valkyrie: move secrets

2024-03-22 00:00:20 +01:00 · 2024-03-22 00:00:20 +01:00 · a76b42c3da
parent e17d19dcfd
commit a76b42c3da
5 changed files with 65 additions and 4 deletions
--- a/configurations/host/valkyrie/default.nix
+++ b/configurations/host/valkyrie/default.nix
@ -2,7 +2,7 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running `nixos-help`).
-{ config, pkgs, materusArg, ... }:
+{ pkgs, materusArg, ... }:
 {
  imports =
@ -10,6 +10,7 @@
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ./services
      ./secrets
    ];
  materus.profile.nix.enable = true;
@ -69,7 +70,7 @@
  users.users.materus = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-    packages = with pkgs; [
+    packages = [
    ];
    openssh.authorizedKeys.keyFiles = [ ("${materusArg.cfg.path}" + "/extraFiles/keys/ssh/materus.pub") ];
  };
--- a/configurations/host/valkyrie/home/materus/default.nix
+++ b/configurations/host/valkyrie/home/materus/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ ... }:
 {
  home.stateVersion = "23.05";
  home.homeDirectory = "/home/materus";
@ -10,7 +10,7 @@
    enableTerminalExtra = false;
    enableNixDevel = false;
-    fish.enable = true;
+    fish.enable = false;
    bash.enable = true;
  };
 }
--- a/configurations/host/valkyrie/secrets/default.nix
+++ b/configurations/host/valkyrie/secrets/default.nix
@ -0,0 +1,27 @@
 { materusCfg, ... }:
 {
  imports =
    [
    ] ++ (if (materusCfg.materusFlake.decrypted) then [ ./private ] else [ ]);
  sops.age.generateKey = false;
  sops.gnupg.home = null;
  sops.gnupg.sshKeyPaths = [ ];
  sops.defaultSopsFile = materusCfg.hostPath + "/secrets/secrets.yaml";
  sops.secrets.wireguard = { };
  services.openssh.hostKeys = [
    {
      bits = 4096;
      path = "/materus/root/ssh_host_rsa_key";
      type = "rsa";
    }
    {
      path = "/materus/root/ssh_host_ed25519_key";
      type = "ed25519";
    }
  ];
 }
--- a/configurations/host/valkyrie/secrets/private/default.nix
+++ b/configurations/host/valkyrie/secrets/private/default.nix
--- a/configurations/host/valkyrie/secrets/secrets.yaml
+++ b/configurations/host/valkyrie/secrets/secrets.yaml
@ -0,0 +1,33 @@
 wireguard: ENC[AES256_GCM,data:i98U0ugxbNqWNuKR8u+mdWoSMLViHXfsWRBS1lvjb+hgGxveyzjBcagBIeY=,iv:/hF9oH2R6NSeHT/UQTlbmtx+gPX/3CJOLPNnxrzsY/g=,tag:2ub5w8uH2O1B2hoku8Kowg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1wscr6kv8393wv0fjaux8juplaxq55znlzrp62qyteq0fauu3yg0s7d7k98
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSRXNLdUZaVU13alNhVGgz
            aXdMb3IzNjNQcHJFV2JLNVM2SUVBa3VNZlRFCkxxd21CTWVDUkVXbzR6ZEkxbm5J
            VGorSkp6a2xSdHRHcFk5T3VYVlJJa0UKLS0tIE1WdHo5eTlpNEEyN25oSjk1KzdS
            d2dMUUh1RDB3UnpEdFJsNHpQRXFWemMKc41dlOapTsvH91QLNhdPbrzerPFakOiX
            J/uoZDMIhsmQxgQM7Fqxr05NywhI/ZjOtJS2bayp73O57xjjMYcyNQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-03-21T22:56:14Z"
    mac: ENC[AES256_GCM,data:bh6fCWIn4Ppv0NSa2qXPIi2O0VfRqZCUqcvPFttrh1Q1BISkBFrX5uz7Zq5OTE0HzUMDhHq2/uQGqKjao9qyDYhaP20Ffh2HbQGvIvOZLtyKzT12LVwBLxSAsJ9l6fF+sDLrT98f4vDiu/8dyRnhDAV4V9DUNbDi/gF4imjoyXQ=,iv:Xh+nK7DyogwUxMPO4qbZgL9XptOISH/qTRaml9HjWAw=,tag:gzZ4ZRd6LjvsN9Axd4aykQ==,type:str]
    pgp:
        - created_at: "2024-03-21T22:55:36Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4D5fSX77p80GYSAQdA667A9P/3ktuS2iEjxkv3aYMAGSu0oPGIX7dsC23VVgkw
            OmcwhXxBnipcG+izbtNylXz5VonyyKHwdR2QIgkt9FEuC8lI17GHVyogTCFiP7Dj
            1GgBCQIQN4EqFdiXqzJUeeE+PdOzVPs+1kStz+S1H22NjrJAFv67cbyIgwpItuXD
            Sfao+MU1HWDY4iKZrcfWArUgpQj/pvsmUeJ72iXD3bkTTrK61g3GZA+g9lFewl/B
            SORJMu9btS4GAw==
            =aBMP
            -----END PGP MESSAGE-----
          fp: 28D140BCA60B4FD1
    unencrypted_suffix: _unencrypted
    version: 3.8.1