all: switch to using dynamic entries in xin-secrets
This commit is contained in:
parent
4d2c3a2365
commit
88a5de8402
@ -584,11 +584,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1710255097,
|
"lastModified": 1711079899,
|
||||||
"narHash": "sha256-x2om2VDoJ8dP9MDltW6LnsTLXbVnUs9Y478smAp9Kiw=",
|
"narHash": "sha256-wsLqZx0llg7wWSsQURUSqlrf2dQbsDVnm1z+FB8oj5w=",
|
||||||
"ref": "main",
|
"ref": "main",
|
||||||
"rev": "6c5ab9d3f036e6c430297d34872d72c9c593a60f",
|
"rev": "079e4fff5a6f431cd5287f6b1469924aee079b87",
|
||||||
"revCount": 136,
|
"revCount": 142,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://xin-secrets-ro/qbit/xin-secrets.git"
|
"url": "ssh://xin-secrets-ro/qbit/xin-secrets.git"
|
||||||
},
|
},
|
||||||
|
@ -240,7 +240,7 @@
|
|||||||
nixos-hardware.nixosModules.framework-11th-gen-intel
|
nixos-hardware.nixosModules.framework-11th-gen-intel
|
||||||
] "stan";
|
] "stan";
|
||||||
weather = buildSys "aarch64-linux" stable [ ] "weather";
|
weather = buildSys "aarch64-linux" stable [ ] "weather";
|
||||||
octo = buildSys "aarch64-linux" stable [ ] "octo";
|
#octo = buildSys "aarch64-linux" stable [ ] "octo";
|
||||||
|
|
||||||
faf = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "faf";
|
faf = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "faf";
|
||||||
box = buildSys "x86_64-linux" unstable [ ./configs/hardened.nix ] "box";
|
box = buildSys "x86_64-linux" unstable [ ./configs/hardened.nix ] "box";
|
||||||
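Review bot: `#octo = buildSys "aarch64-linux" stable [ ] "octo";` leaves the host definition as commented-out code with no reason recorded, and the change is unrelated to the xin-secrets refactor named in the commit title. Either delete the line outright (history keeps it) or leave a one-line reason next to it, e.g. `# octo disabled: <reason placeholder>`, so the next reader knows whether it is meant to come back. If the host is retired for good, its entries elsewhere in the flake can likely go too, but that is not visible from this hunk.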
|
@ -40,7 +40,7 @@ let
|
|||||||
];
|
];
|
||||||
userBase = { openssh.authorizedKeys.keys = pubKeys; };
|
userBase = { openssh.authorizedKeys.keys = pubKeys; };
|
||||||
mkNginxSecret = {
|
mkNginxSecret = {
|
||||||
sopsFile = config.xin-secrets.box.certs;
|
sopsFile = config.xin-secrets.box.secrets.certs;
|
||||||
owner = config.users.users.nginx.name;
|
owner = config.users.users.nginx.name;
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
@ -55,30 +55,30 @@ in
|
|||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
#nextcloud_db_pass = {
|
#nextcloud_db_pass = {
|
||||||
# owner = config.users.users.nextcloud.name;
|
# owner = config.users.users.nextcloud.name;
|
||||||
# sopsFile = config.xin-secrets.box.services;
|
# sopsFile = config.xin-secrets.box.secrets.services;
|
||||||
#};
|
#};
|
||||||
#nextcloud_admin_pass = {
|
#nextcloud_admin_pass = {
|
||||||
# owner = config.users.users.nextcloud.name;
|
# owner = config.users.users.nextcloud.name;
|
||||||
# sopsFile = config.xin-secrets.box.services;
|
# sopsFile = config.xin-secrets.box.secrets.services;
|
||||||
#};
|
#};
|
||||||
#photoprism_admin_password = {sopsFile = config.xin-secrets.box.services;};
|
#photoprism_admin_password = {sopsFile = config.xin-secrets.box.secrets.services;};
|
||||||
gitea_db_pass = {
|
gitea_db_pass = {
|
||||||
owner = config.users.users.gitea.name;
|
owner = config.users.users.gitea.name;
|
||||||
sopsFile = config.xin-secrets.box.services;
|
sopsFile = config.xin-secrets.box.secrets.services;
|
||||||
};
|
};
|
||||||
"bitwarden_rs.env" = { sopsFile = config.xin-secrets.box.services; };
|
"bitwarden_rs.env" = { sopsFile = config.xin-secrets.box.secrets.services; };
|
||||||
"wireguard_private_key" = { sopsFile = config.xin-secrets.box.services; };
|
"wireguard_private_key" = { sopsFile = config.xin-secrets.box.secrets.services; };
|
||||||
"restic_htpasswd" = {
|
"restic_htpasswd" = {
|
||||||
owner = config.users.users.restic.name;
|
owner = config.users.users.restic.name;
|
||||||
sopsFile = config.xin-secrets.box.services;
|
sopsFile = config.xin-secrets.box.secrets.services;
|
||||||
};
|
};
|
||||||
restic_cert = {
|
restic_cert = {
|
||||||
owner = config.users.users.restic.name;
|
owner = config.users.users.restic.name;
|
||||||
sopsFile = config.xin-secrets.box.certs;
|
sopsFile = config.xin-secrets.box.secrets.certs;
|
||||||
};
|
};
|
||||||
restic_key = {
|
restic_key = {
|
||||||
owner = config.users.users.restic.name;
|
owner = config.users.users.restic.name;
|
||||||
sopsFile = config.xin-secrets.box.certs;
|
sopsFile = config.xin-secrets.box.secrets.certs;
|
||||||
};
|
};
|
||||||
|
|
||||||
books_cert = mkNginxSecret;
|
books_cert = mkNginxSecret;
|
||||||
|
@ -40,69 +40,69 @@ in
|
|||||||
|
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
rkvm_cert = {
|
rkvm_cert = {
|
||||||
sopsFile = config.xin-secrets.europa.qbit;
|
sopsFile = config.xin-secrets.europa.secrets.qbit;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
group = "wheel";
|
group = "wheel";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
rkvm_key = {
|
rkvm_key = {
|
||||||
sopsFile = config.xin-secrets.europa.qbit;
|
sopsFile = config.xin-secrets.europa.secrets.qbit;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
group = "wheel";
|
group = "wheel";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
fastmail = {
|
fastmail = {
|
||||||
sopsFile = config.xin-secrets.europa.qbit;
|
sopsFile = config.xin-secrets.europa.secrets.qbit;
|
||||||
owner = "qbit";
|
owner = "qbit";
|
||||||
group = "wheel";
|
group = "wheel";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
fastmail_user = {
|
fastmail_user = {
|
||||||
sopsFile = config.xin-secrets.europa.qbit;
|
sopsFile = config.xin-secrets.europa.secrets.qbit;
|
||||||
owner = "qbit";
|
owner = "qbit";
|
||||||
group = "wheel";
|
group = "wheel";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
nix_review = {
|
nix_review = {
|
||||||
sopsFile = config.xin-secrets.europa.qbit;
|
sopsFile = config.xin-secrets.europa.secrets.qbit;
|
||||||
owner = "qbit";
|
owner = "qbit";
|
||||||
group = "wheel";
|
group = "wheel";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
netrc = {
|
netrc = {
|
||||||
sopsFile = config.xin-secrets.europa.qbit;
|
sopsFile = config.xin-secrets.europa.secrets.qbit;
|
||||||
owner = "qbit";
|
owner = "qbit";
|
||||||
group = "wheel";
|
group = "wheel";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
peerix_private_key = {
|
peerix_private_key = {
|
||||||
sopsFile = config.xin-secrets.europa.peerix;
|
sopsFile = config.xin-secrets.europa.secrets.peerix;
|
||||||
owner = "${peerixUser}";
|
owner = "${peerixUser}";
|
||||||
group = "wheel";
|
group = "wheel";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
restic_password_file = {
|
restic_password_file = {
|
||||||
sopsFile = config.xin-secrets.europa.services;
|
sopsFile = config.xin-secrets.europa.secrets.services;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
restic_env_file = {
|
restic_env_file = {
|
||||||
sopsFile = config.xin-secrets.europa.services;
|
sopsFile = config.xin-secrets.europa.secrets.services;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
restic_remote_password_file = {
|
restic_remote_password_file = {
|
||||||
sopsFile = config.xin-secrets.europa.services;
|
sopsFile = config.xin-secrets.europa.secrets.services;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
restic_remote_env_file = {
|
restic_remote_env_file = {
|
||||||
sopsFile = config.xin-secrets.europa.services;
|
sopsFile = config.xin-secrets.europa.secrets.services;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
restic_remote_repo_file = {
|
restic_remote_repo_file = {
|
||||||
sopsFile = config.xin-secrets.europa.services;
|
sopsFile = config.xin-secrets.europa.secrets.services;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
|
@ -38,7 +38,6 @@ in
|
|||||||
|
|
||||||
users.users = {
|
users.users = {
|
||||||
root = userBase;
|
root = userBase;
|
||||||
qbit = userBase;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
|
@ -95,76 +95,76 @@ in
|
|||||||
synapse_signing_key = {
|
synapse_signing_key = {
|
||||||
owner = config.users.users.matrix-synapse.name;
|
owner = config.users.users.matrix-synapse.name;
|
||||||
mode = "600";
|
mode = "600";
|
||||||
sopsFile = config.xin-secrets.h.services;
|
sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
};
|
};
|
||||||
synapse_shared_secret = {
|
synapse_shared_secret = {
|
||||||
owner = config.users.users.matrix-synapse.name;
|
owner = config.users.users.matrix-synapse.name;
|
||||||
mode = "600";
|
mode = "600";
|
||||||
sopsFile = config.xin-secrets.h.services;
|
sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
};
|
};
|
||||||
hammer_access_token = {
|
hammer_access_token = {
|
||||||
owner = config.users.users.mjolnir.name;
|
owner = config.users.users.mjolnir.name;
|
||||||
mode = "600";
|
mode = "600";
|
||||||
sopsFile = config.xin-secrets.h.services;
|
sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
};
|
};
|
||||||
gqrss_token = {
|
gqrss_token = {
|
||||||
owner = config.users.users.qbit.name;
|
owner = config.users.users.qbit.name;
|
||||||
mode = "400";
|
mode = "400";
|
||||||
sopsFile = config.xin-secrets.h.services;
|
sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
};
|
};
|
||||||
restic_env_file = {
|
restic_env_file = {
|
||||||
owner = config.users.users.root.name;
|
owner = config.users.users.root.name;
|
||||||
mode = "400";
|
mode = "400";
|
||||||
sopsFile = config.xin-secrets.h.services;
|
sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
};
|
};
|
||||||
restic_password_file = {
|
restic_password_file = {
|
||||||
owner = config.users.users.root.name;
|
owner = config.users.users.root.name;
|
||||||
mode = "400";
|
mode = "400";
|
||||||
sopsFile = config.xin-secrets.h.services;
|
sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
};
|
};
|
||||||
yarr_auth = {
|
yarr_auth = {
|
||||||
owner = config.users.users.yarr.name;
|
owner = config.users.users.yarr.name;
|
||||||
mode = "400";
|
mode = "400";
|
||||||
sopsFile = config.xin-secrets.h.services;
|
sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
};
|
};
|
||||||
# TODO: rename
|
# TODO: rename
|
||||||
router_stats_ts_key = {
|
router_stats_ts_key = {
|
||||||
sopsFile = config.xin-secrets.h.services;
|
sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
owner = config.users.users.tsvnstat.name;
|
owner = config.users.users.tsvnstat.name;
|
||||||
};
|
};
|
||||||
#golink = {
|
#golink = {
|
||||||
# sopsFile = config.xin-secrets.h.services;
|
# sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
# owner = config.users.users.golink.name;
|
# owner = config.users.users.golink.name;
|
||||||
#};
|
#};
|
||||||
gostart = {
|
gostart = {
|
||||||
sopsFile = config.xin-secrets.h.services;
|
sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
owner = config.users.users.gostart.name;
|
owner = config.users.users.gostart.name;
|
||||||
};
|
};
|
||||||
wireguard_private_key = { sopsFile = config.xin-secrets.h.services; };
|
wireguard_private_key = { sopsFile = config.xin-secrets.h.secrets.services; };
|
||||||
pots_env_file = {
|
pots_env_file = {
|
||||||
owner = config.users.users.pots.name;
|
owner = config.users.users.pots.name;
|
||||||
mode = "400";
|
mode = "400";
|
||||||
sopsFile = config.xin-secrets.h.services;
|
sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
};
|
};
|
||||||
sliding_sync_env = {
|
sliding_sync_env = {
|
||||||
owner = config.services.sliding-sync.user;
|
owner = config.services.sliding-sync.user;
|
||||||
mode = "400";
|
mode = "400";
|
||||||
sopsFile = config.xin-secrets.h.services;
|
sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
};
|
};
|
||||||
pr_status_env = {
|
pr_status_env = {
|
||||||
mode = "400";
|
mode = "400";
|
||||||
owner = config.services.tsrevprox.user;
|
owner = config.services.tsrevprox.user;
|
||||||
sopsFile = config.xin-secrets.h.services;
|
sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
};
|
};
|
||||||
qbit_at_suah_pass_file = {
|
qbit_at_suah_pass_file = {
|
||||||
mode = "400";
|
mode = "400";
|
||||||
owner = "root";
|
owner = "root";
|
||||||
sopsFile = config.xin-secrets.h.services;
|
sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
};
|
};
|
||||||
#wallabag_secret = {
|
#wallabag_secret = {
|
||||||
# mode = "400";
|
# mode = "400";
|
||||||
# owner = "wallabag";
|
# owner = "wallabag";
|
||||||
# sopsFile = config.xin-secrets.h.services;
|
# sopsFile = config.xin-secrets.h.secrets.services;
|
||||||
#};
|
#};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -121,40 +121,40 @@ in
|
|||||||
|
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
rkvm_cert = {
|
rkvm_cert = {
|
||||||
sopsFile = config.xin-secrets.stan.main;
|
sopsFile = config.xin-secrets.stan.secrets.main;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
group = "wheel";
|
group = "wheel";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
vm_pass = {
|
vm_pass = {
|
||||||
sopsFile = config.xin-secrets.stan.main;
|
sopsFile = config.xin-secrets.stan.secrets.main;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
group = "wheel";
|
group = "wheel";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
peerix_private_key = {
|
peerix_private_key = {
|
||||||
sopsFile = config.xin-secrets.stan.peerix;
|
sopsFile = config.xin-secrets.stan.secrets.peerix;
|
||||||
owner = "${peerixUser}";
|
owner = "${peerixUser}";
|
||||||
group = "wheel";
|
group = "wheel";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
restic_password_file = {
|
restic_password_file = {
|
||||||
sopsFile = config.xin-secrets.stan.main;
|
sopsFile = config.xin-secrets.stan.secrets.main;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
restic_env_file = {
|
restic_env_file = {
|
||||||
sopsFile = config.xin-secrets.stan.main;
|
sopsFile = config.xin-secrets.stan.secrets.main;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
restic_repo_file = {
|
restic_repo_file = {
|
||||||
sopsFile = config.xin-secrets.stan.main;
|
sopsFile = config.xin-secrets.stan.secrets.main;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
abieber_hash = {
|
abieber_hash = {
|
||||||
sopsFile = config.xin-secrets.user_passwords;
|
sopsFile = config.xin-secrets.stan.user_passwords.abieber;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
neededForUsers = true;
|
neededForUsers = true;
|
||||||
|
@ -1,7 +1,6 @@
|
|||||||
{ config
|
{ config
|
||||||
, lib
|
, lib
|
||||||
, pkgs
|
, pkgs
|
||||||
, isUnstable
|
|
||||||
, ...
|
, ...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
@ -24,30 +23,47 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf config.defaultUsers.enable {
|
config =
|
||||||
sops = {
|
let
|
||||||
|
hasQbit =
|
||||||
|
if builtins.hasAttr "qbit" config.xin-secrets.${config.networking.hostName}.user_passwords then
|
||||||
|
true
|
||||||
|
else false;
|
||||||
|
in
|
||||||
|
mkIf config.defaultUsers.enable {
|
||||||
|
sops =
|
||||||
|
{
|
||||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
secrets = {
|
secrets = mkMerge [
|
||||||
"${config.networking.hostName}_hash" = {
|
({
|
||||||
sopsFile = config.xin-secrets.root_passwords;
|
root_hash =
|
||||||
|
{
|
||||||
|
sopsFile = config.xin-secrets.${config.networking.hostName}.user_passwords.root;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
neededForUsers = true;
|
neededForUsers = true;
|
||||||
};
|
};
|
||||||
|
})
|
||||||
|
(mkIf hasQbit {
|
||||||
qbit_hash = {
|
qbit_hash = {
|
||||||
sopsFile = config.xin-secrets.user_passwords;
|
sopsFile = config.xin-secrets.${config.networking.hostName}.user_passwords.qbit;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
neededForUsers = true;
|
neededForUsers = true;
|
||||||
};
|
};
|
||||||
};
|
})
|
||||||
|
];
|
||||||
};
|
};
|
||||||
users = {
|
users = {
|
||||||
mutableUsers = false;
|
mutableUsers = false;
|
||||||
users = {
|
users = mkMerge [
|
||||||
|
(
|
||||||
|
{
|
||||||
root = userBase // {
|
root = userBase // {
|
||||||
hashedPasswordFile = config.sops.secrets."${config.networking.hostName}_hash".path;
|
hashedPasswordFile = config.sops.secrets.root_hash.path;
|
||||||
};
|
};
|
||||||
|
})
|
||||||
|
(mkIf hasQbit {
|
||||||
qbit = userBase // {
|
qbit = userBase // {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
description = "Aaron Bieber";
|
description = "Aaron Bieber";
|
||||||
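Review bot: `hasQbit` at `if builtins.hasAttr "qbit" config.xin-secrets.${config.networking.hostName}.user_passwords then true else false;` wraps a boolean in a redundant conditional, and because the attribute path is forced before `hasAttr` runs it will throw rather than evaluate to `false` on a host whose `xin-secrets` entry has no `user_passwords` attribute (or no entry at all). Something like `hasQbit = (config.xin-secrets.${config.networking.hostName}.user_passwords or { }) ? qbit;` states the intent directly and degrades to `false` in that case, assuming the `xin-secrets` option type tolerates the missing path, which is not visible here. Note also that gating `qbit` behind `hasQbit` under `mutableUsers = false` means any host whose secrets lack a `qbit` hash will have the `qbit` account, and the authorized keys it inherits from `userBase`, removed on the next rebuild; that appears to be intended given the `qbit = userBase;` deletion in an earlier hunk, but it is worth stating in the commit message. The `config = let … in mkIf …` expression continues past the end of this hunk.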
@ -55,12 +71,8 @@ in
|
|||||||
extraGroups = [ "wheel" ];
|
extraGroups = [ "wheel" ];
|
||||||
hashedPasswordFile = config.sops.secrets.qbit_hash.path;
|
hashedPasswordFile = config.sops.secrets.qbit_hash.path;
|
||||||
};
|
};
|
||||||
|
})
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages =
|
|
||||||
if isUnstable
|
|
||||||
then [ pkgs.yash pkgs.go ]
|
|
||||||
else [ pkgs.go ];
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
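Review bot: The `environment.systemPackages` block (`pkgs.yash`/`pkgs.go`, selected by `isUnstable`) is deleted in this hunk, which is a behaviour change for every host using this module and is unrelated to the xin-secrets refactor in the commit title; if dropping these packages is intended, say so in the message, otherwise it belongs in its own commit. With `isUnstable` also removed from the module's argument list in the first hunk of this file, `pkgs` may now be unused as well — if nothing else in the file references it, drop it from the header too. The enclosing `config = let … in mkIf …` expression starts before this hunk.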
|