nixos: fine grain secrets
This commit is contained in:
parent
b1e15b64ff
commit
685e913ea2
8 changed files with 66 additions and 90 deletions
20
.sops.yaml
20
.sops.yaml
|
@ -7,16 +7,24 @@ keys:
|
|||
- &sin0 age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
|
||||
- &tyo0 age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
|
||||
creation_rules:
|
||||
# per host
|
||||
- path_regex: ^hosts/dust/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *guanranwang
|
||||
- *dust
|
||||
- path_regex: ^hosts/pek0/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *guanranwang
|
||||
- *pek0
|
||||
- path_regex: ^hosts/tyo0/secrets.yaml$
|
||||
- path_regex: ^hosts/aws/tyo0/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *guanranwang
|
||||
- *tyo0
|
||||
|
||||
# shared
|
||||
- path_regex: ^nixos/profiles/restic/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
|
@ -40,14 +48,8 @@ creation_rules:
|
|||
- age:
|
||||
- *guanranwang
|
||||
- *dust
|
||||
- path_regex: ^secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *guanranwang
|
||||
- *dust
|
||||
- *pek0
|
||||
- *sin0
|
||||
- *tyo0
|
||||
|
||||
# opentofu
|
||||
- path_regex: ^infra/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
|
|
|
@ -25,6 +25,18 @@
|
|||
preservation.nixosModules.preservation
|
||||
]);
|
||||
|
||||
sops.secrets = lib.mapAttrs (_n: v: v // { sopsFile = ./secrets.yaml; }) {
|
||||
"hashed-passwd" = {
|
||||
neededForUsers = true;
|
||||
};
|
||||
"nix-access-tokens" = {
|
||||
owner = "guanranwang";
|
||||
mode = "0440";
|
||||
};
|
||||
};
|
||||
|
||||
nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
|
||||
|
||||
networking.hostName = "dust";
|
||||
time.timeZone = "Asia/Shanghai";
|
||||
system.stateVersion = "24.05";
|
||||
|
@ -36,17 +48,12 @@
|
|||
# TODO: this is currently broken
|
||||
# system.etc.overlay.mutable = false;
|
||||
|
||||
users.users = {
|
||||
"guanranwang" = {
|
||||
users.users."guanranwang" = {
|
||||
isNormalUser = true;
|
||||
description = "Guanran Wang";
|
||||
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
|
||||
shell = pkgs.fish;
|
||||
extraGroups = [
|
||||
"wheel"
|
||||
"nix-access-tokens"
|
||||
];
|
||||
};
|
||||
extraGroups = [ "wheel" ];
|
||||
};
|
||||
|
||||
home-manager = {
|
||||
|
|
31
hosts/dust/secrets.yaml
