WIP sops for Lilim -> enable pure eval.

This commit is contained in:
Kevin Baensch 2023-04-15 16:27:27 +02:00
parent b37af57fd5
commit 908b709439
Signed by: derped
GPG key ID: C0F1D326C7626543
6 changed files with 67 additions and 7 deletions

10
.sops.yaml Normal file
View file

@ -0,0 +1,10 @@
keys:
- &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
- &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
creation_rules:
- path_regex: machines/Lilim/[^/]+.yaml$
key_groups:
- pgp:
- *admins
age:
- *lilim

View file

@ -14,7 +14,8 @@ in {
trusted-substituters = [ trusted-substituters = [
"https://cache.nixos.org" "https://cache.nixos.org"
] ++ cfg.binaryCaches; ] ++ cfg.binaryCaches;
trusted-public-keys = [ (lib.fileContents "${cfg.secretPath}/hydra_cache.pub") ]; # TODO: integrate into sops
# trusted-public-keys = [ (lib.fileContents "${cfg.secretPath}/hydra_cache.pub") ];
substituters = [ substituters = [
"https://cache.nixos.org" "https://cache.nixos.org"
] ++ cfg.binaryCaches; ] ++ cfg.binaryCaches;

View file

@ -7,7 +7,7 @@ let
name = user.name; name = user.name;
value = let value = let
cfg = config.services; cfg = config.services;
passPath = "${config.machine.secretPath}/${user.name}"; passPath = config.sops.secrets."users/${user.name}/password".path;
in { in {
isNormalUser = true; isNormalUser = true;
name = user.name; name = user.name;
@ -22,9 +22,10 @@ let
++ (optional config.virtualisation.docker.enable "docker"); ++ (optional config.virtualisation.docker.enable "docker");
shell = "${pkgs.zsh}/bin/zsh"; shell = "${pkgs.zsh}/bin/zsh";
passwordFile = passPath; passwordFile = passPath;
openssh.authorizedKeys.keyFiles = optional # TODO: Fix for sops
(cfg.openssh.enable && (builtins.pathExists "${passPath}.pub")) # openssh.authorizedKeys.keyFiles = optional
"${passPath}.pub"; # (cfg.openssh.enable && (builtins.pathExists "${passPath}.pub"))
# "${passPath}.pub";
}; };
}; };
@ -36,7 +37,6 @@ let
members = [ user.name ]; members = [ user.name ];
}; };
}; };
in { in {
users = { users = {
mutableUsers = false; mutableUsers = false;

View file

@ -22,7 +22,7 @@
name = machine; name = machine;
value = let value = let
machinePath = lib.concatStringsSep "/" [(toString ./.) "machines" machine]; machinePath = lib.concatStringsSep "/" [(toString ./.) "machines" machine];
machineFiles = fn.lst { p = machinePath; b = true; }; machineFiles = lib.filter (name: lib.strings.hasSuffix ".nix" name) (fn.lst { p = machinePath; b = true; });
in nixpkgs.lib.nixosSystem { in nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = attrs; specialArgs = attrs;

View file

@ -0,0 +1,36 @@
users:
derped:
password: ENC[AES256_GCM,data:XpUNgLLdbzS31XaZm0PbZ6Q/6sDP66YP97VIOV7/ixExFSpJW0gfwIiHuj7ROCeAi8lqcKAnAcTuflUx378HUFtaZ9lSE9GQ26sWcrx9/PYOX0bYnn8nE7S7gVQgf83fIlrK,iv:duZ+xAg/6KgCjEYQbxV4Uhi6RbRhsWW/bHMnlDHzc0M=,tag:iN8uDzDmh7QAMO3ZYiYFLA==,type:str]
mail: ENC[AES256_GCM,data:hEQBzZ4IN9BmwA4s/wDUTFiKyuHl/iVep/xJT5fyOfTaQUPuBMWspDsdEG5g/h1dFf5ujHts2+rcWZiZTjiZbrqCj2/Ivsbqy5xG28VztGPh7M7439TMIq6LrgVUaNVmKxU7,iv:KosKUgGPYicjFSR9njgI/NGSQwBkZR46c6DKyiJITp4=,tag:XIC70j6adWTvvKJJojifPg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRENMb3h6MmZTNzVqb2VV
ZXdzM2FTQWhBOTBrMmdDTFBkV0xRV1lFb0JZCi9HTzJkdGVwQVg5QllaTEorbFBM
VU93RWw3Rmo5RDljT1FDN2dVZDA4RFEKLS0tIG4vdTFVV3EzRWs3dWZCQWg3c2dQ
MFUvaVRNZGlnNzZaZUFhaXI1MDhXQ3cKJdzmxVMVpwe7UUZ7lQ9lHvGz3D8kdKVf
S0Sp9GygQtB0PqmCTjR7FqgF+oD/nW3kBdNZPAnJ4jeRMgaZgi2TgA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-16T08:54:15Z"
mac: ENC[AES256_GCM,data:hiRA+VeF+MZfO8WaKju675Z6j4UeVZRe8JU11soZaaZ05R4FHtHJOfZWCrpUHniUTxp+lHFLkgSTH342g2LXEsIcTMPqtFTw87sxE8aPzReviO+b6EtAF3G88GMUI6qRdKi4RnD9msrfG18fU7VUvZ8xssX9Sxq1qB9KYnhC8tQ=,iv:y4Z8JqZrlN6BlpzRK+ayLsLTz9ZUYT98XlyR7XvmEtg=,tag:bWFEvstTkp3RCMwut97TEg==,type:str]
pgp:
- created_at: "2023-04-16T11:36:28Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DVbZwA9DOvl8SAQdAb3WEdeAdU7FDiAh2ilXcMd620+nq0byAYt5NLG+crQ4w
SoSqyKkd+oHRqv3Yty5s1eD7a2JlGxzpoPfAE6jlMTPVgevIidId3TN2vXi5MsNo
1GgBCQIQLxr5DWEkeSUN2UMez0+t/jfPv0/iQ5hxj/aNNXyBH8np4JXU18KT7LQL
Im/SlwUk+AhX8XTWeU94q5FTR1zEBQnZu0hCKCeeaHXyIwlXGgL/EuO7WddBRhVx
Id/w9ez1/+cpfA==
=seBV
-----END PGP MESSAGE-----
fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
unencrypted_suffix: _unencrypted
version: 3.7.3

13
machines/Lilim/sops.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, lib, ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
age = {
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
# TODO: auto loop over users
secrets."users/derped/password".neededForUsers = true;
};
}