all: switch to using dynamic entries in xin-secrets
This commit is contained in:
parent
4d2c3a2365
commit
88a5de8402
8
flake.lock
generated
8
flake.lock
generated
@ -584,11 +584,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710255097,
|
||||
"narHash": "sha256-x2om2VDoJ8dP9MDltW6LnsTLXbVnUs9Y478smAp9Kiw=",
|
||||
"lastModified": 1711079899,
|
||||
"narHash": "sha256-wsLqZx0llg7wWSsQURUSqlrf2dQbsDVnm1z+FB8oj5w=",
|
||||
"ref": "main",
|
||||
"rev": "6c5ab9d3f036e6c430297d34872d72c9c593a60f",
|
||||
"revCount": 136,
|
||||
"rev": "079e4fff5a6f431cd5287f6b1469924aee079b87",
|
||||
"revCount": 142,
|
||||
"type": "git",
|
||||
"url": "ssh://xin-secrets-ro/qbit/xin-secrets.git"
|
||||
},
|
||||
|
@ -240,7 +240,7 @@
|
||||
nixos-hardware.nixosModules.framework-11th-gen-intel
|
||||
] "stan";
|
||||
weather = buildSys "aarch64-linux" stable [ ] "weather";
|
||||
octo = buildSys "aarch64-linux" stable [ ] "octo";
|
||||
#octo = buildSys "aarch64-linux" stable [ ] "octo";
|
||||
|
||||
faf = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "faf";
|
||||
box = buildSys "x86_64-linux" unstable [ ./configs/hardened.nix ] "box";
|
||||
|
@ -40,7 +40,7 @@ let
|
||||
];
|
||||
userBase = { openssh.authorizedKeys.keys = pubKeys; };
|
||||
mkNginxSecret = {
|
||||
sopsFile = config.xin-secrets.box.certs;
|
||||
sopsFile = config.xin-secrets.box.secrets.certs;
|
||||
owner = config.users.users.nginx.name;
|
||||
mode = "400";
|
||||
};
|
||||
@ -55,30 +55,30 @@ in
|
||||
sops.secrets = {
|
||||
#nextcloud_db_pass = {
|
||||
# owner = config.users.users.nextcloud.name;
|
||||
# sopsFile = config.xin-secrets.box.services;
|
||||
# sopsFile = config.xin-secrets.box.secrets.services;
|
||||
#};
|
||||
#nextcloud_admin_pass = {
|
||||
# owner = config.users.users.nextcloud.name;
|
||||
# sopsFile = config.xin-secrets.box.services;
|
||||
# sopsFile = config.xin-secrets.box.secrets.services;
|
||||
#};
|
||||
#photoprism_admin_password = {sopsFile = config.xin-secrets.box.services;};
|
||||
#photoprism_admin_password = {sopsFile = config.xin-secrets.box.secrets.services;};
|
||||
gitea_db_pass = {
|
||||
owner = config.users.users.gitea.name;
|
||||
sopsFile = config.xin-secrets.box.services;
|
||||
sopsFile = config.xin-secrets.box.secrets.services;
|
||||
};
|
||||
"bitwarden_rs.env" = { sopsFile = config.xin-secrets.box.services; };
|
||||
"wireguard_private_key" = { sopsFile = config.xin-secrets.box.services; };
|
||||
"bitwarden_rs.env" = { sopsFile = config.xin-secrets.box.secrets.services; };
|
||||
"wireguard_private_key" = { sopsFile = config.xin-secrets.box.secrets.services; };
|
||||
"restic_htpasswd" = {
|
||||
owner = config.users.users.restic.name;
|
||||
sopsFile = config.xin-secrets.box.services;
|
||||
sopsFile = config.xin-secrets.box.secrets.services;
|
||||
};
|
||||
restic_cert = {
|
||||
owner = config.users.users.restic.name;
|
||||
sopsFile = config.xin-secrets.box.certs;
|
||||
sopsFile = config.xin-secrets.box.secrets.certs;
|
||||
};
|
||||
restic_key = {
|
||||
owner = config.users.users.restic.name;
|
||||
sopsFile = config.xin-secrets.box.certs;
|
||||
sopsFile = config.xin-secrets.box.secrets.certs;
|
||||