Normal file
31
hosts/dust/secrets.yaml
Normal file
|
@ -0,0 +1,31 @@
|
|||
hashed-passwd: ENC[AES256_GCM,data:Ww/aE2CEQG2ZvFALA0cfN/jsmoywTsDLUh9sgVtF6xyNYLLd1+XCbzG9KUJGsB0PXO+ISdL/5ySRCuU8a79FytZdbyZ1FZKTzg==,iv:vLKHMzFjiwp8gW9VhKZq85D2tj+TvJ9iIeQoJBcvCDE=,tag:aZ5JmvrCfE7WQ1FIugpHkQ==,type:str]
|
||||
nix-access-tokens: ENC[AES256_GCM,data:LHkzgXCYBRrdgLDDlym1NL9N2rNjrNTVgqTvfp4E/ytIKTqxOccFUAc0lYeOj8Q1+JQJ4Jqw1vEU756lCSJXHoOkNjhYAnDkuHlL1543pykBlLXXw2O8Y7R9cELaFENx4cIv6gsa9BWA8DcvLiR4oAjnVuFiuMHo,iv:iQxdyajRAVFV0zk2FLOLktcTX7uKFE1tuGP4eWePdfE=,tag:XJF2axqMmslPH3z8cWRdOA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVExsaTZiVW9iMExPZmly
|
||||
ODdHNUJTOUxQd2ltd2hlSTZ3SE5vRXRqQ2pzCmFUMFVZSHdrdy9xSmpuLzVOZ3Rt
|
||||
bUZiS3pBQkFZQkd6QTdGbW90cjU0bEEKLS0tIDBpbjFCRjB1azFsTURrWFBWQm13
|
||||
Q0RBNFkyMmZZWjQwMnkyOXJBSXhYc28KXujCQ2jyG5c7qDXVr/7j4/qfDsVDV6qy
|
||||
ZueXQbKw7Ylf6XJ5RobbgkNSwPhwXilcZY/Xr76/HmdFnealztPclw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6aHJXYnJUbWU2TDY3VEdH
|
||||
MXRGRlU3Y09zK3A2T3U5djhYWlFMOE1HSkhRCklFSUo3cm5nV0hBK3ZwQkh5Tzhy
|
||||
d1lPdGNqTmNkY0xONlBUK0NRN1h1aGsKLS0tIGIxREdIUllINlJLTUhSaWxjUVNj
|
||||
VFVQMENGUms4ME9KUVhMcnk3K2VJejQKfLmuUjFwgG0gHgk2//AR+HfMvG2IfOel
|
||||
TgzJwaYAGnfGCeSKSaAd1lkqtYteR5nmb0lqh1a76kjsZRQgfN4iwA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-30T16:07:48Z"
|
||||
mac: ENC[AES256_GCM,data:IyuBOWiSuPXr1iUUnnAoAxraOAk9kEATpGwCvVgmjYD6fptA95YCg3RxJoRClfgYWl1RQMqkmTh/6En4Sik+KfwvXyGuORRdl2RYokHIgvN+iIK2/eRQY2oW7HHbyplIxfvmaQPKFo3cB6a28xZS5scLutcBQm4mnaJk2wV7a54=,iv:JL7LfF/DDhQKvrr0Aemv4aWN+OkC2LWqhcnJTa2CtK8=,tag:K/M+G8kzWmqasLub0LJUZQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
|
@ -29,6 +29,9 @@
|
|||
|
||||
######## Secrets
|
||||
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
|
||||
"hashed-passwd" = {
|
||||
neededForUsers = true;
|
||||
};
|
||||
"synapse/secret" = {
|
||||
restartUnits = [ "matrix-synapse.service" ];
|
||||
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
hashed-passwd: ENC[AES256_GCM,data:nzULt69D8wGj9pOwCNR8y3KWeM41HVAniA4l6mS2YUQtlrwFV6ehqFQQk4+Ue14c79cAa0FyI4ddtQeuuRm/ZxRvLmczlYe2Qg==,iv:kDUc1ksqR4TMjpLe5tO4pBMiyEgDOL5/MuvBW9Bry4s=,tag:/L4y/TSag+4GYGJmYCdc+w==,type:str]
|
||||
synapse:
|
||||
