From a76b42c3dab971bd169232af91f404116fa85fd7 Mon Sep 17 00:00:00 2001 From: materus Date: Fri, 22 Mar 2024 00:00:20 +0100 Subject: [PATCH] valkyrie: move secrets --- configurations/host/valkyrie/default.nix | 5 +-- .../materus/default.nix} | 4 +-- .../host/valkyrie/secrets/default.nix | 27 ++++++++++++++ .../host/valkyrie/secrets/private/default.nix | Bin 0 -> 5557 bytes .../host/valkyrie/secrets/secrets.yaml | 33 ++++++++++++++++++ 5 files changed, 65 insertions(+), 4 deletions(-) rename configurations/host/valkyrie/{extraHome.nix => home/materus/default.nix} (85%) create mode 100644 configurations/host/valkyrie/secrets/default.nix create mode 100644 configurations/host/valkyrie/secrets/private/default.nix create mode 100644 configurations/host/valkyrie/secrets/secrets.yaml diff --git a/configurations/host/valkyrie/default.nix b/configurations/host/valkyrie/default.nix index cba3715..d48368c 100644 --- a/configurations/host/valkyrie/default.nix +++ b/configurations/host/valkyrie/default.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running `nixos-help`). -{ config, pkgs, materusArg, ... }: +{ pkgs, materusArg, ... }: { imports = @@ -10,6 +10,7 @@ # Include the results of the hardware scan. ./hardware-configuration.nix ./services + ./secrets ]; materus.profile.nix.enable = true; @@ -69,7 +70,7 @@ users.users.materus = { isNormalUser = true; extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - packages = with pkgs; [ + packages = [ ]; openssh.authorizedKeys.keyFiles = [ ("${materusArg.cfg.path}" + "/extraFiles/keys/ssh/materus.pub") ]; }; diff --git a/configurations/host/valkyrie/extraHome.nix b/configurations/host/valkyrie/home/materus/default.nix similarity index 85% rename from configurations/host/valkyrie/extraHome.nix rename to configurations/host/valkyrie/home/materus/default.nix index e1707ab..5d09242 100644 --- a/configurations/host/valkyrie/extraHome.nix 
+++ b/configurations/host/valkyrie/home/materus/default.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ ... }: { home.stateVersion = "23.05"; home.homeDirectory = "/home/materus"; @@ -10,7 +10,7 @@ enableTerminalExtra = false; enableNixDevel = false; - fish.enable = true; + fish.enable = false; bash.enable = true; }; } diff --git a/configurations/host/valkyrie/secrets/default.nix b/configurations/host/valkyrie/secrets/default.nix new file mode 100644 index 0000000..637e898 --- /dev/null +++ b/configurations/host/valkyrie/secrets/default.nix @@ -0,0 +1,27 @@ +{ materusCfg, ... }: +{ + imports = + [ + + ] ++ (if (materusCfg.materusFlake.decrypted) then [ ./private ] else [ ]); + + sops.age.generateKey = false; + sops.gnupg.home = null; + sops.gnupg.sshKeyPaths = [ ]; + sops.defaultSopsFile = materusCfg.hostPath + "/secrets/secrets.yaml"; + + sops.secrets.wireguard = { }; + + services.openssh.hostKeys = [ + { + bits = 4096; + path = "/materus/root/ssh_host_rsa_key"; + type = "rsa"; + } + { + path = "/materus/root/ssh_host_ed25519_key"; + type = "ed25519"; + } + ]; + +} 
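Review bot: The new secrets/default.nix never states where sops-nix is supposed to find its decryption key: `sops.age.generateKey = false`, gnupg is switched off and neither `sops.age.keyFile` nor `sops.age.sshKeyPaths` is set, so the reader has to know that sops-nix, by default, derives the age key from the ed25519 entries of `services.openssh.hostKeys` (declared further down at `/materus/root/ssh_host_ed25519_key`). If that is the intent, a comment above the sops options such as `# Decryption key: age key derived from the ed25519 host key declared below (sops-nix default); nothing is generated on the host` would make the dependency visible, and it is worth confirming that `/materus/root` is persistent and root-only, since that host key then also unlocks whatever secrets.yaml holds. The `./private` import is gated on `materusCfg.materusFlake.decrypted` and the accompanying private/default.nix arrives as a binary blob, which looks like a file kept encrypted in the repository; a one-line comment on the import saying it is only evaluable after the repository has been decrypted would spare the next reader a guess. Minor style: `[ ] ++ (if (materusCfg.materusFlake.decrypted) then [ ./private ] else [ ])` reads more simply as `imports = if materusCfg.materusFlake.decrypted then [ ./private ] else [ ];`.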
diff --git a/configurations/host/valkyrie/secrets/private/default.nix b/configurations/host/valkyrie/secrets/private/default.nix new file mode 100644 index 0000000000000000000000000000000000000000..3173bdc502b3df0e220a4b1c886ccd949fbbc17d GIT binary patch literal 5557 zcmV;m6-w#=M@dveQdv+`0G*?i_?LnRW-Qt8qe=W-x3T9v{&CT))WD$0YfRfwcrEdn z*;VsVWI6mx=4L4w&3ZTB#)Y%DZS~Gu%@Xusf8FG`n}CusFD_OuY|3(gM@9UW&?e`f z7jeUobp?QJ3oIm((H&`cqLUQn1!v1`W#_6KI@nxbZ8#~cjcINm*@HllDo)!0vHzGMp<8GtwUIFJuuP;J`6O?{?h&7J9@uwTFK!e;#$cCk7O9GXIvtcbJ zr4xIZTMs@GwoFAd5-45VvjnF`)_piVs(c5<<-k`P2voROZheU7w~aI*h!~IGnMLIQ6KiG?xmvTF>18)uiX)ki=O$$3A;_5sKkU2Vd&qchC@Wlk*#b z`>lo$0%g@BAz@l-s~W!{>|gpcJzvJT{v_+4!R>%f&!F`f2Z+kZ4#M5xPK5TrsH zIvC*^NUo&Cg$nZIK!!N#*xW4e(Nt$F7~8c?HWdiDC0Fo4BvN#M-0J*qIlmXG%rACj z=wS-RiG-tw>sjJ@#l|~VLpLxgzs=JrhYi}0UCbs{BbV4t>a^VBkHtRg0d~HW)n%gI6vKk-fpc3Bk+GLwPtmc=&ci{w1?e(F# z=s7Hv0wSot6%vxj5yoiQL{u?=Iliru~HWTOqQd;6JUtO-=gW(hP*_kvSs6FBI--@g_vfM z`Cpaxv<~i#I>;Vioky|g03K9AP%D3Q&Ga$W$~~D+h+}*eZlv#R^==Q!Kcs6?anUFg zphh1kfUE^~5m!!DP6#aG?@2#Zg6?h7t$$z@&YwRWxu)NU)$HZB0uV*1bA>A|#Tgva zqR#!fvG!sw1ai4cF1c;xi1An;bbiu9cHW;!eoASMv|ECrE{9={UzuF1NRQ&OT}>khvP(w)wG0;776+VKw_!nd2!34CFowmNhJ zc*HC`{z#~a*1_UW^=m10J0c-xkMP^ShzS4&Gnsyd}Nt<(ccEL~bQXU!bnqxFMz z5xZ~&$yghnBJ{VW$~uWdO4!J4VX=%6%F8q)Z3^rgZl;Fq#bW{hU#`CjiVBmet}8!Q_^$YYKYbmX=6^ zL15p+K(MMJBLU5+XDlSOguTnqV^#WiMA$UEps?0k$|Fp<=u)epW1YR7tnn^sv|xMW zlP_m@pi4c$GoXW;7BQ8Fq+xxp%H((<^d5`nC5(Z7X7yaHG34Lcy7l3_8jWOSW`WLa zK-LafG!%~`P?yZR-BBxHYqrHTYC$wHe0t$59gG63QLft>rUfnHOg+i7)99GWXrb>x z-a0V0cAkXw&8R`E1vI#oA-uk{1M%Nlf0h#`5H&I5L9PweOd~xMy|kaZ;XE(!jB(>B zxrGPxO_!j3Jz9;JdpH66EyE&9V-DFJ)valFht+THzI-MFs_koUk62Le+n_z$GjQF2 z?i{%nb-XGeqcsf=xr{&Sn8$veKllK?wBqn&I`**knARYOGn!p(pm^k|+2z=&HH2ao z`45?2dNF{&9ONoZ^&3+SnMdIA=`h^H=AID^g;iT_#}Bb<-M<^y<~93(UUY;#QDdkP z0o##-t+Zuvz*=7~qwN@+3QeQw4(2pMHp+zh8kkwnt>q^}*JeI-_;0+|YfVsdaasPq zaNfIsQUIpG$KbH0qd7sO+d(hAwijK^L?a|Db!P|9zt>mFEedzdI_hog?`!#nonKNS zJO_rkqGqnJSYuYAcc)c-6c_@sql8%AxSHLeB6%|dx_hpB?37vbv+P0YVan&zU 
zlc_GO8PAT}NDu0vhq_6Si7~;1W^%9Vkj@&0#h~{MUoj$FV@8QXiyuj4aC|^7E9nM2 zi%MOjWR>GG*+y6HH%bLHCPZ)6}TU zMrhfcidV+_M}+EIna<@VGeUe(h_&l(R48=>UUsVyPNOt?g(X|`a!)XAzxqwDOwnnf z`nv8&3Z`cI8u8}28E$FkGA(Lv8X;&jSo-bu+jj;e;TtZIT7w7D%-4Hqfvm8l`n&_t z*9J4akXO&HG2AZO5jBQyiROXKf-PW5la8XPaDj zU6;?NYk2?9-eX=M^-_@55Gg1!;3FUXg93*QjUvWEAIi0QH`t-QoUO7{Fl+=As0ajw zKk-cQFSv(vZ6GVAn`soa-FhYctSuHoSQ~{y2)Q=FnX3O+NkuWh!~aU|-iIbPMq&TT z$U$?*LcMyK#9Nyn>eRi{93&NEfq@^Ljej}EdnbUa@cm#&dxH^?*Lm@ES(&dBtGvj> zr195M7$|xFC*n~efBlp}xt)PnZzw`PTv>P2i+%kXFkFq5jzPVmOL1vnYb$Dx?0AGM z=x0fndB=?!9#;~L5Q=#TEtzIhQ31Up>mGT;qpzyPuX%0bPNO7YPC_02;~VNZfS@+y zUv}IQtoInJWNP06rFA$w;jj(KaWsW1 zn@G$y_g+aMGurabI=x0H;RCI==urSKH7uZtt7K|;QROKh4{XCA7gGZnTh6_%Jr272 zX-l@Z$-oVK6nQqDKV6MWu6mhJf!othQ1O~x8Tb;qU)yH+?%=|&G~+`o_PX3F<9u$} zhHBoBXu)<0p||i$fdb7I1*5u8733&T{#sICczY-O|igdc*St*6Q%YNa$ygAm`W zkly0RD=VXPrJjYyf>M0a+~K*+?U1(;gUtL|wb9s|924F-+8{A@IJ^QuBzaIblap#W z0MtUmq!`W%)uFvjLmZe$ zq~yQC3LJCtxaBG;v4dp_rS$2CbKwfV09%4(KkDIxFeI6(uR;9w$g3?{lX}+z3M5ec z{|4{}K^z&zYi*e7Es(mZO_*ipT0JRR9gR51kO-ZiVB+mI4Jvd)eN{O{!W1Xo|MCCf zdtZp<_JwaaP=2&5BYIwV%GA{OiPp4LvlGA$W@Kaz2SSz&*b_D~?nQSQO<+fcot#Zr z#;xTio92RZY`EdQr7|y#)zKwQG)enO)f$?x>SStW&ho#s=2Wl=uRkM|GRe%vSlo_& zFRGDv7<&M78D(MV&@eXA=G(QmD_xe;G)QVU zp~k(+uUk3Nx@h3PFo&SlD0)}MFS;9~Xv?8N@@zFaJJ+5KyqDS4LcNXrP>Zev_8>F~ z-!?k=U+t|+;r*?42&uh#svWBfLc-F2QbY=gUG1bRX5giLku~<0pd}9`m*CK9l)biw zFiqz*{2PL2^5lB1krRGuV8StQ|AJHepCq9|s&e(EfA#$}E-Bl3J?2Gb?ZHx45NN9- zC6SLtfw8AGdlQTn>7+wPEjOWVz@k)O*CB3XszPgr$55$i3lyYTU@!2O@_FIQv*hbf z{`w|#O7qic^n|`WK{3VG*>&@RNK$m)FvLql;p3(|xQJMeZ;|dmTo?kh7*mX^v>gDj zBM^R5L}40DIEhQIW=8(0Myr=ckGdpojJ0p0qQat?4$#Me>h@SM<@4su>$)x!{-tm|@alNEVF~7*ERX%V zpvk8b2OU9GMe5W(Q_u;39wEjunl)$Uv*E8Tt2BvMel6%_Y5duDiv7vpUH0ulNKp^++7%9NnZ#d+vmWO9DH7X%p?L_}A5$e&F03+xs;5~W?q>bCFpWYHG zP)?Ut;cAnQK~BkCr@C3JPb9{D#xau1?C}w+vZe^t)8Do4#)d)KWPqVh&T8;a|E(_G z6H!cNe`1lG=Ae+K)a`AV-Q^q`&O9+-W`BZ7xZPJLNEi^0lM~i*W@f-wKyz`g<|9(V z2gRIc^D@9jPT8RjN9JV~3G`-3ZU+w1- zU#+ipG!K20`<5V^OAq*F7AvXxBiV@ZV?|N<57~{+CX4m`Kc(F`c%9}u=F4Ue&_&qU 
zLY;=#kQP94BbI`Abw;t{rm(T4%%~U@r8Lk7lRf&_;h%d34mxA4*Q!1(xxZ#;kjl7k z_|UNDmL|>;W`VK)6GFD(W)0Pkj{|HF(`cUxU1a!iM^fd?Ze>h$)?7%)@lvP7CLuhs zMPJ?ye!d_FtzS|`_}KDeHnKKdM)xHQ^PCZHtoc4|uHX)|aCT4pj53Iff|7BK$h%mf zrRx6P5XmkN@|uPCUbjgRh$NpZ{Ff3)@{2p4_q8)A9i|(rHhMl?zKohi+CyuxeGh{O zC}9|Dle|lPA+3><3sIuB7gfRN^Ejw+%q3wuf~;PJBijyH-XDe0QU1vlJn$UD>|+eb zgZc!j%ZXT=6n!%YC?FtmNMs z*sCmywqfhVl-Ak+8a|g(+e6|a9p=_D1pQrBTlSia=3Scx1q>FF(K(KmbWZpW)TlmC zaEBjJcWLv)9D6}=0WJ!uYL~>|L4Z}z-%e$3h@%?+S{bTBA+!6v5%bOfyP7D4`R(3r0roNXtytw_A)f? zTeu%k16xlT7I@YR(6^w_rF{n-Qul2OAJ*?=O`AKt9FyH+Y&?=Qta{Jeausv_L<-j< zc`2abhw!6RanYDB=v+8#6ZYplcd;QWzRwLy#pd`?3Wq3FjZ3nd+O7hj*m`2sE&Z={ zvcZmr0T&~m1F^01amm-4XG0M}i!-3}zuwY!_zpbOD&iAW`mc>XztOt)-voJ?fJmxD z$!O5>+p`q|OnfzUcD6tD@}1|Xva_J1)!@CKMCc+xpZU%IqoDAWjwZX`RtN3m%uc5* z<-r9`>W#t9QWJ<;Wsum}aVF+bB;!R3aeq)NehiXF7OSVvyrI0UXW%sa7U(S;!#(s8 zMtj3}5#=+@`lB^&SGf<$l8}vQNgezNp@v(^{W4_%Bl;r7dAs2U{gH?wFBLxzBgh*1 zVj?5iPf0Lv4KN2HNVdcZ{uY`@g34(G0u|Zmy@RJjy5PD#Ek8uLYe=c+9MzM(el(VR z-Nh>{Y-pjamRt!Wvo98x{Rl6Aw)U}i^S}c9C8+wHV#}Wt$vlFEPU8PZ6ax)W?j0OY zvJf