From 908b709439602a388b04da21672dcec1a3c7f1b4 Mon Sep 17 00:00:00 2001
From: derped
Date: Sat, 15 Apr 2023 16:27:27 +0200
Subject: [PATCH] WIP sops for Lilim -> enable pure eval.
---
 .sops.yaml | 10 ++++++++++
 config/nix.nix | 3 ++-
 config/users.nix | 10 +++++-----
 flake.nix | 2 +-
 machines/Lilim/secrets.yaml | 36 ++++++++++++++++++++++++++++++++++++
 machines/Lilim/sops.nix | 13 +++++++++++++
 6 files changed, 67 insertions(+), 7 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 machines/Lilim/secrets.yaml
 create mode 100644 machines/Lilim/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..b5b5429
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+ - &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
+ - &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
+creation_rules:
+ - path_regex: machines/Lilim/[^/]+.yaml$
+ key_groups:
+ - pgp:
+ - *admins
+ age:
+ - *lilim
diff --git a/config/nix.nix b/config/nix.nix
index 427d0dd..9b0f94f 100644
--- a/config/nix.nix
+++ b/config/nix.nix
@@ -14,7 +14,8 @@ in {
 trusted-substituters = [ "https://cache.nixos.org" ] ++ cfg.binaryCaches;
- trusted-public-keys = [ (lib.fileContents "${cfg.secretPath}/hydra_cache.pub") ];
+ # TODO: integrate into sops
+ # trusted-public-keys = [ (lib.fileContents "${cfg.secretPath}/hydra_cache.pub") ];
 substituters = [ "https://cache.nixos.org" ] ++ cfg.binaryCaches;
diff --git a/config/users.nix b/config/users.nix
index dd3ae24..56c24e9 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -7,7 +7,7 @@ let
 name = user.name;
 value = let
 cfg = config.services;
- passPath = "${config.machine.secretPath}/${user.name}";
+ passPath = config.sops.secrets."users/${user.name}/password".path;
 in {
 isNormalUser = true;
 name = user.name;
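Review bot: The `path_regex` in the new creation rule has an unescaped dot and no start anchor, so `machines/Lilim/[^/]+.yaml$` also matches a name like `fooXyaml` and, because sops searches the regex in the path rather than requiring a full match, any deeper path that merely ends that way. Tightening it to `path_regex: ^machines/Lilim/[^/]+\.yaml$` limits encryption to the `&lilim` host key to the per-machine secret files it is meant to cover. For the one file it governs today, `machines/Lilim/secrets.yaml`, the looser rule happens to work.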
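Review bot: Commenting out `trusted-public-keys` while `substituters` and `trusted-substituters` still include `cfg.binaryCaches` leaves those caches configured but untrusted, so with the default `require-sigs` their store paths are no longer accepted and Lilim quietly builds everything itself. The key in `hydra_cache.pub` is public material, not a secret, so it does not need sops at all: a literal such as `trusted-public-keys = [ "<cache-name>:<PUBLIC-KEY-PLACEHOLDER>" ];` keeps the cache trusted and is compatible with pure eval, which makes the `TODO: integrate into sops` point the wrong way. The same reasoning applies to the `.pub` authorized-key files commented out in the second `config/users.nix` hunk. Relaxing `require-sigs` would be the wrong way to restore the cache.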
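Review bot: `config.sops.secrets."users/${user.name}/password".path` is evaluated for every user this `let` is mapped over, but `machines/Lilim/sops.nix` only declares `users/derped/password`, so any additional user now breaks evaluation with a missing-attribute error instead of a missing file at activation. Declaring the secret beside its consumer removes that coupling: in the same loop that builds the user attribute set, emit `sops.secrets."users/${user.name}/password".neededForUsers = true;` for each user and drop the hand-written entry from `sops.nix`. `neededForUsers` is what sops-nix uses to decrypt the value before user creation, which `passwordFile` relies on, so it belongs with this line. The enclosing `let` and the user mapping start outside the hunk.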
@@ -22,9 +22,10 @@ let
 ++ (optional config.virtualisation.docker.enable "docker");
 shell = "${pkgs.zsh}/bin/zsh";
 passwordFile = passPath;
- openssh.authorizedKeys.keyFiles = optional
- (cfg.openssh.enable && (builtins.pathExists "${passPath}.pub"))
- "${passPath}.pub";
+ # TODO: Fix for sops
+ # openssh.authorizedKeys.keyFiles = optional
+ # (cfg.openssh.enable && (builtins.pathExists "${passPath}.pub"))
+ # "${passPath}.pub";
 };
 };
@@ -36,7 +37,6 @@ let
 members = [ user.name ];
 };
 };
-
 in {
 users = {
 mutableUsers = false;
diff --git a/flake.nix b/flake.nix
index 9d9339c..f12e59a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,7 @@
 name = machine;
 value = let
 machinePath = lib.concatStringsSep "/" [(toString ./.) "machines" machine];
- machineFiles = fn.lst { p = machinePath; b = true; };
+ machineFiles = lib.filter (name: lib.strings.hasSuffix ".nix" name) (fn.lst { p = machinePath; b = true; });
 in nixpkgs.lib.nixosSystem {
 inherit system;
 specialArgs = attrs;
diff --git a/machines/Lilim/secrets.yaml b/machines/Lilim/secrets.yaml
new file mode 100644
index 0000000..9d79a99
--- /dev/null
+++ b/machines/Lilim/secrets.yaml
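Review bot: Commenting out `openssh.authorizedKeys.keyFiles` drops every user's SSH public key from the generated system, so after this deploy key-based login stops working and, if sshd has password authentication disabled, the host is reachable only from the console. Authorized keys are public data and do not belong in sops or next to `passPath`; committing them as literals, e.g. `openssh.authorizedKeys.keys = user.sshKeys or [];` with an illustrative `sshKeys` list on each user entry, keeps pure eval and avoids the lock-out window. If the removal is deliberately deferred, the TODO should at least state that SSH key login is disabled until it is resolved.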
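Review bot: The filter lambda `(name: lib.strings.hasSuffix ".nix" name)` reuses the identifier `name`, which the enclosing attribute set uses for the machine name two lines above (`name = machine;`), and that reads as if the machine name were being tested. Since `hasSuffix` is curried it can be passed directly: `machineFiles = lib.filter (lib.hasSuffix ".nix") (fn.lst { p = machinePath; b = true; });`. A one-line comment such as `# only .nix files are modules; secrets.yaml now lives alongside them` would record why the filter appears in this commit, since the hunk itself does not say so.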
@@ -0,0 +1,36 @@ +users: + derped: + password: ENC[AES256_GCM,data:XpUNgLLdbzS31XaZm0PbZ6Q/6sDP66YP97VIOV7/ixExFSpJW0gfwIiHuj7ROCeAi8lqcKAnAcTuflUx378HUFtaZ9lSE9GQ26sWcrx9/PYOX0bYnn8nE7S7gVQgf83fIlrK,iv:duZ+xAg/6KgCjEYQbxV4Uhi6RbRhsWW/bHMnlDHzc0M=,tag:iN8uDzDmh7QAMO3ZYiYFLA==,type:str] + mail: ENC[AES256_GCM,data:hEQBzZ4IN9BmwA4s/wDUTFiKyuHl/iVep/xJT5fyOfTaQUPuBMWspDsdEG5g/h1dFf5ujHts2+rcWZiZTjiZbrqCj2/Ivsbqy5xG28VztGPh7M7439TMIq6LrgVUaNVmKxU7,iv:KosKUgGPYicjFSR9njgI/NGSQwBkZR46c6DKyiJITp4=,tag:XIC70j6adWTvvKJJojifPg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRENMb3h6MmZTNzVqb2VV + ZXdzM2FTQWhBOTBrMmdDTFBkV0xRV1lFb0JZCi9HTzJkdGVwQVg5QllaTEorbFBM + VU93RWw3Rmo5RDljT1FDN2dVZDA4RFEKLS0tIG4vdTFVV3EzRWs3dWZCQWg3c2dQ + MFUvaVRNZGlnNzZaZUFhaXI1MDhXQ3cKJdzmxVMVpwe7UUZ7lQ9lHvGz3D8kdKVf + S0Sp9GygQtB0PqmCTjR7FqgF+oD/nW3kBdNZPAnJ4jeRMgaZgi2TgA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-16T08:54:15Z" + mac: ENC[AES256_GCM,data:hiRA+VeF+MZfO8WaKju675Z6j4UeVZRe8JU11soZaaZ05R4FHtHJOfZWCrpUHniUTxp+lHFLkgSTH342g2LXEsIcTMPqtFTw87sxE8aPzReviO+b6EtAF3G88GMUI6qRdKi4RnD9msrfG18fU7VUvZ8xssX9Sxq1qB9KYnhC8tQ=,iv:y4Z8JqZrlN6BlpzRK+ayLsLTz9ZUYT98XlyR7XvmEtg=,tag:bWFEvstTkp3RCMwut97TEg==,type:str] + pgp: + - created_at: "2023-04-16T11:36:28Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DVbZwA9DOvl8SAQdAb3WEdeAdU7FDiAh2ilXcMd620+nq0byAYt5NLG+crQ4w + SoSqyKkd+oHRqv3Yty5s1eD7a2JlGxzpoPfAE6jlMTPVgevIidId3TN2vXi5MsNo + 1GgBCQIQLxr5DWEkeSUN2UMez0+t/jfPv0/iQ5hxj/aNNXyBH8np4JXU18KT7LQL + Im/SlwUk+AhX8XTWeU94q5FTR1zEBQnZu0hCKCeeaHXyIwlXGgL/EuO7WddBRhVx + Id/w9ez1/+cpfA== + =seBV + -----END PGP MESSAGE----- + fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2 + unencrypted_suffix: _unencrypted + version: 3.7.3 
diff --git a/machines/Lilim/sops.nix b/machines/Lilim/sops.nix
new file mode 100644
index 0000000..6dd02ef
--- /dev/null
+++ b/machines/Lilim/sops.nix
@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age = {
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+ # TODO: auto loop over users
+ secrets."users/derped/password".neededForUsers = true;
+ };
+}
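Review bot: `age.generateKey = true` mints a fresh key at `/var/lib/sops-nix/key.txt` on any host where the file is missing, but `secrets.yaml` is encrypted only to the `&lilim` recipient from `.sops.yaml`, so a generated key can never decrypt it and the first activation will fail at secret installation rather than reporting that the key was never provisioned. Either document the out-of-band step, `# key.txt must hold the private key for the age recipient &lilim in .sops.yaml; a key generated here cannot decrypt secrets.yaml`, or derive the host identity from its SSH host key via `sops.age.sshKeyPaths` so the recipient exists before the first deploy. A comment on the `neededForUsers = true` line noting that it is what makes the password available to `config/users.nix` before user creation would also help, since that consumer lives in another file.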