From 8218e3e8cb6c5b941fb48a9e618be15976ec6fc2 Mon Sep 17 00:00:00 2001
From: materus
Date: Sat, 2 Mar 2024 22:36:43 +0100
Subject: [PATCH] materusPC: prepare sops
---
 .gitattributes | 1 +
 configurations/home/genHomes.nix | 2 ++
 configurations/host/default.nix | 1 +
 configurations/host/materusPC/default.nix | 2 ++
 .../host/materusPC/secrets/default.nix | 27 +++++++++++++++++
 .../materusPC/secrets/private/default.nix | 7 +++++
 .../host/materusPC/secrets/users.json | 29 +++++++++++++++++++
 7 files changed, 69 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 configurations/host/materusPC/secrets/default.nix
 create mode 100644 configurations/host/materusPC/secrets/private/default.nix
 create mode 100644 configurations/host/materusPC/secrets/users.json
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..0c08582
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+private/** filter=git-crypt diff=git-crypt
diff --git a/configurations/home/genHomes.nix b/configurations/home/genHomes.nix
index 570d0b4..964b193 100644
--- a/configurations/home/genHomes.nix
+++ b/configurations/home/genHomes.nix
@@ -20,6 +20,7 @@ let
 ../host/${host}/extraHome.nix
 profiles.homeProfile
 inputs.private.homeModule
+ materusFlake.nixosConfigurations.${host}.materusCfg.configInputs.sops-nix.homeManagerModules.sops
 ];
 };
 }]
@@ -46,6 +47,7 @@ let
 ./${username}
 profiles.homeProfile
 inputs.private.homeModule
+ materusCfg.configInputs.sops-nix.homeManagerModules.sops
 ];
 };
 };
diff --git a/configurations/host/default.nix b/configurations/host/default.nix
index 7f9504c..be79c51 100644
--- a/configurations/host/default.nix
+++ b/configurations/host/default.nix
@@ -25,6 +25,7 @@ let
 ./${host}
 inputs.private.systemModule
 profiles.osProfile
+ materusCfg.configInputs.sops-nix.nixosModules.sops
 ] ++ extraModules;
 }) // { inherit materusCfg; };
 in
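Review bot: The pattern `private/**` contains a slash before its end, so gitattributes anchors it to the directory of the `.gitattributes` file and it matches only a top-level `private/` directory; the `configurations/host/materusPC/secrets/private/` directory created in this same commit is therefore not covered, and anything placed there would be committed in cleartext. Use `**/private/** filter=git-crypt diff=git-crypt` to match a `private` directory at any depth, and confirm with `git check-attr filter configurations/host/materusPC/secrets/private/default.nix` before relying on it. Files already tracked at a matching path before the attribute took effect stay in cleartext until they are re-added, so that check is worth running after the fix as well.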
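Review bot: The sops home-manager module is reached through two different expressions in the same file: `materusFlake.nixosConfigurations.${host}.materusCfg.configInputs.sops-nix.homeManagerModules.sops` in the first hunk and `materusCfg.configInputs.sops-nix.homeManagerModules.sops` in the second. If `materusCfg` in the first hunk's scope refers to the same per-host attribute set, the shorter form would keep the two module lists consistent; if it does not, a one-line comment saying why the host configuration must be looked up through `materusFlake.nixosConfigurations` would spare the next reader the question. Both enclosing `let` bindings begin outside the hunks.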
diff --git a/configurations/host/materusPC/default.nix b/configurations/host/materusPC/default.nix
index 60540b1..1949c21 100644
--- a/configurations/host/materusPC/default.nix
+++ b/configurations/host/materusPC/default.nix
@@ -5,6 +5,7 @@
 ./hardware
 ./vm
+ ./secrets
 ./scripts.nix
 ./tmp.nix
@@ -12,6 +13,7 @@
 ./kde.nix
 ];
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 system.copySystemConfiguration = false;
diff --git a/configurations/host/materusPC/secrets/default.nix b/configurations/host/materusPC/secrets/default.nix
new file mode 100644
index 0000000..68a9856
--- /dev/null
+++ b/configurations/host/materusPC/secrets/default.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+{
+ imports =
+ [
+ ];
+ sops.age.keyFile = "/materus/root/age.key";
+ sops.age.generateKey = false;
+ sops.gnupg.home = null;
+ sops.gnupg.sshKeyPaths = [];
+ sops.secrets.users.materus = {
+ format = "json";
+ sopsFile = ./users.json;
+ };
+
+ services.openssh.hostKeys = [
+ {
+ bits = 4096;
+ path = "/materus/root/ssh_host_rsa_key";
+ type = "rsa";
+ }
+ {
+ path = "/materus/root/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+
+}
diff --git a/configurations/host/materusPC/secrets/private/default.nix b/configurations/host/materusPC/secrets/private/default.nix
new file mode 100644
index 0000000..89cbd0c
--- /dev/null
+++ b/configurations/host/materusPC/secrets/private/default.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, lib, ... }:
+{
+ imports =
+ [
+ ];
+
+}
diff --git a/configurations/host/materusPC/secrets/users.json b/configurations/host/materusPC/secrets/users.json
new file mode 100644
index 0000000..a891aaf
--- /dev/null
+++ b/configurations/host/materusPC/secrets/users.json
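Review bot: `sops.secrets.users.materus = { ... }` in the new secrets module declares a secret named `users` and then sets an attribute `materus` on it, which is not one of the sops-nix secret options (`key`, `format`, `sopsFile`, `owner`, `mode`, ...), so evaluation is likely to fail with an undefined-option error; sops-nix addresses a nested key in the sops file with a slash in the secret name, i.e. `sops.secrets."users/materus" = { format = "json"; sopsFile = ./users.json; };`. If these values are meant to feed `users.users.<name>.hashedPasswordFile`, also set `neededForUsers = true;` on the secret so it is decrypted before the users are created; that happens during early activation, so the age key at `/materus/root/age.key` must be readable then — if `/materus` is a separate filesystem, it presumably needs `neededForBoot = true`, which is worth confirming on this host. With `sops.age.generateKey = false` a missing key file makes activation fail instead of silently creating a new, useless key, which is the right choice here and deserves a one-line comment saying so.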
@@ -0,0 +1,29 @@
+{
+ "users": {
+ "materus": "ENC[AES256_GCM,data:rB089alZTUAB24VX76vg7dOdQdWa12/rVXdSKNj80TTQhXu1Alw1l697BbzuOwlkcj+OaeV+cU+rPgXPIPVjnQlyHJNNC9VPUg==,iv:uWjjrvnwEZERsJDw6bAe3qcHO5zl6bCK9rv4MZbXCnU=,tag:QvMjcefg2xHsfXdJs5KguQ==,type:str]",
+ "root": "ENC[AES256_GCM,data:sbq8UeP6QmJ7gRa8RlL4/upy1y5RhWRrU+THCs1Sdc1vZy6s7pJThZeT/GEe9WNYFvbRjgTorkaKpTBp2Xar/fW52EuqSM+P0Q==,iv:Hm//gIpCqYA9aemq4VAly31U9niy/xYYrTghlBbXKSc=,tag:J8VT7nFRrTOHA8wIlOUw+g==,type:str]"
+ },
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1fq9ckkwtgvm69w045rf9pgurnhch6ukdxejr8yxgrthn7j8vp48qvd9rkx",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2a21FTnMwM3JIZmhWSExI\naUJXVUZVVDZ4VFRXTXJ6R0hKY1VkZWQwejJNClB1NS9vWXRrendOSmpobjZ6ZGJv\na2cwR2lNcm96aEtjMktpWmUwZTdxWEUKLS0tIDF4b2tyQ24yMVQ1citpdDZUMUt5\nRGZIV3ZaakY3aDFjek9Hdklpb01IaTAKGwMh6ZPBRnBRTzMzYM2qfgqPcDhxcdnB\nVI3v6eQMpJcqfKg8t2RtPoS0sXItEIGb22O1cqv7lqsDNFTfJFsKcQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2024-03-02T21:30:11Z",
+ "mac": "ENC[AES256_GCM,data:k1L4cZJD+o8oxCxD0DaF7596Oca4npFQSKKG7XQzkLJdCEyq1u51waCXcOn976lipgCPrgPlnc1Ad8QpRjvkROaUjFVq3NH/dUtEQa+haWHTQC58kVJU+hzE8NPv6fId+m5z1nu4KRhHoFoMOtuiXc/XLR8yLejIg17d+ncKokA=,iv:YOiwx2NX/piw43E74B/kWwr+zw02DLqiOxe5vVgK0gI=,tag:TdEHcJmwNMTos9T/tpT1pQ==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2024-03-02T20:47:34Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4D5fSX77p80GYSAQdA12LSQRZXdxMZVUaMilMqDfY2f9Zx25S5wxsvg4HirjEw\nI2SIG1eW6MZaeFqJc3rEHEx6SY0igFy+gpwWr6KugBTdJmXVJgh6aG5fsv7z00Rx\n1GYBCQIQ1hXRnsn6UsaNcFaqv1WCsIc+h5WLIFZeB3Jrwdzy8YeVv8WYkNlbrni8\nihQnWhOwWfzjOYpmee1goRAqKBrbqHBouJwZJH6V7ZGUDfOMU63gvpmdKhUu2ML6\nw7swxzkrglo=\n=g87z\n-----END PGP MESSAGE-----",
+ "fp": "28D140BCA60B4FD1"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.8.1"
+ }
+}
\ No newline at end of file
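Review bot: The file is encrypted to two independent recipients, the age recipient `age1fq9ckkwtgvm69w045rf9pgurnhch6ukdxejr8yxgrthn7j8vp48qvd9rkx` and the PGP key `28D140BCA60B4FD1`, so either private key on its own decrypts both password entries; that is a reasonable recovery path but should be a deliberate choice, and the `fp` value is a 16-hex-digit long key ID rather than the full 40-hex-digit fingerprint — sops resolves either through gpg, but re-keying with the full fingerprint identifies the key unambiguously. The commit's diffstat shows no `.sops.yaml`, so future secret files will not automatically get this recipient set; a `creation_rules` entry for `configurations/host/materusPC/secrets/` plus `sops updatekeys` on this file would keep them aligned. The data holds a `root` entry next to `materus`, but the secrets module added in this commit only references `materus`, so `root` is currently unused or is consumed somewhere outside the patch.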