nixos: fine grain secrets

Guanran Wang 2024-10-01 00:15:02 +08:00
parent b1e15b64ff
commit 685e913ea2
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
8 changed files with 66 additions and 90 deletions


@ -7,16 +7,24 @@ keys:
- &sin0 age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd - &sin0 age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
- &tyo0 age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa - &tyo0 age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
creation_rules: creation_rules:
# per host
- path_regex: ^hosts/dust/secrets.yaml$
key_groups:
- age:
- *guanranwang
- *dust
- path_regex: ^hosts/pek0/secrets.yaml$ - path_regex: ^hosts/pek0/secrets.yaml$
key_groups: key_groups:
- age: - age:
- *guanranwang - *guanranwang
- *pek0 - *pek0
- path_regex: ^hosts/tyo0/secrets.yaml$ - path_regex: ^hosts/aws/tyo0/secrets.yaml$
key_groups: key_groups:
- age: - age:
- *guanranwang - *guanranwang
- *tyo0 - *tyo0
# shared
- path_regex: ^nixos/profiles/restic/secrets.yaml$ - path_regex: ^nixos/profiles/restic/secrets.yaml$
key_groups: key_groups:
- age: - age:
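Review bot: The new per-host rules such as `- path_regex: ^hosts/dust/secrets.yaml$` leave the `.` in `secrets.yaml` unescaped, so the pattern also matches any single character in that position; the pre-existing rules share the same habit, so this is consistent, but `^hosts/dust/secrets\.yaml$` is the tighter form to use when these lines are next touched. With the repository-wide `^secrets.yaml$` rule removed in the second hunk of this file, any secrets file that does not match a per-host or profile rule will have no recipients at all, so the `path_regex` entries and the `sopsFile = ./secrets.yaml;` references in the host modules need to move together (the `hosts/tyo0` to `hosts/aws/tyo0` change here shows how easily they drift). A one-line comment above the `# per host` group stating that every host keeps a self-contained `secrets.yaml` and that `sops updatekeys` must be re-run after editing recipients would help the next person adding a host.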
@ -40,14 +48,8 @@ creation_rules:
- age: - age:
- *guanranwang - *guanranwang
- *dust - *dust
- path_regex: ^secrets.yaml$
key_groups: # opentofu
- age:
- *guanranwang
- *dust
- *pek0
- *sin0
- *tyo0
- path_regex: ^infra/secrets.yaml$ - path_regex: ^infra/secrets.yaml$
key_groups: key_groups:
- age: - age:


@ -25,6 +25,18 @@
preservation.nixosModules.preservation preservation.nixosModules.preservation
]); ]);
sops.secrets = lib.mapAttrs (_n: v: v // { sopsFile = ./secrets.yaml; }) {
"hashed-passwd" = {
neededForUsers = true;
};
"nix-access-tokens" = {
owner = "guanranwang";
mode = "0440";
};
};
nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
networking.hostName = "dust"; networking.hostName = "dust";
time.timeZone = "Asia/Shanghai"; time.timeZone = "Asia/Shanghai";
system.stateVersion = "24.05"; system.stateVersion = "24.05";
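Review bot: The new `"nix-access-tokens" = { owner = "guanranwang"; mode = "0440"; };` entry sets a group-readable mode but no `group`; if sops-nix's default group for a secret resolves to the owner's primary group (for a normal user that is presumably `users`), every account in that group can read the access token, which is broader than the dedicated `nix-access-tokens` group this commit drops from the profile hunk and from `extraGroups` in the next hunk. The `!include` consumers are the owner's own nix client and the root-run daemon, so `mode = "0400"` should suffice: `"nix-access-tokens" = { owner = "guanranwang"; mode = "0400"; };`. If group access is genuinely required, set `group` explicitly to a dedicated group rather than relying on the default, and note the reason in a comment next to the entry.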
@ -36,17 +48,12 @@
# TODO: this is currently broken # TODO: this is currently broken
# system.etc.overlay.mutable = false; # system.etc.overlay.mutable = false;
users.users = { users.users."guanranwang" = {
"guanranwang" = { isNormalUser = true;
isNormalUser = true; description = "Guanran Wang";
description = "Guanran Wang"; hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
hashedPasswordFile = config.sops.secrets."hashed-passwd".path; shell = pkgs.fish;
shell = pkgs.fish; extraGroups = [ "wheel" ];
extraGroups = [
"wheel"
"nix-access-tokens"
];
};
}; };
home-manager = { home-manager = {

31
hosts/dust/secrets.yaml Normal file

@ -0,0 +1,31 @@
hashed-passwd: ENC[AES256_GCM,data:Ww/aE2CEQG2ZvFALA0cfN/jsmoywTsDLUh9sgVtF6xyNYLLd1+XCbzG9KUJGsB0PXO+ISdL/5ySRCuU8a79FytZdbyZ1FZKTzg==,iv:vLKHMzFjiwp8gW9VhKZq85D2tj+TvJ9iIeQoJBcvCDE=,tag:aZ5JmvrCfE7WQ1FIugpHkQ==,type:str]
nix-access-tokens: ENC[AES256_GCM,data:LHkzgXCYBRrdgLDDlym1NL9N2rNjrNTVgqTvfp4E/ytIKTqxOccFUAc0lYeOj8Q1+JQJ4Jqw1vEU756lCSJXHoOkNjhYAnDkuHlL1543pykBlLXXw2O8Y7R9cELaFENx4cIv6gsa9BWA8DcvLiR4oAjnVuFiuMHo,iv:iQxdyajRAVFV0zk2FLOLktcTX7uKFE1tuGP4eWePdfE=,tag:XJF2axqMmslPH3z8cWRdOA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVExsaTZiVW9iMExPZmly
ODdHNUJTOUxQd2ltd2hlSTZ3SE5vRXRqQ2pzCmFUMFVZSHdrdy9xSmpuLzVOZ3Rt
bUZiS3pBQkFZQkd6QTdGbW90cjU0bEEKLS0tIDBpbjFCRjB1azFsTURrWFBWQm13
Q0RBNFkyMmZZWjQwMnkyOXJBSXhYc28KXujCQ2jyG5c7qDXVr/7j4/qfDsVDV6qy
ZueXQbKw7Ylf6XJ5RobbgkNSwPhwXilcZY/Xr76/HmdFnealztPclw==
-----END AGE ENCRYPTED FILE-----
- recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aHJXYnJUbWU2TDY3VEdH
MXRGRlU3Y09zK3A2T3U5djhYWlFMOE1HSkhRCklFSUo3cm5nV0hBK3ZwQkh5Tzhy
d1lPdGNqTmNkY0xONlBUK0NRN1h1aGsKLS0tIGIxREdIUllINlJLTUhSaWxjUVNj
VFVQMENGUms4ME9KUVhMcnk3K2VJejQKfLmuUjFwgG0gHgk2//AR+HfMvG2IfOel
TgzJwaYAGnfGCeSKSaAd1lkqtYteR5nmb0lqh1a76kjsZRQgfN4iwA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-30T16:07:48Z"
mac: ENC[AES256_GCM,data:IyuBOWiSuPXr1iUUnnAoAxraOAk9kEATpGwCvVgmjYD6fptA95YCg3RxJoRClfgYWl1RQMqkmTh/6En4Sik+KfwvXyGuORRdl2RYokHIgvN+iIK2/eRQY2oW7HHbyplIxfvmaQPKFo3cB6a28xZS5scLutcBQm4mnaJk2wV7a54=,iv:JL7LfF/DDhQKvrr0Aemv4aWN+OkC2LWqhcnJTa2CtK8=,tag:K/M+G8kzWmqasLub0LJUZQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0


@ -29,6 +29,9 @@
######## Secrets ######## Secrets
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) { sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
"hashed-passwd" = {
neededForUsers = true;
};
"synapse/secret" = { "synapse/secret" = {
restartUnits = [ "matrix-synapse.service" ]; restartUnits = [ "matrix-synapse.service" ];
owner = config.systemd.services.matrix-synapse.serviceConfig.User; owner = config.systemd.services.matrix-synapse.serviceConfig.User;


@ -1,3 +1,4 @@
hashed-passwd: ENC[AES256_GCM,data:nzULt69D8wGj9pOwCNR8y3KWeM41HVAniA4l6mS2YUQtlrwFV6ehqFQQk4+Ue14c79cAa0FyI4ddtQeuuRm/ZxRvLmczlYe2Qg==,iv:kDUc1ksqR4TMjpLe5tO4pBMiyEgDOL5/MuvBW9Bry4s=,tag:/L4y/TSag+4GYGJmYCdc+w==,type:str]
synapse: synapse:
secret: ENC[AES256_GCM,data:H7bHbreE4NmpqXHpkPQ5AkwGOAs97YcQhQZIr5zgK1mgHMTGSbMP57elWMyMAQ3+wCy7x9Jx0H2omrdQh39iG32XoVyyMMoVMQ0OCgFa4O77DHdgG+wrWl7VLWNY,iv:cFbMEqJQG482ShZlpoxRhk7z/y5216WucXfJbkMxuxU=,tag:7iUyMlu2yStLLdkC/V9/DQ==,type:str] secret: ENC[AES256_GCM,data:H7bHbreE4NmpqXHpkPQ5AkwGOAs97YcQhQZIr5zgK1mgHMTGSbMP57elWMyMAQ3+wCy7x9Jx0H2omrdQh39iG32XoVyyMMoVMQ0OCgFa4O77DHdgG+wrWl7VLWNY,iv:cFbMEqJQG482ShZlpoxRhk7z/y5216WucXfJbkMxuxU=,tag:7iUyMlu2yStLLdkC/V9/DQ==,type:str]
oidc: ENC[AES256_GCM,data:ihiMcrrYvPrNDJ13p6/FbINgh5wxv2vyOYxg0sthipM=,iv:+aESWZLI7/4HWjV7QT94py+zGLbTl+VoSsWdiGNHkjU=,tag:yxxZeDOtzFegCQGQT2HCgA==,type:str] oidc: ENC[AES256_GCM,data:ihiMcrrYvPrNDJ13p6/FbINgh5wxv2vyOYxg0sthipM=,iv:+aESWZLI7/4HWjV7QT94py+zGLbTl+VoSsWdiGNHkjU=,tag:yxxZeDOtzFegCQGQT2HCgA==,type:str]
@ -29,8 +30,8 @@ sops:
bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA== hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-29T15:23:52Z" lastmodified: "2024-09-30T16:13:16Z"
mac: ENC[AES256_GCM,data:32DW8e/ojxJzL8UOAQ3x8jg5fbUC+m+mwom00gXBaBsu/C2CLkOC2xyiZragBjbp/OWy3xoZC3GG7dngXpBT8pSo7T/F8KDnP2fKacvrKJRNBTT+JFjxZ0VkPy82MIi2JBkXqYRF248ofdXHFTHp/71s15R97xVtHEZdtGbEly0=,iv:sMgk1pTVWdgjSlXNvX4EAraw4tNwP1mxzihCv/dSfuI=,tag:FhfSoy5w2WezE++2QGjFrg==,type:str] mac: ENC[AES256_GCM,data:T0xsHlw5ibxgsjuIyk7ibrEIxGnez6fwFea6L/GiIpzhBOQIAx7dX+cVO+d3Nkwblr8Sx44ytEZGzCngR2eHPG8uIjxtcWYk0Hb7/3DneLRd2+mAJej5W7UUqbNWtDMpLPHjIHMy03z6T8NOTnLfH8MLiQfxQk5QgIrisMmAmrE=,iv:SOZugaEclPpvmIADcCQJSEouuLCcI0kBAGIa7yvtxtA=,tag:PcKhw9ZT06nr7jylLMGh8Q==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.0


@ -65,9 +65,7 @@
### sops-nix ### sops-nix
sops = { sops = {
defaultSopsFile = ../../../secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
gnupg.sshKeyPaths = [ ]; gnupg.sshKeyPaths = [ ];
secrets."hashed-passwd".neededForUsers = true;
}; };
} }


@ -49,13 +49,5 @@
dates = "weekly"; dates = "weekly";
options = "--delete-older-than 7d"; options = "--delete-older-than 7d";
}; };
extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
};
users.groups."nix-access-tokens" = { };
sops.secrets."nix-access-tokens" = {
group = config.users.groups."nix-access-tokens".name;
mode = "0440";
}; };
} }


@ -1,58 +0,0 @@
hashed-passwd: ENC[AES256_GCM,data:KPOh1bYW2eruBI7Z9OKqqRmoXAxQ/k5sghAmHDFyUeJTNavelU9hcGfBq69KSU+MeFVfRmwHZncZYyiDkF4hFI2YFgFY0M2jzA==,iv:h7XtrT/4/T1b4SPGx10w5g84DMCA/FE3mjinwcLn0tI=,tag:jS8XnwEdEH2QYkNJVRwkcA==,type:str]
nix-access-tokens: ENC[AES256_GCM,data:lUeCDT0r1AnTFG4s8eLxSlGRVQAJ4eyXVW80pkgAL5aVrG86+G7NOLVfQYUxthLBRFFXnGA2rQD4h4c2VWknd0YDFdS+me8RBbN2mqJm6YqEYdMEW2Lgv9iSz/zXuDT9FFdDWRdv71lTTwyP2Gie4Y8UkBrAV3ue,iv:HyDyQ5H2nDzi4nIUKoelOrzF4K3sIMlB5HoQR9EMc0s=,tag:vgn2TtQRE8Qd+/zjlOSuAw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoc0l1c2U1ZDZhTEVKNG84
VFFZQWJ5WXJKZ1J0N1Z2TjB5WUg3VEo4QzN3CjcySXllZTBmUVRWVnRET2NzTjMw
N2ZhYS9Rb2VDeUk0RUM3NWVta21YTW8KLS0tIE9Ca2dRN2R2VFVzNitPUHZ0YmVZ
dGp0RjY0cmczZnI5RFlHRDE0bkExK0UKGgia9rCsoiMuGzWum8TWcPAHf4v1N/pj
t8eTf/Du2KYbULhPgUKQdGiB/5/07D4AvFGA/cz2tzmqGoBNOfMXmg==
-----END AGE ENCRYPTED FILE-----
- recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSXd5ak5ueTJWczVFYnNR
clJTdUUzTTlXWTFocWZJOTBZa2J5NFJjTlZjCktKRjBiWnFMdjhIT1MrTG0wV1Vj
enpmN1VuSE1FZ0krc29oYUhNOHByTWsKLS0tIERjNGRlVEZ4T1ZXRGg2ajNYZnhZ
V2VmZ2hxS0E2ekNlK2ZrYWxqSVhZaFEK+OpXvvuqRQuoTVYPMhYcNvCPJ+J64lKg
yIrUWv+nunSYzi9KfwNMuext0CeWFw5DcjJTy1Oowrnlv9SkgFSc6w==
-----END AGE ENCRYPTED FILE-----
- recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdWxDblFnTGFMRE8zckEx
MmxCbWpRQzZOZDJMY0ZPQXlVRkVRUUpoeDBVCmo0TEtjVmVwUEMzcDMrRVNjcGt5
MDJKeU12RmpLRi9pT005WXMzN2kyTE0KLS0tIGE0ZTkwQjdYUWx5UVdmZnUreXIx
WUJNR0FWSlhwU0kzL0Fsb0ZtUWI5UzgKK51QBzkTK2Ctg6Pa5ZfchJgHEZz+aUht
WVLk/IE7e3ihZY8nTn5vB1WnfT+v1WUAGfhYeYyooAmJt6s0c+VgaQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dmlubnMzaEJEcG9jdHZQ
YjNVRTlTRFdqbkI5d0pURVU2cWNwSE8rZkUwCkZwTmxhN3R2S0RKeWZHLzN0NDJQ
UkZkdXZEOXZRV09NOENxa21NSFgvaUkKLS0tIEFxUlgrakk5QmRETHZEWnVTY05m
M25HWXlaR2JEbVA0V0ljMklad2dCZU0KfR9LG8tglre5zoL7m9CgJn6ocyXls3De
5xDPaVtqp7ECVVt5sdks8ca40LPtSJ8nf6ytp815nuCreX8gVgkyDA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUY1NYUjJINVp0SGlhamRz
MzFjZWdIV3IxYWoycnV2MG5WaW1KcjQxTERZCkRnejRmQm93dUw0N2IwVnd6MU9o
QVRPdGRQRDlCTzJHbHBUL1E5cENNSXMKLS0tIEt1OG9KZ3BxdDlMY3VqVDNhRWdS
elg4MmtDbkdhVWJ6OEtqU1BHMEhnd00KoLeUmsw66nzraADSyVN3WW8GfMMmDOoG
FKWMn+mIskI11065Bn/zkpP6ud1+KLptndip5c749OBdBfDwBtZhzw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-09T22:04:25Z"
mac: ENC[AES256_GCM,data:d8ml8uokaSlD/nJQVM732OoEXZB0a7dpq5Koq1/Nz8iW9xDmwvrWONRmI6EPHMHJ+vFXKS09iLBtaWRo83H1KPIEfN6slVY8wrVYychz38A/jXx3TWd1oh00otJpkmjzWfEbhYYB6K0D2lTP/rfu009b29OzBNbqcIfVrJRz4vQ=,iv:/PBfFIf+SZ4zmRdOba8NKV29JRWHzCGwK5Oo2EGq/90=,tag:5eHt2FPi+5uSNEd3GlFkcQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0