move sops to modules

2024-08-08 14:09:44 +05:30
parent fd92021844
commit 42a23950d6
6 changed files with 123 additions and 20 deletions


@ -1,7 +1,32 @@
keys:
- &primary age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
- &users
- &tux age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
- &hosts
- &canopus age1cc9phftkzcwaey2rw63m74tyxdjxxzanxphsdrhy6vwlwhgehfzq9rh6e4
- &controller age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
- &wsl age168lay0z8yfa5hcsmz3aq5yndjhmugrsk3v3x4t3hpw29m20tkcwsaxx2fz
creation_rules:
- path_regex: hosts/common/secrets.yaml$
key_groups:
- age:
- *tux
- *canopus
- *controller
- *wsl
- path_regex: hosts/canopus/secrets.yaml$
key_groups:
- age:
- *tux
- *canopus
- path_regex: hosts/controller/secrets.yaml$
key_groups:
- age:
- *primary
- *tux
- *controller
- path_regex: hosts/wsl/secrets.yaml$
key_groups:
- age:
- *tux
- *wsl
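Review bot: `&primary` and `&tux` are bound to the identical age recipient (`age14vkt…njkl4`), so the `primary` anchor is either a placeholder whose real key was never pasted in or a plain duplicate, and the controller rule that lists both `*primary` and `*tux` collapses to a single recipient — consistent with what appears to be the controller's secrets file in this commit carrying only two age stanzas. If a separate recovery identity is intended it needs its own key here; otherwise drop the anchor or annotate it with `# placeholder: currently the same key as tux` so the duplication reads as deliberate. The `path_regex` patterns are also unanchored at the front, so `hosts/common/secrets.yaml$` would match any deeper path ending in that suffix; `^hosts/common/secrets.yaml$` (and likewise for the other three rules) limits each rule to the intended file.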


@ -2,8 +2,18 @@
pkgs,
username,
outputs,
config,
...
}: {
imports = [
../../modules/nixos/sops.nix
];
sops.secrets.tux-password = {
sopsFile = ./secrets.yaml;
neededForUsers = true;
};
nixpkgs = {
overlays = [
outputs.overlays.additions
@ -62,9 +72,10 @@
};
users = {
mutableUsers = false;
defaultUserShell = pkgs.zsh;
users.${username} = {
initialPassword = "${username}";
hashedPasswordFile = config.sops.secrets.tux-password.path;
isNormalUser = true;
extraGroups = ["networkmanager" "wheel" "storage"];
openssh.authorizedKeys.keys = [
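Review bot: `initialPassword = "${username}";` sits directly above the new `hashedPasswordFile` line in the second hunk; the rendered diff does not show whether it was removed, but if it survives it is a dead, trivially guessable fallback now that the hash is sourced from sops and should go. With `mutableUsers = false` the sops-managed hash becomes the account's only credential, so a decryption failure at activation would most likely leave the user unable to log in; `neededForUsers = true` in the first hunk is the right setting for that, and a comment there such as `# decrypted before user creation; this host's key must be a recipient of ./secrets.yaml` would make the dependency visible. Both hunks are inside an attribute set that opens and closes outside the hunk.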

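--- a/hosts/common/secrets.yaml
+++ b/hosts/common/secrets.yaml
@@ -0,0 +1,48 @@
+tux-password: ENC[AES256_GCM,data:hasmDz1SmPvjxdnt8DZNk33oOpO7VufGyaaEko5grp/FGDnMUO/NDpdannlZMnDBRL5NCsdTEWZqo9zYqv3azRyNJRajdbqpGw==,iv:jpDZuUdUWzccR6s2hX618IG0EzXLgD1IUFkqF8ADtnk=,tag:YT6wFM+r6t2948/4hWgldA==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4UEg4OGhOQzNMcXZzZGZX
+clIrbExuSDl2dW53NGQrd05jTldaRVZEQlVzCkVBdkNEUGVzclBwVDlObUFPNnRy
+K2p1Yjl4d3FKTnZJbTl6ZTl2R0Y3QW8KLS0tIFErRjl6YUxENUhTWFBFL0JpSU1H
+VGNWUmxLMDR0OUZCeFlndGtMSGZqYkUKSmEEqdgIJLQrQ8WM10NvffnNvlVBeSMV
+0H5V9kEzNja41N0Lwe3ULBh5q6u3DXOPMJWwBU89xMgDlPWypaHjoQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1cc9phftkzcwaey2rw63m74tyxdjxxzanxphsdrhy6vwlwhgehfzq9rh6e4
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5V2gxUnh5cDFGYmExaE0w
+ZEZUK3ZKVEpWTGRjejhHWVhEcVhMTFFtYkNJClFQSlBHMU80V2lEa1BzaVhxMDdo
+eVJTM0Z1TDNHR0dhdVhaODlaS3pVajAKLS0tIGZucUtBYjk4WTUwRjJDd1dpRXZk
+cTQzdDFNZFM0TnkzTkhhZ09OMS92SWsKaTe4W/HA7kDfszc5UpPNQY2VzFh6LBws
+uxoJNi49bAaSOEF0A25cYUjBphnTNxMxQwVs4ImnulfDC8yZqD1G1A==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaVG5SMXJUdjNsRVdoZzkx
+SGV3WEI4M1lHL3YyQ0FkdTEzQkhtUEJNS1F3ClR5Rzc3N1h1bk84eTc3WkRTRGE2
+MlB3Qk8zTzNlRG5ucmpsYXFnRDVZMlEKLS0tIHJWaW5vSlh5RithV1hrc3Z3ZTR4
+cWxCZW1HRmNwb0pmTHVhaTVmMzVwVDAKFS0hPOmb09knNPq85Z+YN7qFmy3aU8Xe
+AItiuBhxVaJJ/VnI5ycLv9P+20AmXwauvdudSAnTtb1tIsQjbcDW7A==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age168lay0z8yfa5hcsmz3aq5yndjhmugrsk3v3x4t3hpw29m20tkcwsaxx2fz
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxY3gzbEU5ZEh1WFZuR0VP
+Sm56bEdlV0M3S2t6WEVZRlI4eGtKUzdUdGxBCkNFanBrVHJ2bWhSWGF2RFdiN3dL
+aHo3ZXZkUkRiVzRrWGo2dHV3WGQyWGcKLS0tIGVVeDBVdit1RFdjcEpnbkJuU2Yv
+M1MzSzdaOWF1WGJJVnRLUG1Bb2xPZFEKqidChAq8EjAjMgufUj/MvIofhYgIpxzt
+l8GrLXbJMHcYU23trW+Ggx/QlCYsGtrbucLKOlhcbUM/ztprRSKLuA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-08-08T08:27:44Z"
+mac: ENC[AES256_GCM,data:Zsy6ucuh6cY0bbB4ik5cjuvL9JLQg3nn6ipyhFSHZMNsSyo09dC/XtlrWpPaHQhW7Zb3xBCVJnrKa8Re3CN3BqPOVdKLABq3ZesD7f+9fJumGzKgtpw7QdD7RVD59jsVhM14VdeZv41ymgbOiU67v6b98kpA2Z8UMxECO2g5aHY=,iv:32Ug389IYjP9NM5HYODU01n++KWLGTS5CFlLoqobNbs=,tag:X0E5YcL0KhPOrWmyGzE3XQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.0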


@ -1,12 +1,10 @@
{
pkgs,
inputs,
username,
config,
...
}: {
imports = [
inputs.sops-nix.nixosModules.sops
./hardware-configuration.nix
../common
../../modules/nixos/headscale.nix
@ -18,13 +16,8 @@
../../modules/nixos/monitoring/promtail.nix
];
sops = {
age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
secrets = {
borg_encryption_key = {
sopsFile = ./secrets.yaml;
};
};
sops.secrets.borg_encryption_key = {
sopsFile = ./secrets.yaml;
};
boot = {
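Review bot: This host's decryption identity moves from the user-level `/home/${username}/.config/sops/age/keys.txt` to whatever the shared module derives from the SSH host key, while `./secrets.yaml` keeps the same recipients, so `borg_encryption_key` only stays readable if `&controller` in `.sops.yaml` is the age form of this machine's ed25519 host key rather than a key that lived in the removed file — worth verifying before the new generation is switched to. `username` is still listed in the argument set although its only visible use was the removed `keyFile` line; if nothing else in the file needs it, drop it. Both hunks are inside an attribute set that opens and closes outside the hunk.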


@ -1,4 +1,4 @@
borg_encryption_key: ENC[AES256_GCM,data:42q7OYR5HLqLzbCx0WZwurND8DGUnCw3fA+4ccEmNp4=,iv:GRj9jXnlfqDoxr55hS97gjqLzIP7rjqoYtRHlU5/9Lo=,tag:ybr8V9RumsU94ja0bLnfNA==,type:str]
borg_encryption_key: ENC[AES256_GCM,data:7DZQaoS2a5mPjTej25vr1aO1yAAPyXT2tf/VxKrLxF0=,iv:it8JlyEj4r4Z+qDvoEWMQlGkbVh08M/BCkGLVzRCVKQ=,tag:81gRhru8J3hkQhIbgUOgBg==,type:str]
sops:
kms: []
gcp_kms: []
@ -8,14 +8,23 @@ sops:
- recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSzNTUzdTYzNpT21DL3gy
bjhHcXFWQjI5c0lSRUEwZXR2UmxOeG5jMEI4Ckg1OWx3NzVOWjIzRWtCblp5K2RK
b21xL2tBWDFqRXI2ZTloR0xwZkhtclUKLS0tIHFaYzM1dWdyUC95UWlsQU1xWjNV
akhaWXdrbXI0TDNNMlppcGovbjNia1EKNomA6zlZmQKE1DtX6JlurBxEkG9aiwjn
RZd5a9XPH8F1XhQF1tcZS+m3hGY00V7Zwiqe68PiiYWpxzZ/sSeR5A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TGpVMzNDZjNQSkNDQmM3
eXpvZDRPZW9Kbm81Z2VVUVZIckFNUC9zTEZzCmliUkNWS01YMHVRaUoxTS84VmxQ
UDZtbkhmZmdZVWVsaHN3djkwSERGQ1kKLS0tIEh0ckhDTkQvcEM0UFI2MUVXVHI5
WnhEdnRqazdZWmczYXYxNy9BMHdwdEUKYgB34OOezF3iF706pIfDmQ0FJEHXBbGF
EJRNmA4Zl1AwyzkN3NSlctzvxx201T1GWL4qZeyVafRv5jQ9oSfK7g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-02T22:42:23Z"
mac: ENC[AES256_GCM,data:C4ueRlhrqollpi6ZE+126idf2SiAd2GooO7CTWR49ACW/y4q50B8girPtuY7Pgig0y/U0rWIFHFwmOwXyJJ8A6YtzD0VzWhZN7Aeb7HGvu/0o4V5OPjH1ZdQ6bb8YyeMQ5RljnG7/Pa/QasFS6h0pv3jnkKYrCCkbxNmKk/DcLY=,iv:UXi8rBLkdgp/bCxIE+6PvgdPv6xJmKtQX/WUVmoKeKc=,tag:Fpo44OFp0CYVAwDFx5WbWQ==,type:str]
- recipient: age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHeXNrT3c1bENOK0lNZWNT
eFBqYm1BRHBhakFQMVVIKzR0SDRDOW9jUXdBCmFIQWZRSnBlOFBralVFakQ2clNY
Q1Nma0pRVHh4L3IwQm1GbTdqb1BUcWsKLS0tIFRQOVIxb1FRc29WSVVERWsxSDhq
NGprRGVyZ2plWVNrM3drM3JSUjM2L0UKuNk5DqYn2DIfRpY72zDRP5BKoVAXtNv9
uLI//8wc7f4I3uBdARQdpRE1fapY1UOJOn3i0yndrZARPEbdohRK1Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-08T07:50:43Z"
mac: ENC[AES256_GCM,data:HjKpSZ1GNp5yUphE0edv9dN45kVTh/jZVQWb+d2Ve46932e+Shadt90DclsLexlxkSFSRqBxWNl1+JqD1OBfuea73Z6zykRpjz5kcRcop8o3KSEG7V/cTvK/SRSglkIHwrO4ALweoUKjixct7ich+OqTHJ06KIxSWNcRpAYlFWQ=,iv:JZ0JX2B2LJcq3+9O9KdKupV9f1ydbMCyDs8bACphOP8=,tag:V4LKBazr4+Dj1UXtoBaWLw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

17
modules/nixos/sops.nix Normal file

@ -0,0 +1,17 @@
{
inputs,
config,
...
}: let
isEd25519 = k: k.type == "ed25519";
getKeyPath = k: k.path;
keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
in {
imports = [inputs.sops-nix.nixosModules.sops];
sops.age = {
sshKeyPaths = map getKeyPath keys;
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
}
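Review bot: The module carries no comment on where the decryption identity comes from, and it configures two sources whose interaction is not obvious: `sshKeyPaths` feeds every ed25519 entry of `config.services.openssh.hostKeys` to sops-nix, while `keyFile` with `generateKey = true` creates `/var/lib/sops-nix/key.txt` when it is missing. If I recall sops-nix correctly the generated key is derived from the first `sshKeyPaths` entry rather than being random, which keeps the two consistent, but that should be confirmed; if it is random, a freshly provisioned host gets an identity that is not among the recipients in `.sops.yaml`, every secret (including the `neededForUsers` password hash) fails to decrypt, and with `mutableUsers = false` the user cannot log in. `services.openssh.hostKeys` also only describes keys that sshd generates on its first start, so a host with openssh disabled will hand sops-nix paths that do not exist. A header comment such as `# Host decryption identity is derived from the ed25519 SSH host key (ssh-to-age); add a new host's age recipient to .sops.yaml before it can read any secret.` would spare the next reader this investigation.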