inital steps into sops-nix. figured out ssh pubkey management.

2024-05-31 21:05:06 -05:00 · 2024-05-31 21:05:06 -05:00 · 3d9e197056
parent a04727757b
commit 3d9e197056
11 changed files with 117 additions and 15 deletions
--- a/configs/home-manager/sops.nix
+++ b/configs/home-manager/sops.nix
@ -0,0 +1,22 @@
 {
  config,
  pkgs,
  lib,
  inputs,
  ...
 }: let
  secretsPath = builtins.toString inputs.nix-secrets;
 in {
  imports = [
    inputs.sops-nix.homeManagerModules.sops
  ];
  sops={
    defaultSopsFile="${secretsPath}/secrets.yaml";
    age={
      sshKeyPaths=["${config.home.homeDirectory}/keys/age/master.txt"];
      keyFile="/var/lib/sops-nix/key.txt";
      generateKey=true;
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -237,6 +237,23 @@
        "type": "github"
      }
    },
    "nix-secrets": {
      "flake": false,
      "locked": {
        "lastModified": 1717206943,
        "narHash": "sha256-TtBaZMGhA8fkQbt/RKJml992JFr/sdz4gqdIJeu6ltk=",
        "ref": "refs/heads/main",
        "rev": "3e19bf8fce17779c5f6fce5f8f894de8a5193fa2",
        "shallow": true,
        "type": "git",
        "url": "ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git"
      },
      "original": {
        "shallow": true,
        "type": "git",
        "url": "ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git"
      }
    },
    "nixos-wsl": {
      "inputs": {
        "flake-compat": [
@ -361,6 +378,7 @@
        "flake-compat": "flake-compat",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "nix-secrets": "nix-secrets",
        "nixos-wsl": "nixos-wsl",
        "nixpkgs": "nixpkgs",
        "nixvim": "nixvim",
--- a/flake.nix
+++ b/flake.nix
@ -42,6 +42,12 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-secrets = {
      url = "git+ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git?shallow=1";
      # url = "git+https://git.venberg.xyz/Gabe/nix-secrets.git?shallow=1";
      flake = false;
    };
    # just for follows statements
    flake-utils.url = "github:numtide/flake-utils";
    flake-compat.url = "github:edolstra/flake-compat";
@ -58,6 +64,8 @@
      "x86_64-linux"
      "aarch64-linux"
    ];
    inherit (nixpkgs) lib;
    configLib=import ./lib {inherit lib;};
  in {
    formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.alejandra);
@ -69,9 +77,6 @@
          packages = with pkgs; [
            just
            deploy-rs.packages.${system}.deploy-rs
            age
            ssh-to-age
            sops
          ];
        };
      }
@ -82,18 +87,18 @@
    # NixOS configuration entrypoint
    # Available through 'nixos-rebuild --flake .#your-hostname'
    nixosConfigurations = {
-      archlaptop-vm = import ./hosts/archlaptop-vm {inherit inputs outputs;};
+      archlaptop-vm = import ./hosts/archlaptop-vm {inherit inputs outputs configLib;};
-      workstation-vm = import ./hosts/workstation-vm {inherit inputs outputs;};
+      workstation-vm = import ./hosts/workstation-vm {inherit inputs outputs configLib;};
-      gv-wsl = import ./hosts/wsl-workstation.nix {inherit inputs outputs;};
+      gv-wsl = import ./hosts/wsl-workstation.nix {inherit inputs outputs configLib;};
    };
    # Standalone home-manager configuration entrypoint
    # Available through 'home-manager --flake .#your-username@your-hostname'
    homeConfigurations = {
-      "gabe@archlaptop" = import ./hosts/home-personal.nix {inherit inputs outputs;};
+      "gabe@archlaptop" = import ./hosts/home-personal.nix {inherit inputs outputs configLib;};
-      "gabe@linuxgamingrig" = import ./hosts/home-personal.nix {inherit inputs outputs;};
+      "gabe@linuxgamingrig" = import ./hosts/home-personal.nix {inherit inputs outputs configLib;};
-      "gabe@gv-workstation" = import ./hosts/home-workstation.nix {inherit inputs outputs;};
+      "gabe@gv-workstation" = import ./hosts/home-workstation.nix {inherit inputs outputs configLib;};
-      "gabe@gv-ubuntu" = import ./hosts/home-workstation.nix {inherit inputs outputs;};
+      "gabe@gv-ubuntu" = import ./hosts/home-workstation.nix {inherit inputs outputs configLib;};
    };
    templates = import ./templates {inherit inputs outputs;};
--- a/hosts/archlaptop-vm/default.nix
+++ b/hosts/archlaptop-vm/default.nix
@ -1,11 +1,12 @@
 {
  inputs,
  outputs,
  configLib,
  ...
 }:
 inputs.nixpkgs.lib.nixosSystem {
  system = "x86_64-linux";
-  specialArgs = {inherit inputs outputs;};
+  specialArgs = {inherit inputs outputs configLib;};
  # > Our main nixos configuration file <
  modules = [
    inputs.home-manager.nixosModules.home-manager
@ -19,6 +20,7 @@ inputs.nixpkgs.lib.nixosSystem {
    ({
      config,
      pkgs,
      configLib,
      ...
