diff --git a/.editorconfig b/.editorconfig
index 70d85025..d583a75d 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -4,6 +4,6 @@ root = true
 end_of_line = lf
 insert_final_newline = true
-[*.nix]
+[*.{nix,yaml,json}]
 indent_style = space
 indent_size = 2
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 00000000..24c6b39b
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.yaml diff=sopsfilter
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 00000000..3e503f48
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,14 @@
+keys:
+ - &foo-dogsquared 8FCE86932583783E515B6FE55F2B001E20ED3763
+ - &foo-dogsquared-age age1say65zc678yc03tx4zexp20c9gvskvwrm4390j4x2jkepn97duhq9ptuj9
+ - &ni age1dm9xugju4q5gx0zty8ckw655ea904c64gv9qw9fn3lu507ck8uzsag59y8
+creation_rules:
+ - path_regex: hosts/ni/secrets/[^/]+\.(yaml|json)$
+ age: *ni
+ - path_regex: secrets/[^/]+\.(yaml|json)$
+ key_groups:
+ - age:
+ - *foo-dogsquared-age
+ - *ni
+ pgp:
+ - *foo-dogsquared
diff --git a/README.adoc b/README.adoc
index a265aba0..936e8f1d 100644
--- a/README.adoc
+++ b/README.adoc
@@ -134,8 +134,7 @@ For more information, see the link:./modules/README.adoc[related documentation].
 * link:./pkgs/[`./pkgs/`] contains my custom packages. It is exported in the flakes at `outputs.packages` compiled through various systems.
-* link:./secrets/[`./secrets/`] contains my secrets managed with link:https://github.com/ryantm/agenix[agenix].
-footnote:[It is advised you should minimize SSH keys with passphrases since it is annoying to reenter passwords every time.]
+* link:./secrets/[`./secrets/`] contains my secrets managed with link:https://github.com/mozilla/sops[sops] and link:https://github.com/Mic92/sops-nix[sops-nix].
 * link:./shells/[`./shells/`] contains my development shells for interacting with the usual type of projects. Setting this up can bring benefits outside of NixOS (unless you're interacting with projects with any OpenGL-related stuff).
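Review bot: `*.yaml diff=sopsfilter` names a diff driver that git only honours when `diff.sopsfilter.textconv` is set in the clone's own git config; drivers cannot be defined from tracked files, so in a fresh clone the attribute is silently ignored and `git diff` shows the raw `ENC[...]` values. Document the one-time setup, e.g. `git config diff.sopsfilter.textconv "sops -d"`, in secrets/README.adoc or in the dev shell. Once it is set, `git diff`, `git log -p` and `git show` print decrypted secret values into the terminal and pager for anyone holding a matching key, which is the intent but is worth stating next to the attribute.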
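Review bot: The first creation rule gives `hosts/ni/secrets/*` only the `ni` age recipient, so neither `foo-dogsquared` key can decrypt or re-encrypt those files and every edit needs the host's private age key at hand; if host-only secrets are intended, record it with a comment such as `# host-only: decryptable by ni alone, not by the operator keys`, otherwise add the operator keys as the second rule does. The second rule's single key group means any one of the three listed keys decrypts on its own; that is the common setup, but it is a decision the file should state rather than leave implicit. Both regexes use `[^/]+`, so a file in a subdirectory of `secrets/` matches no rule and sops errors out instead of encrypting it, which fails closed but will surprise whoever later adds a per-host subdirectory under `secrets/`.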
diff --git a/flake.lock b/flake.lock index 38b3db27..d36ddb6a 100644 --- a/flake.lock +++ b/flake.lock @@ -1,25 +1,5 @@ { "nodes": { - "agenix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1652712410, - "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=", - "owner": "ryantm", - "repo": "agenix", - "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "base16-schemes": { "flake": false, "locked": { @@ -348,6 +328,22 @@ "type": "github" } }, + "nixpkgs-22_05": { + "locked": { + "lastModified": 1657399715, + "narHash": "sha256-7YX+I8FP3/iJTRs33VhIbdx91YWlZQf8zaEEeM97964=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "0ad6eae04953060dff8ba28af158799c3e13878d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-22.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { "lastModified": 1657837635, @@ -390,7 +386,6 @@ }, "root": { "inputs": { - "agenix": "agenix", "devshell": "devshell", "dotfiles": "dotfiles", "emacs-overlay": "emacs-overlay", @@ -404,7 +399,8 @@ "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", "nur": "nur", - "rust-overlay": "rust-overlay" + "rust-overlay": "rust-overlay", + "sops-nix": "sops-nix" } }, "rust-overlay": { @@ -430,6 +426,27 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-22_05": "nixpkgs-22_05" + }, + "locked": { + "lastModified": 1657695756, + "narHash": "sha256-5eeq7Itk9gMK6E5u3IrooFd3KswlheIO/L2Cs7Wwj9k=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "912514e60a6e0227d6a2e0ecc8524752337fcde2", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1652372896, diff --git a/flake.nix b/flake.nix index ae21e366..58314211 100644 --- a/flake.nix +++ b/flake.nix 
@@ -41,8 +41,8 @@
 nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
 # Managing your secrets.
- agenix.url = "github:ryantm/agenix";
- agenix.inputs.nixpkgs.follows = "nixpkgs";
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 # Easy access to development environments.
 devshell.url = "github:numtide/devshell";
@@ -119,10 +119,10 @@
 # Only use imports as minimally as possible with the absolute
 # requirements of a host.
 imports = [
- inputs.agenix.nixosModules.age
 inputs.home-manager.nixosModules.home-manager
 inputs.nix-ld.nixosModules.nix-ld
 inputs.nur.nixosModules.nur
+ inputs.sops-nix.nixosModules.sops
 ];
 # Bleeding edge, baybee!
@@ -139,7 +139,6 @@
 # All of the important flakes will be included.
 nixpkgs.flake = nixpkgs;
 home-manager.flake = inputs.home-manager;
- agenix.flake = inputs.agenix;
 nur.flake = inputs.nur;
 guix-overlay.flake = inputs.guix-overlay;
 nixos-generators.flake = inputs.nixos-generators;
@@ -201,7 +200,7 @@
 lib'.modulesToList (lib'.filesToAttr ./modules/home-manager);
 home-manager.extraSpecialArgs = { inherit inputs system self; };
- # Enabling some things for agenix.
+ # Enabling some things for sops.
 programs.gnupg.agent = {
 enable = true;
 enableSSHSupport = true;
diff --git a/modules/nixos/tasks/backup-archive/borg-ssh-key.pub b/modules/nixos/tasks/backup-archive/borg-ssh-key.pub
deleted file mode 100644
index 10c413ac..00000000
--- a/modules/nixos/tasks/backup-archive/borg-ssh-key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1IdisweU/qW+Np36K1WoR+RsPSyG6JcLNp96m1rDWx foo-dogsquared@ni
diff --git a/modules/nixos/tasks/backup-archive/borgbase-ssh-key.pub b/modules/nixos/tasks/backup-archive/borgbase-ssh-key.pub
new file mode 100644
index 00000000..6346e33c
--- /dev/null
+++ b/modules/nixos/tasks/backup-archive/borgbase-ssh-key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFOZzSBe/YHUfpCKfKM7BC60i3t2K3euiw2P6VEfe7kI Borgbase backup
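Review bot: The hunk at `@@ -139,7 +139,6 @@` removes `agenix.flake = inputs.agenix;` without adding a sops-nix counterpart, while the input and `imports` hunks above do add sops-nix; given the context comment `# All of the important flakes will be included.`, `sops-nix.flake = inputs.sops-nix;` looks like the intended replacement unless leaving it out of the registry is deliberate. The attribute set being edited starts before the hunk, so its purpose is inferred from that comment only. If the omission is intentional, a short comment on the line explaining why sops-nix is not registered would stop the next reader from "fixing" it.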
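Review bot: The comment rewritten at `@@ -201,7 +200,7 @@`, `# Enabling some things for sops.`, is as vague after the rename as it was before and does not say which part of the sops workflow needs `programs.gnupg.agent` with `enableSSHSupport`. As far as I know sops-nix decrypts at activation with host keys and does not go through a user's gpg-agent, so the agent is presumably for editing secrets with the PGP key listed in `.sops.yaml`; a line such as `# gpg-agent (with SSH support) for editing sops files with the PGP key from .sops.yaml — confirm this host needs it` would record both the purpose and the open question. The `programs.gnupg.agent` block continues past the hunk.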
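Review bot: The new `borgbase-ssh-key.pub` is not referenced by any default.nix hunk in this commit (the deleted `borg-ssh-key.pub` was not either), so it reads as a record of which public key must be registered on the BorgBase side; a comment in default.nix next to `borg-ssh-key = getKey "ssh-key";` pointing at this file would make that link explicit. The private half is presumably the `ssh-key` entry in secrets/backup-archive.yaml, and since the key pair changed here (different key material and comment from the deleted file), it is worth verifying with `ssh-keygen -y -f` on the decrypted private key that the two halves match, because a mismatch only surfaces when the daily `remote-borgbase` job fails to authenticate.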
diff --git a/modules/nixos/tasks/backup-archive/default.nix b/modules/nixos/tasks/backup-archive/default.nix
index 83d96a5a..a1a56137 100644
--- a/modules/nixos/tasks/backup-archive/default.nix
+++ b/modules/nixos/tasks/backup-archive/default.nix
@@ -10,7 +10,7 @@ let
 doInit = true;
 encryption = {
 mode = "repokey-blake2";
- passCommand = "cat ${config.age.secrets.borg-password.path}";
+ passCommand = "cat ${config.sops.secrets.borg-password.path}";
 };
 extraCreateArgs = lib.concatStringsSep " " (builtins.map (patternFile: "--patterns-from ${patternFile}") patterns);
@@ -41,11 +41,17 @@ in {
 lib.mkEnableOption "backup setup with BorgBackup";
 config = lib.mkIf cfg.enable {
- age.secrets.borg-password.file = lib.getSecret "archive/password";
- age.secrets.borg-patterns.file = lib.getSecret "archive/borg-patterns";
- age.secrets.borg-patterns-local.file =
- lib.getSecret "archive/borg-patterns-local";
- age.secrets.borg-ssh-key.file = lib.getSecret "archive/borg-ssh-key";
+ sops.secrets = let
+ getKey = key: {
+ inherit key;
+ sopsFile = lib.getSecret "backup-archive.yaml";
+ }; in {
+ borg-patterns-home = getKey "borg-patterns/home";
+ borg-patterns-etc = getKey "borg-patterns/etc";
+ borg-patterns-keys = getKey "borg-patterns/keys";
+ borg-ssh-key = getKey "ssh-key";
+ borg-password = getKey "password";
+ };
 fileSystems."/mnt/external-storage" = {
 device = "/dev/disk/by-uuid/665A391C5A38EB07";
@@ -92,8 +98,9 @@ in {
 services.borgbackup.jobs = {
 local-archive = borgJobCommonSetting {
 patterns = [
- config.age.secrets.borg-patterns-local.path
- config.age.secrets.borg-patterns.path
+ config.sops.secrets.borg-patterns-home.path
+ config.sops.secrets.borg-patterns-etc.path
+ config.sops.secrets.borg-patterns-keys.path
 ];
 } // {
 doInit = false;
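Review bot: The helper introduced at `@@ -41,11 +41,17 @@`, `getKey = key: { inherit key; sopsFile = ...; }`, builds a sops-nix secret declaration rather than fetching a key, so `mkSecret` would describe it better, and nothing in the block says that all five entries are YAML paths inside one sops file; `# Every backup secret is a key path inside secrets/backup-archive.yaml` above `sops.secrets = let` would cover that. No `owner` or `mode` is set, so the secrets keep sops-nix's defaults of root ownership and a root-only mode, which is right while the borgbackup jobs run as root; if a job is ever given a `user`, `borg-ssh-key` and `borg-password` need a matching `owner` or the job cannot read them. The `sops.secrets` set is complete within the hunk; the enclosing `config = lib.mkIf cfg.enable {` block continues past it.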
@@ -104,8 +111,9 @@ in {
 local-external-drive = borgJobCommonSetting {
 patterns = [
- config.age.secrets.borg-patterns-local.path
- config.age.secrets.borg-patterns.path
+ config.sops.secrets.borg-patterns-home.path
+ config.sops.secrets.borg-patterns-etc.path
+ config.sops.secrets.borg-patterns-keys.path
 ];
 } // {
 doInit = false;
@@ -115,17 +123,17 @@ in {
 };
 remote-borgbase = borgJobCommonSetting {
- patterns = [ config.age.secrets.borg-patterns.path ];
+ patterns = [ config.sops.secrets.borg-patterns-home.path ];
 } // {
 repo = "r6o30viv@r6o30viv.repo.borgbase.com:repo";
 startAt = "daily";
- environment.BORG_RSH = "ssh -i ${config.age.secrets.borg-ssh-key.path}";
+ environment.BORG_RSH = "ssh -i ${config.sops.secrets.borg-ssh-key.path}";
 };
 };
 programs.ssh.extraConfig = ''
 Host *.repo.borgbase.com
- IdentityFile ${config.age.secrets.borg-ssh-key.path}
+ IdentityFile ${config.sops.secrets.borg-ssh-key.path}
 '';
 };
 }
diff --git a/secrets/README.adoc b/secrets/README.adoc
index aff0d253..42d69f63 100644
--- a/secrets/README.adoc
+++ b/secrets/README.adoc
@@ -2,4 +2,6 @@
 :toc:
 My secret files in public!
-This is managed through link:https://github.com/ryantm/agenix[agenix] (thus, uses the link:https://github.com/FiloSottile/age[age encryption tool]).
+All hail secret management tools!
+
+In my case, this is managed by link:https://github.com/mozilla/sops[sops] and link:https://github.com/Mic92/sops-nix[sops-nix] for integrating it with my NixOS setup.
diff --git a/secrets/archive/borg-patterns b/secrets/archive/borg-patterns
deleted file mode 100644
index 5dee39c9..00000000
Binary files a/secrets/archive/borg-patterns and /dev/null differ
diff --git a/secrets/archive/borg-patterns-local b/secrets/archive/borg-patterns-local
deleted file mode 100644
index 0e394a45..00000000
Binary files a/secrets/archive/borg-patterns-local and /dev/null differ
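Review bot: In `@@ -115,17 +123,17 @@` the `remote-borgbase` job now takes only `borg-patterns-home.path`, while both local jobs (`@@ -92,8 +98,9 @@` and `@@ -104,8 +111,9 @@`) get `home`, `etc` and `keys`; before this commit all three jobs shared `borg-patterns`, so the off-site job's coverage changed and nothing in the module says why. If keeping the `etc` and `keys` pattern sets off the third-party repository is the intent, a line such as `# off-site repo gets the home patterns only; etc/keys stay on local media` above `patterns = [ config.sops.secrets.borg-patterns-home.path ];` would record it; if not, the list should match the local jobs. Whether `borg-patterns/keys` actually selects key material cannot be seen here, since the pattern file itself is encrypted.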
diff --git a/secrets/archive/borg-ssh-key b/secrets/archive/borg-ssh-key
deleted file mode 100644
index 9ae30bcb..00000000
Binary files a/secrets/archive/borg-ssh-key and /dev/null differ
diff --git a/secrets/archive/key b/secrets/archive/key
deleted file mode 100644
index c27edde2..00000000
Binary files a/secrets/archive/key and /dev/null differ
diff --git a/secrets/archive/password b/secrets/archive/password
deleted file mode 100644
index 1d3b34aa..00000000
Binary files a/secrets/archive/password and /dev/null differ
diff --git a/secrets/backup-archive.yaml b/secrets/backup-archive.yaml
new file mode 100644
index 00000000..d21e51a4
--- /dev/null
+++ b/secrets/backup-archive.yaml
@@ -0,0 +1,47 @@ +password: ENC[AES256_GCM,data:IR+V7h8gdNXfEkDjjAF+T+isVzJFPHfzxAv/MPukdm5+3/Yt,iv:NY8bvHG/FkT6LWq6YQ087cr4YAEu4sjTGWw1yb1z5cg=,tag:baxiViXssOjpV1FqVHA2ow==,type:str] +ssh-key: ENC[AES256_GCM,data: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,iv:mIXPJIZ1z9xnoja+zQcHvVLLCWn3YMdVFKkhadbWCjY=,tag:Z/c2LB/mTaY8MzDfLjLrDQ==,type:str] +borg-patterns: + home: ENC[AES256_GCM,data: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,iv:gg7vbrzukPJj5WEL55gzX+EghZps5+rSJbWiCzJFE28=,tag:HYxQlwGM0de8lht9w+iiWA==,type:str] + etc: ENC[AES256_GCM,data:RUpVlNFuEVbhtfXio2N3XpDiYZPjNE1mqladh7iMB7gJX2HSivh5hqt4KkD3Bpl3zSClYqbS6GwxkQ46i5mXqJWl/vCNSFuWPg3qiw==,iv:QJnXrAHfJQJ7Gj4kTIh1RSAFfpBQCIkLIlgeYDsrHko=,tag:NzDm2lamC6YXVH9oBxet5A==,type:str] + keys: ENC[AES256_GCM,data:qrnNqEhStnsuCHjFgCC1fNUDLmIvHbXUzCFXK9PGudQtj5W6DJX6him1rkMNW5VltoFilHo4flRk6ebB+eWNq4eN4h/7/1a7IfoaIQDmpjl4/skbVpPA9wriEgFunY3dWyiH4Qu3MCBiDSIOKJrkD11o2FKnvudTSxavNkvccQI9Z5ALrHKc1t3I0NDt4sE4gfocAq1l6cfnRJ8CTs8ZcWtLTQ==,iv:4/CUrq/oq0qvEbGUS2udLiBLZeGuQZ/KiSueBCqAoV0=,tag:tPiRZW/0y1BqHdwR3KNuyQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1say65zc678yc03tx4zexp20c9gvskvwrm4390j4x2jkepn97duhq9ptuj9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBub2xqNVJHeHFNbzRsQzlJ + cFBZTnBTWVdRbGtKZzc3b2hOVEIxbFV5RENnCk9BSTdyRFI3eHBjZ202MFppVHVW + N1V1QllWcTVVSDZZTFRzcUVSL0R4VU0KLS0tIGJBQkdUaGZTM1p2NTQvSFNWa1R6 + aHF5WEpjcUdBUWtaYk56RWZyRWZvdFkKDJg0l69Aa27SrWcAth4CbxdOACDLqE6t + crS49bDKqhZfsxE/6TNt279uBvPR8SsD0IE0hlBYJqGz6CxTmbMX8A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dm9xugju4q5gx0zty8ckw655ea904c64gv9qw9fn3lu507ck8uzsag59y8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkMTlpWDd4ckNKRWpNVXNq + a0FSdWhVWitCUEFDNjVNbDdHSWlWYkdxbHhRCkJKT3VrMDVhNEh5T09JYUR0UTYz + bE9DSW56UXRlN1QrSVZtMHhNQWVTekUKLS0tIEw0L3dnSnFGdnF3MTJpbmdaMVlS + 
QUlyNHBlNDV6eVJXc3VWNzJSaThIQUEKCdNxZCCNISWll5uaCcDQBA2ir7oLpHco + +7ypF6lcOalqjvzc5DTXTt/v6QVs0f7SCZmNJFBMpZm8M2B+7O1h7A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-18T13:40:36Z" + mac: ENC[AES256_GCM,data:gcobfyFJyKLfde3HlNXUsUdBakISwUCeWVCudn9/sMn6ABNYAlkvOa3PDnYERfp8G8q3QKouyqw43qpWPm+NLIRJs7Db7dR0w4DZOklWuElTumiGFLOSWHafuSNDrSEQS4QZNtaZ4CzobtIKsR9nZ9Admwyf2Jywew2bWxyXV/E=,iv:tEm62tvWmnsdIaRoQNcc6k6mOOG/6CzJv960SLdU0EA=,tag:vVmRjyNlZbxZDds+po93kQ==,type:str] + pgp: + - created_at: "2022-07-18T13:19:32Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DFV150TdUJTsSAQdANGcWrpkQLvVjB4XVycennMACAEher2mlKNsUFFGSKhIw + 6UHOKEdnTaWaOWzq1OhgTSqgYaXoWu3dXmZ/LAN7skym1jAiWFJmuqsRiDDsyH0V + 1GgBCQIQ2xEU2UgjyW6C9p6MUOniPypezbI+fd3jmJ3iIf/93a8M0+0vowWyKgGE + wdRzSlo4bCz9rm0BeS1Gxw8/5rkdmkHiGpwfk9jNUJ6pkQ/oRdtMCrpNAUoBdgge + S4DRtOSDgQcepA== + =qoxa + -----END PGP MESSAGE----- + fp: 8FCE86932583783E515B6FE55F2B001E20ED3763 + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/secrets.nix b/secrets/secrets.nix deleted file mode 100644 index b0d8a22b..00000000 --- a/secrets/secrets.nix +++ /dev/null 
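Review bot: The file's recipients (the two `age:` entries and the pgp `fp: 8FCE86932583783E515B6FE55F2B001E20ED3763`) match the second creation rule in `.sops.yaml`, so `sops updatekeys` should be a no-op for it. Two caveats deserve a mention in secrets/README.adoc: `unencrypted_suffix: _unencrypted` means any key added later whose name ends in `_unencrypted` is committed in cleartext, and `ssh-key` holds a private key, so `sops -d` and the `sopsfilter` textconv from `.gitattributes` will print it to a terminal or pager whenever the file is diffed. The `mac` line lets sops detect tampering with the ciphertext values, but a renamed or dropped top-level key is only caught at activation when sops-nix cannot find the `key` a secret declares.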
@@ -1,25 +0,0 @@
-let
- system1 =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG42LafAFOeh3oYz/cm6FXes0ss59/EOCXpGsYvhpI21";
- system2 =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHjRjAddjbyoM32tQhCjj8OrnqNBsXj+5D379iryupK+";
- system3 =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ4X7YXsEmMW3jP2dfU9l/KrF9jUZqN0sVXSvkag8VFH";
- systems = [ system1 system2 system3 ];
-
- user1 =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMclb6WPpYRoMVqCCzQcG2XQHczB6vaIEDIHqjVsyQJi";
- user2 =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBhrzY7tD0ZiGoA6nnfVxRQVQox0votQ2fuHz78LjNUD";
- user3 =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIytwsseYS6kV8ldiUV767C2Gy7okxckdDRW4aA3q/Ku";
- user4 =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtn+t2D7clY1U1rzKcSCBJjNbuJzbRArEiM3soyFcnv";
- users = [ user1 user2 user3 user4 ];
-in {
- "archive/borg-patterns".publicKeys = users ++ systems;
- "archive/borg-patterns-local".publicKeys = users ++ systems;
- "archive/borg-ssh-key".publicKeys = systems;
- "archive/password".publicKeys = users ++ systems;
- "archive/key".publicKeys = users ++ systems;
-}
diff --git a/shell.nix b/shell.nix
index 067d3c14..89d4cd62 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,5 +1,5 @@
 { pkgs ? import { } }:
 pkgs.mkShell {
- packages = with pkgs; [ asciidoctor git git-crypt nixfmt rnix-lsp ];
+ packages = with pkgs; [ asciidoctor age git nixpkgs-fmt rnix-lsp sops ];
 }
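Review bot: The dev shell gains `age` and `sops` but not `ssh-to-age`, the tool sops-nix's documented workflow uses to derive an age recipient such as `ni` in `.sops.yaml` from a host's SSH ed25519 key; if that is how `ni` was produced, adding it to `packages` keeps onboarding a new host reproducible from this shell. The `nixfmt` to `nixpkgs-fmt` swap is a formatter change unrelated to the secrets migration and alters the expected formatting of every `.nix` file, so it deserves its own commit or at least a sentence in this one. Dropping `git-crypt` is consistent with the new `.gitattributes` carrying only the `diff=sopsfilter` line, assuming no other `.gitattributes` elsewhere in the tree still declares a git-crypt filter.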