMU0w220oF
+            e+6P9XmEh4w1rSy03F5Ch7AVZ/o9aUEFKSMud7Zl5oPk2v7JqgqtHy7SHdlDa6JL
+            PQftiu9rozzOM+7UmRWA1pzi2JX03Md6qLGaPpMyM0AhdZuf/bLV8zpcKRIBWmkF
+            n5LE0blIYv/9yvowXgZQaDj2eejWzKWm0Zpd9Cw3MsuJHG1TLOgyjhpdV9raMg+k
+            BE8kBN+EwUy4CTKzeBeyGenY5mn7ll+x/vGo3aa2Shywalkr6mSmnH5B8FuO2c2U
+            S1hwrpoTJjsTiQzCnxVEm+Jv1uRAfoOQwJMt2Br0MM3iVCrm+/mGNv5K4GC96MqN
+            FPfGt1tsUViZ0xbbVbJ2ULAZUpBHzK7XTFcobnuHMRSjQ16QO8mIAN0ROEzTl/ng
+            7gVRxV2X9f+9aChQ14bmoovjPqVbxl09B3cYPrvXvd0x7V0FGUTHWexXZBOg9OOc
+            zG9VTDBiEy26G9a7XOMGNAIwNPxULCa7uKRql2UvtrDZf4CZx3H7dnJKAKXmTbx2
+            WjxQ2N0au8oVEkMK6TFUdOBuPGJq/skNXOU0S9kCBhcrA81pwF3Q6I42gml2GiHS
+            XgEgxy2EntotByYJ88UmB6y6WSROfTVGJGykJ0QnU6bAJErss3BmE45yYo6ymI9X
+            kRLyz6YManX2UMUfDrlumeqRFFYkdx+7kdqvgc8vLcGjrCIGsPoEpMltj0A2+M4=
+            =dGjP
+            -----END PGP MESSAGE-----
+          fp: EE731799CAE9F76B048BDF71F05C1C600B728A18
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1
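Review bot: The `spotify-password` value is encrypted per field without padding, so the ciphertext in `data:` has the same length as the plaintext, and the key name itself is stored in clear. Anyone who can read this repository therefore learns the password's length and purpose. Because the ciphertext stays in history, a later compromise of either recipient key listed under `sops.pgp` means the password has to be rotated at the provider, not just re-encrypted here. A long, randomly generated password makes the length disclosure harmless.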
diff --git a/nixos/configurations/default.nix b/nixos/configurations/default.nix
deleted file mode 100644
index 8b84279..0000000
--- a/nixos/configurations/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ self, nixpkgs, ... } @ inputs:
-
-{
-  alpha = self.lib.mkSystem "alpha" nixpkgs;
-}
diff --git a/nixos/default.nix b/nixos/default.nix
new file mode 100644
index 0000000..211f3d5
--- /dev/null
+++ b/nixos/default.nix
@@ -0,0 +1,14 @@
+{ self, nixpkgs, ... } @ inputs:
+
+{
+  alpha = self.lib.mkSystem {
+    name = "alpha";
+    nixpkgs = nixpkgs;
+    extraModules = [
+      inputs.sops-nix.nixosModules.sops
+      ./modules/security.nix
+      ./modules/cachix
+      ./alpha/configuration.nix
+    ];
+  };
+}
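Review bot: `nixpkgs = nixpkgs;` in the `mkSystem` argument set is more idiomatically written `inherit nixpkgs;`. The module list would also benefit from a one-line comment that `inputs.sops-nix.nixosModules.sops` must stay in `extraModules` for the `sops.*` options set in `./alpha/configuration.nix` to evaluate. `self.lib.mkSystem` is defined outside this diff, so the new attribute-set calling convention cannot be checked from here.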
diff --git a/nixos/secrets/keys/hosts/alpha.asc b/nixos/secrets/keys/hosts/alpha.asc
new file mode 100644
index 0000000..41a45b3
--- /dev/null
+++ b/nixos/secrets/keys/hosts/alpha.asc
@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=49eP
+-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
diff --git a/nixos/secrets/keys/users/boopy.asc b/nixos/secrets/keys/users/boopy.asc
new file mode 100644
index 0000000..5580dab
--- /dev/null
+++ b/nixos/secrets/keys/users/boopy.asc
@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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pcnT
+-----END PGP PUBLIC KEY BLOCK-----