    }: {
      host = {
@ -39,6 +41,9 @@ inputs.nixpkgs.lib.nixosSystem {
        xkb.variant = "";
      };
      users.users.root.openssh.authorizedKeys.keys =
      configLib.dirToStrings "${inputs.nix-secrets}/public-keys";
      programs.zsh.enable = true;
      environment.shells = with pkgs; [zsh];
      # Define a user account. Don't forget to set a password with ‘passwd’.
@ -51,6 +56,7 @@ inputs.nixpkgs.lib.nixosSystem {
          firefox
          #  thunderbird
        ];
        openssh.authorizedKeys.keys=config.users.users.root.openssh.authorizedKeys.keys;
      };
      home-manager.users.${config.host.user} = {
--- a/hosts/home-personal.nix
+++ b/hosts/home-personal.nix
@ -1,16 +1,18 @@
 {
  inputs,
  outputs,
  configLib,
  ...
 }:
 inputs.home-manager.lib.homeManagerConfiguration {
  pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
-  extraSpecialArgs = {inherit inputs outputs;};
+  extraSpecialArgs = {inherit inputs outputs configLib;};
  modules = [
    ({
      config,
      pkgs,
      lib,
      configLib,
      ...
    }: {
      # machine specific options
--- a/hosts/home-workstation.nix
+++ b/hosts/home-workstation.nix
@ -1,17 +1,19 @@
 {
  inputs,
  outputs,
  configLib,
  ...
 }:
 inputs.home-manager.lib.homeManagerConfiguration {
  pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
-  extraSpecialArgs = {inherit inputs outputs;};
+  extraSpecialArgs = {inherit inputs outputs configLib;};
  modules = [
    inputs.nixvim.homeManagerModules.nixvim
    ({
      config,
      pkgs,
      lib,
      configLib,
      ...
    }: {
      # machine specific options
--- a/hosts/workstation-vm/default.nix
+++ b/hosts/workstation-vm/default.nix
@ -4,11 +4,12 @@
 {
  inputs,
  outputs,
  configLib,
  ...
 }:
 inputs.nixpkgs.lib.nixosSystem {
  system = "x86_64-linux";
-  specialArgs = {inherit inputs outputs;};
+  specialArgs = {inherit inputs outputs configLib;};
  # > Our main nixos configuration file <
  modules = [
    inputs.home-manager.nixosModules.home-manager
@ -20,10 +21,13 @@ inputs.nixpkgs.lib.nixosSystem {
    ../../configs/nixos/nfsv2.nix
    ../../configs/nixos/i3
    ../../configs/nixos/common.nix
    ./secrets.nix
    ({
      config,
      pkgs,
      lib,
      inputs,
      configLib,
      ...
    }: {
      host = {
@ -44,10 +48,15 @@ inputs.nixpkgs.lib.nixosSystem {
        xkb.variant = "";
      };
      users.users.root.openssh.authorizedKeys.keys =
        configLib.dirToStrings "${inputs.nix-secrets}/public-keys";
      programs.zsh.enable = true;
      environment.shells = with pkgs; [zsh];
      # Define a user account. Don't forget to set a password with ‘passwd’.
      users.mutableUsers = false;
      users.users.${config.host.user} = {
        hashedPasswordFile = config.sops.secrets.gv-password.path;
        isNormalUser = true;
        description = "Gabe Venberg";
        shell = pkgs.zsh;
@ -56,6 +65,7 @@ inputs.nixpkgs.lib.nixosSystem {
          firefox
          #  thunderbird
        ];
        openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
      };
      home-manager.users.${config.host.user} = {
--- a/hosts/workstation-vm/secrets.nix
+++ b/hosts/workstation-vm/secrets.nix
@ -0,0 +1,20 @@
 {
  inputs,
  config,
  lib,
  pkgs,
  ...
 }: let
  secretsDirectory = builtins.toString inputs.nix-secrets;
 in {
  imports = [
    inputs.sops-nix.nixosModules.sops
  ];
  sops = {
    defaultSopsFile = "${secretsDirectory}/common.yaml";
    validateSopsFiles = false;
    secrets.gv-password={
      neededForUsers=true;
    };
  };
 }
--- a/hosts/wsl-workstation.nix
+++ b/hosts/wsl-workstation.nix
@ -1,10 +1,11 @@
 {
  inputs,
  outputs,
  configLib,
 }:
 inputs.nixpkgs.lib.nixosSystem {
  system = "x86_64-linux";
-  specialArgs = {inherit inputs outputs;};
+  specialArgs = {inherit inputs outputs configLib;};
  # > Our main nixos configuration file <
  modules = [
    inputs.home-manager.nixosModules.home-manager
@ -13,6 +14,7 @@ inputs.nixpkgs.lib.nixosSystem {
    ({
      config,
      pkgs,
      configLib,
      ...
    }: {
      wsl.enable = true;
--- a/3
+++ b/3
@ -3,14 +3,17 @@ default:
 nixos target=`hostname`:
    git add -AN
    nix flake lock --update-input nix-secrets
    sudo nixos-rebuild --flake .#{{target}} switch
 home-manager target=(`whoami`+"@"+`hostname`):
    git add -AN
    nix flake lock --update-input nix-secrets
    home-manager --flake .#{{target}} switch
 check:
    git add -AN
    nix flake lock --update-input nix-secrets
    nix flake check --keep-going
 bootstrap-home-manager target=(`whoami`+"@"+`hostname`):
--- a/lib/default.nix
+++ b/lib/default.nix
@ -0,0 +1,12 @@
 {lib}: {
  dirToStrings = dir: (map (v: builtins.readFile "${dir}/${v}")
    (builtins.filter (v:
      (builtins.readFileType "${dir}/${v}") == "regular") (
      if (builtins.pathExists dir && (builtins.readFileType dir) == "directory")
      then
        builtins.attrNames (
          builtins.readDir dir
        )
      else []
    )));
 }