diff options
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/.sops.yaml | 9 | ||||
| -rw-r--r-- | nixos/alpha/configuration.nix (renamed from nixos/configurations/alpha.nix) | 7 | ||||
| -rw-r--r-- | nixos/alpha/hardware-configuration.nix (renamed from nixos/configurations/hardware/alpha.nix) | 0 | ||||
| -rw-r--r-- | nixos/alpha/secrets/secrets.yaml | 52 | ||||
| -rw-r--r-- | nixos/configurations/default.nix | 5 | ||||
| -rw-r--r-- | nixos/default.nix | 14 | ||||
| -rw-r--r-- | nixos/secrets/keys/hosts/alpha.asc | 28 | ||||
| -rw-r--r-- | nixos/secrets/keys/users/boopy.asc | 51 |
8 files changed, 160 insertions, 6 deletions
diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml new file mode 100644 index 0000000..0f34ef1 --- /dev/null +++ b/nixos/.sops.yaml @@ -0,0 +1,9 @@ +keys: + - &user_boopy EE731799CAE9F76B048BDF71F05C1C600B728A18 + - &host_alpha e1965a67a09b4b20fcea3b57432b5757b7eb1fa4 +creation_rules: + - path_regex: alpha/secrets/[^/]+\.yaml$ + key_groups: + - pgp: + - *host_alpha + - *user_boopy diff --git a/nixos/configurations/alpha.nix b/nixos/alpha/configuration.nix index d7fe368..54ec24f 100644 --- a/nixos/configurations/alpha.nix +++ b/nixos/alpha/configuration.nix @@ -23,7 +23,7 @@ efiSupport = true; configurationLimit = 10; - device = "nodev"; + devices = [ "nodev" ]; useOSProber = true; # device = "/dev/disk/by-uuid/7905-2E41"; extraEntries = '' @@ -36,6 +36,7 @@ ''; }; + networking.hostName = "alpha"; networking.networkmanager.enable = true; networking.useDHCP = false; networking.firewall.enable = true; @@ -50,6 +51,7 @@ environment.systemPackages = with pkgs; [ gcc ]; services.openssh.enable = true; + services.openssh.passwordAuthentication = false; sound.enable = true; services.pipewire = { @@ -121,6 +123,9 @@ virtualisation.libvirtd.enable = true; + sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.secrets.spotify-password.owner = "boopy"; + users.users = { boopy = { isNormalUser = true; diff --git a/nixos/configurations/hardware/alpha.nix b/nixos/alpha/hardware-configuration.nix index 3e99ea9..3e99ea9 100644 --- a/nixos/configurations/hardware/alpha.nix +++ b/nixos/alpha/hardware-configuration.nix