secret: ENC[AES256_GCM,data:H7bHbreE4NmpqXHpkPQ5AkwGOAs97YcQhQZIr5zgK1mgHMTGSbMP57elWMyMAQ3+wCy7x9Jx0H2omrdQh39iG32XoVyyMMoVMQ0OCgFa4O77DHdgG+wrWl7VLWNY,iv:cFbMEqJQG482ShZlpoxRhk7z/y5216WucXfJbkMxuxU=,tag:7iUyMlu2yStLLdkC/V9/DQ==,type:str]
|
||||
oidc: ENC[AES256_GCM,data:ihiMcrrYvPrNDJ13p6/FbINgh5wxv2vyOYxg0sthipM=,iv:+aESWZLI7/4HWjV7QT94py+zGLbTl+VoSsWdiGNHkjU=,tag:yxxZeDOtzFegCQGQT2HCgA==,type:str]
|
||||
|
@ -29,8 +30,8 @@ sops:
|
|||
bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
|
||||
hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-08-29T15:23:52Z"
|
||||
mac: ENC[AES256_GCM,data:32DW8e/ojxJzL8UOAQ3x8jg5fbUC+m+mwom00gXBaBsu/C2CLkOC2xyiZragBjbp/OWy3xoZC3GG7dngXpBT8pSo7T/F8KDnP2fKacvrKJRNBTT+JFjxZ0VkPy82MIi2JBkXqYRF248ofdXHFTHp/71s15R97xVtHEZdtGbEly0=,iv:sMgk1pTVWdgjSlXNvX4EAraw4tNwP1mxzihCv/dSfuI=,tag:FhfSoy5w2WezE++2QGjFrg==,type:str]
|
||||
lastmodified: "2024-09-30T16:13:16Z"
|
||||
mac: ENC[AES256_GCM,data:T0xsHlw5ibxgsjuIyk7ibrEIxGnez6fwFea6L/GiIpzhBOQIAx7dX+cVO+d3Nkwblr8Sx44ytEZGzCngR2eHPG8uIjxtcWYk0Hb7/3DneLRd2+mAJej5W7UUqbNWtDMpLPHjIHMy03z6T8NOTnLfH8MLiQfxQk5QgIrisMmAmrE=,iv:SOZugaEclPpvmIADcCQJSEouuLCcI0kBAGIa7yvtxtA=,tag:PcKhw9ZT06nr7jylLMGh8Q==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
||||
|
|
|
@ -65,9 +65,7 @@
|
|||
|
||||
### sops-nix
|
||||
sops = {
|
||||
defaultSopsFile = ../../../secrets.yaml;
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
gnupg.sshKeyPaths = [ ];
|
||||
secrets."hashed-passwd".neededForUsers = true;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -49,13 +49,5 @@
|
|||
dates = "weekly";
|
||||
options = "--delete-older-than 7d";
|
||||
};
|
||||
|
||||
extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
|
||||
};
|
||||
|
||||
users.groups."nix-access-tokens" = { };
|
||||
sops.secrets."nix-access-tokens" = {
|
||||
group = config.users.groups."nix-access-tokens".name;
|
||||
mode = "0440";
|
||||
};
|
||||
}
|
||||
|
|
58
secrets.yaml
58
secrets.yaml
|
@ -1,58 +0,0 @@
|
|||
hashed-passwd: ENC[AES256_GCM,data:KPOh1bYW2eruBI7Z9OKqqRmoXAxQ/k5sghAmHDFyUeJTNavelU9hcGfBq69KSU+MeFVfRmwHZncZYyiDkF4hFI2YFgFY0M2jzA==,iv:h7XtrT/4/T1b4SPGx10w5g84DMCA/FE3mjinwcLn0tI=,tag:jS8XnwEdEH2QYkNJVRwkcA==,type:str]
|
||||
