diff --git a/configurations/host/waffentrager/configuration.nix b/configurations/host/waffentrager/configuration.nix
index 4ce7b9e..1423faf 100644
--- a/configurations/host/waffentrager/configuration.nix
+++ b/configurations/host/waffentrager/configuration.nix
@@ -26,6 +26,7 @@
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEDY+H8Hc/RSLE064AAh8IojvqxPd8BE5gec2aOfYMh materus@podkos.pl"
 ];
+ hashedPasswordFile = config.sops.secrets."users/materus".path;
 };
 nix = {
diff --git a/configurations/host/waffentrager/secrets/default.nix b/configurations/host/waffentrager/secrets/default.nix
new file mode 100644
index 0000000..a0dba32
--- /dev/null
+++ b/configurations/host/waffentrager/secrets/default.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, lib, materusCfg, ... }:
+{
+ imports =
+ [
+
+ ] ++ (if (materusCfg.materusFlake.decrypted) then [ ./private ] else [ ]);
+
+ sops.age.generateKey = false;
+ sops.gnupg.home = null;
+ sops.gnupg.sshKeyPaths = [ ];
+ sops.defaultSopsFile = materusCfg.hostPath + "/secrets/secrets.yaml";
+
+ services.openssh.hostKeys = [
+ {
+ bits = 4096;
+ path = "/materus/root/ssh_host_rsa_key";
+ type = "rsa";
+ }
+ {
+ path = "/materus/root/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ sops.secrets.wireguard = { };
+ sops.secrets."users/materus" = { neededForUsers = true; };
+
+}
diff --git a/configurations/host/waffentrager/secrets/private/default.nix b/configurations/host/waffentrager/secrets/private/default.nix
new file mode 100644
index 0000000..2b36e7a
Binary files /dev/null and b/configurations/host/waffentrager/secrets/private/default.nix differ
diff --git a/configurations/host/waffentrager/secrets/secrets.yaml b/configurations/host/waffentrager/secrets/secrets.yaml
new file mode 100644
index 0000000..8bf7f0f
--- /dev/null
+++ b/configurations/host/waffentrager/secrets/secrets.yaml
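Review bot: `hashedPasswordFile = config.sops.secrets."users/materus".path;` in configuration.nix only evaluates if the new secrets module is imported into this host's configuration, and that import is not part of this commit as shown; if it is missing, evaluation fails on the unknown `sops.secrets."users/materus"` attribute, and if a `password`/`initialPassword` is still set on this user elsewhere, NixOS warns and one of them silently wins. The file the path points at must contain a crypt-style hash (as `mkpasswd` produces), not the cleartext password, and because the secret is declared `neededForUsers = true` it is decrypted in the early users activation step, so the decryption key must already be readable then. A one-line comment next to the assignment would prevent both mistakes: `# crypt hash (mkpasswd), decrypted by sops-nix before users are created; key material must be readable at that point — see secrets/default.nix`. The enclosing attribute set (presumably the `users.users` entry for materus, given the adjacent `openssh.authorizedKeys.keys`) starts outside the hunk.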
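Review bot: Nothing in secrets/default.nix states which key decrypts `secrets.yaml`: `sops.age.generateKey = false`, GnuPG is disabled via `sops.gnupg.home = null` and `sops.gnupg.sshKeyPaths = [ ]`, and no `sops.age.keyFile` is set, so decryption relies on sops-nix's default of deriving the age identity from the ed25519 entries of `services.openssh.hostKeys`, i.e. `/materus/root/ssh_host_ed25519_key`. That coupling should be made explicit, `sops.age.sshKeyPaths = [ "/materus/root/ssh_host_ed25519_key" ];`, so a later edit to `hostKeys` cannot silently break decryption, and the comment should say that the `age1j34…` recipient in secrets.yaml must be the one derived from that exact host key or the `users/materus` secret (and with it the account password) is unavailable at boot. Since that secret is `neededForUsers = true`, the key file has to be readable during the early users activation step; if `/materus` is a separate filesystem it presumably needs `neededForBoot = true`, which is worth noting here. The `imports = [ ] ++ (if … then [ ./private ] else [ ])` construct reads more simply as `imports = lib.optional materusCfg.materusFlake.decrypted ./private;`, and because `private/default.nix` lands in the repository as a binary (apparently encrypted-at-rest) file, a comment naming the tool that encrypts it and what `materusFlake.decrypted` gates would save the next reader a search.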
@@ -0,0 +1,35 @@
+wireguard: ENC[AES256_GCM,data:QLngCAtEa6wfRRrZwywbARhsS1oGj9+hGTlC1QV6xnRmlZLorAoftGb8jTg=,iv:rNbE0tfJKTjo0pPwfw3oKxOZmSO9PGgW/xDo9zi8lCU=,tag:ZT4mfXaToiR6SjzOwSz4HA==,type:str]
+users:
+ materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1j34lqh0z6ak2c94n564wgyjeykn9srma34f5e5e7xvf498fwk3rqxvwx0l
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvejRrcGVwZHNkTVB5dkYr
+ RnhVVjNEblFVd0xXSStqdjFhWVVNS3ljUTNZCnBFVmRRVVVENGhJUVg2L1lSM1NO
+ dkQydVhOaFVxd0p0aFhVcmp6eXdGeVEKLS0tIFIvRDlvZDdsbm1USEZUZ3FYMmla
+ eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
+ ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-03-21T18:19:14Z"
+ mac: ENC[AES256_GCM,data:W+DPXTyAZCMawijkbvNNe6UItS4ZVHY4qZ7hDOGkaMlziu9+e1awkvgmqg7H7gM0DgoAz17UE4uVIGB9Y/fnSc80Rk9sPZoNP8wnTwqzujmCyYIroi570aNQuNc6riTgaNcrSEefkzoATRUJvjbv63m+Sp5Vbl1kXepD3qaDDAU=,iv:HLOBwzemB8kqAE2DLoWeIIUUmp9i913bTG0onNdHAWY=,tag:cW0gP2TlUPY42NkWiWqICg==,type:str]
+ pgp:
+ - created_at: "2024-03-21T18:15:00Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D5fSX77p80GYSAQdAWetrf0jhs/b9qcQc4b21+PJUPdSjk372BjokfwJ2oXQw
+ 4LaIaNB3LRmY4FF3UOqk28NwkwBw6n0AzYKC/k1G4ntaNBMI9eDtFJ1c1+KkxSl2
+ 1GYBCQIQMCKcu2aBEMiIGOyG08vcRW2T23DUAfTQqQdRKD/SgSTqAZLSICVJ91xU
+ TBsdiPBKO2cRDfPc7DlVLbPNe/SUqVUX9N4GTGPUocXc1s6lvgx3NBP5cGoSNx+A
+ xCmXl373IDc=
+ =uSyc
+ -----END PGP MESSAGE-----
+ fp: 28D140BCA60B4FD1
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1