hosts: remove host path prefix for sops keys

The host prefix is more explicit and elegant, but more of a pain to manage,
especially with the new function. It was structured that way for other hosts'
secrets, but it isn't really used in practice. We could just enforce a
convention such as a `hosts` prefix to contain those secrets.
Gabriel Arazas 2023-07-05 13:11:47 +08:00
parent 240515ed3b
commit 2e7cdeacf3
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
8 changed files with 46 additions and 46 deletions


@ -31,7 +31,7 @@
}; };
services.openssh.hostKeys = [{ services.openssh.hostKeys = [{
path = config.sops.secrets."ni/ssh-key".path; path = config.sops.secrets."ssh-key".path;
type = "ed25519"; type = "ed25519";
}]; }];
@ -53,7 +53,7 @@
}; };
sops.secrets = lib.getSecrets ./secrets/secrets.yaml { sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
"ni/ssh-key" = { }; "ssh-key" = { };
}; };
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
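Review bot: None of the eight files in this commit is a secrets.yaml — the diffstat's 46 additions and 46 deletions are fully accounted for by the key renames in the eight Nix files shown — so the sops-encrypted YAML still carries the old `ni/…` and `plover/…` paths unless `lib.getSecrets` maps the new attribute names onto them, for example by setting each secret's `key` (sops-nix defaults `key` to the attribute name). If it does not, sops-nix will fail to decrypt `ssh-key` at activation, and the same applies to every renamed secret in the sections below. The convention the message describes is worth stating at the call site so the next rename does not repeat this question, e.g. `# Secret names are host-local; each must match a key in ./secrets/secrets.yaml unless getSecrets remaps it.` The `sops.secrets` attrset is fully inside the hunk, but the enclosing module body starts and ends outside it.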


@ -27,15 +27,15 @@ in
{ {
networking.firewall.allowedUDPPorts = [ wireguardPort ]; networking.firewall.allowedUDPPorts = [ wireguardPort ];
sops.secrets = lib.getSecrets ../secrets/secrets.yaml { sops.secrets = lib.getSecrets ../secrets/secrets.yaml {
"ni/wireguard/private-key" = { }; "wireguard/private-key" = { };
"ni/wireguard/preshared-keys/plover" = { }; "wireguard/preshared-keys/plover" = { };
"ni/wireguard/preshared-keys/phone" = { }; "wireguard/preshared-keys/phone" = { };
}; };
} }
(lib.mkIf config.networking.networkmanager.enable { (lib.mkIf config.networking.networkmanager.enable {
networking.wg-quick.interfaces.wireguard0 = { networking.wg-quick.interfaces.wireguard0 = {
privateKeyFile = config.sops.secrets."ni/wireguard/private-key".path; privateKeyFile = config.sops.secrets."wireguard/private-key".path;
listenPort = wireguardPort; listenPort = wireguardPort;
dns = with interfaces.lan; [ IPv4.address IPv6.address ]; dns = with interfaces.lan; [ IPv4.address IPv6.address ];
postUp = postUp =
@ -57,7 +57,7 @@ in
# The "server" peer. # The "server" peer.
{ {
publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover); publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover);
presharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path; presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path;
allowedIPs = wireguardAllowedIPs; allowedIPs = wireguardAllowedIPs;
endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}"; endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}";
persistentKeepalive = 25; persistentKeepalive = 25;
@ -66,7 +66,7 @@ in
# The "phone" peer. # The "phone" peer.
{ {
publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone); publicKey = lib.removeSuffix "\n" (lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone);
presharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/phone".path; presharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
allowedIPs = wireguardAllowedIPs; allowedIPs = wireguardAllowedIPs;
} }
]; ];
@ -86,9 +86,9 @@ in
secretPaths; secretPaths;
in in
applySystemdAttr [ applySystemdAttr [
"ni/wireguard/private-key" "wireguard/private-key"
"ni/wireguard/preshared-keys/phone" "wireguard/preshared-keys/phone"
"ni/wireguard/preshared-keys/plover" "wireguard/preshared-keys/plover"
]; ];
systemd.network = { systemd.network = {
@ -99,7 +99,7 @@ in
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = config.sops.secrets."ni/wireguard/private-key"; PrivateKeyFile = config.sops.secrets."wireguard/private-key";
ListenPort = wireguardPort; ListenPort = wireguardPort;
}; };
@ -107,7 +107,7 @@ in
# The "server" peer. # The "server" peer.
{ {
PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover; PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-plover;
PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/plover".path; PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/plover".path;
AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs; AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
Endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}"; Endpoint = "${interfaces.wan.IPv4.address}:${toString wireguardPort}";
PersistentKeepalive = 25; PersistentKeepalive = 25;
@ -116,7 +116,7 @@ in
# The "phone" peer. # The "phone" peer.
{ {
PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone; PublicKey = lib.readFile ../../plover/files/wireguard/wireguard-public-key-phone;
PresharedKeyFile = config.sops.secrets."ni/wireguard/preshared-keys/phone".path; PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs; AllowedIPs = lib.concatStringsSep "," wireguardAllowedIPs;
} }
]; ];
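Review bot: `PrivateKeyFile = config.sops.secrets."wireguard/private-key";` in the hunk at @ -99 is missing `.path`, unlike every other secret reference in this file (`privateKeyFile = config.sops.secrets."wireguard/private-key".path;` in the wg-quick branch and the `PresharedKeyFile` entries beside it) and the plover counterpart; it hands the whole secret attrset to systemd.network's wireguardConfig instead of the decrypted file path. The defect predates this commit, but since the rename rewrites the line anyway, this is the moment to correct it: `PrivateKeyFile = config.sops.secrets."wireguard/private-key".path;`. The `systemd.network` block this sits in begins and ends outside the hunk, so I cannot tell whether a networkd-only guard has kept the error from surfacing so far.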


@ -75,13 +75,13 @@ in
}; };
sops.secrets = lib.getSecrets ./secrets/secrets.yaml { sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
"plover/ssh-key" = { }; "ssh-key" = { };
"plover/lego/env" = { }; "lego/env" = { };
"plover/borg/repos/host/patterns/keys" = { }; "borg/repos/host/patterns/keys" = { };
"plover/borg/repos/host/password" = { }; "borg/repos/host/password" = { };
"plover/borg/repos/services/password" = { }; "borg/repos/services/password" = { };
"plover/borg/ssh-key" = { }; "borg/ssh-key" = { };
}; };
# All of the keys required to deploy the secrets. # All of the keys required to deploy the secrets.
@ -100,7 +100,7 @@ in
email = "admin+acme@foodogsquared.one"; email = "admin+acme@foodogsquared.one";
dnsProvider = "rfc2136"; dnsProvider = "rfc2136";
dnsResolver = "1.1.1.1"; dnsResolver = "1.1.1.1";
credentialsFile = config.sops.secrets."plover/lego/env".path; credentialsFile = config.sops.secrets."lego/env".path;
}; };
# Enable generating new DH params. # Enable generating new DH params.
@ -108,7 +108,7 @@ in
# !!! The keys should be rotated at an interval here. # !!! The keys should be rotated at an interval here.
services.openssh.hostKeys = [{ services.openssh.hostKeys = [{
path = config.sops.secrets."plover/ssh-key".path; path = config.sops.secrets."ssh-key".path;
type = "ed25519"; type = "ed25519";
}]; }];
@ -148,7 +148,7 @@ in
yearly = 6; yearly = 6;
}; };
startAt = "monthly"; startAt = "monthly";
environment.BORG_RSH = "ssh -i ${config.sops.secrets."plover/borg/ssh-key".path}"; environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg/ssh-key".path}";
}; };
borgRepo = path: "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/plover/${path}"; borgRepo = path: "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/plover/${path}";
@ -158,10 +158,10 @@ in
# acceptable for it to be backed up monthly. # acceptable for it to be backed up monthly.
host-backup = jobCommonSettings { host-backup = jobCommonSettings {
patternFiles = [ patternFiles = [
config.sops.secrets."plover/borg/repos/host/patterns/keys".path config.sops.secrets."borg/repos/host/patterns/keys".path
]; ];
repo = borgRepo "host"; repo = borgRepo "host";
passCommand = "cat ${config.sops.secrets."plover/borg/repos/host/password".path}"; passCommand = "cat ${config.sops.secrets."borg/repos/host/password".path}";
}; };
# Backups for various services. # Backups for various services.
@ -172,13 +172,13 @@ in
"/var/lib/acme" "/var/lib/acme"
]; ];
repo = borgRepo "services"; repo = borgRepo "services";
passCommand = "cat ${config.sops.secrets."plover/borg/repos/services/password".path}"; passCommand = "cat ${config.sops.secrets."borg/repos/services/password".path}";
} // { startAt = "weekly"; }; } // { startAt = "weekly"; };
}; };
programs.ssh.extraConfig = '' programs.ssh.extraConfig = ''
Host ${hetzner-boxes-server} Host ${hetzner-boxes-server}
IdentityFile ${config.sops.secrets."plover/borg/ssh-key".path} IdentityFile ${config.sops.secrets."borg/ssh-key".path}
''; '';
system.stateVersion = "23.05"; system.stateVersion = "23.05";


@ -60,9 +60,9 @@ in
}; };
in in
lib.getSecrets ../../secrets/secrets.yaml { lib.getSecrets ../../secrets/secrets.yaml {
"plover/dns/${domain}/mailbox-security-key" = dnsFileAttribute; "dns/${domain}/mailbox-security-key" = dnsFileAttribute;
"plover/dns/${domain}/mailbox-security-key-record" = dnsFileAttribute; "dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
"plover/dns/${domain}/rfc2136-key" = dnsFileAttribute // { "dns/${domain}/rfc2136-key" = dnsFileAttribute // {
reloadUnits = [ "bind.service" ]; reloadUnits = [ "bind.service" ];
}; };
}; };
@ -138,7 +138,7 @@ in
''; '';
extraConfig = '' extraConfig = ''
include "${config.sops.secrets."plover/dns/${domain}/rfc2136-key".path}"; include "${config.sops.secrets."dns/${domain}/rfc2136-key".path}";
acl trusted { ${lib.concatStringsSep "; " (clientNetworks ++ serverNetworks)}; localhost; }; acl trusted { ${lib.concatStringsSep "; " (clientNetworks ++ serverNetworks)}; localhost; };
@ -186,7 +186,7 @@ in
let let
domainZone' = zoneFile domain; domainZone' = zoneFile domain;
fqdnZone' = zoneFile fqdn; fqdnZone' = zoneFile fqdn;
secretPath = path: config.sops.secrets."plover/dns/${path}".path; secretPath = path: config.sops.secrets."dns/${path}".path;
in lib.mkAfter '' in lib.mkAfter ''
[ -f '${domainZone'}' ] || { [ -f '${domainZone'}' ] || {
install -Dm0600 '${domainZone}' '${domainZone'}' install -Dm0600 '${domainZone}' '${domainZone'}'


@ -12,8 +12,8 @@ let
in in
{ {
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml { sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/gitea/db/password".owner = giteaUser; "gitea/db/password".owner = giteaUser;
"plover/gitea/smtp/password".owner = giteaUser; "gitea/smtp/password".owner = giteaUser;
}; };
services.gitea = { services.gitea = {
@ -21,7 +21,7 @@ in
appName = "foodogsquared's code forge"; appName = "foodogsquared's code forge";
database = { database = {
type = "postgres"; type = "postgres";
passwordFile = config.sops.secrets."plover/gitea/db/password".path; passwordFile = config.sops.secrets."gitea/db/password".path;
}; };
# Allow Gitea to take a dump. # Allow Gitea to take a dump.
@ -33,7 +33,7 @@ in
# There are a lot of services in port 3000 so we'll change it. # There are a lot of services in port 3000 so we'll change it.
lfs.enable = true; lfs.enable = true;
mailerPasswordFile = config.sops.secrets."plover/gitea/smtp/password".path; mailerPasswordFile = config.sops.secrets."gitea/smtp/password".path;
# You can see the available configuration options at # You can see the available configuration options at
# https://docs.gitea.io/en-us/config-cheat-sheet/. # https://docs.gitea.io/en-us/config-cheat-sheet/.


@ -9,7 +9,7 @@ let
in in
{ {
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml { sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/ldap/users/foodogsquared/password".owner = portunusUser; "ldap/users/foodogsquared/password".owner = portunusUser;
}; };
services.portunus = { services.portunus = {
@ -51,7 +51,7 @@ in
../../../../users/home-manager/foo-dogsquared/files/ssh-key.pub ../../../../users/home-manager/foo-dogsquared/files/ssh-key.pub
../../../../users/home-manager/foo-dogsquared/files/ssh-key-2.pub ../../../../users/home-manager/foo-dogsquared/files/ssh-key-2.pub
]; ];
password.from_command = [ "${pkgs.coreutils}/bin/cat" config.sops.secrets."plover/ldap/users/foodogsquared/password".path ]; password.from_command = [ "${pkgs.coreutils}/bin/cat" config.sops.secrets."ldap/users/foodogsquared/password".path ];
} }
]; ];
}; };


@ -13,13 +13,13 @@ let
in in
{ {
sops.secrets = lib.getSecrets ../../secrets/secrets.yaml { sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
"plover/vaultwarden/env".owner = vaultwardenUser; "vaultwarden/env".owner = vaultwardenUser;
}; };
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
dbBackend = "postgresql"; dbBackend = "postgresql";
environmentFile = config.sops.secrets."plover/vaultwarden/env".path; environmentFile = config.sops.secrets."vaultwarden/env".path;
config = { config = {
DOMAIN = "https://${passwordManagerDomain}"; DOMAIN = "https://${passwordManagerDomain}";


@ -25,9 +25,9 @@ in
}; };
in in
lib.getSecrets ../../secrets/secrets.yaml { lib.getSecrets ../../secrets/secrets.yaml {
"plover/wireguard/private-key" = systemdNetworkdPermission; "wireguard/private-key" = systemdNetworkdPermission;
"plover/wireguard/preshared-keys/ni" = systemdNetworkdPermission; "wireguard/preshared-keys/ni" = systemdNetworkdPermission;
"plover/wireguard/preshared-keys/phone" = systemdNetworkdPermission; "wireguard/preshared-keys/phone" = systemdNetworkdPermission;
}; };
networking.firewall = { networking.firewall = {
@ -67,7 +67,7 @@ in
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = config.sops.secrets."plover/wireguard/private-key".path; PrivateKeyFile = config.sops.secrets."wireguard/private-key".path;
ListenPort = wireguardPort; ListenPort = wireguardPort;
}; };
@ -76,7 +76,7 @@ in
{ {
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = lib.readFile ../../../ni/files/wireguard/wireguard-public-key-ni; PublicKey = lib.readFile ../../../ni/files/wireguard/wireguard-public-key-ni;
PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/ni".path; PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/ni".path;
AllowedIPs = lib.concatStringsSep "," desktopPeerAddresses; AllowedIPs = lib.concatStringsSep "," desktopPeerAddresses;
}; };
} }
@ -85,7 +85,7 @@ in
{ {
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = lib.readFile ../../files/wireguard/wireguard-public-key-phone; PublicKey = lib.readFile ../../files/wireguard/wireguard-public-key-phone;
PresharedKeyFile = config.sops.secrets."plover/wireguard/preshared-keys/phone".path; PresharedKeyFile = config.sops.secrets."wireguard/preshared-keys/phone".path;
AllowedIPs = lib.concatStringsSep "," phonePeerAddresses; AllowedIPs = lib.concatStringsSep "," phonePeerAddresses;
}; };
} }