Refactor all into Flake.nix; introduce SOPS

2023-06-09 14:24:51 -05:00
parent 639baeb70a
commit 4cf99ff033
6 changed files with 163 additions and 61 deletions
--- a/.configuration.nix.swp
+++ b/.configuration.nix.swp
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,9 @@
+keys:
+  - &james age10m78ue8j5l32qftdfqynsvwhwdfmshzq98gqhyxf2fu999xj93rsmymq2y
+  - &matricx_server age1elxjcu8m3k5h0sz30ewx2jgzsnada2pqs9l847vqf0c6y9985vmqdvxdms
+creation_rules:
+  - path_regex: secrets/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *james
+      - *matricx_server
--- a/configuration.nix
+++ b/configuration.nix
@ -1,52 +0,0 @@
-{ config, lib, pkgs, ... }: {
-  imports = [ ./hardware-configuration.nix ];
-
-  boot = {
-    loader.systemd-boot.enable = true;
-    loader.efi.canTouchEfiVariables = true;
-  };
-
-  nix = {
-    buildMachines = [ ];
-    distributedBuilds = false;
-    settings.experimental-features = [ "nix-command" "flakes" ];
-  };
-
-  networking = {
-    hostName = "eve-psr-nix0";
-    firewall = {
-      allowedTCPPorts = [ 22 80 443 ];
-      allowedUDPPorts = [ 22 80 443 ];
-    };
-  };
-
-  time.timeZone = "America/Chicago";
-
-  services.openssh.enable = true;
-  virtualisation.docker = {
-    enable = true;
-    liveRestore = false;
-  };
-
-  environment.systemPackages = with pkgs; [ git pciutils vim wget ];
-
-  programs.zsh.enable = true;
-  users = {
-    defaultUserShell = pkgs.zsh;
-    users = {
-      sezycei = {
-        isNormalUser = true;
-        initialPassword = "bootMaster";
-        extraGroups = [ "wheel" "docker" ];
-        packages = with pkgs; [ byobu tmux stack ];
-      };
-      torrent = {
-        isNormalUser = true;
-        initialPassword = "torrentUserTemp";
-      };
-    };
-
-  };
-
-  system.stateVersion = "22.11";
-}
--- a/flake.lock
+++ b/flake.lock
@ -15,9 +15,47 @@
        "type": "indirect"
      }
    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1685758009,
+        "narHash": "sha256-IT4Z5WGhafrq+xbDTyuKrRPRQ1f+kVOtE+4JU1CHFeo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "eaf03591711b46d21abc7082a8ebee4681f9dbeb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-22.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "sops": "sops"
+      }
+    },
+    "sops": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1685848844,
+        "narHash": "sha256-Iury+/SVbAwLES76QJSiKFiQDzmf/8Hsq8j54WF2qyw=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "a522e12ee35e50fa7d902a164a9796e420e6e75b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -1,12 +1,89 @@
 {
-  inputs = { nixpkgs.url = "nixpkgs/nixos-unstable"; };
-
-  outputs = { self, nixpkgs }: {
-    nixosConfigurations = {
-      eve-psr-nix0 = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [ ./configuration.nix ];
-      };
+  inputs = {
+    nixpkgs.url = "nixpkgs/nixos-unstable";
+    sops = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
+
+  outputs = { self, nixpkgs, sops, ... }@attrs:
+    let
+      pkgs = import nixpkgs { inherit system; };
+      system = "x86_64-linux";
+    in {
+      devShell.x86_64-linux = pkgs.mkShell {
+        buildInputs =
+          [ (pkgs.nixos { }).nixos-rebuild pkgs.terraform pkgs.sops ];
+        shellHook =
+          "	alias sops-deploy=\"nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0\"\n";
+      };
+      nixosConfigurations = {
+        eve-psr-nix0 = nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = attrs;
+          modules = [
+            ({ modulesPath, ... }: {
