From 88a5de8402450b94f7ef7667307dfb021bb0a06e Mon Sep 17 00:00:00 2001 From: Aaron Bieber Date: Thu, 21 Mar 2024 22:08:30 -0600 Subject: [PATCH] all: switch to using dynamic entries in xin-secrets --- flake.lock | 8 ++-- flake.nix | 2 +- hosts/box/default.nix | 20 +++++----- hosts/europa/default.nix | 24 ++++++------ hosts/faf/default.nix | 1 - hosts/h/default.nix | 32 +++++++-------- hosts/stan/default.nix | 14 +++---- users/default.nix | 84 +++++++++++++++++++++++----------------- 8 files changed, 98 insertions(+), 87 deletions(-) diff --git a/flake.lock b/flake.lock index a275ac8..0033d6e 100644 --- a/flake.lock +++ b/flake.lock @@ -584,11 +584,11 @@ ] }, "locked": { - "lastModified": 1710255097, - "narHash": "sha256-x2om2VDoJ8dP9MDltW6LnsTLXbVnUs9Y478smAp9Kiw=", + "lastModified": 1711079899, + "narHash": "sha256-wsLqZx0llg7wWSsQURUSqlrf2dQbsDVnm1z+FB8oj5w=", "ref": "main", - "rev": "6c5ab9d3f036e6c430297d34872d72c9c593a60f", - "revCount": 136, + "rev": "079e4fff5a6f431cd5287f6b1469924aee079b87", + "revCount": 142, "type": "git", "url": "ssh://xin-secrets-ro/qbit/xin-secrets.git" }, diff --git a/flake.nix b/flake.nix index aee1276..9405a10 100644 --- a/flake.nix +++ b/flake.nix @@ -240,7 +240,7 @@ nixos-hardware.nixosModules.framework-11th-gen-intel ] "stan"; weather = buildSys "aarch64-linux" stable [ ] "weather"; - octo = buildSys "aarch64-linux" stable [ ] "octo"; + #octo = buildSys "aarch64-linux" stable [ ] "octo"; faf = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "faf"; box = buildSys "x86_64-linux" unstable [ ./configs/hardened.nix ] "box"; diff --git a/hosts/box/default.nix b/hosts/box/default.nix index 86c24f7..f8a3db8 100644 --- a/hosts/box/default.nix +++ b/hosts/box/default.nix @@ -40,7 +40,7 @@ let ]; userBase = { openssh.authorizedKeys.keys = pubKeys; }; mkNginxSecret = { - sopsFile = config.xin-secrets.box.certs; + sopsFile = config.xin-secrets.box.secrets.certs; owner = config.users.users.nginx.name; mode = "400"; }; 
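Review bot: `octo` is disabled by commenting out its `buildSys` line rather than deleting it, and neither the subject nor the description explains why a host disappears in a commit about xin-secrets attribute paths. Commented-out code in `flake.nix` tends to outlive its reason; either remove the line (git keeps the history) or keep it with the reason attached, e.g. `# octo: disabled until xin-secrets has entries for it` if that is the actual cause, which I am only inferring from the rest of the patch.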
@@ -55,30 +55,30 @@ in sops.secrets = { #nextcloud_db_pass = { # owner = config.users.users.nextcloud.name; - # sopsFile = config.xin-secrets.box.services; + # sopsFile = config.xin-secrets.box.secrets.services; #}; #nextcloud_admin_pass = { # owner = config.users.users.nextcloud.name; - # sopsFile = config.xin-secrets.box.services; + # sopsFile = config.xin-secrets.box.secrets.services; #}; - #photoprism_admin_password = {sopsFile = config.xin-secrets.box.services;}; + #photoprism_admin_password = {sopsFile = config.xin-secrets.box.secrets.services;}; gitea_db_pass = { owner = config.users.users.gitea.name; - sopsFile = config.xin-secrets.box.services; + sopsFile = config.xin-secrets.box.secrets.services; }; - "bitwarden_rs.env" = { sopsFile = config.xin-secrets.box.services; }; - "wireguard_private_key" = { sopsFile = config.xin-secrets.box.services; }; + "bitwarden_rs.env" = { sopsFile = config.xin-secrets.box.secrets.services; }; + "wireguard_private_key" = { sopsFile = config.xin-secrets.box.secrets.services; }; "restic_htpasswd" = { owner = config.users.users.restic.name; - sopsFile = config.xin-secrets.box.services; + sopsFile = config.xin-secrets.box.secrets.services; }; restic_cert = { owner = config.users.users.restic.name; - sopsFile = config.xin-secrets.box.certs; + sopsFile = config.xin-secrets.box.secrets.certs; }; restic_key = { owner = config.users.users.restic.name; - sopsFile = config.xin-secrets.box.certs; + sopsFile = config.xin-secrets.box.secrets.certs; }; books_cert = mkNginxSecret; diff --git a/hosts/europa/default.nix b/hosts/europa/default.nix index 929fcf5..08dbd2c 100644 --- a/hosts/europa/default.nix +++ b/hosts/europa/default.nix 
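Review bot: Five of the changed lines in this hunk update `sopsFile` inside commented-out declarations (`nextcloud_db_pass`, `nextcloud_admin_pass`, `photoprism_admin_password`), and the `hosts/h/default.nix` hunk does the same for `golink` and `wallabag_secret`. Dead declarations that are kept in step with a schema change cost effort on every refactor and are never evaluated, so nothing catches them when they drift; git history already preserves them if they are ever wanted back. I would delete them, or if they are intentionally parked, replace each body with a one-line `# TODO: re-add <name> secret once the service returns` so the intent survives without the stale code.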
@@ -40,69 +40,69 @@ in sops.secrets = { rkvm_cert = { - sopsFile = config.xin-secrets.europa.qbit; + sopsFile = config.xin-secrets.europa.secrets.qbit; owner = "root"; group = "wheel"; mode = "400"; }; rkvm_key = { - sopsFile = config.xin-secrets.europa.qbit; + sopsFile = config.xin-secrets.europa.secrets.qbit; owner = "root"; group = "wheel"; mode = "400"; }; fastmail = { - sopsFile = config.xin-secrets.europa.qbit; + sopsFile = config.xin-secrets.europa.secrets.qbit; owner = "qbit"; group = "wheel"; mode = "400"; }; fastmail_user = { - sopsFile = config.xin-secrets.europa.qbit; + sopsFile = config.xin-secrets.europa.secrets.qbit; owner = "qbit"; group = "wheel"; mode = "400"; }; nix_review = { - sopsFile = config.xin-secrets.europa.qbit; + sopsFile = config.xin-secrets.europa.secrets.qbit; owner = "qbit"; group = "wheel"; mode = "400"; }; netrc = { - sopsFile = config.xin-secrets.europa.qbit; + sopsFile = config.xin-secrets.europa.secrets.qbit; owner = "qbit"; group = "wheel"; mode = "400"; }; peerix_private_key = { - sopsFile = config.xin-secrets.europa.peerix; + sopsFile = config.xin-secrets.europa.secrets.peerix; owner = "${peerixUser}"; group = "wheel"; mode = "400"; }; restic_password_file = { - sopsFile = config.xin-secrets.europa.services; + sopsFile = config.xin-secrets.europa.secrets.services; owner = "root"; mode = "400"; }; restic_env_file = { - sopsFile = config.xin-secrets.europa.services; + sopsFile = config.xin-secrets.europa.secrets.services; owner = "root"; mode = "400"; }; restic_remote_password_file = { - sopsFile = config.xin-secrets.europa.services; + sopsFile = config.xin-secrets.europa.secrets.services; owner = "root"; mode = "400"; }; restic_remote_env_file = { - sopsFile = config.xin-secrets.europa.services; + sopsFile = config.xin-secrets.europa.secrets.services; owner = "root"; mode = "400"; }; restic_remote_repo_file = { - sopsFile = config.xin-secrets.europa.services; + sopsFile = config.xin-secrets.europa.secrets.services; owner = 
"root"; mode = "400"; }; diff --git a/hosts/faf/default.nix b/hosts/faf/default.nix index bd6d376..f6f4ff2 100644 --- a/hosts/faf/default.nix +++ b/hosts/faf/default.nix @@ -38,7 +38,6 @@ in users.users = { root = userBase; - qbit = userBase; }; services = { diff --git a/hosts/h/default.nix b/hosts/h/default.nix index 3a267ba..214a9ef 100644 --- a/hosts/h/default.nix +++ b/hosts/h/default.nix 
@@ -95,76 +95,76 @@ in synapse_signing_key = { owner = config.users.users.matrix-synapse.name; mode = "600"; - sopsFile = config.xin-secrets.h.services; + sopsFile = config.xin-secrets.h.secrets.services; }; synapse_shared_secret = { owner = config.users.users.matrix-synapse.name; mode = "600"; - sopsFile = config.xin-secrets.h.services; + sopsFile = config.xin-secrets.h.secrets.services; }; hammer_access_token = { owner = config.users.users.mjolnir.name; mode = "600"; - sopsFile = config.xin-secrets.h.services; + sopsFile = config.xin-secrets.h.secrets.services; }; gqrss_token = { owner = config.users.users.qbit.name; mode = "400"; - sopsFile = config.xin-secrets.h.services; + sopsFile = config.xin-secrets.h.secrets.services; }; restic_env_file = { owner = config.users.users.root.name; mode = "400"; - sopsFile = config.xin-secrets.h.services; + sopsFile = config.xin-secrets.h.secrets.services; }; restic_password_file = { owner = config.users.users.root.name; mode = "400"; - sopsFile = config.xin-secrets.h.services; + sopsFile = config.xin-secrets.h.secrets.services; }; yarr_auth = { owner = config.users.users.yarr.name; mode = "400"; - sopsFile = config.xin-secrets.h.services; + sopsFile = config.xin-secrets.h.secrets.services; }; # TODO: rename router_stats_ts_key = { - sopsFile = config.xin-secrets.h.services; + sopsFile = config.xin-secrets.h.secrets.services; owner = config.users.users.tsvnstat.name; }; #golink = { - # sopsFile = config.xin-secrets.h.services; + # sopsFile = config.xin-secrets.h.secrets.services; # owner = config.users.users.golink.name; #}; gostart = { - sopsFile = config.xin-secrets.h.services; + sopsFile = config.xin-secrets.h.secrets.services; owner = config.users.users.gostart.name; }; - wireguard_private_key = { sopsFile = config.xin-secrets.h.services; }; + wireguard_private_key = { sopsFile = config.xin-secrets.h.secrets.services; }; pots_env_file = { owner = config.users.users.pots.name; mode = "400"; - sopsFile = 
config.xin-secrets.h.services; + sopsFile = config.xin-secrets.h.secrets.services; }; sliding_sync_env = { owner = config.services.sliding-sync.user; mode = "400"; - sopsFile = config.xin-secrets.h.services; + sopsFile = config.xin-secrets.h.secrets.services; }; pr_status_env = { mode = "400"; owner = config.services.tsrevprox.user; - sopsFile = config.xin-secrets.h.services; + sopsFile = config.xin-secrets.h.secrets.services; }; qbit_at_suah_pass_file = { mode = "400"; owner = "root"; - sopsFile = config.xin-secrets.h.services; + sopsFile = config.xin-secrets.h.secrets.services; }; #wallabag_secret = { # mode = "400"; # owner = "wallabag"; - # sopsFile = config.xin-secrets.h.services; + # sopsFile = config.xin-secrets.h.secrets.services; #}; }; diff --git a/hosts/stan/default.nix b/hosts/stan/default.nix index 027e392..aaaf58a 100644 --- a/hosts/stan/default.nix +++ b/hosts/stan/default.nix 
@@ -121,40 +121,40 @@ in sops.secrets = { rkvm_cert = { - sopsFile = config.xin-secrets.stan.main; + sopsFile = config.xin-secrets.stan.secrets.main; owner = "root"; group = "wheel"; mode = "400"; }; vm_pass = { - sopsFile = config.xin-secrets.stan.main; + sopsFile = config.xin-secrets.stan.secrets.main; owner = "root"; group = "wheel"; mode = "400"; }; peerix_private_key = { - sopsFile = config.xin-secrets.stan.peerix; + sopsFile = config.xin-secrets.stan.secrets.peerix; owner = "${peerixUser}"; group = "wheel"; mode = "400"; }; restic_password_file = { - sopsFile = config.xin-secrets.stan.main; + sopsFile = config.xin-secrets.stan.secrets.main; owner = "root"; mode = "400"; }; restic_env_file = { - sopsFile = config.xin-secrets.stan.main; + sopsFile = config.xin-secrets.stan.secrets.main; owner = "root"; mode = "400"; }; restic_repo_file = { - sopsFile = config.xin-secrets.stan.main; + sopsFile = config.xin-secrets.stan.secrets.main; owner = "root"; mode = "400"; }; abieber_hash = { - sopsFile = config.xin-secrets.user_passwords; + sopsFile = config.xin-secrets.stan.user_passwords.abieber; owner = "root"; mode = "400"; neededForUsers = true; diff --git a/users/default.nix b/users/default.nix index 656b70a..8331ebd 100644 --- a/users/default.nix +++ b/users/default.nix @@ -1,7 +1,6 @@ { config , lib , pkgs -, isUnstable , ... }: with lib; let 
@@ -24,43 +23,56 @@ in }; }; - config = mkIf config.defaultUsers.enable { - sops = { - age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - secrets = { - "${config.networking.hostName}_hash" = { - sopsFile = config.xin-secrets.root_passwords; - owner = "root"; - mode = "400"; - neededForUsers = true; + config = + let + hasQbit = + if builtins.hasAttr "qbit" config.xin-secrets.${config.networking.hostName}.user_passwords then + true + else false; + in + mkIf config.defaultUsers.enable { + sops = + { + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + secrets = mkMerge [ + ({ + root_hash = + { + sopsFile = config.xin-secrets.${config.networking.hostName}.user_passwords.root; + owner = "root"; + mode = "400"; + neededForUsers = true; + }; + }) + (mkIf hasQbit { + qbit_hash = { + sopsFile = config.xin-secrets.${config.networking.hostName}.user_passwords.qbit; + owner = "root"; + mode = "400"; + neededForUsers = true; + }; + }) + ]; }; - qbit_hash = { - sopsFile = config.xin-secrets.user_passwords; - owner = "root"; - mode = "400"; - neededForUsers = true; - }; - }; - }; - users = { - mutableUsers = false; users = { - root = userBase // { - hashedPasswordFile = config.sops.secrets."${config.networking.hostName}_hash".path; - }; - qbit = userBase // { - isNormalUser = true; - description = "Aaron Bieber"; - home = "/home/qbit"; - extraGroups = [ "wheel" ]; - hashedPasswordFile = config.sops.secrets.qbit_hash.path; - }; + mutableUsers = false; + users = mkMerge [ + ( + { + root = userBase // { + hashedPasswordFile = config.sops.secrets.root_hash.path; + }; + }) + (mkIf hasQbit { + qbit = userBase // { + isNormalUser = true; + description = "Aaron Bieber"; + home = "/home/qbit"; + extraGroups = [ "wheel" ]; + hashedPasswordFile = config.sops.secrets.qbit_hash.path; + }; + }) + ]; }; }; - - environment.systemPackages = - if isUnstable - then [ pkgs.yash pkgs.go ] - else [ pkgs.go ]; - }; }
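Review bot: `hasQbit` in the new `let` block is written as `if builtins.hasAttr … then true else false`, which only restates the boolean; `hasQbit = builtins.hasAttr "qbit" config.xin-secrets.${config.networking.hostName}.user_passwords;` reads the same. The new `root_hash` entry makes `xin-secrets.<host>.user_passwords.root` mandatory for every host that enables `defaultUsers`, and if I read Nix evaluation right the `hasAttr` probe itself throws when `user_passwords` is absent for the host, so a comment above the binding along the lines of `# xin-secrets must provide user_passwords.root for this host; qbit is optional` would turn a confusing evaluation failure into a documented requirement. The secret is also renamed from `"${config.networking.hostName}_hash"` to `root_hash`; any other module that still reads `config.sops.secrets."<host>_hash".path` would now fail, which I cannot verify from this patch. The hunk additionally drops `environment.systemPackages` (and the `-1,7 +1,6` hunk drops the `isUnstable` argument with it), which is unrelated to the secrets switch in the subject and deserves a sentence in the description.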