Secret management via sops-nix.

2024-09-21 10:24:16 +01:00
parent 9619607919
commit a79e666a85
9 changed files with 142 additions and 4 deletions

20
.sops.yaml Normal file

@@ -0,0 +1,20 @@
keys:
- &admin_ppetru age1kgkmean5tc0uwl4y8hpknfa2d7g5hka30gzrdnje9n6z2r733upqds0s4l
- &server_zippy age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac
- &server_chilly age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp
- &server_alo_cloud_1 age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z
- &server_c1 age1e7ejamlagumpgjw56h82e9rsz2aplgzmll4np073a9lyvxw2gauqswpqwl
- &server_c2 age1gekmz8kc8r2lc2x6d4u63s2lnpmres4hu9wulxh29ch74ud7wfksq56xam
- &server_c3 age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *admin_ppetru
- *server_zippy
- *server_chilly
- *server_alo_cloud_1
- *server_c1
- *server_c2
- *server_c3
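Review bot: The single creation rule at `path_regex: secrets/[^/]+\.(yaml|json|env|ini)$` puts all seven recipients into one key group, so every server's age key can decrypt every file that will ever land under secrets/, not only the secrets that host needs. For the one secret in this commit (a user password that every host consumes) that is fine, but it means a compromise of any one server exposes every future secret; consider one file and one rule per host or role as host-specific secrets are added. The regex is also unanchored at the start and would match a `secrets/` directory at any depth, so `^secrets/[^/]+\.(yaml|json|env|ini)$` is presumably what is intended. A comment above the rule, `# single key group: every host listed here can decrypt every file under secrets/`, would make the trust boundary explicit.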


@@ -10,6 +10,7 @@
./nix.nix ./nix.nix
./packages.nix ./packages.nix
./show-changelog.nix ./show-changelog.nix
./sops.nix
./sudo.nix ./sudo.nix
./tailscale.nix ./tailscale.nix
]; ];


@@ -1,9 +1,12 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
age
file file
lm_sensors # TODO: this shouldn't be installed on cloud nodes lm_sensors # TODO: this shouldn't be installed on cloud nodes
nodejs_20 # TODO: this is for one job on nomad, it should just be a dependency there nodejs_20 # TODO: this is for one job on nomad, it should just be a dependency there
neovim neovim
sops
ssh-to-age
]; ];
} }
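Review bot: `age`, `sops` and `ssh-to-age` are added to `environment.systemPackages` in what the existing TODOs on `lm_sensors` and `nodejs_20` suggest is a module shared by every node, so these operator-side tools end up installed on all servers. sops-nix decrypts at activation through its own closure and does not need them in the system profile, so they are presumably only needed on the admin workstation for editing `secrets/secrets.yaml` and deriving host recipients; moving them to the admin's home-manager packages or a dev shell in the flake keeps the server profile smaller. If they are meant to stay global, a comment such as `# sops-nix tooling for editing secrets/; not needed for decryption at activation` would record why, matching the style of the TODOs already in this list.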

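--- /dev/null
+++ b/common/global/sops.nix
@@ -0,0 +1,5 @@
+{
+sops = {
+defaultSopsFile = ./../../secrets/secrets.yaml;
+};
+}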
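Review bot: The module sets only `defaultSopsFile`, leaving the decryption identity implicit; sops-nix presumably falls back to its default of deriving an age key from the host's ed25519 SSH host key, which is consistent with `ssh-to-age` being installed and with the `server_*` recipients in .sops.yaml, but nothing here states it. Making it explicit, `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, with a comment `# host SSH key doubles as the sops age identity; recipients in .sops.yaml are derived with ssh-to-age`, documents the root of trust and fails loudly if the key path ever changes. Because `ppetru-password` is marked `neededForUsers`, that key must be readable early at boot — if root is impermanent on any host (the home side already keeps a persistence list), the host key must live on a persisted path, so note that requirement here. `./../../secrets/secrets.yaml` can be written `../../secrets/secrets.yaml`.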


@@ -1,6 +1,7 @@
{ pkgs, ... }: { pkgs, config, ... }:
{ {
programs.fish.enable = true; programs.fish.enable = true;
sops.secrets.ppetru-password.neededForUsers = true;
users.users.ppetru = { users.users.ppetru = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ extraGroups = [
@@ -10,7 +11,7 @@
shell = pkgs.fish; shell = pkgs.fish;
hashedPassword = "$y$j9T$RStwCKefSqHTIiRo6u6Q50$Pp2dNUeJeUMH0HJdDoM/vXMQa2jqyTTPvvIzACHZhVB"; hashedPasswordFile = config.sops.secrets.ppetru-password.path;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCdZ9dHN+DamoyRAIS8v7Ph85KyJ9zYdgwoqkp7F+smEJEdDKboHE5LA49IDQk4cgkR5xNEMtxANpJm+AXNAhQOPVl/w57vI/Z+TBtSvDoj8LuAvKjmmrPfok2iyD2IIlbctcw8ypn1revZwDb1rBFefpbbZdr5h+75tVqqmNebzxk6UQsfL++lU8HscWwYKzxrrom5aJL6wxNTfy7/Htkt4FHzoKAc5gcB2KM/q0s6NvZzX9WtdHHwAR1kib2EekssjDM9VLecX75Xhtbp+LrHOJKRnxbIanXos4UZUzaJctdNTcOYzEVLvV0BCYaktbI+uVvJcC0qo28bXbHdS3rTGRu8CsykFneJXnrrRIJw7mYWhJSTV9bf+6j/lnFNAurbiYmd4SzaTgbGjj2j38Gr/CTsyv8Rho7P3QUWbRRZnn4a7eVPtjGagqwIwS59YDxRcOy2Wdsw35ry/N2G802V7Cr3hUqeaAIev2adtn4FaG72C8enacYUeACPEhi7TYdsDzuuyt31W7AQa5Te4Uda20rTa0Y9N5Lw85uGB2ebbdYWlO2CqI/m+xNYcPkKqL7zZILz782jDw1sxWd/RUbEgJNrWjsKZ7ybiEMmhpw5vLiMGOeqQWIT6cBCNjocmW0ocU+FBLhhioyrvuZOyacoEZLoklatsL0DMkvvkbT0Ew== petru@paler.net" "ssh-rsa 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 petru@paler.net"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+QbeQG/gTPJ2sIMPgZ3ZPEirVo5qX/carbZMKt50YN petru@happy" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+QbeQG/gTPJ2sIMPgZ3ZPEirVo5qX/carbZMKt50YN petru@happy"
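Review bot: The yescrypt hash removed at `hashedPassword = "$y$j9T$..."` remains in the repository's history, so switching to `hashedPasswordFile` only stops future exposure; if the value encrypted into `secrets/secrets.yaml` is the same hash, the password is still an offline cracking target for anyone holding a clone and should be rotated, with a fresh `mkpasswd -m yescrypt` hash written into the secret. `neededForUsers = true` is the correct pairing with `hashedPasswordFile`, since the decrypted file has to exist before users are created during activation; a comment on that line, `# decrypted before user creation so hashedPasswordFile is readable`, would explain the flag to the next reader. The `users.users.ppetru` attribute set continues past the end of the hunk.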

26
flake.lock generated

@@ -354,7 +354,31 @@
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nixvim": "nixvim" "nixvim": "nixvim",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1726524647,
"narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
}, },
"systems": { "systems": {


@@ -22,6 +22,11 @@
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
inputs.home-manager.follows = "home-manager"; inputs.home-manager.follows = "home-manager";
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.nixpkgs-stable.follows = "nixpkgs";
};
}; };
outputs = outputs =
@@ -31,6 +36,8 @@
nixpkgs-unstable, nixpkgs-unstable,
deploy-rs, deploy-rs,
disko, disko,
home-manager,
sops-nix,
... ...
}@inputs: }@inputs:
let let
@@ -51,7 +58,8 @@
} }
) )
disko.nixosModules.disko disko.nixosModules.disko
inputs.home-manager.nixosModules.home-manager sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
{ {
home-manager = { home-manager = {
useGlobalPkgs = true; useGlobalPkgs = true;


@@ -21,6 +21,7 @@
directories = [ directories = [
".cache/nix" ".cache/nix"
".cache/nix-index" ".cache/nix-index"
".config/sops/"
".local/share/fish" ".local/share/fish"
".ssh" ".ssh"
"projects" "projects"
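Review bot: `".config/sops/"` carries a trailing slash while every other entry in `directories` is written without one; `".config/sops"` keeps the list consistent. This directory is presumably where sops and age keep the admin's private key (the `admin_ppetru` recipient in .sops.yaml), which makes it the root of trust for everything under secrets/, so a comment such as `# sops/age identity for the admin recipient in .sops.yaml — back up out-of-band` would flag why it must survive reboots and why it needs a backup beyond the persistence store.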

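--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,75 @@
+ppetru-password: ENC[AES256_GCM,data:3q1oSiMObDDC0pRErkoCbttofFlRiJ/Y2KqCk5widNZTecjouSnUCArKvxpn3KsZRCF1ZvomQhG10tg+/ZZYnOiOdxyRMWBNiw==,iv:UM9S3/UeseaGAXCptbT9GCKn5GAXzH0uQJhMJNIMffk=,tag:gS2UDo1JaEotEv2qiREnNA==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kgkmean5tc0uwl4y8hpknfa2d7g5hka30gzrdnje9n6z2r733upqds0s4l
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK2VIRUZmajF6TjBlbEVQ
+TTBtN3N5d0lndXNnNzY3ang4alRYeE04K2dJCnhtVmF0WWdZUTdBYTY1MVpQWEg2
+SWhyZ1VuVTBra1hzV2pxM0NONmFENnMKLS0tIGxVWDVQRHlPKzFtQU9STE83czdm
+UEFBdjVpRVRrNGVpZnlVR29hclJRck0KPKRgZZ0eaRZftrh3aBjOWLD2g6wFxJ+4
+Rw/oaza3MledGTujZmWyHW2JgwhuE2T2HD3KddVaftWSHESQN1Om2g==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbGlNNUtBd0traXg3cGJW
+ZVUzc1hNMnA5ZjJuM1h5aGdtbjBPNTdTQ21jCmxDUnU5WitkRnFMRFgwcDJCR0F6
+ZERrVUdJYjVaZ2hvbVJRVEdMM0tLalUKLS0tIGV3Z0JzY01RcEdvR282Ly9sb1NJ
+U3V1RE1tRCt4cFNtRkpaWGJMRFJBeVEKBcDcuJX/O+xJ3a4HHvjqZGl6TlpvKRjZ
+Pr+cGGcCFHRzxpamU2VZV6L2bK+vJIo4vduKbOrntItHsJtLCZmRVQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrckJaN1dJRTZJcGtjQThT
+QUFSOUJUekpPZTd0SHJTL3RWdmZlc3FTU3lNCkU5T1hqVERHVytoenpQRFJBRUcv
+NHZPTEc5Si9wSythSFhibUtINUo1eG8KLS0tIG9RQktsTERLaUFiaE1mMWdQK0xl
+L2VWRngva0xkaW41Q0xtQjhIWGdmUGsKKWxCOM5puUD9iLnlDl4PECWsRrKzTzKW
+3uVNZJHDE8Bb1yXxIVFGkNoPaOOS8u+qNUg6k3aH69PrirdfKUgChw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVnU3Qjd4UGZCYys5RkpD
+S1VRd3cydEV6VDdTRXY5dkNieFNiYWhjTmpnCnl0NGE5akVIMjNENDdES2h6bGhV
+UFpCa3lCcDZnUmFyNlpObHJ6cUtCL00KLS0tIGp6U3M5ZkNzOGZZQ0x1dk56L0Js
+ZVBON0w1YzhxMit6SUxYV0JBcXI1N2sKq3c4yigumNGvsgjxgB07kR0F6e2lKzdQ
+Wro4jiBv/kB7hWhOQcpgpodmsVzoYsbFwCHySV3MjpDeyO1AS68fRw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1e7ejamlagumpgjw56h82e9rsz2aplgzmll4np073a9lyvxw2gauqswpqwl
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWlBCYjducUZOR05GTlJx
+eGVsRnNoWjhEL0JaS1FuR3dPSmVGRk9ZN0FZCmY4bW4xd2dGbkdIamhmV1EyWE9z
+NWtJc0xKbWZ6cEsrRE5jenB4bC93K3cKLS0tIDAxUUc5OFFzWUEyQmh2R3Vzb0RS
+S2xjbnpKWFdIS3FybXRrZjFkNzJaNXMKAwQmEjNZoDthL2dk3nbW1yWbrl2weyrf
+MTXyF9pfAT+rnmS20Z40Hn9srI+W8+W4Qf+AMhzQAdPHCyFflrT8oA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1gekmz8kc8r2lc2x6d4u63s2lnpmres4hu9wulxh29ch74ud7wfksq56xam
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUXNBVXhHNEN0bzdyVzRl
+VS9ZSlNmMXRRRVBrd1BxQXVUalVET0hqZHpFClQvUktFVjBpakg0aS94UXZzRWhq
+UGZCOTZwTHBHdVJGYTFPbk5LRVpZRTgKLS0tIGxORGVWQm5oWG85ZkRBWjgwVFht
+N0lXWlQrTWthQzgxaU9WSFpZRm9LRDgK4FqR0ggrikAWBDlmg5PM51zgbdXH0s9k
+GbZQzvpOd4ScF12YejRZ2usslGDYauhdL+eCNlqRIvABYKfA8KfZsQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUbWlUUkp6SGkzUzlnS0sy
+V29ISDNlb3JkeHBKZ3VhUEJycFJTUG5MMERjCjJCTy9vYUdrdC9jM1RUa2ZLMS9z
+WEdmK20rNmVtRXBCbVlLa3p4MVJoWlUKLS0tIFFmaTJod3ZUODFvMnR4UFNJLzZj
+b2FwQUNmcytoelM5c1lkT2ZlS3FieXcK9ZuoUKQeoCrMx0X+6UDfVIKn5sON4o4h
+Y8KDphPCb7RINcPbVX4MhMqzkBkGOgMEBeo8YRo8mJYD0S92K4qUUQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-09-21T09:16:15Z"
+mac: ENC[AES256_GCM,data:VrpYMsWdGvzCvfNCDj+R9NKsq5FVHn4FYlZd10FbFiSd2sfPikiOZfE7ih1E7Smp2KRM3ARyjnq0OSgpw+V1NnRQVTk1uL6oE/VDRUsBJG97EPS8gbC3a7hbvNaa9dAoj8ZB08wziuVs9GExvkpYS+Y13xKDiaxc97XrpQzOcHY=,iv:vxaTs950++ig2rZsPn4mMVT0OMfmEbvHZqnQKYxvkTM=,tag:w2Zp4PGzQLhcCaASKr0/vg==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1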