+              imports = [ sops.nixosModules.sops ./hardware-configuration.nix ];
+              boot = {
+                loader.systemd-boot.enable = true;
+                loader.efi.canTouchEfiVariables = true;
+              };
+
+              nix = {
+                buildMachines = [ ];
+                distributedBuilds = false;
+                settings.experimental-features = [ "nix-command" "flakes" ];
+              };
+
+              networking = {
+                hostName = "eve-psr-nix0";
+                firewall = {
+                  allowedTCPPorts = [ 22 80 443 ];
+                  allowedUDPPorts = [ 22 80 443 ];
+                };
+              };
+
+              time.timeZone = "America/Chicago";
+
+              services.openssh.enable = true;
+              virtualisation.docker = {
+                enable = true;
+                liveRestore = false;
+              };
+
+              environment.systemPackages = with pkgs; [ git pciutils vim wget ];
+
+              programs.zsh.enable = true;
+              users = {
+                defaultUserShell = pkgs.zsh;
+                users = {
+                  sezycei = {
+                    isNormalUser = true;
+                    initialPassword = "bootMaster";
+                    extraGroups = [ "wheel" "docker" ];
+                    packages = with pkgs; [ byobu tmux stack ];
+                  };
+                  torrent = {
+                    isNormalUser = true;
+                    initialPassword = "torrentUserTemp";
+                  };
+                };
+
+              };
+
+              security.sudo.wheelNeedsPassword = false;
+
+              sops = {
+                age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; };
+                defaultSopsFile = ./secrets/keys.yaml;
+                secrets = { hostname = { }; };
+              };
+
+              system.stateVersion = "22.11";
+            })
+          ];
+        };
+      };
+    };
 }
--- a/secrets/keys.yaml
+++ b/secrets/keys.yaml
@ -0,0 +1,30 @@
+hostname: ENC[AES256_GCM,data:cFZxNM65KwVZ7ngg,iv:iqm5Hbr8Q336XjC60Yz9lcSKpLcGwKobzKT/EESCqjk=,tag:msBSYFGI4AR1mMpfmr5C4Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age10m78ue8j5l32qftdfqynsvwhwdfmshzq98gqhyxf2fu999xj93rsmymq2y
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbnlHMEFMWUJnRCsxaUh6
+            ZkpRdEwzNkltamdHRzRpSEQ2RUxDTFkrYVhBCmdpNldvWkZDMVJnYU5QOC9hM0lP
+            ZjZBM3JkY1JTZFJEbTJzZS9iWnhHdEEKLS0tIHpDU3hLbjR6UUxNYmJNampGeERw
+            U1hwN1NEZ0tYdVdVOERFdnRLeTJFbVUKSDPmG16R4TC/uuE98iKZg8QL9qZEfBMZ
+            1TV0I66HmrkLX8l9TUkNkKhDdcUO/LCH9vBtgxBCWEM8M1G/mYYnyw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1elxjcu8m3k5h0sz30ewx2jgzsnada2pqs9l847vqf0c6y9985vmqdvxdms
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMT2VZa3lFSVp2dXNUSE1x
+            aWpIcmMrYk14OElDd1EvRGFybWRJVU1aRUgwCjZ5YmRjNnowa0UwVEdvNmE0anBB
+            UUpRRXVsTHQrOTdYVlYvYVpzNzJiQ0UKLS0tIGdHUjR4akwrUHd6N3FFMmV2VDBG
+            S0JzQ1B6WUZlL0hVeXVMcFUyVDNBaVEKtbF6NwzyO69Y7Az36Wm4SOUNnQL7oCTU
+            dx99asfwJW2+6wiofPbL6sn1LFIVqGH2jbAfeZIxyODabFYa8m984g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-06-09T19:16:10Z"
+    mac: ENC[AES256_GCM,data:ayliPO8bDg0yTC1u5K1ZARdBPCOpb3g2UfEorak/RNq1KeTK4zTaWwvwr8xNIuqTFLxqAHJvMFVmEbUGgkH7wCE+5hYsun59dChnSASayEhxMdyPUnOauzaGVMuRm0q2D4UKfmtkTBEtnTM9yvDeBqd9LD0vqUpeltXggesdKCA=,iv:oq8GQPNjFaj6x28qtwcUakmbt4urZxDOls2Lw3Z4Rns=,tag:WK89gCSh0HT3Az5cMSpuRg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3