From 4cf99ff0332fc362843a71c6ebf3b292dae21d8c Mon Sep 17 00:00:00 2001 From: James Eversole Date: Fri, 9 Jun 2023 14:24:51 -0500 Subject: [PATCH] Refactor all into Flake.nix; introduce SOPS --- .configuration.nix.swp | Bin 0 -> 12288 bytes .sops.yaml | 9 ++++ configuration.nix | 52 ----------------------- flake.lock | 40 +++++++++++++++++- flake.nix | 93 +++++++++++++++++++++++++++++++++++++---- secrets/keys.yaml | 30 +++++++++++++ 6 files changed, 163 insertions(+), 61 deletions(-) create mode 100644 .configuration.nix.swp create mode 100644 .sops.yaml delete mode 100644 configuration.nix create mode 100644 secrets/keys.yaml diff --git a/.configuration.nix.swp b/.configuration.nix.swp new file mode 100644 index 0000000000000000000000000000000000000000..193b388debca2677d7be95e43dbeddc324d23d36 GIT binary patch literal 12288 zcmeI2y>A>v7>6g35T79kN+^akMGD`peMwM)}?Mu!yK4%}LL$J^Rkg`#v*s zlI3m9ZM?e7&xUghpC=gmcw%s^$jGb)GS4Vv&c$Po)BkVmCaI`Mse0@K1;9mdgZ{C16;0<^K-hemY z4R{0IfH&X`cmv*mH*g;s5D8;%KFrvaN02=J|G)S5|8K_``vH6bZh{-&Iv9av@CsN0 zi{Lr%0Ql~4#%_UK@Hw~!cEARRzzHw|0`TWC#{K|5gI#a~dG8fTzJxDCDq-+-^dSKu1B3NC{_SOmwxL*PO16YBpF+y-BQ zo8U9>DR>_^KbL|3cmv*mH{cC;1Kxl);0^q513Qd!GcuO4&{$z@46ixpCfA#^xd;gl*T)48@wPaV@R~=Lxk%nc9o0Fc)O%Lc^#IifAaZBBgL7 zvb36DYV4UFjp`0T)E7ERWh*im#l5W>;bCZp7HPRTkh|%=Mx#|>yKd@BJc!7~5n3Ia zF3(L$nx{|CpWQ^)fWJNNC^}W{3lyqi|k#s`4AR zOifaVxQ9Ai_5*3Vyy$hz0u;1Hs#S8El|zmtjeC1Fy8&ouwOG=stcr%Ns>px`iHduq zCw^S)U5aQaWtRnZi~eu<*Y6xp@-I>1*tVOX-XX5;i(N`ngt;2REz@-Zrh^NuI$C7a zvygJpsy5VE6+$WRORe$@g2VA{Ui}w29cg(H%hJl!@V?CWphMOf!YH-dRQBl&GH~zq zNWI`l7qk3hUXK3SmLipA{Oa`BVO=bW>dTl+s0zxl7w?j_l^KQZ@|McoRKbfGX&H;? zTo>1lg5&+HCJQgpR1GLue|dFP>FU5;;>{*MGsjPzI=R2rb=cau!@}B9(*Tim&f|l< zGCtVB^h@H^a_3}m3VJf{RPp<{8L}3wCZu733fwY?w9zJEOI__xY&0C+My#?-+JOo?x~wq+4_WnK@51>+n;9!MlrA|V}8TZXa7*HjsI z&$s1<(9*4(8+HG5)v@F4k~G}bKDb7lyVkuqsyR8n#kxW#1EC4^9C&k{BP*E|lXYR+ Yd>k{&@hvu6ZSPqgh9Td1fp4?F0hZ?V=Kufz literal 0 HcmV?d00001 diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..f33e88d 
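Review bot: `.configuration.nix.swp` is a Vim swap file and does not belong in the commit; swap files hold the text of the buffer being edited, which here presumably means the contents of `configuration.nix` including its `initialPassword` values, so once pushed it is worth treating as a leak of that file rather than just clutter. Remove it with `git rm --cached .configuration.nix.swp` and add `*.swp` to a `.gitignore` (none is visible in this diff) so the pattern does not recur.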
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &james age10m78ue8j5l32qftdfqynsvwhwdfmshzq98gqhyxf2fu999xj93rsmymq2y
+ - &matricx_server age1elxjcu8m3k5h0sz30ewx2jgzsnada2pqs9l847vqf0c6y9985vmqdvxdms
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *james
+ - *matricx_server
diff --git a/configuration.nix b/configuration.nix
deleted file mode 100644
index d9bfe22..0000000
--- a/configuration.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{ config, lib, pkgs, ... }: {
- imports = [ ./hardware-configuration.nix ];
-
- boot = {
- loader.systemd-boot.enable = true;
- loader.efi.canTouchEfiVariables = true;
- };
-
- nix = {
- buildMachines = [ ];
- distributedBuilds = false;
- settings.experimental-features = [ "nix-command" "flakes" ];
- };
-
- networking = {
- hostName = "eve-psr-nix0";
- firewall = {
- allowedTCPPorts = [ 22 80 443 ];
- allowedUDPPorts = [ 22 80 443 ];
- };
- };
-
- time.timeZone = "America/Chicago";
-
- services.openssh.enable = true;
- virtualisation.docker = {
- enable = true;
- liveRestore = false;
- };
-
- environment.systemPackages = with pkgs; [ git pciutils vim wget ];
-
- programs.zsh.enable = true;
- users = {
- defaultUserShell = pkgs.zsh;
- users = {
- sezycei = {
- isNormalUser = true;
- initialPassword = "bootMaster";
- extraGroups = [ "wheel" "docker" ];
- packages = with pkgs; [ byobu tmux stack ];
- };
- torrent = {
- isNormalUser = true;
- initialPassword = "torrentUserTemp";
- };
- };
-
- };
-
- system.stateVersion = "22.11";
-}
diff --git a/flake.lock b/flake.lock
index a12002a..37bc75f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -15,9 +15,47 @@
 "type": "indirect"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1685758009,
+ "narHash": "sha256-IT4Z5WGhafrq+xbDTyuKrRPRQ1f+kVOtE+4JU1CHFeo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "eaf03591711b46d21abc7082a8ebee4681f9dbeb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "sops": "sops"
+ }
+ },
+ "sops": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1685848844,
+ "narHash": "sha256-Iury+/SVbAwLES76QJSiKFiQDzmf/8Hsq8j54WF2qyw=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "a522e12ee35e50fa7d902a164a9796e420e6e75b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index c7f7000..fb7484a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,12 +1,89 @@
 {
- inputs = { nixpkgs.url = "nixpkgs/nixos-unstable"; };
-
- outputs = { self, nixpkgs }: {
- nixosConfigurations = {
- eve-psr-nix0 = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [ ./configuration.nix ];
- };
+ inputs = {
+ nixpkgs.url = "nixpkgs/nixos-unstable";
+ sops = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
 };
 };
+
+ outputs = { self, nixpkgs, sops, ... }@attrs:
+ let
+ pkgs = import nixpkgs { inherit system; };
+ system = "x86_64-linux";
+ in {
+ devShell.x86_64-linux = pkgs.mkShell {
+ buildInputs =
+ [ (pkgs.nixos { }).nixos-rebuild pkgs.terraform pkgs.sops ];
+ shellHook =
+ " alias sops-deploy=\"nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0\"\n";
+ };
+ nixosConfigurations = {
+ eve-psr-nix0 = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = attrs;
+ modules = [
+ ({ modulesPath, ... }: {
+ imports = [ sops.nixosModules.sops ./hardware-configuration.nix ];
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ };
+
+ nix = {
+ buildMachines = [ ];
+ distributedBuilds = false;
+ settings.experimental-features = [ "nix-command" "flakes" ];
+ };
+
+ networking = {
+ hostName = "eve-psr-nix0";
+ firewall = {
+ allowedTCPPorts = [ 22 80 443 ];
+ allowedUDPPorts = [ 22 80 443 ];
+ };
+ };
+
+ time.timeZone = "America/Chicago";
+
+ services.openssh.enable = true;
+ virtualisation.docker = {
+ enable = true;
+ liveRestore = false;
+ };
+
+ environment.systemPackages = with pkgs; [ git pciutils vim wget ];
+
+ programs.zsh.enable = true;
+ users = {
+ defaultUserShell = pkgs.zsh;
+ users = {
+ sezycei = {
+ isNormalUser = true;
+ initialPassword = "bootMaster";
+ extraGroups = [ "wheel" "docker" ];
+ packages = with pkgs; [ byobu tmux stack ];
+ };
+ torrent = {
+ isNormalUser = true;
+ initialPassword = "torrentUserTemp";
+ };
+ };
+
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ sops = {
+ age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; };
+ defaultSopsFile = ./secrets/keys.yaml;
+ secrets = { hostname = { }; };
+ };
+
+ system.stateVersion = "22.11";
+ })
+ ];
+ };
+ };
+ };
 }
diff --git a/secrets/keys.yaml b/secrets/keys.yaml
new file mode 100644
index 0000000..71fb23f
--- /dev/null
+++ b/secrets/keys.yaml
@@ -0,0 +1,30 @@
+hostname: ENC[AES256_GCM,data:cFZxNM65KwVZ7ngg,iv:iqm5Hbr8Q336XjC60Yz9lcSKpLcGwKobzKT/EESCqjk=,tag:msBSYFGI4AR1mMpfmr5C4Q==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age10m78ue8j5l32qftdfqynsvwhwdfmshzq98gqhyxf2fu999xj93rsmymq2y
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbnlHMEFMWUJnRCsxaUh6
+ ZkpRdEwzNkltamdHRzRpSEQ2RUxDTFkrYVhBCmdpNldvWkZDMVJnYU5QOC9hM0lP
+ ZjZBM3JkY1JTZFJEbTJzZS9iWnhHdEEKLS0tIHpDU3hLbjR6UUxNYmJNampGeERw
+ U1hwN1NEZ0tYdVdVOERFdnRLeTJFbVUKSDPmG16R4TC/uuE98iKZg8QL9qZEfBMZ
+ 1TV0I66HmrkLX8l9TUkNkKhDdcUO/LCH9vBtgxBCWEM8M1G/mYYnyw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1elxjcu8m3k5h0sz30ewx2jgzsnada2pqs9l847vqf0c6y9985vmqdvxdms
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMT2VZa3lFSVp2dXNUSE1x
+ aWpIcmMrYk14OElDd1EvRGFybWRJVU1aRUgwCjZ5YmRjNnowa0UwVEdvNmE0anBB
+ UUpRRXVsTHQrOTdYVlYvYVpzNzJiQ0UKLS0tIGdHUjR4akwrUHd6N3FFMmV2VDBG
+ S0JzQ1B6WUZlL0hVeXVMcFUyVDNBaVEKtbF6NwzyO69Y7Az36Wm4SOUNnQL7oCTU
+ dx99asfwJW2+6wiofPbL6sn1LFIVqGH2jbAfeZIxyODabFYa8m984g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-06-09T19:16:10Z"
+ mac: ENC[AES256_GCM,data:ayliPO8bDg0yTC1u5K1ZARdBPCOpb3g2UfEorak/RNq1KeTK4zTaWwvwr8xNIuqTFLxqAHJvMFVmEbUGgkH7wCE+5hYsun59dChnSASayEhxMdyPUnOauzaGVMuRm0q2D4UKfmtkTBEtnTM9yvDeBqd9LD0vqUpeltXggesdKCA=,iv:oq8GQPNjFaj6x28qtwcUakmbt4urZxDOls2Lw3Z4Rns=,tag:WK89gCSh0HT3Az5cMSpuRg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
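Review bot: The plaintext `initialPassword = "bootMaster";` for the `wheel` user `sezycei` and `initialPassword = "torrentUserTemp";` for `torrent` stay in the flake even though this commit introduces sops-nix, while the only value placed under `sops.secrets` is `hostname`, which is not secret and is already set in plaintext as `networking.hostName`. The newly added `security.sudo.wheelNeedsPassword = false;` makes the `sezycei` credential equivalent to root, so that password is the first thing that should move under sops. I would replace `initialPassword` with `hashedPasswordFile = config.sops.secrets.<name>.path` and mark each secret `neededForUsers = true` so the file is available when users are created; that needs `config` in the module arguments (the `modulesPath` argument currently taken is unused), and the matching entries (password hashes, e.g. from `mkpasswd`) must be added to `secrets/keys.yaml` with `sops`. Separately, the `sops-deploy` alias logs in as `root@matri.cx` while `services.openssh` runs with defaults, so pinning `settings.PasswordAuthentication = false;` and `settings.PermitRootLogin = "prohibit-password";` would match the key-based deployment the alias implies.
```nix
({ config, ... }: {
  # … unchanged: imports, boot, nix, networking, time, services, environment, programs …
  users = {
    defaultUserShell = pkgs.zsh;
    users = {
      sezycei = {
        isNormalUser = true;
        hashedPasswordFile = config.sops.secrets."sezycei-password".path;
        extraGroups = [ "wheel" "docker" ];
        packages = with pkgs; [ byobu tmux stack ];
      };
      torrent = {
        isNormalUser = true;
        hashedPasswordFile = config.sops.secrets."torrent-password".path;
      };
    };
  };

  security.sudo.wheelNeedsPassword = false;

  sops = {
    age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; };
    defaultSopsFile = ./secrets/keys.yaml;
    # secret names are placeholders; they must exist in secrets/keys.yaml
    secrets = {
      "sezycei-password" = { neededForUsers = true; };
      "torrent-password" = { neededForUsers = true; };
    };
  };
  # … unchanged: system.stateVersion …
```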
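Review bot: The `matricx_server` recipient `age1elxjcu8m3k5h0sz30ewx2jgzsnada2pqs9l847vqf0c6y9985vmqdvxdms` must be the age key derived from the host's `/etc/ssh/ssh_host_ed25519_key`, since that is the only decryption key `sops.age.sshKeyPaths` names in flake.nix; whether it is cannot be checked from the diff, and if it is not, activation on `eve-psr-nix0` will fail to decrypt everything in this file. Confirming it with `ssh-to-age` against the host's public key before the first `sops-deploy` would avoid a broken switch. The plaintext-password point is raised on the flake.nix hunk.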