diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..6526283
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,20 @@
+keys:
+ - &admin_ppetru age1kgkmean5tc0uwl4y8hpknfa2d7g5hka30gzrdnje9n6z2r733upqds0s4l
+ - &server_zippy age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac
+ - &server_chilly age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp
+ - &server_alo_cloud_1 age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z
+ - &server_c1 age1e7ejamlagumpgjw56h82e9rsz2aplgzmll4np073a9lyvxw2gauqswpqwl
+ - &server_c2 age1gekmz8kc8r2lc2x6d4u63s2lnpmres4hu9wulxh29ch74ud7wfksq56xam
+ - &server_c3 age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_ppetru
+ - *server_zippy
+ - *server_chilly
+ - *server_alo_cloud_1
+ - *server_c1
+ - *server_c2
+ - *server_c3
+
diff --git a/common/global/default.nix b/common/global/default.nix
index cf8030d..e94b351 100644
--- a/common/global/default.nix
+++ b/common/global/default.nix
@@ -10,6 +10,7 @@
 ./nix.nix
 ./packages.nix
 ./show-changelog.nix
+ ./sops.nix
 ./sudo.nix
 ./tailscale.nix
 ];
diff --git a/common/global/packages.nix b/common/global/packages.nix
index 962b2b5..5949bff 100644
--- a/common/global/packages.nix
+++ b/common/global/packages.nix
@@ -1,9 +1,12 @@
 { pkgs, ... }:
 {
 environment.systemPackages = with pkgs; [
+ age
 file
 lm_sensors # TODO: this shouldn't be installed on cloud nodes
 nodejs_20 # TODO: this is for one job on nomad, it should just be a dependency there
 neovim
+ sops
+ ssh-to-age
 ];
 }
diff --git a/common/global/sops.nix b/common/global/sops.nix
new file mode 100644
index 0000000..8560b89
--- /dev/null
+++ b/common/global/sops.nix
@@ -0,0 +1,5 @@
+{
+ sops = {
+ defaultSopsFile = ./../../secrets/secrets.yaml;
+ };
+}
diff --git a/common/user-ppetru.nix b/common/user-ppetru.nix
index 141ee3b..b81e60f 100644
--- a/common/user-ppetru.nix
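Review bot: The single creation rule for `secrets/[^/]+\.(yaml|json|env|ini)$` puts all seven hosts into one key group, so every host key can decrypt every secret in the repository, including the admin user's password hash in `secrets/secrets.yaml`, and a compromise of any one host key exposes secrets meant for the others. Consider one rule (and one file) per host or per role so each host is a recipient only of what it actually deploys, e.g. a rule with `path_regex: secrets/zippy\.yaml$` listing only `*admin_ppetru` and `*server_zippy`. The anchors are named for hosts but nothing records how the recipients were produced; a comment next to `keys:` such as `# host recipients derived from each host's ssh_host_ed25519_key via ssh-to-age` would document the provenance, if that is indeed how they were generated.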
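Review bot: `age`, `sops` and `ssh-to-age` are added to the global `environment.systemPackages`, i.e. to every host, although they are only needed where secrets are edited; as far as I know sops-nix decrypts at activation with its own bundled tooling, so the servers do not need these binaries. This file already carries two TODOs about packages that should not be on every node, and this hunk adds a third case of the same pattern. Moving the three into the admin host's or admin user's package set, or at least tagging them in the file's existing style with `# TODO: only needed on the machine that edits secrets`, would keep the intent visible.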
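Review bot: The new module sets only `defaultSopsFile`; nothing states where each host's age identity comes from, so decryption relies on sops-nix's default of deriving it from the host's SSH ed25519 key. Since the recipients in `.sops.yaml` appear to be host keys converted with `ssh-to-age`, making that explicit with `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` plus a one-line comment documents the trust anchor and fails loudly if the key path ever changes. If host keys live on non-persistent storage on any of these machines, that path must exist before activation runs, all the more so because `neededForUsers` secrets are installed early in boot; a comment stating the assumption would help either way. Minor: `./../../secrets/secrets.yaml` can be written `../../secrets/secrets.yaml`.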
+++ b/common/user-ppetru.nix @@ -1,6 +1,7 @@ -{ pkgs, ... }: +{ pkgs, config, ... }: { programs.fish.enable = true; + sops.secrets.ppetru-password.neededForUsers = true; users.users.ppetru = { isNormalUser = true; extraGroups = [ @@ -10,7 +11,7 @@ shell = pkgs.fish; - hashedPassword = "$y$j9T$RStwCKefSqHTIiRo6u6Q50$Pp2dNUeJeUMH0HJdDoM/vXMQa2jqyTTPvvIzACHZhVB"; + hashedPasswordFile = config.sops.secrets.ppetru-password.path; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCdZ9dHN+DamoyRAIS8v7Ph85KyJ9zYdgwoqkp7F+smEJEdDKboHE5LA49IDQk4cgkR5xNEMtxANpJm+AXNAhQOPVl/w57vI/Z+TBtSvDoj8LuAvKjmmrPfok2iyD2IIlbctcw8ypn1revZwDb1rBFefpbbZdr5h+75tVqqmNebzxk6UQsfL++lU8HscWwYKzxrrom5aJL6wxNTfy7/Htkt4FHzoKAc5gcB2KM/q0s6NvZzX9WtdHHwAR1kib2EekssjDM9VLecX75Xhtbp+LrHOJKRnxbIanXos4UZUzaJctdNTcOYzEVLvV0BCYaktbI+uVvJcC0qo28bXbHdS3rTGRu8CsykFneJXnrrRIJw7mYWhJSTV9bf+6j/lnFNAurbiYmd4SzaTgbGjj2j38Gr/CTsyv8Rho7P3QUWbRRZnn4a7eVPtjGagqwIwS59YDxRcOy2Wdsw35ry/N2G802V7Cr3hUqeaAIev2adtn4FaG72C8enacYUeACPEhi7TYdsDzuuyt31W7AQa5Te4Uda20rTa0Y9N5Lw85uGB2ebbdYWlO2CqI/m+xNYcPkKqL7zZILz782jDw1sxWd/RUbEgJNrWjsKZ7ybiEMmhpw5vLiMGOeqQWIT6cBCNjocmW0ocU+FBLhhioyrvuZOyacoEZLoklatsL0DMkvvkbT0Ew== petru@paler.net" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+QbeQG/gTPJ2sIMPgZ3ZPEirVo5qX/carbZMKt50YN petru@happy" diff --git a/flake.lock b/flake.lock index 90e61ef..20b84ee 100644 --- a/flake.lock +++ b/flake.lock 
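Review bot: The yescrypt hash removed on the `hashedPassword` line stays recoverable from git history, so moving it into the encrypted `secrets/secrets.yaml` only reduces exposure if the `ppetru-password` secret holds a freshly generated hash; if the same value was simply re-encrypted, rotating the password should be part of this change. The switch to `hashedPasswordFile = config.sops.secrets.ppetru-password.path;` is correctly paired with `sops.secrets.ppetru-password.neededForUsers = true;` in the first hunk, which is what makes the file readable at user-creation time; a comment on that line such as `# decrypted before users are created so hashedPasswordFile can be read` would explain why it lives here rather than in sops.nix. The `users.users.ppetru` attribute set continues outside both hunks.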
@@ -354,7 +354,31 @@
 "nix-index-database": "nix-index-database",
 "nixpkgs": "nixpkgs",
 "nixpkgs-unstable": "nixpkgs-unstable",
- "nixvim": "nixvim"
+ "nixvim": "nixvim",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1726524647,
+ "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 },
 "systems": {
diff --git a/flake.nix b/flake.nix
index 841a33f..6b9eb26 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,6 +22,11 @@
 inputs.nixpkgs.follows = "nixpkgs-unstable";
 inputs.home-manager.follows = "home-manager";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ inputs.nixpkgs-stable.follows = "nixpkgs";
+ };
 };
 outputs =
@@ -31,6 +36,8 @@
 nixpkgs-unstable,
 deploy-rs,
 disko,
+ home-manager,
+ sops-nix,
 ...
 }@inputs:
 let
@@ -51,7 +58,8 @@
 }
 )
 disko.nixosModules.disko
- inputs.home-manager.nixosModules.home-manager
+ sops-nix.nixosModules.sops
+ home-manager.nixosModules.home-manager
 {
 home-manager = {
 useGlobalPkgs = true;
diff --git a/home/default.nix b/home/default.nix
index f564ecb..0de9831 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -21,6 +21,7 @@
 directories = [
 ".cache/nix"
 ".cache/nix-index"
+ ".config/sops/"
 ".local/share/fish"
 ".ssh"
 "projects"
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..c8642d2
--- /dev/null
+++ b/secrets/secrets.yaml
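Review bot: The second and third flake.nix hunks also switch home-manager from `inputs.home-manager.nixosModules.home-manager` to the newly destructured `home-manager`, a refactor unrelated to adding sops-nix that is not mentioned anywhere and makes the security-relevant change harder to review in isolation. Either split it into its own commit or name it in the commit message. The `sops-nix.nixosModules.sops` line is the point at which every host starts decrypting secrets at activation, so a short comment there stating which key the hosts decrypt with would orient the next reader.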
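Review bot: Persisting `.config/sops/` keeps the admin age identity (`~/.config/sops/age/keys.txt`, where sops looks by default) on the persistent volume of every host that applies this home module. That identity decrypts every secret in the repository, so it belongs only on the machine used for editing; if this module is also applied on the servers, guard the entry behind a host-specific option or keep the key off those hosts entirely. Stylistically, the new entry carries a trailing slash while the neighbouring `".cache/nix-index"` and `".ssh"` do not; `".config/sops"` matches the list.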
@@ -0,0 +1,75 @@ +ppetru-password: ENC[AES256_GCM,data:3q1oSiMObDDC0pRErkoCbttofFlRiJ/Y2KqCk5widNZTecjouSnUCArKvxpn3KsZRCF1ZvomQhG10tg+/ZZYnOiOdxyRMWBNiw==,iv:UM9S3/UeseaGAXCptbT9GCKn5GAXzH0uQJhMJNIMffk=,tag:gS2UDo1JaEotEv2qiREnNA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kgkmean5tc0uwl4y8hpknfa2d7g5hka30gzrdnje9n6z2r733upqds0s4l + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK2VIRUZmajF6TjBlbEVQ + TTBtN3N5d0lndXNnNzY3ang4alRYeE04K2dJCnhtVmF0WWdZUTdBYTY1MVpQWEg2 + SWhyZ1VuVTBra1hzV2pxM0NONmFENnMKLS0tIGxVWDVQRHlPKzFtQU9STE83czdm + UEFBdjVpRVRrNGVpZnlVR29hclJRck0KPKRgZZ0eaRZftrh3aBjOWLD2g6wFxJ+4 + Rw/oaza3MledGTujZmWyHW2JgwhuE2T2HD3KddVaftWSHESQN1Om2g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbGlNNUtBd0traXg3cGJW + ZVUzc1hNMnA5ZjJuM1h5aGdtbjBPNTdTQ21jCmxDUnU5WitkRnFMRFgwcDJCR0F6 + ZERrVUdJYjVaZ2hvbVJRVEdMM0tLalUKLS0tIGV3Z0JzY01RcEdvR282Ly9sb1NJ + U3V1RE1tRCt4cFNtRkpaWGJMRFJBeVEKBcDcuJX/O+xJ3a4HHvjqZGl6TlpvKRjZ + Pr+cGGcCFHRzxpamU2VZV6L2bK+vJIo4vduKbOrntItHsJtLCZmRVQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrckJaN1dJRTZJcGtjQThT + QUFSOUJUekpPZTd0SHJTL3RWdmZlc3FTU3lNCkU5T1hqVERHVytoenpQRFJBRUcv + NHZPTEc5Si9wSythSFhibUtINUo1eG8KLS0tIG9RQktsTERLaUFiaE1mMWdQK0xl + L2VWRngva0xkaW41Q0xtQjhIWGdmUGsKKWxCOM5puUD9iLnlDl4PECWsRrKzTzKW + 3uVNZJHDE8Bb1yXxIVFGkNoPaOOS8u+qNUg6k3aH69PrirdfKUgChw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVnU3Qjd4UGZCYys5RkpD + 
S1VRd3cydEV6VDdTRXY5dkNieFNiYWhjTmpnCnl0NGE5akVIMjNENDdES2h6bGhV + UFpCa3lCcDZnUmFyNlpObHJ6cUtCL00KLS0tIGp6U3M5ZkNzOGZZQ0x1dk56L0Js + ZVBON0w1YzhxMit6SUxYV0JBcXI1N2sKq3c4yigumNGvsgjxgB07kR0F6e2lKzdQ + Wro4jiBv/kB7hWhOQcpgpodmsVzoYsbFwCHySV3MjpDeyO1AS68fRw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1e7ejamlagumpgjw56h82e9rsz2aplgzmll4np073a9lyvxw2gauqswpqwl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWlBCYjducUZOR05GTlJx + eGVsRnNoWjhEL0JaS1FuR3dPSmVGRk9ZN0FZCmY4bW4xd2dGbkdIamhmV1EyWE9z + NWtJc0xKbWZ6cEsrRE5jenB4bC93K3cKLS0tIDAxUUc5OFFzWUEyQmh2R3Vzb0RS + S2xjbnpKWFdIS3FybXRrZjFkNzJaNXMKAwQmEjNZoDthL2dk3nbW1yWbrl2weyrf + MTXyF9pfAT+rnmS20Z40Hn9srI+W8+W4Qf+AMhzQAdPHCyFflrT8oA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1gekmz8kc8r2lc2x6d4u63s2lnpmres4hu9wulxh29ch74ud7wfksq56xam + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUXNBVXhHNEN0bzdyVzRl + VS9ZSlNmMXRRRVBrd1BxQXVUalVET0hqZHpFClQvUktFVjBpakg0aS94UXZzRWhq + UGZCOTZwTHBHdVJGYTFPbk5LRVpZRTgKLS0tIGxORGVWQm5oWG85ZkRBWjgwVFht + N0lXWlQrTWthQzgxaU9WSFpZRm9LRDgK4FqR0ggrikAWBDlmg5PM51zgbdXH0s9k + GbZQzvpOd4ScF12YejRZ2usslGDYauhdL+eCNlqRIvABYKfA8KfZsQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUbWlUUkp6SGkzUzlnS0sy + V29ISDNlb3JkeHBKZ3VhUEJycFJTUG5MMERjCjJCTy9vYUdrdC9jM1RUa2ZLMS9z + WEdmK20rNmVtRXBCbVlLa3p4MVJoWlUKLS0tIFFmaTJod3ZUODFvMnR4UFNJLzZj + b2FwQUNmcytoelM5c1lkT2ZlS3FieXcK9ZuoUKQeoCrMx0X+6UDfVIKn5sON4o4h + Y8KDphPCb7RINcPbVX4MhMqzkBkGOgMEBeo8YRo8mJYD0S92K4qUUQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-21T09:16:15Z" + mac: 
ENC[AES256_GCM,data:VrpYMsWdGvzCvfNCDj+R9NKsq5FVHn4FYlZd10FbFiSd2sfPikiOZfE7ih1E7Smp2KRM3ARyjnq0OSgpw+V1NnRQVTk1uL6oE/VDRUsBJG97EPS8gbC3a7hbvNaa9dAoj8ZB08wziuVs9GExvkpYS+Y13xKDiaxc97XrpQzOcHY=,iv:vxaTs950++ig2rZsPn4mMVT0OMfmEbvHZqnQKYxvkTM=,tag:w2Zp4PGzQLhcCaASKr0/vg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1