diff --git a/README.md b/README.md
index dc340a7..61bc872 100644
--- a/README.md
+++ b/README.md
@@ -27,3 +27,7 @@ Each host *must* import `configs/nixos/common.nix` in the top level and `configs
 Each host *must also* define the variables declared in `modules/hostopts.nix`.
 * Modules are always imported by the respective common.nix. They each have an enable option, and only have effects if enabled.
 * Roles are larger bundles of software and options. They define packages to be installed and may import configurations or enable modules.
+
+## Secrets
+This repo uses nix-sops for secrets management, with the encrypted secrets being stored in a private repo imported as an input.
+if the `nix-secrets` input is commented out, the repo should still build, gracefully degrading to default, non-secret, values.
diff --git a/configs/home-manager/email.nix b/configs/home-manager/email.nix
index 35caa95..5860a9b 100644
--- a/configs/home-manager/email.nix
+++ b/configs/home-manager/email.nix
@@ -24,7 +24,7 @@
 
 programs.himalaya.enable = true;
 
- accounts.email.accounts.gmail = {
+ accounts.email.accounts.gmail = lib.mkIf (lib.hasAttrByPath ["sops" "secrets" "gmail-password"] config) {
 address = "gabevenberg@gmail.com";
 primary = true;
 flavor = "gmail.com";
diff --git a/configs/home-manager/secrets.nix b/configs/home-manager/secrets.nix
index f1a94da..000ee9b 100644
--- a/configs/home-manager/secrets.nix
+++ b/configs/home-manager/secrets.nix
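Review bot: The guard on the replaced line, `lib.hasAttrByPath ["sops" "secrets" "gmail-password"] config`, keys on whether the secret has been declared, while every other hunk in this commit keys on `inputs ? nix-secrets`; the two only agree because each host wraps its `sops.secrets` in that same input check, so the dependency deserves a comment, e.g. `# only define the account when the host has declared the gmail-password secret (hosts do so only when the nix-secrets input is present)`. Keep hasAttrByPath rather than a plain `config.sops.secrets ? gmail-password`, since it also returns false on a host that never imports the sops-nix module, but say so in the comment. The module's argument header is outside the hunk, so `lib` must be among its arguments — the archlaptop-vm hunk had to add `lib` for exactly this reason. The same applies to the configs/home-manager/tiny-irc.nix hunk.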
@@ -5,15 +5,17 @@
 pkgs,
 ...
 }: let
- secretsDirectory = builtins.toString inputs.nix-secrets;
+ secretsDirectory = builtins.toString (inputs.nix-secrets or "");
 in {
- sops = {
- defaultSopsFile = "${secretsDirectory}/common.yaml";
- validateSopsFiles = false;
- age = {
- sshKeyPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"];
- keyFile = "${config.home.homeDirectory}/.config/sops-nix/key.txt";
- generateKey = true;
+ config = lib.mkIf (inputs ? nix-secrets) {
+ sops = {
+ defaultSopsFile = "${secretsDirectory}/common.yaml";
+ validateSopsFiles = false;
+ age = {
+ sshKeyPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"];
+ keyFile = "${config.home.homeDirectory}/.config/sops-nix/key.txt";
+ generateKey = true;
+ };
 };
 };
 }
diff --git a/configs/home-manager/tiny-irc.nix b/configs/home-manager/tiny-irc.nix
index e0e0bb0..a9bbc66 100644
--- a/configs/home-manager/tiny-irc.nix
+++ b/configs/home-manager/tiny-irc.nix
@@ -29,7 +29,7 @@
 "#gamingonlinux"
 "##chat"
 ];
- sasl = {
+ sasl = lib.mkIf (lib.hasAttrByPath ["sops" "secrets" "irc-cert"] config) {
 username = "toric";
 pem = config.sops.secrets.irc-cert.path;
 };
diff --git a/configs/nixos/common.nix b/configs/nixos/common.nix
index d7559b1..ec2f3a5 100644
--- a/configs/nixos/common.nix
+++ b/configs/nixos/common.nix
@@ -4,7 +4,10 @@
 inputs,
 lib,
 ...
-}: {
+}: let
+ # hash for "nixos"
+ defaultPasswordHash = "$y$j9T$u0O3PELyRv3GOemCReQhA0$Qb4Sl6dXnafYwZeDYrJGwS4xp3v6vGriWFMYomHH2w3";
+in {
 nix = {
 package = pkgs.nixFlakes;
 extraOptions = ''
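Review bot: The `or ""` fallback on the replaced `secretsDirectory` line is redundant and slightly misleading: the only use of the binding is `defaultSopsFile` inside the new `lib.mkIf (inputs ? nix-secrets)` block, which the module system does not evaluate when the condition is false, so the fallback can never be observed — and if the guard were ever loosened it would silently point sops at `/common.yaml`. Either drop the `or ""` and let laziness do the work, or keep it with a comment such as `# unused when the input is absent; the whole sops block is gated below`. The configs/nixos/secrets.nix hunk has the same fallback, and it additionally introduces `defaultSopsFile`, which the old NixOS block did not set — that changes where secrets without an explicit `sopsFile` resolve and is worth a sentence in the commit message. Both files' bodies are fully visible in their hunks.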
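Review bot: The new `defaultPasswordHash` binding is documented only as `# hash for "nixos"`, yet the later hunk in this file makes it the password of both the main user and root whenever the nix-secrets input is absent, so its scope should be stated where it is defined, e.g. `# yescrypt ("$y$") hash of the literal password "nixos"; fallback for the user and for root only when the nix-secrets input is absent (throwaway/test builds)`. A reader who opens this file without the secrets context should not mistake a publicly known credential for a real one.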
@@ -40,15 +43,22 @@
 programs.zsh.enable = lib.mkDefault true;
 environment.shells = lib.mkDefault [pkgs.zsh];
 
- users.mutableUsers = false;
+ # if we arent setting our password from nix secrets, we need to allow changing it.
+ users.mutableUsers = !inputs ? nix-secrets;
 users.users.${config.host.user} = {
 isNormalUser = true;
- hashedPassword = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash");
+ hashedPassword =
+ if inputs ? nix-secrets
+ then (lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"))
+ else defaultPasswordHash;
 description = config.host.fullName;
 shell = pkgs.zsh;
 extraGroups = ["wheel"];
 };
- # users.users.root.password = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash");
+ users.users.root.password =
+ if inputs ? nix-secrets
+ then (lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"))
+ else defaultPasswordHash;
 
 imports = [
 ../../modules/hostopts.nix
diff --git a/configs/nixos/secrets.nix b/configs/nixos/secrets.nix
index 98c065e..673f1ff 100644
--- a/configs/nixos/secrets.nix
+++ b/configs/nixos/secrets.nix
@@ -5,17 +5,20 @@
 pkgs,
 ...
 }: let
- secretsDirectory = builtins.toString inputs.nix-secrets;
+ secretsDirectory = builtins.toString (inputs.nix-secrets or "");
 in {
 imports = [
 inputs.sops-nix.nixosModules.sops
 ];
- sops = {
- validateSopsFiles = false;
- age = {
- sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
- keyFile = "/var/lib/sops-nix/key.txt";
- generateKey = true;
+ config = lib.mkIf (inputs ? nix-secrets) {
+ sops = {
+ defaultSopsFile = "${secretsDirectory}/common.yaml";
+ validateSopsFiles = false;
+ age = {
+ sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
 };
 };
 }
diff --git a/configs/nixos/sshd.nix b/configs/nixos/sshd.nix
index e424d94..341a261 100644
--- a/configs/nixos/sshd.nix
+++ b/configs/nixos/sshd.nix
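Review bot: `users.users.root.password` on the added lines is the NixOS clear-text password option, but it is assigned a password hash — the very same value that `hashedPassword` receives for the main user a few lines up — so root's actual password becomes the literal hash string; the line should read `users.users.root.hashedPassword =`, mirroring the user definition. `users.mutableUsers = !inputs ? nix-secrets` is correct as written (`?` binds tighter than `!`), but the fallback to the "nixos" hash means any host built without the nix-secrets input has a publicly known password for both root and the wheel user, which the `# if we arent setting our password…` comment should say explicitly, e.g. `# without the nix-secrets input both accounts fall back to the well-known "nixos" password; only acceptable for throwaway builds`. The sshd.nix hunk empties the authorized-key list in the same situation but does not show the openssh PasswordAuthentication/PermitRootLogin settings, so confirm that password login over ssh is not what remains. The enclosing attrset continues outside the hunk.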
@@ -16,8 +16,11 @@
 kitty.terminfo
 ];
 
- users.users.root.openssh.authorizedKeys.keys =
- lib.mkDefault (configLib.dirToStrings "${inputs.nix-secrets}/public-keys");
+ users.users.root.openssh.authorizedKeys.keys = lib.mkDefault (
+ if inputs ? nix-secrets
+ then (configLib.dirToStrings "${inputs.nix-secrets}/public-keys")
+ else []
+ );
 # if it can log into root, it should also be able to log in to the main user.
 users.users.${config.host.user}.openssh.authorizedKeys.keys =
 config.users.users.root.openssh.authorizedKeys.keys;
diff --git a/hosts/archlaptop-vm/default.nix b/hosts/archlaptop-vm/default.nix
index 65ae846..82562de 100644
--- a/hosts/archlaptop-vm/default.nix
+++ b/hosts/archlaptop-vm/default.nix
@@ -43,6 +43,7 @@ inputs.nixpkgs.lib.nixosSystem {
 home-manager.users.${config.host.user} = {
 inputs,
 osConfig,
+ lib,
 ...
 }: {
 host = osConfig.host;
@@ -59,11 +60,12 @@ inputs.nixpkgs.lib.nixosSystem {
 ../../roles/home-manager/terminal.nix
 ../../configs/home-manager/common.nix
 ../../configs/home-manager/email.nix
+ ../../configs/home-manager/tiny-irc.nix
 inputs.nixvim.homeManagerModules.nixvim
 ../../configs/home-manager/secrets.nix
 ];
 
- sops = {
+ sops = lib.mkIf (inputs ? nix-secrets) {
 secrets = {
 gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
 irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
diff --git a/hosts/home-personal.nix b/hosts/home-personal.nix
index 7a17afe..1e1496e 100644
--- a/hosts/home-personal.nix
+++ b/hosts/home-personal.nix
@@ -41,7 +41,7 @@ inputs.home-manager.lib.homeManagerConfiguration {
 inputs.sops-nix.homeManagerModules.sops
 ];
 
- sops = {
+ sops = lib.mkIf (inputs ? nix-secrets) {
 secrets = {
 gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
 irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
diff --git a/hosts/home-workstation.nix b/hosts/home-workstation.nix
index fb6360d..38eb0b4 100644
--- a/hosts/home-workstation.nix
+++ b/hosts/home-workstation.nix
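Review bot: The added `else []` leaves root with no authorized keys when the nix-secrets input is absent, and the context lines copy that list to the main user, so a defaulted host has no key-based ssh login at all; together with the well-known fallback password from configs/nixos/common.nix, password authentication would be the only remaining path, and this hunk does not show whether `services.openssh.settings.PasswordAuthentication` or `PermitRootLogin` restrict it. A comment on the new lines should make that coupling visible, e.g. `# no public keys without the secrets input; relies on password auth being disabled for ssh`. The if/then/else can also be the shorter `lib.mkDefault (lib.optionals (inputs ? nix-secrets) (configLib.dirToStrings "${inputs.nix-secrets}/public-keys"))`, which reads as "the keys, when the input is present". The surrounding attrset continues outside the hunk.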
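Review bot: `sops = lib.mkIf (inputs ? nix-secrets) { … }` on the replaced line is the fourth copy of the same guard in this commit (also in hosts/home-personal.nix, hosts/home-workstation.nix and both secrets.nix files), and home-workstation spells it `inputs?nix-secrets` without spaces; since this host already receives `inputs` and `osConfig` as home-manager module arguments, a single boolean defined once and passed the same way (say `hasSecrets = inputs ? nix-secrets;`) would keep the six sites from drifting. The `sopsFile` lines inside the block only stay safe because the module system skips the content of a false `mkIf`, which is worth a short comment at the first site, e.g. `# content is not evaluated when the input is missing, so the interpolation below cannot fail`. The sops attrset continues outside the hunk.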
@@ -40,12 +40,12 @@ inputs.home-manager.lib.homeManagerConfiguration {
 ../roles/home-manager/terminal.nix
 ../configs/home-manager/common.nix
 ../configs/home-manager/syncthing.nix
- ../../configs/home-manager/tiny-irc.nix
+ ../configs/home-manager/tiny-irc.nix
 ../configs/home-manager/secrets.nix
 inputs.sops-nix.homeManagerModules.sops
 ];
 
- sops = {
+ sops = lib.mkIf (inputs?nix-secrets) {
 secrets = {
 irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
 };