};
|
||||
|
||||
books_cert = mkNginxSecret;
|
||||
|
@ -40,69 +40,69 @@ in
|
||||
|
||||
sops.secrets = {
|
||||
rkvm_cert = {
|
||||
sopsFile = config.xin-secrets.europa.qbit;
|
||||
sopsFile = config.xin-secrets.europa.secrets.qbit;
|
||||
owner = "root";
|
||||
group = "wheel";
|
||||
mode = "400";
|
||||
};
|
||||
rkvm_key = {
|
||||
sopsFile = config.xin-secrets.europa.qbit;
|
||||
sopsFile = config.xin-secrets.europa.secrets.qbit;
|
||||
owner = "root";
|
||||
group = "wheel";
|
||||
mode = "400";
|
||||
};
|
||||
fastmail = {
|
||||
sopsFile = config.xin-secrets.europa.qbit;
|
||||
sopsFile = config.xin-secrets.europa.secrets.qbit;
|
||||
owner = "qbit";
|
||||
group = "wheel";
|
||||
mode = "400";
|
||||
};
|
||||
fastmail_user = {
|
||||
sopsFile = config.xin-secrets.europa.qbit;
|
||||
sopsFile = config.xin-secrets.europa.secrets.qbit;
|
||||
owner = "qbit";
|
||||
group = "wheel";
|
||||
mode = "400";
|
||||
};
|
||||
nix_review = {
|
||||
sopsFile = config.xin-secrets.europa.qbit;
|
||||
sopsFile = config.xin-secrets.europa.secrets.qbit;
|
||||
owner = "qbit";
|
||||
group = "wheel";
|
||||
mode = "400";
|
||||
};
|
||||
netrc = {
|
||||
sopsFile = config.xin-secrets.europa.qbit;
|
||||
sopsFile = config.xin-secrets.europa.secrets.qbit;
|
||||
owner = "qbit";
|
||||
group = "wheel";
|
||||
mode = "400";
|
||||
};
|
||||
peerix_private_key = {
|
||||
sopsFile = config.xin-secrets.europa.peerix;
|
||||
sopsFile = config.xin-secrets.europa.secrets.peerix;
|
||||
owner = "${peerixUser}";
|
||||
group = "wheel";
|
||||
mode = "400";
|
||||
};
|
||||
restic_password_file = {
|
||||
sopsFile = config.xin-secrets.europa.services;
|
||||
sopsFile = config.xin-secrets.europa.secrets.services;
|
||||
owner = "root";
|
||||
mode = "400";
|
||||
};
|
||||
restic_env_file = {
|
||||
sopsFile = config.xin-secrets.europa.services;
|
||||
sopsFile = config.xin-secrets.europa.secrets.services;
|
||||
owner = "root";
|
||||
mode = "400";
|
||||
};
|
||||
restic_remote_password_file = {
|
||||
sopsFile = config.xin-secrets.europa.services;
|
||||
sopsFile = config.xin-secrets.europa.secrets.services;
|
||||
owner = "root";
|
||||
mode = "400";
|
||||
};
|
||||
restic_remote_env_file = {
|
||||
sopsFile = config.xin-secrets.europa.services;
|
||||
sopsFile = config.xin-secrets.europa.secrets.services;
|
||||
owner = "root";
|
||||
mode = "400";
|
||||
};
|
||||
restic_remote_repo_file = {
|
||||
sopsFile = config.xin-secrets.europa.services;
|
||||
sopsFile = config.xin-secrets.europa.secrets.services;
|
||||
owner = "root";
|
||||
mode = "400";
|
||||
};
|
||||
|
@ -38,7 +38,6 @@ in
|
||||
|
||||
users.users = {
|
||||
root = userBase;
|
||||
qbit = userBase;
|
||||
};
|
||||
|
||||
services = {
|
||||
|
@ -95,76 +95,76 @@ in
|
||||
synapse_signing_key = {
|
||||
owner = config.users.users.matrix-synapse.name;
|
||||
mode = "600";
|
||||
sopsFile = config.xin-secrets.h.services;
|
||||
sopsFile = config.xin-secrets.h.secrets.services;
|
||||
};
|
||||
synapse_shared_secret = {
|
||||
owner = config.users.users.matrix-synapse.name;
|
||||
mode = "600";
|
||||
sopsFile = config.xin-secrets.h.services;
|
||||
