all: switch to using dynamic entries in xin-secrets

This commit is contained in:
Aaron Bieber 2024-03-21 22:08:30 -06:00
parent 4d2c3a2365
commit 88a5de8402
No known key found for this signature in database
8 changed files with 98 additions and 87 deletions

8
flake.lock generated
View File

@ -584,11 +584,11 @@
]
},
"locked": {
"lastModified": 1710255097,
"narHash": "sha256-x2om2VDoJ8dP9MDltW6LnsTLXbVnUs9Y478smAp9Kiw=",
"lastModified": 1711079899,
"narHash": "sha256-wsLqZx0llg7wWSsQURUSqlrf2dQbsDVnm1z+FB8oj5w=",
"ref": "main",
"rev": "6c5ab9d3f036e6c430297d34872d72c9c593a60f",
"revCount": 136,
"rev": "079e4fff5a6f431cd5287f6b1469924aee079b87",
"revCount": 142,
"type": "git",
"url": "ssh://xin-secrets-ro/qbit/xin-secrets.git"
},

View File

@ -240,7 +240,7 @@
nixos-hardware.nixosModules.framework-11th-gen-intel
] "stan";
weather = buildSys "aarch64-linux" stable [ ] "weather";
octo = buildSys "aarch64-linux" stable [ ] "octo";
#octo = buildSys "aarch64-linux" stable [ ] "octo";
faf = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "faf";
box = buildSys "x86_64-linux" unstable [ ./configs/hardened.nix ] "box";

View File

@ -40,7 +40,7 @@ let
];
userBase = { openssh.authorizedKeys.keys = pubKeys; };
mkNginxSecret = {
sopsFile = config.xin-secrets.box.certs;
sopsFile = config.xin-secrets.box.secrets.certs;
owner = config.users.users.nginx.name;
mode = "400";
};
@ -55,30 +55,30 @@ in
sops.secrets = {
#nextcloud_db_pass = {
# owner = config.users.users.nextcloud.name;
# sopsFile = config.xin-secrets.box.services;
# sopsFile = config.xin-secrets.box.secrets.services;
#};
#nextcloud_admin_pass = {
# owner = config.users.users.nextcloud.name;
# sopsFile = config.xin-secrets.box.services;
# sopsFile = config.xin-secrets.box.secrets.services;
#};
#photoprism_admin_password = {sopsFile = config.xin-secrets.box.services;};
#photoprism_admin_password = {sopsFile = config.xin-secrets.box.secrets.services;};
gitea_db_pass = {
owner = config.users.users.gitea.name;
sopsFile = config.xin-secrets.box.services;
sopsFile = config.xin-secrets.box.secrets.services;
};
"bitwarden_rs.env" = { sopsFile = config.xin-secrets.box.services; };
"wireguard_private_key" = { sopsFile = config.xin-secrets.box.services; };
"bitwarden_rs.env" = { sopsFile = config.xin-secrets.box.secrets.services; };
"wireguard_private_key" = { sopsFile = config.xin-secrets.box.secrets.services; };
"restic_htpasswd" = {
owner = config.users.users.restic.name;
sopsFile = config.xin-secrets.box.services;
sopsFile = config.xin-secrets.box.secrets.services;
};
restic_cert = {
owner = config.users.users.restic.name;
sopsFile = config.xin-secrets.box.certs;
sopsFile = config.xin-secrets.box.secrets.certs;
};
restic_key = {
owner = config.users.users.restic.name;
sopsFile = config.xin-secrets.box.certs;
sopsFile = config.xin-secrets.box.secrets.certs;
};
books_cert = mkNginxSecret;