diff --git a/nixos/alpha/secrets/secrets.yaml b/nixos/alpha/secrets/secrets.yaml new file mode 100644 index 0000000..f1abf24 --- /dev/null +++ b/nixos/alpha/secrets/secrets.yaml @@ -0,0 +1,52 @@ +spotify-password: ENC[AES256_GCM,data:tmzSh7Cf9fmL4PIdrV1dMz0=,iv:tLnKsQ2qEEZbGmuavMqiAXczlsZh21JU4tWWhhZP3OY=,tag:egoGT/V8AxIfcaVV0/ddtg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-01-15T16:15:09Z" + mac: ENC[AES256_GCM,data:1uhM/dHYwkdWoF90gbqdX+y1LgCkY0xFrC/tGQtm6tk0/X9Q9yq7se646IUVwhyZDP4+PRA1DhmjJTOwFxRWpXLPtRbPgcAGjNoMjP/n8HhDiDr5dUJWLsuHg4vB9MGA8UnEewUdYjZiR+7+x6iULcnRojR06Uzy1D47f6tQqZ8=,iv:yTY9blxNtbvYjOVidtLeTzuDfWpN+AgLtkAC/D+VV+Q=,tag:fIR+NVF9YkghhMJTOpGrPw==,type:str] + pgp: + - created_at: "2022-01-15T16:14:51Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA0MrV1e36x+kAQ/+N5pvwngEyucZTGlNZV1yachrUEkylK84bfJPwCn5JMWY + mBhdhgBZ5DEmseA2pny6mDyid6EQjKB/akIDnW2ZTaBposdDlJUw4S7wqO+vtuLM + 9L1jFg+y9xn9H2HzIyaglBN0cLQIPqZtu72yriV3bAu7wPLd3J+5fq/ohPV4GrsL + CVs0h8t/n/BkJ6q0s7gTBe2+tvB78fsLZwSpSwc5fzXdaZTRBCopEqT+3DO/shX3 + qOsP3zvbUIKvdIXsfGhwtfpuPD3qg42HoyI+CmedjoG1DkPX0jLiu44K+EJJr9n1 + jQ9Ms/jc4But5DW+EyWm9rkMGinMY+cEENKcJ/8LVuUzud/KFsJhJnEAi23U705+ + om7Gte+UOLE+Z5LDaLNKNJ51mHcl/JS+ze74mafkcyrbQsCXgicyS47VxPltVtnX + P6u/NQmrvWlnWGw1QLHVjOzN5FEedAWvUaS4kQABG/LFobMx6M9dPucKUBAkOhXy + ZvcJDUN4XbIIxnfM8bQ9ijYAC5+axhonY95UX9OCwiErXC7rawa1J8mJTdGmxFIK + MVV2yfBoqGyhQduq/j7ScPfGkY/pC7NtFtphwjocQkVDO6SO/o1zYEAzgqpOKYzP + 1piFC7Z0MUnOYu0omhXXt2UGIxmxl4DbPSq3hZVfTzjjVlPp3wr6EmI6eUO2o6nS + WAG60D7zdhWEJF7LrNqg0abwbsqUUMGOzdSUA89AfoQIK3mZ0hDl4fzklPMxpqio + K5gNpvazqLGDLQXXjByoPXg8sFZXm3Isoq1WbrdkRonmjYJCIhGzdt4= + =ntAB + -----END PGP MESSAGE----- + fp: e1965a67a09b4b20fcea3b57432b5757b7eb1fa4 + - created_at: "2022-01-15T16:14:51Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAzBHloZFtyD7AQ//YazK3vEkUC9A8gtjn7mst91PL57bBEFOsgp0MXYR4U9m + +Ro9qA98vF6PIcBLA9yfixpbiT+JVUTJPHrS8j0aegocVgUTNlrh7qPMU0w220oF + e+6P9XmEh4w1rSy03F5Ch7AVZ/o9aUEFKSMud7Zl5oPk2v7JqgqtHy7SHdlDa6JL + PQftiu9rozzOM+7UmRWA1pzi2JX03Md6qLGaPpMyM0AhdZuf/bLV8zpcKRIBWmkF + n5LE0blIYv/9yvowXgZQaDj2eejWzKWm0Zpd9Cw3MsuJHG1TLOgyjhpdV9raMg+k + BE8kBN+EwUy4CTKzeBeyGenY5mn7ll+x/vGo3aa2Shywalkr6mSmnH5B8FuO2c2U + S1hwrpoTJjsTiQzCnxVEm+Jv1uRAfoOQwJMt2Br0MM3iVCrm+/mGNv5K4GC96MqN + FPfGt1tsUViZ0xbbVbJ2ULAZUpBHzK7XTFcobnuHMRSjQ16QO8mIAN0ROEzTl/ng + 7gVRxV2X9f+9aChQ14bmoovjPqVbxl09B3cYPrvXvd0x7V0FGUTHWexXZBOg9OOc + zG9VTDBiEy26G9a7XOMGNAIwNPxULCa7uKRql2UvtrDZf4CZx3H7dnJKAKXmTbx2 + WjxQ2N0au8oVEkMK6TFUdOBuPGJq/skNXOU0S9kCBhcrA81pwF3Q6I42gml2GiHS + XgEgxy2EntotByYJ88UmB6y6WSROfTVGJGykJ0QnU6bAJErss3BmE45yYo6ymI9X + kRLyz6YManX2UMUfDrlumeqRFFYkdx+7kdqvgc8vLcGjrCIGsPoEpMltj0A2+M4= + =dGjP + -----END PGP MESSAGE----- + fp: EE731799CAE9F76B048BDF71F05C1C600B728A18 + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/nixos/configurations/default.nix b/nixos/configurations/default.nix deleted file mode 100644 index 8b84279..0000000 --- a/nixos/configurations/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ self, nixpkgs, ... } @ inputs: - -{ - alpha = self.lib.mkSystem "alpha" nixpkgs; -} diff --git a/nixos/default.nix b/nixos/default.nix new file mode 100644 index 0000000..211f3d5 --- /dev/null +++ b/nixos/default.nix @@ -0,0 +1,14 @@ +{ self, nixpkgs, ... } @ inputs: + +{ + alpha = self.lib.mkSystem { + name = "alpha"; + nixpkgs = nixpkgs; + extraModules = [ + inputs.sops-nix.nixosModules.sops + ./modules/security.nix + ./modules/cachix + ./alpha/configuration.nix + ]; + }; +} diff --git a/nixos/secrets/keys/hosts/alpha.asc b/nixos/secrets/keys/hosts/alpha.asc new file mode 100644 index 0000000..41a45b3 --- /dev/null +++ b/nixos/secrets/keys/hosts/alpha.asc @@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEADXplBJ88spBzpK908jDYx4PJPpmBi9yXXmH0CZwmsLLO8jBMa2 +0+4Q2NY9+vZ2BFe3TFr3qp8QINxec5cZvIvuaMdEAXcQ7OYZJR+ijnG7u/Gvhwh6 +G764dGFe7SBIV6jxYCU1NTDzKgb2RvJHP03Tp8Zg8YBcF4WbMTe4WQmiPhGvebMt +Mw23ZxYj37nBhwDURi4ji293Aree+6GSIALxdIm7uMJlH5N4WlMm+jWyX70dlOrx +fGa6gus3kCnTKetBPLwDyablIgLbEvPX4r3GGSd37sV8PCyIoDWfjxINQu5P2f8x +H4kL+cqFs7ds8zo7rROsXLCLzsOKSoicCcMfTBeXT2DN0uQfysJI65Rvfolxn0h9 +UGBKEqcMcAl9lluJoF4C3ZUKREFtwiy6FezDZ2tT5Tpp1O5eWqaroHd3HRxgsnIT +GXbSTlpyZVNQOHp9WoC6lzyLYPGARKOYjwJy3aMTJold4r97TgQQ2sWop5EZ9kg9 +k2zBlLbf6+1OPYMUG6OTTjjt4FMne4gbQ9+9LTfRa+zT4RDEGYgLoWadzPuTIhwm +RHtnpv0pe+OBRQnkvnFEl6dR6/rKbsUNQBIaliPXUxsfrrcjThoXMO4ecBfdwzFi +3ql7fyOX0/DXRj/tQ1PxXzfPp3IiZVsh7MKemH94/KHeTFLS9leZmtz6wQARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT +AQgAFgUCAAAAAAkQQytXV7frH6QCGw8CGQEAABpqEAAdM9PfVFV+MJ81eoEAXlJg +2cE8TGcb6chOWW9CJAHv54aQxbPs18055vqOmrVgWWNMTdIs+50TlMKt9/9qLUjH +22HljRZi2W4ct1Itre+ID74yhrDYeAhNoCtN5Exz18r6Ef+HGkANWs60O9g32v/B +FDamVW+cGorp0XhfZiMRHQAwvOKib+ovGvwI6Llkp3mJam381DWW5/rPnm4e04ze +2QvNOm/PhbKxdFS10iSz7tABp3NfEDG2eZykywRm/DSJwJn3JcnrFXqmfRXm1ANE +rvNr/ISHnmPLmiMdzpG2PdT9Lssmz9Oz9ZSkIgGJQwaifh7F6Y1TAXloEjRW/6vw +EST1+um1EAZ1vhucR6RM+S3WeYZ9jr4TMJ6PdhtVTlyPcMBSLKYJ1TlBaDruAmc7 +anplewF5VAKyMc6x0iuEVa3GL/iw+Tphuq5HPqc+2IF2OQvfWbxAKOZjdQpluJ7x +AA8qHgSyImlv/VVkoegt7W0mA0DKJTdnhHA4HXT4gKyB68xyAUXyddJ1qP1YD6ou +wwmArjQuLPQ352rVGs9mc+Djq3BgBXunvmnaG6FDE6J+slelubfrGF+0s9oCxip7 +HR52nhWteSGNT7ZGjYdEkhQGWAUgxJZlawxZqOXR/er2bi+zTcgoErND9cccEbXi +ptZcqbdR0qUMDKPk22Svuw== +=49eP +-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file diff --git a/nixos/secrets/keys/users/boopy.asc b/nixos/secrets/keys/users/boopy.asc new file mode 100644 index 0000000..5580dab --- /dev/null +++ b/nixos/secrets/keys/users/boopy.asc @@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGGBNKMBEAC/FfuwKRKjb5TNVD7FtSuj9LcP/fzWWAg/xi0Cu4cX2S8lUotr +kJ8Mj5/Mk4LhQ9D1TQE+fcQIc91Ibk2AO0+ddCrZwZxBLzizj3Bvq8XLO8wS6LsF +pRcd4a67fzKRg5w/5ldJuO7GbV1we1a9Nwl2DRIyQn9MmlPOEgjJ85U26m+jeoNz +rt+IsR0nJadbcrzgfiTy2NQ5FuvcOLhDBe7PTOs+pkqrtcM+AJHGEuUQk6r0E3Tr +yXFIzSzST9CYKVGLkR3VvRL3b7X+gBPKdJRi9x8JjQbc2LfDX2Jas35HNHIzsTAS +54fDNvjDp5qJdbMXPZzUZKCxcMD7+GGblcUnZ9U7OO4ZEfE+I2Bx6wagpRbs0ZFX ++poLuoMkgs5oLO/UhVkZI7tOYOVvy0i7zJTQ8fXEa/kT0bc0I8rp+gtReGnjOpTT +mp6VVfH87nVWRcndUf8S3aNF0fRsxGz6kTL/rC89/MQzbC6/yRjGt1fpNkiLPf0K +7SCmEeavScJf3P7EUvSj/itdzt29zmZyrtkWEpFWUKvjFrFSqiUEOFulkJlx4+Ew +NkVk2KoT7EGDIRyyNng1qu6QdM7ikpv61JI59bMkdFpIKhvOD7/bAO7z2D8bdWU9 +UudCNuxXwLE+vqDKfUXu2NcyIJeEEG51Nrrm7/pHuZniSKzKzR+6m7bsFQARAQAB +tBVaYWNrIEEgPGhpQGJvb3B5LmRldj6JAlQEEwEIAD4CGwMFCwkIBwIGFQoJCAsC +BBYCAwECHgECF4AWIQTucxeZyun3awSL33HwXBxgC3KKGAUCYawAbgUJBc5mSwAK +CRDwXBxgC3KKGIQSEACwAob0zFlfJCL4IZyFnx8Gj+RT5FypnNPq+lBtZ8jDWWqy +pM9BR8ugXvpTfNmwSI6h82cAAHALQ71Z+hFV8XeO111gxW22dGMWPS6NsIA7M0go +TMLfU19ZZb9zUG6kDXB9g4JijEBYgbLVUddXy61r2NUKMCEA/8GDLjeQLpbRf4fa +2UAHt5UfOzoWh30SdYvMmeku/Lg0YuSnVbduFstlGbHSUHGjjDj8+o10sGfaRi4c +6Etsk23qYATczd3WFj6vksrp0+vlsnI/Dq7F2FgZKNqmHEGo+lpMyuOHTWNoxkvf +NvD7hZSz/GR7RpomyJdHD/ENnu7cWHD7MNx4JCiE2uXeqvDRx4cIgPA/AjbHV7m2 +cgilMzVRydksHuQM+DFEZtYrkw8pHAR4j0+DXD5tXWx5ziv1eK0jrlNIKf9ZRmCB +au1Z54mMQ7XczOeC2v1XTVfRA5Qn1QkqSRhK6/WDI/MGnZV+rZfr5TgxpJSeuJTW +6BamHfWogaoO3uIME380JroMCk4aQ4lbW/9HtUFz01Ti5UE/GrcrWhd/SS3dr7q7 +ygCIAcMTqI/QRbPG/2but96/P7FJYpyguDFAxZbpTaQ52n0vFWQ624AJshvoenis +wi53DXHGxym7dGpRBPYgAdsh0YqQ9C/u/AzhuJ0DroKZjAbsx0zH2x8ljd0Pv7kC +DQRhgTSjARAAyjp257sZZqW6/hFqkrVCygwSYY2RRQC2CIkO1mhWPwV2OJ/2tG48 +7HNeCkcTGGQMxzgBz+M055pZMyxGoBVdu6MI4p6UvGroBW5W/N+sVKqDOg30v5Tc +4UqpcrOZUp6gQ3uebOrS9w6LXiPA6n36SuouWMViinm4/GNNYOEPOZL9fO18qyfW +rc5tQiyoOmyvB8wu+ftumoLBMsMDsuu3StptETGv2EeY7jBp/fn2Mt/Luot5/8nX +rrxtywcscbItIlV7wlhf/o1gS6EfmVjs1DkVAAJBlgRlsIFis7mo17f4br4pTsY7 +ZoaNKyDiOo6ot/O6ntYLDFiM02MAqvDKt/TvOHyuXI3FzcGlRVfVNBQ0ISg5sr5C +55UkanmeHIt4zR20Hpr0mI6GyFSkm7VYIK1lQxLhCCTxsmtm83MZc3IhpsRQcsqY +oihFIAFOUQ9kbBqo8FDqmQy4zXSP33lkUpJmcLpwvRPHrJlEJjXk3sFHdXobw65s +xOgy9p8QB3tQgwd3kB3tD2jCoJ9+RACcMT3RRfyQsylZalyuiLCPxCmF/aU1fNyI +1Bk3t4iUAa9dvxsif8qfx/4Bh3Gj7RUc+MaTexSBudBxVcO1qxDuQOaW/c2R5CRm +vcd9J23WoKYN1j4dzM5aMxNFCyTtu4VeYaU3bi3VbAc53q60f7s6dusAEQEAAYkC +PAQYAQgAJgIbDBYhBO5zF5nK6fdrBIvfcfBcHGALcooYBQJhrAC/BQkFzmacAAoJ +EPBcHGALcooYAT4P/jayUQMDUGG8zMqIjyMS3GXY8Pg024AGhjvCkAgV6HjW8Q/v +aOPZOWaQvWYTKHEsi/+qhq1ybKjhKqXeI/dS75YCpNzBSPpI9J8TMJybEc6G36Ja +F2QRd+/a+vjvoFpfbzMhr1ECbLsHu48B3QgTvP8H1xy5P8SO02OxRd+/W44bRvs9 ++89mSNbXWQD4qbDeq9bPSleCKBF9haA+xA96vtfMwRnx2+olCWr5I0keCLGG5MV1 +zwmefTHxHiuMyzJjkrBFNAcuPYINEkLrjips5aq8wrgBJDeDQW81FmhPGgtKbfoN +DT4aT4UxVLyy4WaoBe7uZquoEC+EHxxgba7aqxOiBmmqti4aG8F180QTrSIT1Dol +d2GK+CUxiyUpdK1bg5Iyv8Gwlvey+yVXXLKDVUsde3+M6mRRVLJbWlur/ej69oAA +m7A28LZZxvYGzuWCcZvP5ATAzl9umbASO6BuEzzLsrO081Bb0etZWT9hx4wreLyE +90uGYZctokEJWA5Vk0YKLGmyiRymoGehxepYEJ2eiEsQgy2KS1SR9MB7iHJSFpu3 +iEFF9ODikeb0rmroUWL/lqY38AEuEt/tRlgS6w0DnZBnkL29RhXFiDaR5kM0eaf5 +sYx2723BpXQSGG6MptN8rYr70EpIIp9FCC17sQkn3Fx2PCRS8IDxGhe0+xQI +=pcnT +-----END PGP PUBLIC KEY BLOCK----- |