nix-access-tokens: ENC[AES256_GCM,data:lUeCDT0r1AnTFG4s8eLxSlGRVQAJ4eyXVW80pkgAL5aVrG86+G7NOLVfQYUxthLBRFFXnGA2rQD4h4c2VWknd0YDFdS+me8RBbN2mqJm6YqEYdMEW2Lgv9iSz/zXuDT9FFdDWRdv71lTTwyP2Gie4Y8UkBrAV3ue,iv:HyDyQ5H2nDzi4nIUKoelOrzF4K3sIMlB5HoQR9EMc0s=,tag:vgn2TtQRE8Qd+/zjlOSuAw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoc0l1c2U1ZDZhTEVKNG84
|
||||
VFFZQWJ5WXJKZ1J0N1Z2TjB5WUg3VEo4QzN3CjcySXllZTBmUVRWVnRET2NzTjMw
|
||||
N2ZhYS9Rb2VDeUk0RUM3NWVta21YTW8KLS0tIE9Ca2dRN2R2VFVzNitPUHZ0YmVZ
|
||||
dGp0RjY0cmczZnI5RFlHRDE0bkExK0UKGgia9rCsoiMuGzWum8TWcPAHf4v1N/pj
|
||||
t8eTf/Du2KYbULhPgUKQdGiB/5/07D4AvFGA/cz2tzmqGoBNOfMXmg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSXd5ak5ueTJWczVFYnNR
|
||||
clJTdUUzTTlXWTFocWZJOTBZa2J5NFJjTlZjCktKRjBiWnFMdjhIT1MrTG0wV1Vj
|
||||
enpmN1VuSE1FZ0krc29oYUhNOHByTWsKLS0tIERjNGRlVEZ4T1ZXRGg2ajNYZnhZ
|
||||
V2VmZ2hxS0E2ekNlK2ZrYWxqSVhZaFEK+OpXvvuqRQuoTVYPMhYcNvCPJ+J64lKg
|
||||
yIrUWv+nunSYzi9KfwNMuext0CeWFw5DcjJTy1Oowrnlv9SkgFSc6w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdWxDblFnTGFMRE8zckEx
|
||||
MmxCbWpRQzZOZDJMY0ZPQXlVRkVRUUpoeDBVCmo0TEtjVmVwUEMzcDMrRVNjcGt5
|
||||
MDJKeU12RmpLRi9pT005WXMzN2kyTE0KLS0tIGE0ZTkwQjdYUWx5UVdmZnUreXIx
|
||||
WUJNR0FWSlhwU0kzL0Fsb0ZtUWI5UzgKK51QBzkTK2Ctg6Pa5ZfchJgHEZz+aUht
|
||||
WVLk/IE7e3ihZY8nTn5vB1WnfT+v1WUAGfhYeYyooAmJt6s0c+VgaQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dmlubnMzaEJEcG9jdHZQ
|
||||
YjNVRTlTRFdqbkI5d0pURVU2cWNwSE8rZkUwCkZwTmxhN3R2S0RKeWZHLzN0NDJQ
|
||||
UkZkdXZEOXZRV09NOENxa21NSFgvaUkKLS0tIEFxUlgrakk5QmRETHZEWnVTY05m
|
||||
M25HWXlaR2JEbVA0V0ljMklad2dCZU0KfR9LG8tglre5zoL7m9CgJn6ocyXls3De
|
||||
5xDPaVtqp7ECVVt5sdks8ca40LPtSJ8nf6ytp815nuCreX8gVgkyDA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUY1NYUjJINVp0SGlhamRz
|
||||
MzFjZWdIV3IxYWoycnV2MG5WaW1KcjQxTERZCkRnejRmQm93dUw0N2IwVnd6MU9o
|
||||
QVRPdGRQRDlCTzJHbHBUL1E5cENNSXMKLS0tIEt1OG9KZ3BxdDlMY3VqVDNhRWdS
|
||||
elg4MmtDbkdhVWJ6OEtqU1BHMEhnd00KoLeUmsw66nzraADSyVN3WW8GfMMmDOoG
|
||||
FKWMn+mIskI11065Bn/zkpP6ud1+KLptndip5c749OBdBfDwBtZhzw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-07-09T22:04:25Z"
|
||||
mac: ENC[AES256_GCM,data:d8ml8uokaSlD/nJQVM732OoEXZB0a7dpq5Koq1/Nz8iW9xDmwvrWONRmI6EPHMHJ+vFXKS09iLBtaWRo83H1KPIEfN6slVY8wrVYychz38A/jXx3TWd1oh00otJpkmjzWfEbhYYB6K0D2lTP/rfu009b29OzBNbqcIfVrJRz4vQ=,iv:/PBfFIf+SZ4zmRdOba8NKV29JRWHzCGwK5Oo2EGq/90=,tag:5eHt2FPi+5uSNEd3GlFkcQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
Loading…
Reference in a new issue