View File

@ -40,69 +40,69 @@ in
sops.secrets = {
rkvm_cert = {
sopsFile = config.xin-secrets.europa.qbit;
sopsFile = config.xin-secrets.europa.secrets.qbit;
owner = "root";
group = "wheel";
mode = "400";
};
rkvm_key = {
sopsFile = config.xin-secrets.europa.qbit;
sopsFile = config.xin-secrets.europa.secrets.qbit;
owner = "root";
group = "wheel";
mode = "400";
};
fastmail = {
sopsFile = config.xin-secrets.europa.qbit;
sopsFile = config.xin-secrets.europa.secrets.qbit;
owner = "qbit";
group = "wheel";
mode = "400";
};
fastmail_user = {
sopsFile = config.xin-secrets.europa.qbit;
sopsFile = config.xin-secrets.europa.secrets.qbit;
owner = "qbit";
group = "wheel";
mode = "400";
};
nix_review = {
sopsFile = config.xin-secrets.europa.qbit;
sopsFile = config.xin-secrets.europa.secrets.qbit;
owner = "qbit";
group = "wheel";
mode = "400";
};
netrc = {
sopsFile = config.xin-secrets.europa.qbit;
sopsFile = config.xin-secrets.europa.secrets.qbit;
owner = "qbit";
group = "wheel";
mode = "400";
};
peerix_private_key = {
sopsFile = config.xin-secrets.europa.peerix;
sopsFile = config.xin-secrets.europa.secrets.peerix;
owner = "${peerixUser}";
group = "wheel";
mode = "400";
};
restic_password_file = {
sopsFile = config.xin-secrets.europa.services;
sopsFile = config.xin-secrets.europa.secrets.services;
owner = "root";
mode = "400";
};
restic_env_file = {
sopsFile = config.xin-secrets.europa.services;
sopsFile = config.xin-secrets.europa.secrets.services;
owner = "root";
mode = "400";
};
restic_remote_password_file = {
sopsFile = config.xin-secrets.europa.services;
sopsFile = config.xin-secrets.europa.secrets.services;
owner = "root";
mode = "400";
};
restic_remote_env_file = {
sopsFile = config.xin-secrets.europa.services;
sopsFile = config.xin-secrets.europa.secrets.services;
owner = "root";
mode = "400";
};
restic_remote_repo_file = {
sopsFile = config.xin-secrets.europa.services;
sopsFile = config.xin-secrets.europa.secrets.services;
owner = "root";
mode = "400";
};

View File

@ -38,7 +38,6 @@ in
users.users = {
root = userBase;
qbit = userBase;
};
services = {

View File

@ -95,76 +95,76 @@ in
synapse_signing_key = {
owner = config.users.users.matrix-synapse.name;
mode = "600";
sopsFile = config.xin-secrets.h.services;
sopsFile = config.xin-secrets.h.secrets.services;
};
synapse_shared_secret = {
owner = config.users.users.matrix-synapse.name;
mode = "600";
sopsFile = config.xin-secrets.h.services;
sopsFile = config.xin-secrets.h.secrets.services;
};
hammer_access_token = {
owner = config.users.users.mjolnir.name;
mode = "600";
sopsFile = config.xin-secrets.h.services;
sopsFile = config.xin-secrets.h.secrets.services;
};
gqrss_token = {
owner = config.users.users.qbit.name;
mode = "400";
sopsFile = config.xin-secrets.h.services;
sopsFile = config.xin-secrets.h.secrets.services;
};
restic_env_file = {
owner = config.users.users.root.name;
mode = "400";
sopsFile = config.xin-secrets.h.services;
sopsFile = config.xin-secrets.h.secrets.services;
};
restic_password_file = {
owner = config.users.users.root.name;
mode = "400";
sopsFile = config.xin-secrets.h.services;
sopsFile = config.xin-secrets.h.secrets.services;
};
yarr_auth = {
owner = config.users.users.yarr.name;
mode = "400";
sopsFile = config.xin-secrets.h.services;
sopsFile = config.xin-secrets.h.secrets.services;
};
# TODO: rename
router_stats_ts_key = {
sopsFile = config.xin-secrets.h.services;
sopsFile = config.xin-secrets.h.secrets.services;
owner = config.users.users.tsvnstat.name;
};
#golink = {
# sopsFile = config.xin-secrets.h.services;
# sopsFile = config.xin-secrets.h.secrets.services;
# owner = config.users.users.golink.name;
#};
gostart = {
sopsFile = config.xin-secrets.h.services;
sopsFile = config.xin-secrets.h.secrets.services;
owner = config.users.users.gostart.name;
};
wireguard_private_key = { sopsFile = config.xin-secrets.h.services; };
wireguard_private_key = { sopsFile = config.xin-secrets.h.secrets.services; };
pots_env_file = {
owner = config.users.users.pots.name;
mode = "400";
sopsFile = config.xin-secrets.h.services;
sopsFile = config.xin-secrets.h.secrets.services;
};
sliding_sync_env = {
owner = config.services.sliding-sync.user;
mode = "400";
sopsFile = config.xin-secrets.h.services;
sopsFile = config.xin-secrets.h.secrets.services;
};
pr_status_env = {
mode = "400";
owner = config.services.tsrevprox.user;
sopsFile = config.xin-secrets.h.services;
sopsFile = config.xin-secrets.h.secrets.services;
};
qbit_at_suah_pass_file = {
mode = "400";
owner = "root";
sopsFile = config.xin-secrets.h.services;
sopsFile = config.xin-secrets.h.secrets.services;
};
#wallabag_secret = {
# mode = "400";
# owner = "wallabag";
# sopsFile = config.xin-secrets.h.services;
# sopsFile = config.xin-secrets.h.secrets.services;
#};
};

