From 3d9e197056c5df481675624bfa653bcf7a4f7d7d Mon Sep 17 00:00:00 2001
From: Gabe Venberg
Date: Fri, 31 May 2024 21:05:06 -0500
Subject: [PATCH] inital steps into sops-nix. figured out ssh pubkey management.
---
configs/home-manager/sops.nix | 22 ++++++++++++++++++++++
flake.lock | 18 ++++++++++++++++++
flake.nix | 25 +++++++++++++++---------
hosts/archlaptop-vm/default.nix | 8 +++++++-
hosts/home-personal.nix | 4 +++-
hosts/home-workstation.nix | 4 +++-
hosts/workstation-vm/default.nix | 12 +++++++++++-
hosts/workstation-vm/secrets.nix | 20 ++++++++++++++++++++
hosts/wsl-workstation.nix | 4 +++-
justfile | 3 +++
lib/default.nix | 12 ++++++++++++
11 files changed, 117 insertions(+), 15 deletions(-)
create mode 100644 configs/home-manager/sops.nix
create mode 100644 hosts/workstation-vm/secrets.nix
create mode 100644 lib/default.nix
diff --git a/configs/home-manager/sops.nix b/configs/home-manager/sops.nix
new file mode 100644
index 0000000..293619c
--- /dev/null
+++ b/configs/home-manager/sops.nix
@@ -0,0 +1,22 @@
+{
+ config,
+ pkgs,
+ lib,
+ inputs,
+ ...
+}: let
+ secretsPath = builtins.toString inputs.nix-secrets;
+in {
+ imports = [
+ inputs.sops-nix.homeManagerModules.sops
+ ];
+
+ sops={
+ defaultSopsFile="${secretsPath}/secrets.yaml";
+ age={
+ sshKeyPaths=["${config.home.homeDirectory}/keys/age/master.txt"];
+ keyFile="/var/lib/sops-nix/key.txt";
+ generateKey=true;
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index 7581c2b..2325b3c 100644
--- a/flake.lock
+++ b/flake.lock
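Review bot: In the `sops.age` block, `sshKeyPaths` is given `keys/age/master.txt`, which by its name is an age identity, while sops-nix's `sshKeyPaths` lists SSH private keys that get converted to age identities; an age key belongs in `keyFile`. At the same time `keyFile` points at `/var/lib/sops-nix/key.txt` with `generateKey=true`, and a user-level home-manager activation is unlikely to be allowed to create a file under `/var/lib`, so the two paths look swapped — the intended shape is probably `keyFile="${config.home.homeDirectory}/keys/age/master.txt";` with `sshKeyPaths` dropped or pointing at a real SSH key; worth confirming on a fresh activation. `pkgs` and `lib` are bound in the argument set but unused in this module.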
@@ -237,6 +237,23 @@
 "type": "github"
 }
 },
+ "nix-secrets": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1717206943,
+ "narHash": "sha256-TtBaZMGhA8fkQbt/RKJml992JFr/sdz4gqdIJeu6ltk=",
+ "ref": "refs/heads/main",
+ "rev": "3e19bf8fce17779c5f6fce5f8f894de8a5193fa2",
+ "shallow": true,
+ "type": "git",
+ "url": "ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git"
+ },
+ "original": {
+ "shallow": true,
+ "type": "git",
+ "url": "ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git"
+ }
+ },
 "nixos-wsl": {
 "inputs": {
 "flake-compat": [
@@ -361,6 +378,7 @@
 "flake-compat": "flake-compat",
 "flake-utils": "flake-utils",
 "home-manager": "home-manager",
+ "nix-secrets": "nix-secrets",
 "nixos-wsl": "nixos-wsl",
 "nixpkgs": "nixpkgs",
 "nixvim": "nixvim",
diff --git a/flake.nix b/flake.nix
index f6508ee..299f83d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -42,6 +42,12 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ nix-secrets = {
+ url = "git+ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git?shallow=1";
+ # url = "git+https://git.venberg.xyz/Gabe/nix-secrets.git?shallow=1";
+ flake = false;
+ };
+
 # just for follows statements
 flake-utils.url = "github:numtide/flake-utils";
 flake-compat.url = "github:edolstra/flake-compat";
@@ -58,6 +64,8 @@
 "x86_64-linux"
 "aarch64-linux"
 ];
+ inherit (nixpkgs) lib;
+ configLib=import ./lib {inherit lib;};
 in {
 formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.alejandra);
@@ -69,9 +77,6 @@
 packages = with pkgs; [
 just
 deploy-rs.packages.${system}.deploy-rs
- age
- ssh-to-age
- sops
 ];
 };
 }
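Review bot: `nix-secrets` is declared with `flake = false`, so the whole repository is copied into the Nix store of every machine that evaluates this flake and is readable by every local user there; that is fine for sops-encrypted files and the `public-keys` directory this commit consumes, but nothing in this repo states the constraint. A comment on the input would make it explicit, e.g. `# non-flake input: its contents land in the world-readable /nix/store, so only sops-encrypted files and public keys may live in that repo`. The commented-out https `url` is dead configuration and should be removed or given a note saying when it is the one to use.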
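Review bot: The dev shell drops `age`, `ssh-to-age` and `sops` in the same commit that starts consuming sops-encrypted files and age keys, so the tools needed to edit or re-key those files are no longer available from this repo's shell. If editing is meant to happen from the nix-secrets repository's own environment, a one-line comment next to `packages` saying so would spare the next reader a hunt; otherwise keeping the three packages is the simpler fix.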
@@ -82,18 +87,18 @@
 # NixOS configuration entrypoint
 # Available through 'nixos-rebuild --flake .#your-hostname'
 nixosConfigurations = {
- archlaptop-vm = import ./hosts/archlaptop-vm {inherit inputs outputs;};
- workstation-vm = import ./hosts/workstation-vm {inherit inputs outputs;};
- gv-wsl = import ./hosts/wsl-workstation.nix {inherit inputs outputs;};
+ archlaptop-vm = import ./hosts/archlaptop-vm {inherit inputs outputs configLib;};
+ workstation-vm = import ./hosts/workstation-vm {inherit inputs outputs configLib;};
+ gv-wsl = import ./hosts/wsl-workstation.nix {inherit inputs outputs configLib;};
 };
 # Standalone home-manager configuration entrypoint
 # Available through 'home-manager --flake .#your-username@your-hostname'
 homeConfigurations = {
- "gabe@archlaptop" = import ./hosts/home-personal.nix {inherit inputs outputs;};
- "gabe@linuxgamingrig" = import ./hosts/home-personal.nix {inherit inputs outputs;};
- "gabe@gv-workstation" = import ./hosts/home-workstation.nix {inherit inputs outputs;};
- "gabe@gv-ubuntu" = import ./hosts/home-workstation.nix {inherit inputs outputs;};
+ "gabe@archlaptop" = import ./hosts/home-personal.nix {inherit inputs outputs configLib;};
+ "gabe@linuxgamingrig" = import ./hosts/home-personal.nix {inherit inputs outputs configLib;};
+ "gabe@gv-workstation" = import ./hosts/home-workstation.nix {inherit inputs outputs configLib;};
+ "gabe@gv-ubuntu" = import ./hosts/home-workstation.nix {inherit inputs outputs configLib;};
 };
 templates = import ./templates {inherit inputs outputs;};
diff --git a/hosts/archlaptop-vm/default.nix b/hosts/archlaptop-vm/default.nix
index f122713..5e3d9f2 100644
--- a/hosts/archlaptop-vm/default.nix
+++ b/hosts/archlaptop-vm/default.nix
@@ -1,11 +1,12 @@
 {
 inputs,
 outputs,
+ configLib,
 ...
 }:
 inputs.nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- specialArgs = {inherit inputs outputs;};
+ specialArgs = {inherit inputs outputs configLib;};
 # > Our main nixos configuration file <
 modules = [
 inputs.home-manager.nixosModules.home-manager
@@ -19,6 +20,7 @@ inputs.nixpkgs.lib.nixosSystem {
 ({
 config,
 pkgs,
+ configLib,
 ...
 }: {
 host = {
@@ -39,6 +41,9 @@ inputs.nixpkgs.lib.nixosSystem {
 xkb.variant = "";
 };
+ users.users.root.openssh.authorizedKeys.keys =
+ configLib.dirToStrings "${inputs.nix-secrets}/public-keys";
+
 programs.zsh.enable = true;
 environment.shells = with pkgs; [zsh];
 # Define a user account. Don't forget to set a password with ‘passwd’.
@@ -51,6 +56,7 @@ inputs.nixpkgs.lib.nixosSystem {
 firefox
 # thunderbird
 ];
+ openssh.authorizedKeys.keys=config.users.users.root.openssh.authorizedKeys.keys;
 };
 home-manager.users.${config.host.user} = {
diff --git a/hosts/home-personal.nix b/hosts/home-personal.nix
index a48c06e..740ea77 100644
--- a/hosts/home-personal.nix
+++ b/hosts/home-personal.nix
@@ -1,16 +1,18 @@
 {
 inputs,
 outputs,
+ configLib,
 ...
 }:
 inputs.home-manager.lib.homeManagerConfiguration {
 pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
- extraSpecialArgs = {inherit inputs outputs;};
+ extraSpecialArgs = {inherit inputs outputs configLib;};
 modules = [
 ({
 config,
 pkgs,
 lib,
+ configLib,
 ...
 }: {
 # machine specific options
diff --git a/hosts/home-workstation.nix b/hosts/home-workstation.nix
index e7539e2..c92506c 100644
--- a/hosts/home-workstation.nix
+++ b/hosts/home-workstation.nix
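Review bot: `users.users.root.openssh.authorizedKeys.keys` in the `@@ -39` hunk turns every file under `public-keys` in the secrets repo into a root login key, and with NixOS's default `PermitRootLogin = "prohibit-password"` that is enough for key-based root SSH on any host where `services.openssh` is enabled (not visible in this hunk). If root login is not actually wanted and root's list only exists as the source for the user's keys in the `@@ -51` hunk, derive both from one `let` binding and set `services.openssh.settings.PermitRootLogin = "no";` rather than routing the user's keys through root's attribute. The same pattern is added in `hosts/workstation-vm/default.nix`, so whichever choice is made should be applied there too.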
@@ -1,17 +1,19 @@
 {
 inputs,
 outputs,
+ configLib,
 ...
 }:
 inputs.home-manager.lib.homeManagerConfiguration {
 pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
- extraSpecialArgs = {inherit inputs outputs;};
+ extraSpecialArgs = {inherit inputs outputs configLib;};
 modules = [
 inputs.nixvim.homeManagerModules.nixvim
 ({
 config,
 pkgs,
 lib,
+ configLib,
 ...
 }: {
 # machine specific options
diff --git a/hosts/workstation-vm/default.nix b/hosts/workstation-vm/default.nix
index 54a3e2b..a4285da 100644
--- a/hosts/workstation-vm/default.nix
+++ b/hosts/workstation-vm/default.nix
@@ -4,11 +4,12 @@
 {
 inputs,
 outputs,
+ configLib,
 ...
 }:
 inputs.nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- specialArgs = {inherit inputs outputs;};
+ specialArgs = {inherit inputs outputs configLib;};
 # > Our main nixos configuration file <
 modules = [
 inputs.home-manager.nixosModules.home-manager
@@ -20,10 +21,13 @@ inputs.nixpkgs.lib.nixosSystem {
 ../../configs/nixos/nfsv2.nix
 ../../configs/nixos/i3
 ../../configs/nixos/common.nix
+ ./secrets.nix
 ({
 config,
 pkgs,
 lib,
+ inputs,
+ configLib,
 ...
 }: {
 host = {
@@ -44,10 +48,15 @@ inputs.nixpkgs.lib.nixosSystem {
 xkb.variant = "";
 };
+ users.users.root.openssh.authorizedKeys.keys =
+ configLib.dirToStrings "${inputs.nix-secrets}/public-keys";
+
 programs.zsh.enable = true;
 environment.shells = with pkgs; [zsh];
 # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.mutableUsers = false;
 users.users.${config.host.user} = {
+ hashedPasswordFile = config.sops.secrets.gv-password.path;
 isNormalUser = true;
 description = "Gabe Venberg";
 shell = pkgs.zsh;
@@ -56,6 +65,7 @@ inputs.nixpkgs.lib.nixosSystem {
 firefox
 # thunderbird
 ];
+ openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
 };
 home-manager.users.${config.host.user} = {
diff --git a/hosts/workstation-vm/secrets.nix b/hosts/workstation-vm/secrets.nix
new file mode 100644
index 0000000..9836f31
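Review bot: With `users.mutableUsers = false;` and the only password for `${config.host.user}` coming from `config.sops.secrets.gv-password.path` in the `@@ -44` hunk, a failed decryption at activation (this host's key not yet a recipient of `common.yaml`, or the file missing) leaves the account without a usable password and root's SSH keys, if sshd is enabled, as the only way in. The recipient list should therefore be updated for this host's key before the first `switch`, and a `nixos-rebuild test` beforehand is cheaper than recovering a locked console. The `+ inputs,` added to the inner module's argument set in the `@@ -20` hunk is redundant — the enclosing file function already binds `inputs`, which is how `hosts/archlaptop-vm/default.nix` uses it without adding the argument — so one of the two files should match the other.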
--- /dev/null
+++ b/hosts/workstation-vm/secrets.nix
@@ -0,0 +1,20 @@
+{
+ inputs,
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ secretsDirectory = builtins.toString inputs.nix-secrets;
+in {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+ sops = {
+ defaultSopsFile = "${secretsDirectory}/common.yaml";
+ validateSopsFiles = false;
+ secrets.gv-password={
+ neededForUsers=true;
+ };
+ };
+}
diff --git a/hosts/wsl-workstation.nix b/hosts/wsl-workstation.nix
index 9a34603..928ebec 100644
--- a/hosts/wsl-workstation.nix
+++ b/hosts/wsl-workstation.nix
@@ -1,10 +1,11 @@
 {
 inputs,
 outputs,
+ configLib,
 }:
 inputs.nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- specialArgs = {inherit inputs outputs;};
+ specialArgs = {inherit inputs outputs configLib;};
 # > Our main nixos configuration file <
 modules = [
 inputs.home-manager.nixosModules.home-manager
@@ -13,6 +14,7 @@ inputs.nixpkgs.lib.nixosSystem {
 ({
 config,
 pkgs,
+ configLib,
 ...
 }: {
 wsl.enable = true;
diff --git a/justfile b/justfile
index 0dfdede..428b53f 100644
--- a/justfile
+++ b/justfile
@@ -3,14 +3,17 @@ default:
 nixos target=`hostname`:
 git add -AN
+ nix flake lock --update-input nix-secrets
 sudo nixos-rebuild --flake .#{{target}} switch
 home-manager target=(`whoami`+"@"+`hostname`):
 git add -AN
+ nix flake lock --update-input nix-secrets
 home-manager --flake .#{{target}} switch
 check:
 git add -AN
+ nix flake lock --update-input nix-secrets
 nix flake check --keep-going
 bootstrap-home-manager target=(`whoami`+"@"+`hostname`):
diff --git a/lib/default.nix b/lib/default.nix
new file mode 100644
index 0000000..5675bad
--- /dev/null
+++ b/lib/default.nix
@@ -0,0 +1,12 @@
+{lib}: {
+ dirToStrings = dir: (map (v: builtins.readFile "${dir}/${v}")
+ (builtins.filter (v:
+ (builtins.readFileType "${dir}/${v}") == "regular") (
+ if (builtins.pathExists dir && (builtins.readFileType dir) == "directory")
+ then
+ builtins.attrNames (
+ builtins.readDir dir
+ )
+ else []
+ )));
+}
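Review bot: `validateSopsFiles = false;` switches off the evaluation-time check that `common.yaml` exists and is a valid sops file, so a wrong filename or an unencrypted file is only noticed at activation on the target — and `gv-password` is what `hosts/workstation-vm/default.nix` uses as the user's `hashedPasswordFile`, so that late failure can mean a user with no password. Since `inputs.nix-secrets` is already in the Nix store the check should be able to run; it is worth retrying with validation on before relying on this secret for login, and if it must stay off, a comment with the reason belongs next to it. `lib` and `pkgs` are bound but unused in this module.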
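Review bot: Running `nix flake lock --update-input nix-secrets` inside `nixos`, `home-manager` and `check` re-resolves the input to the remote branch head on every invocation, so the `rev` and `narHash` pinned in `flake.lock` no longer gate what ends up in root's `authorizedKeys` or in the secrets files — whatever is on the remote at that moment is applied, under `sudo` in the `nixos` recipe. It also rewrites `flake.lock` as a side effect of a `check`. A dedicated recipe makes the bump an explicit, reviewable step: add `update-secrets:` with the body `    nix flake lock --update-input nix-secrets` and remove the three inline calls.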
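Review bot: `dirToStrings` returns the raw contents of every regular file directly under `dir`, and its only consumer in this commit feeds the result into root's `authorizedKeys.keys`, so any non-key file that lands in `public-keys` is installed verbatim as a root authorized key. Restricting the filter to key files, e.g. `builtins.filter (v: lib.hasSuffix ".pub" v && (builtins.readFileType "${dir}/${v}") == "regular")`, uses the otherwise unused `lib` argument and keeps stray files out. Symlinks are skipped because `readFileType` reports `symlink` rather than `regular`, and each string keeps the trailing newline from `builtins.readFile`; a header comment such as `# dirToStrings: contents of each regular file directly inside dir, or [] if dir is not an existing directory` would record both for the next caller.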