all: switch to using dynamic entries in xin-secrets

Aaron Bieber 2024-03-21 22:08:30 -06:00
parent 4d2c3a2365
commit 88a5de8402
No known key found for this signature in database
8 changed files with 98 additions and 87 deletions


@ -584,11 +584,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1710255097, "lastModified": 1711079899,
"narHash": "sha256-x2om2VDoJ8dP9MDltW6LnsTLXbVnUs9Y478smAp9Kiw=", "narHash": "sha256-wsLqZx0llg7wWSsQURUSqlrf2dQbsDVnm1z+FB8oj5w=",
"ref": "main", "ref": "main",
"rev": "6c5ab9d3f036e6c430297d34872d72c9c593a60f", "rev": "079e4fff5a6f431cd5287f6b1469924aee079b87",
"revCount": 136, "revCount": 142,
"type": "git", "type": "git",
"url": "ssh://xin-secrets-ro/qbit/xin-secrets.git" "url": "ssh://xin-secrets-ro/qbit/xin-secrets.git"
}, },


@ -240,7 +240,7 @@
nixos-hardware.nixosModules.framework-11th-gen-intel nixos-hardware.nixosModules.framework-11th-gen-intel
] "stan"; ] "stan";
weather = buildSys "aarch64-linux" stable [ ] "weather"; weather = buildSys "aarch64-linux" stable [ ] "weather";
octo = buildSys "aarch64-linux" stable [ ] "octo"; #octo = buildSys "aarch64-linux" stable [ ] "octo";
faf = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "faf"; faf = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "faf";
box = buildSys "x86_64-linux" unstable [ ./configs/hardened.nix ] "box"; box = buildSys "x86_64-linux" unstable [ ./configs/hardened.nix ] "box";
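Review bot: Commenting out the `octo` build (the `#octo = buildSys "aarch64-linux" stable [ ] "octo";` line) is not covered by the commit message, and a bare commented-out line leaves the next reader guessing whether the host is retired or only waiting on something. If it is waiting on a matching per-host entry in xin-secrets (which the `defaultUsers` module in this same commit now looks up by hostname), say so next to it, e.g. `# octo: build disabled — <reason placeholder>; re-enable once <condition placeholder>`; otherwise delete the line rather than keep it commented out. The attribute set holding the `buildSys` calls continues outside the hunk on both sides.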


@ -40,7 +40,7 @@ let
]; ];
userBase = { openssh.authorizedKeys.keys = pubKeys; }; userBase = { openssh.authorizedKeys.keys = pubKeys; };
mkNginxSecret = { mkNginxSecret = {
sopsFile = config.xin-secrets.box.certs; sopsFile = config.xin-secrets.box.secrets.certs;
owner = config.users.users.nginx.name; owner = config.users.users.nginx.name;
mode = "400"; mode = "400";
}; };
@ -55,30 +55,30 @@ in
sops.secrets = { sops.secrets = {
#nextcloud_db_pass = { #nextcloud_db_pass = {
# owner = config.users.users.nextcloud.name; # owner = config.users.users.nextcloud.name;
# sopsFile = config.xin-secrets.box.services; # sopsFile = config.xin-secrets.box.secrets.services;
#}; #};
#nextcloud_admin_pass = { #nextcloud_admin_pass = {
# owner = config.users.users.nextcloud.name; # owner = config.users.users.nextcloud.name;
# sopsFile = config.xin-secrets.box.services; # sopsFile = config.xin-secrets.box.secrets.services;
#}; #};
#photoprism_admin_password = {sopsFile = config.xin-secrets.box.services;}; #photoprism_admin_password = {sopsFile = config.xin-secrets.box.secrets.services;};
gitea_db_pass = { gitea_db_pass = {
owner = config.users.users.gitea.name; owner = config.users.users.gitea.name;
sopsFile = config.xin-secrets.box.services; sopsFile = config.xin-secrets.box.secrets.services;
}; };
"bitwarden_rs.env" = { sopsFile = config.xin-secrets.box.services; }; "bitwarden_rs.env" = { sopsFile = config.xin-secrets.box.secrets.services; };
"wireguard_private_key" = { sopsFile = config.xin-secrets.box.services; }; "wireguard_private_key" = { sopsFile = config.xin-secrets.box.secrets.services; };
"restic_htpasswd" = { "restic_htpasswd" = {
owner = config.users.users.restic.name; owner = config.users.users.restic.name;
sopsFile = config.xin-secrets.box.services; sopsFile = config.xin-secrets.box.secrets.services;
}; };
restic_cert = { restic_cert = {
owner = config.users.users.restic.name; owner = config.users.users.restic.name;
sopsFile = config.xin-secrets.box.certs; sopsFile = config.xin-secrets.box.secrets.certs;
}; };
restic_key = { restic_key = {
owner = config.users.users.restic.name; owner = config.users.users.restic.name;
sopsFile = config.xin-secrets.box.certs; sopsFile = config.xin-secrets.box.secrets.certs;
}; };
books_cert = mkNginxSecret; books_cert = mkNginxSecret;


@ -40,69 +40,69 @@ in
sops.secrets = { sops.secrets = {
rkvm_cert = { rkvm_cert = {
sopsFile = config.xin-secrets.europa.qbit; sopsFile = config.xin-secrets.europa.secrets.qbit;
owner = "root"; owner = "root";
group = "wheel"; group = "wheel";
mode = "400"; mode = "400";
}; };
rkvm_key = { rkvm_key = {
sopsFile = config.xin-secrets.europa.qbit; sopsFile = config.xin-secrets.europa.secrets.qbit;
owner = "root"; owner = "root";
group = "wheel"; group = "wheel";
mode = "400"; mode = "400";
}; };
fastmail = { fastmail = {
sopsFile = config.xin-secrets.europa.qbit; sopsFile = config.xin-secrets.europa.secrets.qbit;
owner = "qbit"; owner = "qbit";
group = "wheel"; group = "wheel";
mode = "400"; mode = "400";
}; };
fastmail_user = { fastmail_user = {
sopsFile = config.xin-secrets.europa.qbit; sopsFile = config.xin-secrets.europa.secrets.qbit;
owner = "qbit"; owner = "qbit";
group = "wheel"; group = "wheel";
mode = "400"; mode = "400";
}; };
nix_review = { nix_review = {
sopsFile = config.xin-secrets.europa.qbit; sopsFile = config.xin-secrets.europa.secrets.qbit;
owner = "qbit"; owner = "qbit";
group = "wheel"; group = "wheel";
mode = "400"; mode = "400";
}; };
netrc = { netrc = {
sopsFile = config.xin-secrets.europa.qbit; sopsFile = config.xin-secrets.europa.secrets.qbit;
owner = "qbit"; owner = "qbit";
group = "wheel"; group = "wheel";
mode = "400"; mode = "400";
}; };
peerix_private_key = { peerix_private_key = {
sopsFile = config.xin-secrets.europa.peerix; sopsFile = config.xin-secrets.europa.secrets.peerix;
owner = "${peerixUser}"; owner = "${peerixUser}";
group = "wheel"; group = "wheel";
mode = "400"; mode = "400";
}; };
restic_password_file = { restic_password_file = {
sopsFile = config.xin-secrets.europa.services; sopsFile = config.xin-secrets.europa.secrets.services;
owner = "root"; owner = "root";
mode = "400"; mode = "400";
}; };
restic_env_file = { restic_env_file = {
sopsFile = config.xin-secrets.europa.services; sopsFile = config.xin-secrets.europa.secrets.services;
owner = "root"; owner = "root";
mode = "400"; mode = "400";
}; };
restic_remote_password_file = { restic_remote_password_file = {
sopsFile = config.xin-secrets.europa.services; sopsFile = config.xin-secrets.europa.secrets.services;
owner = "root"; owner = "root";
mode = "400"; mode = "400";
}; };
restic_remote_env_file = { restic_remote_env_file = {
sopsFile = config.xin-secrets.europa.services; sopsFile = config.xin-secrets.europa.secrets.services;
owner = "root"; owner = "root";
mode = "400"; mode = "400";
}; };
restic_remote_repo_file = { restic_remote_repo_file = {
sopsFile = config.xin-secrets.europa.services; sopsFile = config.xin-secrets.europa.secrets.services;
owner = "root"; owner = "root";
mode = "400"; mode = "400";
}; };


@ -38,7 +38,6 @@ in
users.users = { users.users = {
root = userBase; root = userBase;
qbit = userBase;
}; };
services = { services = {


@ -95,76 +95,76 @@ in
synapse_signing_key = { synapse_signing_key = {
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
mode = "600"; mode = "600";
sopsFile = config.xin-secrets.h.services; sopsFile = config.xin-secrets.h.secrets.services;
}; };
synapse_shared_secret = { synapse_shared_secret = {
owner = config.users.users.matrix-synapse.name; owner = config.users.users.matrix-synapse.name;
mode = "600"; mode = "600";
sopsFile = config.xin-secrets.h.services; sopsFile = config.xin-secrets.h.secrets.services;
}; };
hammer_access_token = { hammer_access_token = {
owner = config.users.users.mjolnir.name; owner = config.users.users.mjolnir.name;
mode = "600"; mode = "600";
sopsFile = config.xin-secrets.h.services; sopsFile = config.xin-secrets.h.secrets.services;
}; };
gqrss_token = { gqrss_token = {
owner = config.users.users.qbit.name; owner = config.users.users.qbit.name;
mode = "400"; mode = "400";
sopsFile = config.xin-secrets.h.services; sopsFile = config.xin-secrets.h.secrets.services;
}; };
restic_env_file = { restic_env_file = {
owner = config.users.users.root.name; owner = config.users.users.root.name;
mode = "400"; mode = "400";
sopsFile = config.xin-secrets.h.services; sopsFile = config.xin-secrets.h.secrets.services;
}; };
restic_password_file = { restic_password_file = {
owner = config.users.users.root.name; owner = config.users.users.root.name;
mode = "400"; mode = "400";
sopsFile = config.xin-secrets.h.services; sopsFile = config.xin-secrets.h.secrets.services;
}; };
yarr_auth = { yarr_auth = {
owner = config.users.users.yarr.name; owner = config.users.users.yarr.name;
mode = "400"; mode = "400";
sopsFile = config.xin-secrets.h.services; sopsFile = config.xin-secrets.h.secrets.services;
}; };
# TODO: rename # TODO: rename
router_stats_ts_key = { router_stats_ts_key = {
sopsFile = config.xin-secrets.h.services; sopsFile = config.xin-secrets.h.secrets.services;
owner = config.users.users.tsvnstat.name; owner = config.users.users.tsvnstat.name;
}; };
#golink = { #golink = {
# sopsFile = config.xin-secrets.h.services; # sopsFile = config.xin-secrets.h.secrets.services;
# owner = config.users.users.golink.name; # owner = config.users.users.golink.name;
#}; #};
gostart = { gostart = {
sopsFile = config.xin-secrets.h.services; sopsFile = config.xin-secrets.h.secrets.services;
owner = config.users.users.gostart.name; owner = config.users.users.gostart.name;
}; };
wireguard_private_key = { sopsFile = config.xin-secrets.h.services; }; wireguard_private_key = { sopsFile = config.xin-secrets.h.secrets.services; };
pots_env_file = { pots_env_file = {
owner = config.users.users.pots.name; owner = config.users.users.pots.name;
mode = "400"; mode = "400";
sopsFile = config.xin-secrets.h.services; sopsFile = config.xin-secrets.h.secrets.services;
}; };
sliding_sync_env = { sliding_sync_env = {
owner = config.services.sliding-sync.user; owner = config.services.sliding-sync.user;
mode = "400"; mode = "400";
sopsFile = config.xin-secrets.h.services; sopsFile = config.xin-secrets.h.secrets.services;
}; };
pr_status_env = { pr_status_env = {
mode = "400"; mode = "400";
owner = config.services.tsrevprox.user; owner = config.services.tsrevprox.user;
sopsFile = config.xin-secrets.h.services; sopsFile = config.xin-secrets.h.secrets.services;
}; };
qbit_at_suah_pass_file = { qbit_at_suah_pass_file = {
mode = "400"; mode = "400";
owner = "root"; owner = "root";
sopsFile = config.xin-secrets.h.services; sopsFile = config.xin-secrets.h.secrets.services;
}; };
#wallabag_secret = { #wallabag_secret = {
# mode = "400"; # mode = "400";
# owner = "wallabag"; # owner = "wallabag";
# sopsFile = config.xin-secrets.h.services; # sopsFile = config.xin-secrets.h.secrets.services;
#}; #};
}; };


@ -121,40 +121,40 @@ in
sops.secrets = { sops.secrets = {
rkvm_cert = { rkvm_cert = {
sopsFile = config.xin-secrets.stan.main; sopsFile = config.xin-secrets.stan.secrets.main;
owner = "root"; owner = "root";
group = "wheel"; group = "wheel";
mode = "400"; mode = "400";
}; };
vm_pass = { vm_pass = {
sopsFile = config.xin-secrets.stan.main; sopsFile = config.xin-secrets.stan.secrets.main;
owner = "root"; owner = "root";
group = "wheel"; group = "wheel";
mode = "400"; mode = "400";
}; };
peerix_private_key = { peerix_private_key = {
sopsFile = config.xin-secrets.stan.peerix; sopsFile = config.xin-secrets.stan.secrets.peerix;
owner = "${peerixUser}"; owner = "${peerixUser}";
group = "wheel"; group = "wheel";
mode = "400"; mode = "400";
}; };
restic_password_file = { restic_password_file = {
sopsFile = config.xin-secrets.stan.main; sopsFile = config.xin-secrets.stan.secrets.main;
owner = "root"; owner = "root";
mode = "400"; mode = "400";
}; };
restic_env_file = { restic_env_file = {
sopsFile = config.xin-secrets.stan.main; sopsFile = config.xin-secrets.stan.secrets.main;
owner = "root"; owner = "root";
mode = "400"; mode = "400";
}; };
restic_repo_file = { restic_repo_file = {
sopsFile = config.xin-secrets.stan.main; sopsFile = config.xin-secrets.stan.secrets.main;
owner = "root"; owner = "root";
mode = "400"; mode = "400";
}; };
abieber_hash = { abieber_hash = {
sopsFile = config.xin-secrets.user_passwords; sopsFile = config.xin-secrets.stan.user_passwords.abieber;
owner = "root"; owner = "root";
mode = "400"; mode = "400";
neededForUsers = true; neededForUsers = true;


@ -1,7 +1,6 @@
{ config { config
, lib , lib
, pkgs , pkgs
, isUnstable
, ... , ...
}: }:
with lib; let with lib; let
@ -24,30 +23,47 @@ in
}; };
}; };
config = mkIf config.defaultUsers.enable { config =
sops = { let
hasQbit =
if builtins.hasAttr "qbit" config.xin-secrets.${config.networking.hostName}.user_passwords then
true
else false;
in
mkIf config.defaultUsers.enable {
sops =
{
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = { secrets = mkMerge [
"${config.networking.hostName}_hash" = { ({
sopsFile = config.xin-secrets.root_passwords; root_hash =
{
sopsFile = config.xin-secrets.${config.networking.hostName}.user_passwords.root;
owner = "root"; owner = "root";
mode = "400"; mode = "400";
neededForUsers = true; neededForUsers = true;
}; };
})
(mkIf hasQbit {
qbit_hash = { qbit_hash = {
sopsFile = config.xin-secrets.user_passwords; sopsFile = config.xin-secrets.${config.networking.hostName}.user_passwords.qbit;
owner = "root"; owner = "root";
mode = "400"; mode = "400";
neededForUsers = true; neededForUsers = true;
}; };
}; })
];
}; };
users = { users = {
mutableUsers = false; mutableUsers = false;
users = { users = mkMerge [
(
{
root = userBase // { root = userBase // {
hashedPasswordFile = config.sops.secrets."${config.networking.hostName}_hash".path; hashedPasswordFile = config.sops.secrets.root_hash.path;
}; };
})
(mkIf hasQbit {
qbit = userBase // { qbit = userBase // {
isNormalUser = true; isNormalUser = true;
description = "Aaron Bieber"; description = "Aaron Bieber";
@ -55,12 +71,8 @@ in
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
hashedPasswordFile = config.sops.secrets.qbit_hash.path; hashedPasswordFile = config.sops.secrets.qbit_hash.path;
}; };
})
];
}; };
}; };
environment.systemPackages =
if isUnstable
then [ pkgs.yash pkgs.go ]
else [ pkgs.go ];
};
} }
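Review bot: The `hasQbit` binding (`if builtins.hasAttr "qbit" config.xin-secrets.${config.networking.hostName}.user_passwords then true else false`) wraps a boolean in a redundant conditional and, more importantly, indexes `config.xin-secrets.${config.networking.hostName}` before checking that the host key exists, so a host with `defaultUsers.enable` set but no entry in xin-secrets fails with an attribute-missing error instead of simply getting no `qbit` user. Since `lib` is already opened with `with lib;` at the top of the file, this can be `hasQbit = hasAttrByPath [ config.networking.hostName "user_passwords" "qbit" ] config.xin-secrets;`. `root_hash` still dereferences `config.xin-secrets.${config.networking.hostName}.user_passwords.root` unconditionally, so an `assertions` entry naming the missing host would give that case a readable failure, and the rename of the secret from `"${config.networking.hostName}_hash"` to `root_hash` silently breaks any other module that still reads the old name, if one exists. Dropping the `isUnstable` parameter also drops `environment.systemPackages` (`pkgs.go`, `pkgs.yash`) from every host that imports this module, which the commit message does not mention — worth a line there if it is intended. The `let … in` holding `userBase` and the option declaration starts outside the second hunk.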