sopsFile = config.xin-secrets.h.secrets.services;
|
||||
};
|
||||
hammer_access_token = {
|
||||
owner = config.users.users.mjolnir.name;
|
||||
mode = "600";
|
||||
sopsFile = config.xin-secrets.h.services;
|
||||
sopsFile = config.xin-secrets.h.secrets.services;
|
||||
};
|
||||
gqrss_token = {
|
||||
owner = config.users.users.qbit.name;
|
||||
mode = "400";
|
||||
sopsFile = config.xin-secrets.h.services;
|
||||
sopsFile = config.xin-secrets.h.secrets.services;
|
||||
};
|
||||
restic_env_file = {
|
||||
owner = config.users.users.root.name;
|
||||
mode = "400";
|
||||
sopsFile = config.xin-secrets.h.services;
|
||||
sopsFile = config.xin-secrets.h.secrets.services;
|
||||
};
|
||||
restic_password_file = {
|
||||
owner = config.users.users.root.name;
|
||||
mode = "400";
|
||||
sopsFile = config.xin-secrets.h.services;
|
||||
sopsFile = config.xin-secrets.h.secrets.services;
|
||||
};
|
||||
yarr_auth = {
|
||||
owner = config.users.users.yarr.name;
|
||||
mode = "400";
|
||||
sopsFile = config.xin-secrets.h.services;
|
||||
sopsFile = config.xin-secrets.h.secrets.services;
|
||||
};
|
||||
# TODO: rename
|
||||
router_stats_ts_key = {
|
||||
sopsFile = config.xin-secrets.h.services;
|
||||
sopsFile = config.xin-secrets.h.secrets.services;
|
||||
owner = config.users.users.tsvnstat.name;
|
||||
};
|
||||
#golink = {
|
||||
# sopsFile = config.xin-secrets.h.services;
|
||||
# sopsFile = config.xin-secrets.h.secrets.services;
|
||||
# owner = config.users.users.golink.name;
|
||||
#};
|
||||
gostart = {
|
||||
sopsFile = config.xin-secrets.h.services;
|
||||
sopsFile = config.xin-secrets.h.secrets.services;
|
||||
owner = config.users.users.gostart.name;
|
||||
};
|
||||
wireguard_private_key = { sopsFile = config.xin-secrets.h.services; };
|
||||
wireguard_private_key = { sopsFile = config.xin-secrets.h.secrets.services; };
|
||||
pots_env_file = {
|
||||
owner = config.users.users.pots.name;
|
||||
mode = "400";
|
||||
sopsFile = config.xin-secrets.h.services;
|
||||
sopsFile = config.xin-secrets.h.secrets.services;
|
||||
};
|
||||
sliding_sync_env = {
|
||||
owner = config.services.sliding-sync.user;
|
||||
mode = "400";
|
||||
sopsFile = config.xin-secrets.h.services;
|
||||
sopsFile = config.xin-secrets.h.secrets.services;
|
||||
};
|
||||
pr_status_env = {
|
||||
mode = "400";
|
||||
owner = config.services.tsrevprox.user;
|
||||
sopsFile = config.xin-secrets.h.services;
|
||||
sopsFile = config.xin-secrets.h.secrets.services;
|
||||
};
|
||||
qbit_at_suah_pass_file = {
|
||||
mode = "400";
|
||||
owner = "root";
|
||||
sopsFile = config.xin-secrets.h.services;
|
||||
sopsFile = config.xin-secrets.h.secrets.services;
|
||||
};
|
||||
#wallabag_secret = {
|
||||
# mode = "400";
|
||||
# owner = "wallabag";
|
||||
# sopsFile = config.xin-secrets.h.services;
|
||||
# sopsFile = config.xin-secrets.h.secrets.services;
|
||||
#};
|
||||
};
|
||||
|
||||
|
@ -121,40 +121,40 @@ in
|
||||
|
||||
sops.secrets = {
|
||||
rkvm_cert = {
|
||||
sopsFile = config.xin-secrets.stan.main;
|
||||
sopsFile = config.xin-secrets.stan.secrets.main;
|
||||
owner = "root";
|
||||
group = "wheel";
|
||||
mode = "400";
|
||||
};
|
||||
vm_pass = {
|
||||
