diff --git a/.sops.yaml b/.sops.yaml
index 7ee54d6..86594b4 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,32 @@
keys:
- - &primary age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
+ - &users
+ - &tux age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
+
+ - &hosts
+ - &canopus age1cc9phftkzcwaey2rw63m74tyxdjxxzanxphsdrhy6vwlwhgehfzq9rh6e4
+ - &controller age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
+ - &wsl age168lay0z8yfa5hcsmz3aq5yndjhmugrsk3v3x4t3hpw29m20tkcwsaxx2fz
+
creation_rules:
+ - path_regex: hosts/common/secrets.yaml$
+ key_groups:
+ - age:
+ - *tux
+ - *canopus
+ - *controller
+ - *wsl
+ - path_regex: hosts/canopus/secrets.yaml$
+ key_groups:
+ - age:
+ - *tux
+ - *canopus
- path_regex: hosts/controller/secrets.yaml$
key_groups:
- age:
- - *primary
+ - *tux
+ - *controller
+ - path_regex: hosts/wsl/secrets.yaml$
+ key_groups:
+ - age:
+ - *tux
+ - *wsl
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index f164965..ee3d5a1 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -2,8 +2,18 @@
pkgs,
username,
outputs,
+ config,
...
}: {
+ imports = [
+ ../../modules/nixos/sops.nix
+ ];
+
+ sops.secrets.tux-password = {
+ sopsFile = ./secrets.yaml;
+ neededForUsers = true;
+ };
+
nixpkgs = {
overlays = [
outputs.overlays.additions
@@ -62,9 +72,10 @@
};
users = {
+ mutableUsers = false;
defaultUserShell = pkgs.zsh;
users.${username} = {
- initialPassword = "${username}";
+ hashedPasswordFile = config.sops.secrets.tux-password.path;
isNormalUser = true;
extraGroups = ["networkmanager" "wheel" "storage"];
openssh.authorizedKeys.keys = [
diff --git a/hosts/common/secrets.yaml b/hosts/common/secrets.yaml
new file mode 100644
index 0000000..cd8c9b7
--- /dev/null
+++ b/hosts/common/secrets.yaml
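Review bot: The `hosts/common/secrets.yaml$` rule lists every host recipient next to `*tux`, so any single host's age identity can decrypt the shared file; that is the expected trade-off for a common secret, but the rule should carry a comment so nothing host-specific is added to it later, e.g. `# shared by every host: any listed host key decrypts this file; keep only secrets that must exist on all machines`. The `&users` and `&hosts` anchors are attached to whole sequences and are never referenced, only the inner `&tux`/`&canopus`/`&controller`/`&wsl` are, so they act as labels; a short comment saying that the `&hosts` entries are the age recipients matching each host's ed25519 SSH host key (presumably converted with ssh-to-age, which is what `modules/nixos/sops.nix` feeds to sops — confirm) would tell the next editor what to regenerate when a host key rotates.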
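Review bot: The secret is declared under the fixed name `tux-password` while the account it feeds is `users.${username}` (second hunk of this file, `hashedPasswordFile = config.sops.secrets.tux-password.path`), so the file is parametrised on `username` everywhere except the secret name; if `username` is ever set to anything other than `tux`, the hash is silently attached to a different account. Either key the secret on the parameter, `sops.secrets."${username}-password" = { ... };` and `hashedPasswordFile = config.sops.secrets."${username}-password".path;` with the matching key renamed in `hosts/common/secrets.yaml`, or add a comment stating that `username` is assumed to be `tux` here. `neededForUsers = true` is the right setting for a `hashedPasswordFile`, since sops-nix decrypts such secrets in an early activation step before users are created; a one-line comment, `# decrypted before user creation; required for hashedPasswordFile`, would make that non-obvious flag self-explanatory.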
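Review bot: With `mutableUsers = false` the account's only credential besides the listed SSH keys is the sops-provided hash, so a decryption failure at activation (this host's key not among the file's recipients, for example) leaves the user without a usable password on that host; a comment next to the option should state that and name the recovery path, e.g. `# passwords are declarative only: if sops cannot decrypt tux-password at activation, console login is unavailable until this host's key is a recipient in .sops.yaml`. The value stored under `tux-password` must be a crypt-format hash rather than a plaintext password, which is not visible from this side; worth stating in the comment above `hashedPasswordFile`. The enclosing `users` attrset continues outside the hunk.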
@@ -0,0 +1,48 @@
+tux-password: ENC[AES256_GCM,data:hasmDz1SmPvjxdnt8DZNk33oOpO7VufGyaaEko5grp/FGDnMUO/NDpdannlZMnDBRL5NCsdTEWZqo9zYqv3azRyNJRajdbqpGw==,iv:jpDZuUdUWzccR6s2hX618IG0EzXLgD1IUFkqF8ADtnk=,tag:YT6wFM+r6t2948/4hWgldA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4UEg4OGhOQzNMcXZzZGZX
+ clIrbExuSDl2dW53NGQrd05jTldaRVZEQlVzCkVBdkNEUGVzclBwVDlObUFPNnRy
+ K2p1Yjl4d3FKTnZJbTl6ZTl2R0Y3QW8KLS0tIFErRjl6YUxENUhTWFBFL0JpSU1H
+ VGNWUmxLMDR0OUZCeFlndGtMSGZqYkUKSmEEqdgIJLQrQ8WM10NvffnNvlVBeSMV
+ 0H5V9kEzNja41N0Lwe3ULBh5q6u3DXOPMJWwBU89xMgDlPWypaHjoQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1cc9phftkzcwaey2rw63m74tyxdjxxzanxphsdrhy6vwlwhgehfzq9rh6e4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5V2gxUnh5cDFGYmExaE0w
+ ZEZUK3ZKVEpWTGRjejhHWVhEcVhMTFFtYkNJClFQSlBHMU80V2lEa1BzaVhxMDdo
+ eVJTM0Z1TDNHR0dhdVhaODlaS3pVajAKLS0tIGZucUtBYjk4WTUwRjJDd1dpRXZk
+ cTQzdDFNZFM0TnkzTkhhZ09OMS92SWsKaTe4W/HA7kDfszc5UpPNQY2VzFh6LBws
+ uxoJNi49bAaSOEF0A25cYUjBphnTNxMxQwVs4ImnulfDC8yZqD1G1A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaVG5SMXJUdjNsRVdoZzkx
+ SGV3WEI4M1lHL3YyQ0FkdTEzQkhtUEJNS1F3ClR5Rzc3N1h1bk84eTc3WkRTRGE2
+ MlB3Qk8zTzNlRG5ucmpsYXFnRDVZMlEKLS0tIHJWaW5vSlh5RithV1hrc3Z3ZTR4
+ cWxCZW1HRmNwb0pmTHVhaTVmMzVwVDAKFS0hPOmb09knNPq85Z+YN7qFmy3aU8Xe
+ AItiuBhxVaJJ/VnI5ycLv9P+20AmXwauvdudSAnTtb1tIsQjbcDW7A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age168lay0z8yfa5hcsmz3aq5yndjhmugrsk3v3x4t3hpw29m20tkcwsaxx2fz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxY3gzbEU5ZEh1WFZuR0VP
+ Sm56bEdlV0M3S2t6WEVZRlI4eGtKUzdUdGxBCkNFanBrVHJ2bWhSWGF2RFdiN3dL
+ aHo3ZXZkUkRiVzRrWGo2dHV3WGQyWGcKLS0tIGVVeDBVdit1RFdjcEpnbkJuU2Yv
+ M1MzSzdaOWF1WGJJVnRLUG1Bb2xPZFEKqidChAq8EjAjMgufUj/MvIofhYgIpxzt
+ l8GrLXbJMHcYU23trW+Ggx/QlCYsGtrbucLKOlhcbUM/ztprRSKLuA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-08-08T08:27:44Z"
+ mac: ENC[AES256_GCM,data:Zsy6ucuh6cY0bbB4ik5cjuvL9JLQg3nn6ipyhFSHZMNsSyo09dC/XtlrWpPaHQhW7Zb3xBCVJnrKa8Re3CN3BqPOVdKLABq3ZesD7f+9fJumGzKgtpw7QdD7RVD59jsVhM14VdeZv41ymgbOiU67v6b98kpA2Z8UMxECO2g5aHY=,iv:32Ug389IYjP9NM5HYODU01n++KWLGTS5CFlLoqobNbs=,tag:X0E5YcL0KhPOrWmyGzE3XQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/hosts/controller/default.nix b/hosts/controller/default.nix
index 46fff32..3a30905 100644
--- a/hosts/controller/default.nix
+++ b/hosts/controller/default.nix
@@ -1,12 +1,10 @@
{
pkgs,
- inputs,
username,
config,
...
}: {
imports = [
- inputs.sops-nix.nixosModules.sops
./hardware-configuration.nix
../common
../../modules/nixos/headscale.nix
@@ -18,13 +16,8 @@
../../modules/nixos/monitoring/promtail.nix
];
- sops = {
- age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
- secrets = {
- borg_encryption_key = {
- sopsFile = ./secrets.yaml;
- };
- };
+ sops.secrets.borg_encryption_key = {
+ sopsFile = ./secrets.yaml;
};
boot = {
diff --git a/hosts/controller/secrets.yaml b/hosts/controller/secrets.yaml
index f99432b..060fa92 100644
--- a/hosts/controller/secrets.yaml
+++ b/hosts/controller/secrets.yaml
@@ -1,4 +1,4 @@
-borg_encryption_key: ENC[AES256_GCM,data:42q7OYR5HLqLzbCx0WZwurND8DGUnCw3fA+4ccEmNp4=,iv:GRj9jXnlfqDoxr55hS97gjqLzIP7rjqoYtRHlU5/9Lo=,tag:ybr8V9RumsU94ja0bLnfNA==,type:str]
+borg_encryption_key: ENC[AES256_GCM,data:7DZQaoS2a5mPjTej25vr1aO1yAAPyXT2tf/VxKrLxF0=,iv:it8JlyEj4r4Z+qDvoEWMQlGkbVh08M/BCkGLVzRCVKQ=,tag:81gRhru8J3hkQhIbgUOgBg==,type:str]
sops:
kms: []
gcp_kms: []
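Review bot: This host's decryption identity now comes entirely from the shared module pulled in through `../common` (`modules/nixos/sops.nix`, which points sops at the ed25519 SSH host keys and `/var/lib/sops-nix/key.txt`), and the per-user `/home/${username}/.config/sops/age/keys.txt` removed in the second hunk is no longer consulted at activation; that dependency is invisible from this file, so a comment on `sops.secrets.borg_encryption_key` should record it, e.g. `# decryption keys are configured in modules/nixos/sops.nix (imported via ../common); this host's ed25519 host key must be a recipient in ./secrets.yaml`. The secret keeps sops-nix's default owner and mode (root-owned, read-only for root, as far as I recall — confirm), which is fine if borg runs as root; if it runs under a service account, `owner` needs to be set here. The removal of `inputs` from the argument set in the first hunk is consistent with the dropped `inputs.sops-nix.nixosModules.sops` import.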
@@ -8,14 +8,23 @@ sops:
- recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSzNTUzdTYzNpT21DL3gy
- bjhHcXFWQjI5c0lSRUEwZXR2UmxOeG5jMEI4Ckg1OWx3NzVOWjIzRWtCblp5K2RK
- b21xL2tBWDFqRXI2ZTloR0xwZkhtclUKLS0tIHFaYzM1dWdyUC95UWlsQU1xWjNV
- akhaWXdrbXI0TDNNMlppcGovbjNia1EKNomA6zlZmQKE1DtX6JlurBxEkG9aiwjn
- RZd5a9XPH8F1XhQF1tcZS+m3hGY00V7Zwiqe68PiiYWpxzZ/sSeR5A==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TGpVMzNDZjNQSkNDQmM3
+ eXpvZDRPZW9Kbm81Z2VVUVZIckFNUC9zTEZzCmliUkNWS01YMHVRaUoxTS84VmxQ
+ UDZtbkhmZmdZVWVsaHN3djkwSERGQ1kKLS0tIEh0ckhDTkQvcEM0UFI2MUVXVHI5
+ WnhEdnRqazdZWmczYXYxNy9BMHdwdEUKYgB34OOezF3iF706pIfDmQ0FJEHXBbGF
+ EJRNmA4Zl1AwyzkN3NSlctzvxx201T1GWL4qZeyVafRv5jQ9oSfK7g==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-02T22:42:23Z"
- mac: ENC[AES256_GCM,data:C4ueRlhrqollpi6ZE+126idf2SiAd2GooO7CTWR49ACW/y4q50B8girPtuY7Pgig0y/U0rWIFHFwmOwXyJJ8A6YtzD0VzWhZN7Aeb7HGvu/0o4V5OPjH1ZdQ6bb8YyeMQ5RljnG7/Pa/QasFS6h0pv3jnkKYrCCkbxNmKk/DcLY=,iv:UXi8rBLkdgp/bCxIE+6PvgdPv6xJmKtQX/WUVmoKeKc=,tag:Fpo44OFp0CYVAwDFx5WbWQ==,type:str]
+ - recipient: age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHeXNrT3c1bENOK0lNZWNT
+ eFBqYm1BRHBhakFQMVVIKzR0SDRDOW9jUXdBCmFIQWZRSnBlOFBralVFakQ2clNY
+ Q1Nma0pRVHh4L3IwQm1GbTdqb1BUcWsKLS0tIFRQOVIxb1FRc29WSVVERWsxSDhq
+ NGprRGVyZ2plWVNrM3drM3JSUjM2L0UKuNk5DqYn2DIfRpY72zDRP5BKoVAXtNv9
+ uLI//8wc7f4I3uBdARQdpRE1fapY1UOJOn3i0yndrZARPEbdohRK1Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-08-08T07:50:43Z"
+ mac: ENC[AES256_GCM,data:HjKpSZ1GNp5yUphE0edv9dN45kVTh/jZVQWb+d2Ve46932e+Shadt90DclsLexlxkSFSRqBxWNl1+JqD1OBfuea73Z6zykRpjz5kcRcop8o3KSEG7V/cTvK/SRSglkIHwrO4ALweoUKjixct7ich+OqTHJ06KIxSWNcRpAYlFWQ=,iv:JZ0JX2B2LJcq3+9O9KdKupV9f1ydbMCyDs8bACphOP8=,tag:V4LKBazr4+Dj1UXtoBaWLw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0
diff --git a/modules/nixos/sops.nix b/modules/nixos/sops.nix
new file mode 100644
index 0000000..4323291
--- /dev/null
+++ b/modules/nixos/sops.nix
@@ -0,0 +1,17 @@
+{
+ inputs,
+ config,
+ ...
+}: let
+ isEd25519 = k: k.type == "ed25519";
+ getKeyPath = k: k.path;
+ keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+in {
+ imports = [inputs.sops-nix.nixosModules.sops];
+
+ sops.age = {
+ sshKeyPaths = map getKeyPath keys;
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+}
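Review bot: `generateKey = true` creates a fresh age key at `/var/lib/sops-nix/key.txt` on any host where the file is missing, but that key's public half is not a recipient in `.sops.yaml`, so it cannot decrypt anything until someone exports it and re-encrypts the secrets; with `sshKeyPaths` already supplying the host identity, the generated key is either redundant or a silent dead end, and the module should say which is intended, e.g. `# host identity is the ed25519 SSH host key; key.txt is only a fallback and must be added as a recipient in .sops.yaml before it decrypts anything`. `keys` is filtered from `config.services.openssh.hostKeys`, whose default entries are defined whether or not sshd is enabled while the key files themselves are only generated by the sshd service (as far as I recall — confirm), so on a host without sshd `sshKeyPaths` may name a file that does not exist at activation and `generateKey` would then quietly take over with an unusable key. A header comment giving the module's purpose (single place that configures how every host decrypts its sops secrets, imported by `hosts/common`) would also help; the `isEd25519` and `getKeyPath` helpers could be inlined, but that is style only.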