diff --git a/.configuration.nix.swp b/.configuration.nix.swp new file mode 100644 index 0000000..193b388 Binary files /dev/null and b/.configuration.nix.swp differ diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..f33e88d --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,9 @@ +keys: + - &james age10m78ue8j5l32qftdfqynsvwhwdfmshzq98gqhyxf2fu999xj93rsmymq2y + - &matricx_server age1elxjcu8m3k5h0sz30ewx2jgzsnada2pqs9l847vqf0c6y9985vmqdvxdms +creation_rules: + - path_regex: secrets/[^/]+\.yaml$ + key_groups: + - age: + - *james + - *matricx_server diff --git a/configuration.nix b/configuration.nix deleted file mode 100644 index d9bfe22..0000000 --- a/configuration.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ config, lib, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ]; - - boot = { - loader.systemd-boot.enable = true; - loader.efi.canTouchEfiVariables = true; - }; - - nix = { - buildMachines = [ ]; - distributedBuilds = false; - settings.experimental-features = [ "nix-command" "flakes" ]; - }; - - networking = { - hostName = "eve-psr-nix0"; - firewall = { - allowedTCPPorts = [ 22 80 443 ]; - allowedUDPPorts = [ 22 80 443 ]; - }; - }; - - time.timeZone = "America/Chicago"; - - services.openssh.enable = true; - virtualisation.docker = { - enable = true; - liveRestore = false; - }; - - environment.systemPackages = with pkgs; [ git pciutils vim wget ]; - - programs.zsh.enable = true; - users = { - defaultUserShell = pkgs.zsh; - users = { - sezycei = { - isNormalUser = true; - initialPassword = "bootMaster"; - extraGroups = [ "wheel" "docker" ]; - packages = with pkgs; [ byobu tmux stack ]; - }; - torrent = { - isNormalUser = true; - initialPassword = "torrentUserTemp"; - }; - }; - - }; - - system.stateVersion = "22.11"; -} diff --git a/flake.lock b/flake.lock index a12002a..37bc75f 100644 --- a/flake.lock +++ b/flake.lock 
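Review bot: `.configuration.nix.swp` is a Vim swap file and should not be committed; it is a binary snapshot of the editor buffer for configuration.nix, which in this same commit is shown to hold literal `initialPassword` values, so the swap file very likely carries those strings too, and deleting configuration.nix from the tree does not remove them from history. Remove the file from the commit and add `*.swp` to `.gitignore`; if the repository is already pushed, treat the passwords it may contain as exposed and rotate them rather than relying on a later removal.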
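Review bot: The two `age` recipients are unexplained, and the server one matters for correctness: flake.nix tells sops-nix to decrypt with `/etc/ssh/ssh_host_ed25519_key`, so `matricx_server` presumably is the age conversion of that host key, and if it is any other key the host cannot decrypt `secrets/keys.yaml` at activation. Suggest documenting that above the anchor, e.g. `# age key derived from eve-psr-nix0's /etc/ssh/ssh_host_ed25519_key (ssh-to-age)` and `# james: personal key used for editing secrets`. The rule's regex is also unanchored at the start, so `path_regex: ^secrets/[^/]+\.yaml$` would make it match only the top-level `secrets/` directory rather than any path containing a `secrets/` component.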
@@ -15,9 +15,47 @@ "type": "indirect" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1685758009, + "narHash": "sha256-IT4Z5WGhafrq+xbDTyuKrRPRQ1f+kVOtE+4JU1CHFeo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "eaf03591711b46d21abc7082a8ebee4681f9dbeb", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "sops": "sops" + } + }, + "sops": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1685848844, + "narHash": "sha256-Iury+/SVbAwLES76QJSiKFiQDzmf/8Hsq8j54WF2qyw=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "a522e12ee35e50fa7d902a164a9796e420e6e75b", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index c7f7000..fb7484a 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,12 +1,89 @@ { - inputs = { nixpkgs.url = "nixpkgs/nixos-unstable"; }; - - outputs = { self, nixpkgs }: { - nixosConfigurations = { - eve-psr-nix0 = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ ./configuration.nix ]; - }; + inputs = { + nixpkgs.url = "nixpkgs/nixos-unstable"; + sops = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; }; }; + + outputs = { self, nixpkgs, sops, ... }@attrs: + let + pkgs = import nixpkgs { inherit system; }; + system = "x86_64-linux"; + in { + devShell.x86_64-linux = pkgs.mkShell { + buildInputs = + [ (pkgs.nixos { }).nixos-rebuild pkgs.terraform pkgs.sops ]; + shellHook = + " alias sops-deploy=\"nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0\"\n"; + }; + nixosConfigurations = { + eve-psr-nix0 = nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = attrs; + modules = [ + ({ modulesPath, ... }: { + imports = [ sops.nixosModules.sops ./hardware-configuration.nix ]; + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + }; + + nix = { + buildMachines = [ ]; + distributedBuilds = false; + settings.experimental-features = [ "nix-command" "flakes" ]; + }; + + networking = { + hostName = "eve-psr-nix0"; + firewall = { + allowedTCPPorts = [ 22 80 443 ]; + allowedUDPPorts = [ 22 80 443 ]; + }; + }; + + time.timeZone = "America/Chicago"; + + services.openssh.enable = true; + virtualisation.docker = { + enable = true; + liveRestore = false; + }; + + environment.systemPackages = with pkgs; [ git pciutils vim wget ]; + + programs.zsh.enable = true; + users = { + defaultUserShell = pkgs.zsh; + users = { + sezycei = { + isNormalUser = true; + initialPassword = "bootMaster"; + extraGroups = [ "wheel" "docker" ]; + packages = with pkgs; [ byobu tmux stack ]; + }; + torrent = { + isNormalUser = true; + initialPassword = "torrentUserTemp"; + }; + }; + + }; + + security.sudo.wheelNeedsPassword = false; + + sops 
= { + age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; }; + defaultSopsFile = ./secrets/keys.yaml; + secrets = { hostname = { }; }; + }; + + system.stateVersion = "22.11"; + }) + ]; + }; + }; + }; } diff --git a/secrets/keys.yaml b/secrets/keys.yaml new file mode 100644 index 0000000..71fb23f --- /dev/null +++ b/secrets/keys.yaml @@ -0,0 +1,30 @@ +hostname: ENC[AES256_GCM,data:cFZxNM65KwVZ7ngg,iv:iqm5Hbr8Q336XjC60Yz9lcSKpLcGwKobzKT/EESCqjk=,tag:msBSYFGI4AR1mMpfmr5C4Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10m78ue8j5l32qftdfqynsvwhwdfmshzq98gqhyxf2fu999xj93rsmymq2y + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbnlHMEFMWUJnRCsxaUh6 + ZkpRdEwzNkltamdHRzRpSEQ2RUxDTFkrYVhBCmdpNldvWkZDMVJnYU5QOC9hM0lP + ZjZBM3JkY1JTZFJEbTJzZS9iWnhHdEEKLS0tIHpDU3hLbjR6UUxNYmJNampGeERw + U1hwN1NEZ0tYdVdVOERFdnRLeTJFbVUKSDPmG16R4TC/uuE98iKZg8QL9qZEfBMZ + 1TV0I66HmrkLX8l9TUkNkKhDdcUO/LCH9vBtgxBCWEM8M1G/mYYnyw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1elxjcu8m3k5h0sz30ewx2jgzsnada2pqs9l847vqf0c6y9985vmqdvxdms + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMT2VZa3lFSVp2dXNUSE1x + aWpIcmMrYk14OElDd1EvRGFybWRJVU1aRUgwCjZ5YmRjNnowa0UwVEdvNmE0anBB + UUpRRXVsTHQrOTdYVlYvYVpzNzJiQ0UKLS0tIGdHUjR4akwrUHd6N3FFMmV2VDBG + S0JzQ1B6WUZlL0hVeXVMcFUyVDNBaVEKtbF6NwzyO69Y7Az36Wm4SOUNnQL7oCTU + dx99asfwJW2+6wiofPbL6sn1LFIVqGH2jbAfeZIxyODabFYa8m984g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-06-09T19:16:10Z" + mac: ENC[AES256_GCM,data:ayliPO8bDg0yTC1u5K1ZARdBPCOpb3g2UfEorak/RNq1KeTK4zTaWwvwr8xNIuqTFLxqAHJvMFVmEbUGgkH7wCE+5hYsun59dChnSASayEhxMdyPUnOauzaGVMuRm0q2D4UKfmtkTBEtnTM9yvDeBqd9LD0vqUpeltXggesdKCA=,iv:oq8GQPNjFaj6x28qtwcUakmbt4urZxDOls2Lw3Z4Rns=,tag:WK89gCSh0HT3Az5cMSpuRg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3