hosts: remove host path prefix for sops keys

It is more explicit and elegant but more of a pain to manage, especially
with the new function. It was structured that way for other hosts'
secrets, but it isn't really used in practice. We could just enforce a
convention such as a `hosts` prefix to contain those secrets.
Gabriel Arazas 2023-07-05 13:11:47 +08:00
parent 240515ed3b
commit 2e7cdeacf3
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
8 changed files with 46 additions and 46 deletions


@ -31,7 +31,7 @@
};
services.openssh.hostKeys = [{
path = config.sops.secrets."ni/ssh-key".path;
path = config.sops.secrets."ssh-key".path;
type = "ed25519";
}];
@ -53,7 +53,7 @@
};
sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
"ni/ssh-key" = { };
"ssh-key" = { };
};
sops.age.keyFile = "/var/lib/sops-nix/key.txt";


@ -27,15 +27,15 @@ in
{
networking.firewall.allowedUDPPorts = [ wireguardPort ];
sops.secrets = lib.getSecrets ../secrets/secrets.yaml {
"ni/wireguard/private-key" = { };
"ni/wireguard/preshared-keys/plover" = { };
"ni/wireguard/preshared-keys/phone" = { };
"wireguard/private-key" = { };
"wireguard/preshared-keys/plover" = { };
"wireguard/preshared-keys/phone" = { };
};
}
(lib.mkIf config.networking.networkmanager.enable {
networking.wg-quick.interfaces.wireguard0 = {
privateKeyFile = config.sops.secrets."ni/wireguard/private-key".path;
privateKeyFile = config.sops.secrets."wireguard/private-key".path;
listenPort = wireguardPort;
dns = with interfaces.lan; [ IPv4.address IPv6.address ];
postUp =
@ -57,7 +57,7 @@ in
# The "server" peer.
{
publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover);
presharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path;
presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path;
allowedIPs = wireguardAllowedIPs;
endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}";
persistentKeepalive = 25;
@ -66,7 +66,7 @@ in
# The "phone" peer.
{
publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone);
presharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/phone".path;
presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
allowedIPs = wireguardAllowedIPs;
}
];
@ -86,9 +86,9 @@ in
secretPaths;
in
applySystemdAttr [
"ni/wireguard/private-key"
"ni/wireguard/preshared-keys/phone"
"ni/wireguard/preshared-keys/plover"
"wireguard/private-key"
"wireguard/preshared-keys/phone"
"wireguard/preshared-keys/plover"
];
systemd.network = {
@ -99,7 +99,7 @@ in
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."ni/wireguard/private-key";
PrivateKeyFile = config.sops.secrets."wireguard/private-key";
ListenPort = wireguardPort;
};
@ -107,7 +107,7 @@ in
# The "server" peer.
{
PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover;
PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path;
PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path;
AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
Endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}";
PersistentKeepalive = 25;
@ -116,7 +116,7 @@ in
# The "phone" peer.
{
PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone;
PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/phone".path;
PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
}
];
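Review bot: `PrivateKeyFile = config.sops.secrets."wireguard/private-key";` in the `@ -99,7 +99,7 @@` hunk is missing `.path`, so the systemd-networkd `wireguardConfig` is handed the sops secret attribute set rather than the path string; every other reference in this commit, including the wg-quick `privateKeyFile` earlier in this file and plover's own `PrivateKeyFile`, appends `.path`. The rename carries the omission over unchanged, so the new line should read `PrivateKeyFile = config.sops.secrets."wireguard/private-key".path;`. The enclosing `systemd.network` block starts and ends outside the hunk. Separately, dropping the host prefix means both hosts now declare `wireguard/private-key` and `wireguard/preshared-keys/phone`; the sections reference different `secrets.yaml` paths, so this only matters if those ever resolve to the same file — worth confirming.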


@ -75,13 +75,13 @@ in
};
sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
"plover/ssh-key" = { };
"plover/lego/env" = { };
"ssh-key" = { };
"lego/env" = { };
"plover/borg/repos/host/patterns/keys" = { };
"plover/borg/repos/host/password" = { };
"plover/borg/repos/services/password" = { };
"plover/borg/ssh-key" = { };
"borg/repos/host/patterns/keys" = { };
"borg/repos/host/password" = { };
"borg/repos/services/password" = { };
"borg/ssh-key" = { };
};
# All of the keys required to deploy the secrets.
@ -100,7 +100,7 @@ in
email = "admin+acme@foodogsquared.one";
dnsProvider = "rfc2136";
dnsResolver = "1.1.1.1";
credentialsFile = config.sops.secrets."plover/lego/env".path;
credentialsFile = config.sops.secrets."lego/env".path;
};
# Enable generating new DH params.
@ -108,7 +108,7 @@ in
# !!! The keys should be rotated at an interval here.
services.openssh.hostKeys = [{
path = config.sops.secrets."plover/ssh-key".path;
path = config.sops.secrets."ssh-key".path;
type = "ed25519";
}];
@ -148,7 +148,7 @@ in
yearly = 6;
};
startAt = "monthly";
environment.BORG_RSH = "ssh -i ${config.sops.secrets."plover/borg/ssh-key".path}";
environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg/ssh-key".path}";
};
borgRepo = path: "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/plover/${path}";
@ -158,10 +158,10 @@ in
# acceptable for it to be backed up monthly.
host-backup = jobCommonSettings {
patternFiles = [
config.sops.secrets."plover/borg/repos/host/patterns/keys".path
config.sops.secrets."borg/repos/host/patterns/keys".path
];
repo = borgRepo "host";
passCommand = "cat ${config.sops.secrets."plover/borg/repos/host/password".path}";
passCommand = "cat ${config.sops.secrets."borg/repos/host/password".path}";
};
# Backups for various services.
@ -172,13 +172,13 @@ in
"/var/lib/acme"
];
repo = borgRepo "services";
passCommand = "cat ${config.sops.secrets."plover/borg/repos/services/password".path}";
passCommand = "cat ${config.sops.secrets."borg/repos/services/password".path}";
} // { startAt = "weekly"; };
};
programs.ssh.extraConfig = ''
Host ${hetzner-boxes-server}
IdentityFile ${config.sops.secrets."plover/borg/ssh-key".path}
IdentityFile ${config.sops.secrets."borg/ssh-key".path}
'';
system.stateVersion = "23.05";


@ -60,9 +60,9 @@ in
};
in
lib.getSecrets ../../secrets/secrets.yaml {
"plover/dns/${domain}/mailbox-security-key" = dnsFileAttribute;
"plover/dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
"plover/dns/${domain}/rfc2136-key" = dnsFileAttribute // {
"dns/${domain}/mailbox-security-key" = dnsFileAttribute;
"dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
"dns/${domain}/rfc2136-key" = dnsFileAttribute // {
reloadUnits = [ "bind.service" ];
};
};
@ -138,7 +138,7 @@ in
'';
extraConfig = ''
include "${config.sops.secrets."plover/dns/${domain}/rfc2136-key".path}";
include "${config.sops.secrets."dns/${domain}/rfc2136-key".path}";
acl trusted { ${lib.concatStringsSep "; " (clientNetworks ++ serverNetworks)}; localhost; };
@ -186,7 +186,7 @@ in
let
domainZone' = zoneFile domain;
fqdnZone' = zoneFile fqdn;
secretPath = path: config.sops.secrets."plover/dns/${path}".path;
secretPath = path: config.sops.secrets."dns/${path}".path;
in lib.mkAfter ''
[ -f '${domainZone'}' ] || {
install -Dm0600 '${domainZone}' '${domainZone'}'


@ -12,8 +12,8 @@ let
in
{
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/gitea/db/password".owner = giteaUser;
"plover/gitea/smtp/password".owner = giteaUser;
"gitea/db/password".owner = giteaUser;
"gitea/smtp/password".owner = giteaUser;
};
services.gitea = {
@ -21,7 +21,7 @@ in
appName = "foodogsquared's code forge";
database = {
type = "postgres";
passwordFile = config.sops.secrets."plover/gitea/db/password".path;
passwordFile = config.sops.secrets."gitea/db/password".path;
};
# Allow Gitea to take a dump.
@ -33,7 +33,7 @@ in
# There are a lot of services in port 3000 so we'll change it.
lfs.enable = true;
mailerPasswordFile = config.sops.secrets."plover/gitea/smtp/password".path;
mailerPasswordFile = config.sops.secrets."gitea/smtp/password".path;
# You can see the available configuration options at
# https://docs.gitea.io/en-us/config-cheat-sheet/.


@ -9,7 +9,7 @@ let
in
{
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/ldap/users/foodogsquared/password".owner = portunusUser;
"ldap/users/foodogsquared/password".owner = portunusUser;
};
services.portunus = {
@ -51,7 +51,7 @@ in
../../../../users/home-manager/foo-dogsquared/files/ssh-key.pub
../../../../users/home-manager/foo-dogsquared/files/ssh-key-2.pub
];
password.from_command = [ "${pkgs.coreutils}/bin/cat" config.sops.secrets."plover/ldap/users/foodogsquared/password".path ];
password.from_command = [ "${pkgs.coreutils}/bin/cat" config.sops.secrets."ldap/users/foodogsquared/password".path ];
}
];
};


@ -13,13 +13,13 @@ let
in
{
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/vaultwarden/env".owner = vaultwardenUser;
"vaultwarden/env".owner = vaultwardenUser;
};
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = config.sops.secrets."plover/vaultwarden/env".path;
environmentFile = config.sops.secrets."vaultwarden/env".path;
config = {
DOMAIN = "https://${passwordManagerDomain}";


@ -25,9 +25,9 @@ in
};
in
lib.getSecrets ../../secrets/secrets.yaml {
"plover/wireguard/private-key" = systemdNetworkdPermission;
"plover/wireguard/preshared-keys/ni" = systemdNetworkdPermission;
"plover/wireguard/preshared-keys/phone" = systemdNetworkdPermission;
"wireguard/private-key" = systemdNetworkdPermission;
"wireguard/preshared-keys/ni" = systemdNetworkdPermission;
"wireguard/preshared-keys/phone" = systemdNetworkdPermission;
};
networking.firewall = {
@ -67,7 +67,7 @@ in
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."plover/wireguard/private-key".path;
PrivateKeyFile = config.sops.secrets."wireguard/private-key".path;
ListenPort = wireguardPort;
};
@ -76,7 +76,7 @@ in
{
wireguardPeerConfig = {
PublicKey = lib.readFile ../../../ni/files/wireguard/wireguard-public-key-ni;
PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/ni".path;
PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/ni".path;
AllowedIPs = lib.concatStringsSep "," desktopPeerAddresses;
};
}
@ -85,7 +85,7 @@ in
{
wireguardPeerConfig = {
PublicKey = lib.readFile ../../files/wireguard/wireguard-public-key-phone;
PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/phone".path;
PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
AllowedIPs = lib.concatStringsSep "," phonePeerAddresses;
};
}