View File

@ -121,40 +121,40 @@ in
sops.secrets = {
rkvm_cert = {
sopsFile = config.xin-secrets.stan.main;
sopsFile = config.xin-secrets.stan.secrets.main;
owner = "root";
group = "wheel";
mode = "400";
};
vm_pass = {
sopsFile = config.xin-secrets.stan.main;
sopsFile = config.xin-secrets.stan.secrets.main;
owner = "root";
group = "wheel";
mode = "400";
};
peerix_private_key = {
sopsFile = config.xin-secrets.stan.peerix;
sopsFile = config.xin-secrets.stan.secrets.peerix;
owner = "${peerixUser}";
group = "wheel";
mode = "400";
};
restic_password_file = {
sopsFile = config.xin-secrets.stan.main;
sopsFile = config.xin-secrets.stan.secrets.main;
owner = "root";
mode = "400";
};
restic_env_file = {
sopsFile = config.xin-secrets.stan.main;
sopsFile = config.xin-secrets.stan.secrets.main;
owner = "root";
mode = "400";
};
restic_repo_file = {
sopsFile = config.xin-secrets.stan.main;
sopsFile = config.xin-secrets.stan.secrets.main;
owner = "root";
mode = "400";
};
abieber_hash = {
sopsFile = config.xin-secrets.user_passwords;
sopsFile = config.xin-secrets.stan.user_passwords.abieber;
owner = "root";
mode = "400";
neededForUsers = true;

View File

@ -1,7 +1,6 @@
{ config
, lib
, pkgs
, isUnstable
, ...
}:
with lib; let
@ -24,30 +23,47 @@ in
};
};
config = mkIf config.defaultUsers.enable {
sops = {
config =
let
hasQbit =
if builtins.hasAttr "qbit" config.xin-secrets.${config.networking.hostName}.user_passwords then
true
else false;
in
mkIf config.defaultUsers.enable {
sops =
{
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = {
"${config.networking.hostName}_hash" = {
sopsFile = config.xin-secrets.root_passwords;
secrets = mkMerge [
({
root_hash =
{
sopsFile = config.xin-secrets.${config.networking.hostName}.user_passwords.root;
owner = "root";
mode = "400";
neededForUsers = true;
};
})
(mkIf hasQbit {
qbit_hash = {
sopsFile = config.xin-secrets.user_passwords;
sopsFile = config.xin-secrets.${config.networking.hostName}.user_passwords.qbit;
owner = "root";
mode = "400";
neededForUsers = true;
};
};
})
];
};
users = {
mutableUsers = false;
users = {
users = mkMerge [
(
{
root = userBase // {
hashedPasswordFile = config.sops.secrets."${config.networking.hostName}_hash".path;
hashedPasswordFile = config.sops.secrets.root_hash.path;
};
})
(mkIf hasQbit {
qbit = userBase // {
isNormalUser = true;
description = "Aaron Bieber";
@ -55,12 +71,8 @@ in
extraGroups = [ "wheel" ];
hashedPasswordFile = config.sops.secrets.qbit_hash.path;
};
})
];
};
};
environment.systemPackages =
if isUnstable
then [ pkgs.yash pkgs.go ]
else [ pkgs.go ];
};
}