sopsFile = config.xin-secrets.stan.main;
|
||||
sopsFile = config.xin-secrets.stan.secrets.main;
|
||||
owner = "root";
|
||||
group = "wheel";
|
||||
mode = "400";
|
||||
};
|
||||
peerix_private_key = {
|
||||
sopsFile = config.xin-secrets.stan.peerix;
|
||||
sopsFile = config.xin-secrets.stan.secrets.peerix;
|
||||
owner = "${peerixUser}";
|
||||
group = "wheel";
|
||||
mode = "400";
|
||||
};
|
||||
restic_password_file = {
|
||||
sopsFile = config.xin-secrets.stan.main;
|
||||
sopsFile = config.xin-secrets.stan.secrets.main;
|
||||
owner = "root";
|
||||
mode = "400";
|
||||
};
|
||||
restic_env_file = {
|
||||
sopsFile = config.xin-secrets.stan.main;
|
||||
sopsFile = config.xin-secrets.stan.secrets.main;
|
||||
owner = "root";
|
||||
mode = "400";
|
||||
};
|
||||
restic_repo_file = {
|
||||
sopsFile = config.xin-secrets.stan.main;
|
||||
sopsFile = config.xin-secrets.stan.secrets.main;
|
||||
owner = "root";
|
||||
mode = "400";
|
||||
};
|
||||
abieber_hash = {
|
||||
sopsFile = config.xin-secrets.user_passwords;
|
||||
sopsFile = config.xin-secrets.stan.user_passwords.abieber;
|
||||
owner = "root";
|
||||
mode = "400";
|
||||
neededForUsers = true;
|
||||
|
@ -1,7 +1,6 @@
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, isUnstable
|
||||
, ...
|
||||
}:
|
||||
with lib; let
|
||||
@ -24,30 +23,47 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf config.defaultUsers.enable {
|
||||
sops = {
|
||||
config =
|
||||
let
|
||||
hasQbit =
|
||||
if builtins.hasAttr "qbit" config.xin-secrets.${config.networking.hostName}.user_passwords then
|
||||
true
|
||||
else false;
|
||||
in
|
||||
mkIf config.defaultUsers.enable {
|
||||
sops =
|
||||
{
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
secrets = {
|
||||
"${config.networking.hostName}_hash" = {
|
||||
sopsFile = config.xin-secrets.root_passwords;
|
||||
secrets = mkMerge [
|
||||
({
|
||||
root_hash =
|
||||
{
|
||||
sopsFile = config.xin-secrets.${config.networking.hostName}.user_passwords.root;
|
||||
owner = "root";
|
||||
mode = "400";
|
||||
neededForUsers = true;
|
||||
};
|
||||
})
|
||||
(mkIf hasQbit {
|
||||
qbit_hash = {
|
||||
sopsFile = config.xin-secrets.user_passwords;
|
||||
sopsFile = config.xin-secrets.${config.networking.hostName}.user_passwords.qbit;
|
||||
owner = "root";
|
||||
mode = "400";
|
||||
neededForUsers = true;
|
||||
};
|
||||
};
|
||||
})
|
||||
];
|
||||
};
|
||||
users = {
|
||||
mutableUsers = false;
|
||||
users = {
|
||||
users = mkMerge [
|
||||
(
|
||||
{
|
||||
root = userBase // {
|
||||
hashedPasswordFile = config.sops.secrets."${config.networking.hostName}_hash".path;
|
||||
hashedPasswordFile = config.sops.secrets.root_hash.path;
|
||||
};
|
||||
})
|
||||
(mkIf hasQbit {
|
||||
qbit = userBase // {
|
||||
isNormalUser = true;
|
||||
description = "Aaron Bieber";
|
||||
@ -55,12 +71,8 @@ in
|
||||
extraGroups = [ "wheel" ];
|
||||
hashedPasswordFile = config.sops.secrets.qbit_hash.path;
|
||||
};
|
||||
})
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages =
|
||||
if isUnstable
|
||||
then [ pkgs.yash pkgs.go ]
|
||||
else [ pkgs.go ];
|
||||
};
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user