diff --git a/.gitattributes b/.gitattributes
index 5b6af4d..8f6057b 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -3,3 +3,4 @@
 *.svg filter=lfs diff=lfs merge=lfs -text
 **/secrets/** filter=git-crypt diff=git-crypt
+**/secrets.yaml diff=sops
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..cfc3d33
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,28 @@
+keys:
+ - &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+ - &fuuko 2372651C56E22972C2D9F3F569C8187C9C43754E
+ - &nunotaba 8C5091AEA213FB0642BD46F943EE19743FAC1D5C
+ - &vueko BB046D773F54739757553A053CB9B8EFD7FED749
+creation_rules:
+ - path_regex: machines/nunotaba/secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *simon
+ - *nunotaba
+ - path_regex: machines/vueko/secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *simon
+ - *vueko
+ - path_regex: machines/fuuko/secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *simon
+ - *fuuko
+ - path_regex: secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *simon
+ - *nunotaba
+ - *vueko
+ - *fuuko
diff --git a/README.md b/README.md
index 7ad439e..5d6024b 100644
--- a/README.md
+++ b/README.md
@@ -23,9 +23,7 @@
 * `users/simon`: [home-manager](https://github.com/nix-community/home-manager) configuration
-Secrets are managed with krops’s integrated support for
-[`pass`](https://www.passwordstore.org/). Permission management for them is
-implemented in `modules/secrets.nix`.
+Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix).
 ## How to install
diff --git a/deploy.nix b/deploy.nix
index 91e5b97..2cb74d2 100644
--- a/deploy.nix
+++ b/deploy.nix
@@ -8,7 +8,6 @@ let
 kropsDeploy = { hostname
 , target ? null
- , secrets ? true
 , extraSources ? { }
 }:
 let
@@ -46,12 +45,6 @@ let
 };
 nixos-config.symlink = "config/machines/${hostname}/configuration.nix";
 }
- (lib.mkIf secrets {
- secrets.pass = {
- dir = toString ~/.password-store;
- name = "nixos/machines/${hostname}";
- };
- })
 extraSources
 ];
 in
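Review bot: `diff=sops` on `**/secrets.yaml` only takes effect if a `[diff "sops"]` driver with a `textconv` command is configured in the developer's git config, and this commit adds neither that configuration nor setup instructions. Since the README hunk now only states that secrets are managed with sops-nix, a short setup paragraph there (importing the committed `keys/*.asc` files, configuring the diff driver) would make the attribute usable. A textconv driver decrypts the file into `git diff` output, so it belongs in the local config of key holders rather than in the repository.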
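Review bot: The catch-all rule `path_regex: secrets\.yaml$` is unanchored at the front, so a `secrets.yaml` for a host without a dedicated rule (for example under `machines/sayuri/`, which appears elsewhere in this commit) would be encrypted to every machine key instead of failing. Anchoring it, `- path_regex: ^secrets\.yaml$`, makes a missing per-host rule an error at encryption time rather than a silent widening of who can decrypt. The three per-host fingerprints do match the `fp:` entries in the corresponding `machines/*/secrets.yaml` files added here.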
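Review bot: Dropping the `secrets ? true` parameter from `kropsDeploy` turns any call site that still passes `secrets = …` into an evaluation error (unexpected argument); the call sites are outside these hunks, so they should be checked in the same change. With the `secrets.pass` source removed, krops no longer copies anything onto the target, which matters for the `/root/luks-data` key files referenced in the fuuko and sayuri hardware configurations in this commit — those now need an out-of-band provisioning step that nothing here documents. The `kropsDeploy` definition continues past the hunk.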
diff --git a/keys/machines/fuuko.asc b/keys/machines/fuuko.asc new file mode 100644 index 0000000..50fe786 --- /dev/null +++ b/keys/machines/fuuko.asc @@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEACkl9IfFWt7bGRtnJmDsv3sfotEQZusmFA6d9+Lh3J3Z5Ekx1Yz +wIf26Y2MgOtxv8AJJ8QW13wH8/NOrySTPUaaQwjmkiv+7Hp3Ez7uoSg7BRrUXVez +oo6dIStda5rNmx1ClYnzBVu0q54/mOayYWxeJOTl1YVKr7cSx2jcV+h5vEMZYeym +AkHGNoFz83dguwNWTZvURjp6B65G84w3YuZyG0YHeQ8Lr0gCJDEmrP2NzIuXeGWy +VEaE4XAUOF/9T+WVkuQmz6Drnqpw59Wc/J51Z2bz/2KL1oI1vR1HSzJlv7kc3joJ +63yYv0TXy4AeptWoY8FX2wtHxfIUK6ClHNfBhjis0cYgvru0KZSMNAGQutlGB0yA +2YHOS1vSPXfdyKbODCP08CpA1lufYapJwSNgU0c5d22OCCYvdwdr0HRc/0zmUoVH +/ge2SL0dRTm85ny/wEE5TgL9qnh3iWpWM60lCX3MgkHRnfgmSYn/FJHB4+3miQ31 +hYkw1X1ee5ZFNsptVT5vtz/b1reVA/+v6moReIsFaWKxEgGFHXBYCRt8HnxyYvcv +jv9B+qpL12p7gflMr/trA5xTu9yQLpLqxSRpl1vebLo5p6H084pUelwFtBq/hLs6 +bEPw5R/n/7EyPauDeEPb/xHKACez3hhdS+GqxgcaaLqQZN1w7/cxXBVSFQARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT +AQgAFgUCAAAAAAkQacgYfJxDdU4CGw8CGQEAALeFEABb6uheTtzwh2pmbEfahsMf +3Umb9E1hGVaKz9KUez2gU/C3EbnELm7qPSP8Bj5gp5hF527YpwcPTGMKXD+SyyUE +w+1lFun6RNEEeeJoOEtDoQZA6j4bcpZqvR7r7jAhdU1LHuIjD+4AM4jrTF3B2BrN +LpuX70MO0zX0b6ryHeH+9y3iCDmxViXmn0EVG/MLAjguWMrimZ66R0raKfs4eRR4 +WbbFRl+xXPOv5JvPVhl0BQItVXrTTXFnRNF8y0AxmpxGZ8uFr3PwN9xB9I4o25mu +5Pj+aEfJkHTiMqzG44+TITu4pN3xvy32yqO9skn99pz16Q1jQy1cYYnl64nfktJ5 +cH9Unq5CQIzyugrHhFTruN4PZR07mMMoIHRNisKOVifoyEQPqKUEOsYsaEv+zeU3 +a42acC3AXJJrSgjN5XoA7bV4RRmU3QYQUsO87gJF2I3xnZwKkRL8R+g0cZeBTaG3 +U1DwKNfb2WhiAtagixVk7bsKknYJDar41LA0FM5i6uRez+Pb1y8yscD9TP3xiR5d +m+/mbrz4fF+5ifRqhvfsewcZIwkVVXR0pBK8c/eGL7YrZ1pJwt3JDsWfM50TGvS1 +O9LCghAw/SZPfyBik0vKc3R01Pfj3yC70gsG6DI9bIG1UavLhbGQCgDPcEpDZiIt +N7RsQdc2NwPnMMMH4mTAvg== +=9jYa +-----END PGP PUBLIC KEY BLOCK----- diff --git a/keys/machines/nunotaba.asc b/keys/machines/nunotaba.asc new file mode 100644 index 0000000..7ab5b65 --- /dev/null +++ b/keys/machines/nunotaba.asc 
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEACo9KbNVEL7yttMyACGIxYS5UvkJDsXJiuIzPWmrzhVzDXTs1hi +3iS0EjkVB8mm8GLBKI25Pc9b7Rb2B3XeRcu2btUtWH61aBPOwcqpg8vt0MtcieZN +lpmwFBg0QtBdSrnUr/GdekRDcenSmIVPh8cyb9KCyJgcGxvTFWkd5lhrdQoAWAdM +TynUd8tKvmp9R6z54uPuGNUHbmNmHHDtv7LSOD79DIi+32bQGHevNTkCeXJNLO1P +5YJdz04xb7kGEhUodYoAx7RB2M18BdTk97XA7sHmoI3TayARHssPWtqJb1B8CK8x +uSHi1L7tHOF74pmo6V4Rt41gECMKjxLzXwB87hnrBxQ5UT8VZx5MBBQm+nfNKYH0 +MWAvWvaHGwBzNPabeGgaCoRT2OhC+0q4hPnYMxdSA61IYN6fch7LYfJdaPxOdGKH +/IMW091tS1JF9aY0ZGGy52DCVa+bC+4yHziqpCzf7aPJ4oCYtxZ904t6hocKlggG +bEM879Or9/nZ63smodUP907msUpFdvXUfFckAWAKms/SECN3lRvBnVj7VsHylvdi +gwUI+XkEw6NXscsTGepSWgQppz4hmQWFAhfkYZYl0P59HRyXa+PdyQeH+jDOlyNg +B6yIdCJWwDEiCvErqfJ9mulgrmZWePrjPYHOy1iFUueSoupxEbzBkm6LIwARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT +AQgAFgUCAAAAAAkQQ+4ZdD+sHVwCGw8CGQEAAHFMEAAB8oxf8GD/w6932R30qybr +Y6kJukhmsTSPszeILmIU+F0BDBekgPxApFZRHRjAbAfra131emtj1xrUXGi+Y2UL +E4wN/Ebaxc5TfJk46iklxHsRUNG6ikJOcSz8zIl2LYN1BEOYOOGTtJqpWq607ngF +hkK6FDqKYcomrWGfGOzp33ts4j8t52zwsipms7Z1x9DqQmYEZcT6kvPbAUKQh2oj +chTI6FixsL63UH26JtlxPwrXqDGy1LwL2VUzlTHYYAuo3A+t6gEWveMCv99jLa2U +jVdjhjSTC6vX+7Rj3qko1Gns9h2JmsBSpocEvpsOGseAGA6uVoZcbWG5AzW/729b +xkQ9mL2Ya/htPwG/pzzuHvmK/YdFdUYQvZJr82Gvtkiu0/KUN21FU5BeE0Zg0kCk +pM5s8vJtj87eJ4UsUNlDtVX1DtwHAP8G2Dmpd2lWkD6ulovwpNcHLQ+Q+YH7UyU6 +OjZzlX5yf4Tndm+Gv8YhnTOm6Bo6jgiMIZpJh5qObA0oY8dEAiDdy7mVsNR0AFUn +lWBjVAfO4keEwMPqs/RBONofixRkZLoX54s3ypAS8ltr/Qlxjk3fzDLf/en01uL8 +qOjTkYBRwfGZdIPVuTYsncxBVSh9/MPKF1zEYpTSFF4hxhW+00R9mpvNiqO4CHia +x2KNnq/P36Mpcv6X7j4U4Q== +=5d0j +-----END PGP PUBLIC KEY BLOCK----- diff --git a/keys/machines/vueko.asc b/keys/machines/vueko.asc new file mode 100644 index 0000000..8148088 --- /dev/null +++ b/keys/machines/vueko.asc 
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEADQYi6d6/laFq0OQWLZYL/48/SF1gnej22Ob+Cy0Tm0d2w9lU95 +hASROWy6ZqUFwVXKp85uh6UJtA6q2XpaodfurGciCW7DYOjPNexJ0o2xmyFqGB/s +PuQDB4NxGXhCyNBXa42adfIlDyYHo5zIDuglMbwr7CQ3RZ1ktxudaA6t9Zlw/5pM +c1RXuTwvlhLGstnAz/ojNFwEH4lzYIIRpW4GXmWrtnmjXL/z4LLplYrfPGnsPIij +Qf31vhIrEp42nzJIY2wjshZaTvj5y0QIBPfgy9Q9I8/YwxFSY2wt3x8ooGLkTw4v +bshqUReatSdoIL4snCaA1oFtnKpqv2vJy/Z6LvURA4e/sbD+c5lMBTE/EkVgvCkC +6AbvCxwYHxB2G+lizKgRrQ8tVNDEHOFJBKNMaJAXpzz50ItaSpC+8FrYEP+y7iHk +0SBzKlJv3F+yuo1WrD4gHyxHAxACa2eDUU+EikO9BrOh78unOmWYEWVCju+ICHHP +STpW8jvEkldttv9Zr4YBDe22sjLKGuqngqabfSCokjjtEPgABCuJMLaGMW5nQm1K +Qdr0OHjr1apQMG454CMl4SGoXuNv0XIAcDpaR9xUB5cbBmAmwOWtdrqP2z772+9E +jw2WwavW6bn/cApa6BHSK+PQhF9wWvASy138i4m7aCLC8cteukOd6jCexwARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT +AQgAFgUCAAAAAAkQPLm479f+10kCGw8CGQEAABX4EAAT59Yhu+JwOlmSI9UlzM/E +FJ+A8AHijh7Fc8+TjqnA7HmUSlhhVzhuSpjsSt8f1wswNXdcM9N7A5p0DCPZ+caG +9TyUrQXktiUdOj3O8bAwnsp7c/GYSBpIjhK1ZN8giN/c66l6z5IcolLA/KBPkMOp +2ipPBNjD7bk4khAzAqbPxGxGcpHqaNCS/nC/ovRlcQ2O8rgedXhhRZackuy6gw5+ +fwGyrnAt9oVthBqhYSUNItQwEPWnEj1yZzsQVvpCX61Vkh7qfqiG/ewvWVVTVOL3 +lEV5EUsFhiNX5ORUm3pk2qqELR8FbcVzTWf8sLgRM3NeqnotPS3rcHFb11Crh5SD +kqoAK2U0oYdGj5wlOH/yNtO5Q1auKwQ0Unttj8zmy55tCwqTiSrahmVxksCyINJn +B7h4Xct0ENH9gK/03aEGSZCzLxNG3BpOAOjWU+Ir5W2QLVxZDJT1KiaSftf81h9I +k57QsrXAoJNfzwONphQGSVKADBa0Y1P/zkm91gOcuIh3WXZ7BRcn5YZ72POqf61o +4uvT5xnDH2Y7upsCMTQkOUCenRUspapQZEQP+tZgQIwli86UeXfcPsqXX8j5QiJD +5HOl1jSRt5Rh4rqHfWYyobvLaEnWFEc3H/tYWSkk/w1ideiB3jMCdw65clQHGqJy +benF3GpcdU5XwmnJZ3XrCA== +=4Idg +-----END PGP PUBLIC KEY BLOCK----- diff --git a/keys/users/simon.asc b/keys/users/simon.asc new file mode 100644 index 0000000..d5aa897 --- /dev/null +++ b/keys/users/simon.asc 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF/lCz0BEADKOij3IA1IIiZc9c8rgxTUtrn4W1R8ncgsnFuXIDGD35dBB9e0 +wd5noQigoqts9N8ULHEV6J8AuBdl1IP2nAKAr6h3F+hrLjL5tZZCPpTN5fhxWguz +wt6aFZgcFwFmQfZHSInxO2XpcibyJAs5ZXW3cO+VYQdVxXLT6KOLKkqWCCGMlQSt +xNigzNbrjUcjrcGBcjNbFJs0P4BkVvD6+3xBerpT6zwAuFdBiUpZZk+XI1QCAuVF +6ld5A+x+pwvKoN/n040UAUAdLTne7oisNonLhSvZVrH2uH4dKkku/yi2glSkUwps +n+ffr0jD9VrdbxktcqQBE0WU2q7Eqe6EjSxURHI6uJ/wFh0QeYR8sT5mgPMt5O9T +T49Kz2uUdljuHW0eI37DJSUDcXWh0OtuENRFf7m0lvIIaaPpbPM4btS8j9lCFs9h +pJsQIQbNjV+UmIBvddDKGwcL+DHJFk0E2sqPYOwsebvbQLhVvPSPWWUVKrqMay9Y +Vd9KKy/KddESzM6c3TFmUbkEj1h4qWSZ0XX0vGL8LL68maaDHwO1nKuw/XfSpjAC +c+3wuqAgwFB+ihO/qWs8CB0z+wo+7NK9OUUVVucu2duUUjNknf6+v6fPedtziapp +SHVQQKWYvozxVa7XU+dnrU3ZUHzIrv6Fr6yTdGy6fw7pE3yPFIwbw9vsowARAQAB +tB9TaW1vbiBCcnVkZXIgPHNpbW9uQHNicnVkZXIuZGU+iQJSBBMBCgA8FiEER+dV +ngN6NWUtu/iqjTyC+fMJ+OwFAl/lCz0CGwMFCQeEzgAECwkIBwQVCgkIBRYCAwEA +Ah4BAheAAAoJEI08gvnzCfjsYFoP+weWMfiJ3mMeBeZBBcgp9NZTjrJoc2tKn/9s +RL4PL/3lwLRSEu6JS4LauAD6fW1d5QnNnUe4nIcvTO6RvJ7R/lDWg1KL+pdCfYtk +FiIesUkp+eW5Gqw5m6Bt1a9UjXdtHJuVGKQ/XjxC2914Ps6nhp5mY+NUm5zwZCBK +qbjiPjD17TeTCThEui3kwl0sgBhNX/eCPpJZtw3u7vzxpN24+sX8Ogo9r4nRtHKv +64vVggiT1Iu9JXm9KYlySFDZed9iVbgM2wKpylw1I0+F4VS8Jw/RDiIW61exKxAe +VuxPzbIGeJ0R8u0ZcvTiRbXr7op9barUDCQFn2K2oHXd8uCMUULinlO2pPYyshGh +znnZcZIvawqtWnImNnyTvKYe5Il9w2fmm6SzwRmcMvHBZ60eJC/PmnhpRcpBxyiG +mAWgFmmgMhc81wcPZFD0Mp91twMDHRchgfmBBlNdqMBt9nNJ2Mm7o52mVX/daMG4 +VCqLdvbW9mWkyQVjfBq30XabanzN8RST63LlZEwArQqFpH8OifNMHI22fW2xGvPq +09k6SLA9qbobGFw+OGKIaGHiVbFq5aeTkqHr0sgL8QBHUJWv+SE0q49GfDDvA4JE +iDsLW6RJuNFGTaBq/NzN3A7iT8tTcdClYc7MSQxsEyTpuU+BlC9ewNC4cV/PyJ8l +13yeMkdZuQINBF/lCz0BEADs+rV9/tDQ6hyJlgMEKA34LjV4OEBdpwnRS51juXYt +nJiRC22Ljs6FY3NivOQPUNJR4yLU7/FGCGgyXlsLEyMIqH5Lldq1iaTMY8FHSdc4 +e+BM4QYCiaYT05Jqeydorq0fZe0nIXobK7RqB4dG543JNzrttotQ94qpx/cFUy6i +ADxp216IyDFh0q10TKao/GB2gwkbOlRNuLYXXUMDON9i8VL0Yh7p0KhZuOl2vREm +9/IQDJJHFv4CbSTmdQ0de+k8rVgyiW05SdYq3vrqRmNuI9fbGTf3vw8bHljq1SiH 
+VoapbNJ8CnQCRzrsaX+pOlJwFVUUjxco7iyCHKFobfx+3ju5kwc+i/58nDiSkxMV +DPqfjFXnN+72EihfHiw56k1zIRhF9D9b8eq6aqGOIgTtjRujQUR9Rn5BJRZ87/pR +nlZsS3wE3nQxOo7fXKv9FU7TyEy6gu1LuK53dUk5xLlu4zMoIP8mc/mZchXqsksi +JSWPFDeXh9HLFhKyzintRxdXNp5xV5XaXsMlFkNiTBLUHLbU8Ln9tiLcuJZ29y3b +ynLtVo+GN4+G5b+koIoZ9065qSJ0coBPMUa6o7go2e1/oil+xKmtM3UHS+mMNa+4 +elSqSRdpv3Xgo5lLNP+e60FpN155/93Hq33UMvh8rS9KVaQgp0c1unP99ewY84ra +9QARAQABiQI8BBgBCgAmFiEER+dVngN6NWUtu/iqjTyC+fMJ+OwFAl/lCz0CGwwF +CQeEzgAACgkQjTyC+fMJ+OzfUBAAkVNY0chFGvzWHOxEKNJY9rW5EQrayrKPNhjr +3j9xHoD+1AO7Yinqgd8Ribw88l1+2lVQGHIpIQ2ZPDz/XGND5FvP5PrW71FcUJ/z +AKaEnYP4iZ1jgnjp280bJ2iHBMmHc5cs/7OwTCs1uos1kWhjLGA9M12OWDWN9iqB ++UJo5W8hs9c5LpYp7ByThQp+g0m3E/ZWSbfZqi0BqWX/X6QC1MMXYS1lZcg6qttF +rs6d9hquNHZO7PkI73Ph89DWdxMIirmmn4Iwv88w3jW1KJXiGJbp0N2yooZFtsq+ +Yd5SHexET9rtU49BfeggEcWuDWJCGvPqdqCfAH6lKe9ddXwQx/R4f+Ffib8WYA6k +49HA55U6WfPs74yfbR09mh79kDV2uQgtkaHFJyuVuO4e3oyUoqe3hQdqOMR2lCAR +NSc7j5JdR9LxkUDqjUT8ipjzsTxwgPHaO0QkUjugs2v1TpivsDSRooI7NzWFTxbk +MkUX5BGUnPnEivBiB3n++1o5kZp1jk3OAi8cqVkosOMjduWei8f6yKpQ4ZKg9cH7 +ovqpDS9R6CDrACDPNJSTBn2VyOdjGVc4FrhGsXp3FAe5prt1b9psvYTTuXrZZJZP +dI1cLPI0Knyymf56gVMGCjp+x1+w7ef0ylGLPtFEuy/6iqWR3H5htZDQo3AgOVgd +R7VFGCA= +=7eg7 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/machines/fuuko/configuration.nix b/machines/fuuko/configuration.nix index 4f41cdb..6c2438d 100644 --- a/machines/fuuko/configuration.nix +++ b/machines/fuuko/configuration.nix @@ -50,7 +50,7 @@ }; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; - users.users.nginx.extraGroups = [ "keys" ]; + systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton "keys"; services.postgresqlBackup = { enable = true; diff --git a/machines/fuuko/hardware-configuration.nix b/machines/fuuko/hardware-configuration.nix index caa280a..b43e25e 100644 --- a/machines/fuuko/hardware-configuration.nix +++ b/machines/fuuko/hardware-configuration.nix 
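Review bot: The new line uses the literal `"keys"` for `SupplementaryGroups`, while the same change in modules/media-proxy.nix uses `config.users.groups.keys.name`; gitea.nix and synapse.nix in this commit also use the literal. Using the option reference in all four places, `SupplementaryGroups = lib.singleton config.users.groups.keys.name;`, makes the dependency on the `keys` group visible to the module system and fails evaluation if the group is ever renamed. This line also needs `lib` in the module's argument set, which is outside the hunk (gitea.nix had to add it in this same commit).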
@@ -47,16 +47,10 @@
 loader.grub.device = "/dev/disk/by-id/ata-CT240BX500SSD1_2045E4C67C52";
 };
- krops.secrets.luks-data = { };
-
- environment.etc.crypttab.text =
- let
- keyfile = config.krops.secrets.luks-data.source; # path is not yet available
- in
- ''
- data0 UUID=aa692e73-2b75-4239-8a87-5f5b69ea56c5 ${keyfile} luks
- data1 UUID=1f4120b6-a3a0-4973-8c4c-a4d6703eea2a ${keyfile} luks
- '';
+ environment.etc.crypttab.text = ''
+ data0 UUID=aa692e73-2b75-4239-8a87-5f5b69ea56c5 /root/luks-data luks
+ data1 UUID=1f4120b6-a3a0-4973-8c4c-a4d6703eea2a /root/luks-data luks
+ '';
 fileSystems = {
 "/" = {
diff --git a/machines/fuuko/secrets.yaml b/machines/fuuko/secrets.yaml
new file mode 100644
index 0000000..f94fca0
--- /dev/null
+++ b/machines/fuuko/secrets.yaml
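Review bot: `/root/luks-data` is now a plain on-disk key file that nothing in the repository provisions or documents; the removed `krops.secrets.luks-data` declaration at least recorded that such a secret existed. A comment above the `crypttab` text such as `# /root/luks-data is provisioned manually and is not managed by sops-nix; keep it 0400 root:root` would preserve that knowledge, and if a sops-managed path was ruled out for boot-ordering reasons the comment should say so; the same applies to the `/mnt-root/root/luks-data` path in machines/sayuri/hardware-configuration.nix in this commit. The path is repeated on both lines; a `let keyfile = "/root/luks-data"; in` binding, as the removed code had, would keep them in sync.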
@@ -0,0 +1,60 @@ +drone-rpc-environment: ENC[AES256_GCM,data:2Alck43ZrOFzhY7fKonIyboROD5qGuKkalTXlUZM0vBYTNeFLblU4u4tIIaA4t9nNO4=,iv:EakQQ/8pVZlIzM9PbNB0EGzSW46t/dWbxOtQo6uVAhs=,tag:NEhSgzkx8AxIjqtGetGG9w==,type:str] +drone-server-environment: ENC[AES256_GCM,data:73uDSq+u3nGiKhLqdhdegTIvec9mF9jxVLJLtCjer5jUiFEZu5PkeYv0AWAyLWbB7s8b0V+4fxNQo/QsAfBWH0eP2TVOAy1TAo/sOso9PEVRaQCdilw39UJBdT8II3dy9YIfGFUXRUXCMU+1xfzUFjhU0s7sc+mYQ4jEj2ZX90UbUDcbgppNjC7KIHo8mQdrxFHeMq+wQpaoncwFMlwwzn8lFlG75+dMnkPGYa4xSqkwjHn2tewLM8f9dCiBQVoMVQCWo+1RieMq2cd3CYEkP7MPl+y3OA==,iv:kggBBXdN01LJ82azzxOZap1lfWglshCjkKqaU+oi+T4=,tag:Zg0Ay2aLGok4fgX3/y4ILA==,type:str] +gitea-mail: ENC[AES256_GCM,data:ck4S9YJ1BLUb6+mOrRmg22KWI1xQwsdIw1dowNk1OOk=,iv:+aQiTSGzmBOLYbIVgwH/SIhslKgdJKoL1ZaGAXCeqHY=,tag:H3vCEGMktqAV/9BASVR5tg==,type:str] +prometheus-htpasswd: ENC[AES256_GCM,data:eJOWrcTC3YISJJLuQV6sxzD0r8Gr8uoUt48D9sSEHhsbNUUy3pDgIPqJHrkG0ek2sIF6NvpWdDGK1kFcduRAL9h7nLxQLOtf7dxsdObGlPH5nwe6CwdR+1wTE/2WzrsmTGnUrMjMiBgLPV2yRiQg3VJ7W1Me8tHPYHrqYhM=,iv:WvgwIoIfxc3vyjF+znyUzOElv+sd/thoYpxWVaIavx0=,tag:9FnRw7ol++1PCbl1c2IyoA==,type:str] +restic-password: ENC[AES256_GCM,data:IVFXmuzzvvqDS0T3P0R5ZMIn2wdkbE1AqwDMkWqMpDdCOVMP4/HhP4jF+tEarq22,iv:Eu6Wspzm0rPl0CuSoYTTLz+MmaEtmwCD57nH2JTBuaA=,tag:tKqt5Z7nF7lLcSsDKS4E3A==,type:str] +restic-s3: ENC[AES256_GCM,data:VJ/jgYnUSkbsNMb1ciLiCcRVEpuaznsSFf0QkEnPhTRHpFv4Nt0f8ARnNtG5j3iXSIT4+H2+5HWKXEsjhvL85p0XE3xe4h45xGKnvvVO2obF+b/zsMDdceFJtLbcq+APzPBjchYU,iv:W+80GhAvYD/52dNZsNYiEhiLo4dhO8oxkd+GAbk42NU=,tag:Kj9CaGo/xAmYxdoLE/Lo1Q==,type:str] +synapse-registration-shared-secret: ENC[AES256_GCM,data:lNzK/7QAk4Scv+lNM8bTTKvowI139c4R4Y7Qpq60n8R61aahlxrnWc/PUEOv85Pdx+8IdBOLnV0kp7OQF6tStGBBCOkAicYmnsLoR36DmuDCvTSKVArryV7BrxL8pv0=,iv:ZT9IIF7W0NHqvnU3lPQclVS5uXXK5HIQUzXNYwYFMIo=,tag:a/sUixOlHEvn5ZOINPwQlg==,type:str] +synapse-turn-shared-secret: 
ENC[AES256_GCM,data:I5QbouvLvBpjroux5TTi8gIAHeyNb5KXV1g9sbTdqjD4YoMaedHSiC53h+ZMmqNCKor64e6iP58Y6SbMaTfFaEl0CyK2GqfcSBrlHxKj0GSWaopO5kLS,iv:qsfHxHykY+oZOaMGw5Tvq8a6zBUDxH3B5q8QKdT1oSk=,tag:75OOrVtztDsLYeTglKPYCQ==,type:str] +wg-aria-private-key: ENC[AES256_GCM,data:qbxpfNRocrXDbUJ3MwR5WMXX8LB4Vnv9HMXN403ANaBbCLrRTEL9hy93roY=,iv:l2DYXGY1wN1rP2bG/s9uSwRhbvCUm2T6IJy5LKzguqk=,tag:51S+m1P1EtHk1QWEjdUCUA==,type:str] +wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + lastmodified: '2021-04-06T11:40:14Z' + mac: ENC[AES256_GCM,data:k9GRiDmXoKFN96NMGHt0rjAMklKIsnFUgWRP7iUQeA5j0uG4lo92KzJCMsHCIicDdF+NnNmEigeXE1eI7iet8K+rAh9x1wO8CiO/5ITsNeCzJO/PsfVxZHL1h9dqirjMkqGvKA//2nocEGv9uT/k6xezriDktBkDbLBIWg3Jfek=,iv:T5mO4IuPqO7jRRhQm2LMoW51D659SL4zVXBHbdt0Qgg=,tag:ahtBYe/18kHpGWHtqeKlAA==,type:str] + pgp: + - created_at: '2021-04-06T11:27:21Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAwDgSONkM+d4AQ/+KSo1N4aEuIAF2JMX+3RborUdEMIJNqIQsBYejPF4o5UD + 25XVDt+GrC4Lx6OJsWobLOHm+FDLPzm4Zfo+grU+JaEBo0ZSthUul610iqChwEGF + zVMkNKARsZE7lDQ3uN54Mq/A7RQaav4mrt1AbHTOwBR9UdG5hrEJ8JZjObS7Gqz2 + /OFpX4xr214IA9ALx+O2UIkSAJT9u9Ann/xcKL5GpwE9etcGZbYqOhAPaSzbOSDr + BtWuM8Z5nKb1O90pXEe16yVUmFXyO7T+lU1gDrDReSXJJFg7zcjMY4s9rro2H7xq + u0z/ufl4sf1E5u7fLLpzrVcqKJAOw+fvfoPeqMrNsGy3r3AdATw9jPp6giRoB8qL + xm3gGvs/VedBBqbXMDSCTIuhBcTu3/rrTWb0TJeuMz9RM01owkvtTrL3zjwK81BK + pNTwz2a49ylCiDS8Vin2u2jwjoRlri4mPTzw5pvcGqNAoNopv6cjawGQ2toCD5qG + tqx0hY0uXAE1cnfewFC63VGFbaBwfCYLryjGLefRH7XFOAcqZ3dlZFi5lJTVnnXO + 44uO7dW8wfJj45USIEoG6D0BiRU7JPUhgPIjMa1cEI4XpoBSj13EACxovE3z5AYa + pX72eJHMkKZ5u+eRrXkrFSGFWkYBGKtgIdbgXn1i9Zw/Ewbf7Qz8kC83kxkih7jS + XAEbvfL1DTAHDEyAXFoI2ekIoTTGAtCpsadQcTZ3+3DeWU5R8X29vflEG/kSeRO4 + m2npmJ9OCKyEN+zAd/WRIQ0wChFgadlTugsDcmXazdvzJ1qJiuNGmzpRn3QF + =dltN + -----END PGP MESSAGE----- + fp: 
47E7559E037A35652DBBF8AA8D3C82F9F309F8EC + - created_at: '2021-04-06T11:27:21Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA2nIGHycQ3VOAQ//RC1NMySQoeqfTGEKFB7LwC3o0yLTMHAqoi4qm2Q8jKxH + 6zSjHNoYI9+2VNEWJcSvUwd9ks79jkVOAWO+Lmv2h1QT3RrsSsj16VZwl+ORp50/ + +PDrZjaimMafAKaqGJ3HaPlzFX7jUjCHS0yCaF6WIU1ztRLVnHAv3p8dsPzQ1w+7 + p1h0oQ2noWibl2GLGI3+1O3sv1N5tusTGZWFacG6VsTbtbJmbVCO5FQRqX7vcJtM + xfClghFPoHCGbN5W1NWpo/a/lOLUucqO7bFB5DIOoXme6SSS7lrYQKtjBQy/4DRe + r3VIjvS6ncVUIYPPnEMlxI3MPUB2lwJLG2B89XNNWwfwREUXTG4DEg09Z6jMUqVr + yNO67YCF95fNUQFMQ0LWyVsWZW1n1ef7/iKtDHNoFubCVGjWimIa3ZDX/e4WemEN + ww7dab2RXEY3oTLJZwAFMN4jeqUfpgH1TOvcs9OHwF0CQjJIDyDj6uyt6wYqITT2 + dorhmn1FN/tUUNn4hE0iRjFaD1QrN30KZ4pQ1S/G3IkHGzJ4AlelO0j9yE2VMR2q + E8wEhVtDlO/VAYZSx7tJ7jd24gFsGlL70OfSXvo7jyNpo+OjaN9yy5Qy8iogwpGC + Jua/Y7+XORx3+SVB+1AUNSwCABOhWL2RQGnGxRRQrST4uEv2Gn6IV5sQuPz6my3S + TgEtH78YDDWHFdEE4b3lQaPAR8NGNvuE0btjpdeR7QoTOAkmg0SaUNqAoqrz80jj + 7kdIBtI8XA2CW/oXYcoxHlkqbPNqPAhaRu3YDci8oQ== + =ukYv + -----END PGP MESSAGE----- + fp: 2372651C56E22972C2D9F3F569C8187C9C43754E + unencrypted_suffix: _unencrypted + version: 3.6.0 diff --git a/machines/fuuko/services/drone/runner-exec.nix b/machines/fuuko/services/drone/runner-exec.nix index 0bbf1fb..362cc22 100644 --- a/machines/fuuko/services/drone/runner-exec.nix +++ b/machines/fuuko/services/drone/runner-exec.nix @@ -31,7 +31,7 @@ in PAGER = "cat"; }; serviceConfig = { - EnvironmentFile = lib.singleton config.krops.secrets.drone-rpc-environment.path; + EnvironmentFile = lib.singleton config.sops.secrets.drone-rpc-environment.path; BindPaths = [ "/nix/var/nix/daemon-socket/socket" "/run/nscd/socket" diff --git a/machines/fuuko/services/drone/server.nix b/machines/fuuko/services/drone/server.nix index 5df4522..6ab1266 100644 --- a/machines/fuuko/services/drone/server.nix +++ b/machines/fuuko/services/drone/server.nix 
@@ -5,9 +5,9 @@ let
 group = "drone-server";
 in {
- krops.secrets = {
- drone-rpc-environment = { };
- drone-server-environment = { };
+ sops.secrets = {
+ drone-rpc-environment.sopsFile = ../../secrets.yaml;
+ drone-server-environment.sopsFile = ../../secrets.yaml;
 };
 systemd.services.drone-server = {
@@ -24,7 +24,7 @@ in
 DRONE_USER_CREATE = "username:simon,admin:true";
 };
 serviceConfig = {
- EnvironmentFile = with config.krops.secrets; [
+ EnvironmentFile = with config.sops.secrets; [
 drone-rpc-environment.path
 drone-server-environment.path
 ];
diff --git a/machines/fuuko/services/gitea.nix b/machines/fuuko/services/gitea.nix
index 4d293a5..cb3088b 100644
--- a/machines/fuuko/services/gitea.nix
+++ b/machines/fuuko/services/gitea.nix
@@ -1,10 +1,13 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
 cfg = config.services.gitea;
 in {
- krops.secrets.gitea-mail.owner = cfg.user;
- users.users."${cfg.user}".extraGroups = [ "keys" ];
+ sops.secrets.gitea-mail = {
+ owner = cfg.user;
+ sopsFile = ../secrets.yaml;
+ };
+ systemd.services.gitea.serviceConfig.SupplementaryGroups = lib.singleton "keys";
 services.gitea = {
 enable = true;
@@ -32,7 +35,7 @@ in
 clonePort = 2022;
 };
 database.type = "postgres";
- mailerPasswordFile = config.krops.secrets.gitea-mail.path;
+ mailerPasswordFile = config.sops.secrets.gitea-mail.path;
 settings = {
 mailer = {
 ENABLED = true;
diff --git a/machines/fuuko/services/matrix/synapse.nix b/machines/fuuko/services/matrix/synapse.nix
index 3cb45ef..90cad6e 100644
--- a/machines/fuuko/services/matrix/synapse.nix
+++ b/machines/fuuko/services/matrix/synapse.nix
@@ -6,11 +6,17 @@ let
 domain = "sbruder.de";
 in {
- krops.secrets = {
- synapse-registration-shared-secret.group = "matrix-synapse";
- synapse-turn-shared-secret.group = "matrix-synapse";
+ sops.secrets = {
+ synapse-registration-shared-secret = {
+ owner = "matrix-synapse";
+ sopsFile = ../../secrets.yaml;
+ };
+ synapse-turn-shared-secret = {
+ owner = "matrix-synapse";
+ sopsFile = ../../secrets.yaml;
+ };
 };
- users.users.matrix-synapse.extraGroups = [ "keys" ];
+ systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups = lib.singleton "keys";
 services.matrix-synapse = {
 enable = true;
@@ -71,7 +77,7 @@ in
 suppress_key_server_warning: true
 '';
- extraConfigFiles = with config.krops.secrets; [
+ extraConfigFiles = with config.sops.secrets; [
 synapse-registration-shared-secret.path
 synapse-turn-shared-secret.path
 ];
diff --git a/machines/fuuko/services/prometheus.nix b/machines/fuuko/services/prometheus.nix
index 8a020d8..2445d7c 100644
--- a/machines/fuuko/services/prometheus.nix
+++ b/machines/fuuko/services/prometheus.nix
@@ -184,15 +184,16 @@ in
 # get rid of “could not call action: authorization required” every scrape
 systemd.services.prometheus-fritzbox-exporter.serviceConfig.StandardOutput = "null";
- krops.secrets.prometheus-htpasswd = {
- group = "nginx";
+ sops.secrets.prometheus-htpasswd = {
+ owner = "nginx";
+ sopsFile = ../secrets.yaml;
 };
 services.nginx.virtualHosts."prometheus.sbruder.de" = {
 enableACME = true;
 forceSSL = true;
- basicAuthFile = config.krops.secrets.prometheus-htpasswd.path;
+ basicAuthFile = config.sops.secrets.prometheus-htpasswd.path;
 locations = {
 "/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}";
diff --git a/machines/fuuko/services/torrent.nix b/machines/fuuko/services/torrent.nix
index d5e2bb9..5224ee7 100644
--- a/machines/fuuko/services/torrent.nix
+++ b/machines/fuuko/services/torrent.nix
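Review bot: The replacement changes the access model from group-read to ownership: the removed krops module (modules/secrets.nix in this commit) installed secrets as `root:<group>` with mode `0440`, whereas `owner = "matrix-synapse"` hands the service user ownership of the file, and a file owner can loosen its permissions. sops-nix exposes `group` and `mode` as well, so the previous posture is kept with `group = "matrix-synapse"; mode = "0440";` on both secrets. The same owner-for-group substitution is made for `prometheus-htpasswd` in machines/fuuko/services/prometheus.nix and for both proxy-auth secrets in modules/media-proxy.nix. The `services.matrix-synapse` block continues past the hunk.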
@@ -98,14 +98,14 @@ in
 "d '${homeDir}' 0771 aria2 aria2 - -"
 ];
- krops.secrets.wg-aria-private-key = { };
+ sops.secrets.wg-aria-private-key.sopsFile = ../secrets.yaml;
 networking.wireguard.interfaces.wg-aria = {
 interfaceNamespace = "aria2";
 preSetup = "ip netns add aria2 && ip -n aria2 link set lo up";
 postShutdown = "ip netns del aria2";
- privateKeyFile = config.krops.secrets.wg-aria-private-key.path;
+ privateKeyFile = config.sops.secrets.wg-aria-private-key.path;
 } // (import ../secrets/aria2-wireguard.nix); # potentially sensitive data
 environment.etc."netns/aria2/resolv.conf".text = ''
diff --git a/machines/nunotaba/secrets.yaml b/machines/nunotaba/secrets.yaml
new file mode 100644
index 0000000..c9bc258
--- /dev/null
+++ b/machines/nunotaba/secrets.yaml
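Review bot: The WireGuard peer configuration is still imported at evaluation time from `../secrets/aria2-wireguard.nix`, which the unchanged `**/secrets/**` git-crypt rule in .gitattributes keeps under a second secrets mechanism next to sops-nix. sops-nix secrets exist only as files at activation time, so this import cannot move over as-is; the `# potentially sensitive data` comment could state that, e.g. `# evaluated at build time, so it stays in git-crypt rather than sops-nix`, so that a later removal of git-crypt does not break this module. The `networking.wireguard.interfaces.wg-aria` block and its surrounding module continue outside the hunk.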
@@ -0,0 +1,51 @@ +wg-home-private-key: ENC[AES256_GCM,data:u4svQwAMai742deedGbhr2Pk6wGdmztb1L+93ZQl9eZ8qAfOPhDrcmXAVSQ=,iv:ilMwQGV8+9Bk78lq6slLgKtQaWPgdTbwgA6pxgK5gLY=,tag:Vui4xbbvreC6j2UxrR0o3A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + lastmodified: '2021-04-06T11:11:35Z' + mac: ENC[AES256_GCM,data:mP+I2i2Iam02GnIwnzO+AfQNaPKPyHR7JhVf5zrt2p1MuMBkDH5LZp3BT4YDxetj9u5bevyTuC4x2gZ+H2lcBUNovuXYLPEoNqE+MvwRHitSkDEV6qR5CPaA63AJll9dW6P0+c7Dv0QZTyO2Zs71Hk9hJEnUEmNbqo1xhgATvFw=,iv:hJ/Yaa55/O5XnRie8MKbe+vz4C4qFF8npOLy4E+9jBk=,tag:9ljgygjLx3fcid4XuJcebg==,type:str] + pgp: + - created_at: '2021-04-06T11:11:32Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAwDgSONkM+d4ARAAwkb7dnfNKpXcCxT+G9lgoS78eIlMQz/y5Ask6ENviXun + reSn7/DQJeFBhtK6XODqDUjYkg0VihviFGl47Fw7HfVZKYpG1KB7bXMiBBPycwAB + b0OmBMAwfH6tdfIye6shcal+4I1qlhCKmWBtNcg0KKd95EMK3sGki5l8cRlsFO/e + IA1f5Xw2/t8tfFdYIXrSqwInGcMIOKLBCO/NH7Fcw0enqZz4L9X5StfdxeHnirnt + QFw05FoH2LgTfDiF2MRbllRIVQD0XwylleL+4EAZGl83vsn95j/1CPuBtAq+Nnen + uKpVTyCMUiaokKHOMlNsv6elqxCHEs9ai9pwFkVZrBAoofjVEzuPoFw+2E9Fpvtk + hsAoSEPFLL9SKHpVTzaC3h272jrImQWitkqlZYzpaWAdDnG/3imRXx1cqX1AgJdz + hE6GHoBkDZ/TmE5DBNqQZ7h1JXvJPecu8EFaGwPKcq/AR3zgH6D1iUfpAPfoMpir + ngTHeZAsfUcaQ1h3KP9d6Atq6Q13C3SJL9DyE2NYl5NVMwLcBx8qSetItzwMpix4 + XqEj9jjpiUNYaY8oM9uzuGSDHlGsFPBEsvpqnDV2a2FqOmDS+faEgH7eXnqdbXgp + xBHH4F6hgUees0gpsum8Uf5yaZilaGkNJjKfpGPgI3W4WyFq10kk4lu4Zbgg3VfS + XgHcM8JkYx9cvsPO/QFbcOhVZeV60kyjHZY+bOufJ6iG9f8MrtsXY5IVx2I/wjCM + j3/YrY7vXK31i8toVf7+sPxipjoMItkppBg2Uo5SJg7hqksfBan/emVVT8zrOcY= + =swUH + -----END PGP MESSAGE----- + fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC + - created_at: '2021-04-06T11:11:32Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA0PuGXQ/rB1cAQ//T/ieiP/sj93zsDnMZNuahlyONBeY3Z5IbKCCi6iAl05b + 9bKKcKr37nPm/np2pAZjmGftNEpkwjfF047Qg9AcmnwyoIeOiYIGR6ILtnRwtjri + tx5RBDMpmPs/h3xocaqAWfHKxXGT452GKy6taOiHitjJcIWUKX0pFdOucw5u5/AL + mimc4S0W1iLUxXmNJAy/YxQKvBzkXtDx6/ixEm5JnxSG6Xn+q6Go9VPFGBOQLKnt + 
1WHSUVu/6gHjtYmnt5VqDKjVY/pjZZrsLfFHAH8RlYPJMp48jQjoXptrZgdtPV7p + +fu+sEgMBal8W4YaI8bHG6iliYvSZoMcpvFsdoIhxThXzyZjMZCEY/h9a8oYqmdk + 6RQZl63LlxsZi5v5Db31pbaiPC30R6rTuCm5n4wTiOKqQ4WG61yd9Sc/R/3vT6ux + hZRywmZUVjVBT+TnZ+Eclcg2xm27Tk+uIRMYq4mjP0XV3oYCA+1o+La6YBpmBgMH + kpFbx3IcxHJT2gRFTg7bg78NYvgb5CYRFGz0sfnhlrwjLgYQFzJT7l2w/2yFDQdo + u+bDwF7cvNyGQiEEJilcuh1Cf/lk/1Ol+9LQftF2bNNzoKn2QzDeTp11bTrhPJnj + HNLwZjNord4fF7pak7bSkjYYKrhW+NpzN1oT7ioQ7V3If99Em4wMssGLRrzvBgLS + UAGk4FkNoLosNdxNDovwHwUK2T0zPWuOZ+wvRPcZQk9fTycdXo8MhiyaLaU09Nsh + mWG2tdK/8KDP1aXupXzT70XQUk2q8QxwRYAJOa3NupXV + =pjuj + -----END PGP MESSAGE----- + fp: 8C5091AEA213FB0642BD46F943EE19743FAC1D5C + unencrypted_suffix: _unencrypted + version: 3.6.0 diff --git a/machines/sayuri/hardware-configuration.nix b/machines/sayuri/hardware-configuration.nix index 3ad71c6..e8a6808 100644 --- a/machines/sayuri/hardware-configuration.nix +++ b/machines/sayuri/hardware-configuration.nix @@ -43,7 +43,7 @@ label = "data"; enable = true; blkDev = "/dev/disk/by-uuid/576088d4-9aae-4159-a028-feadb2621a1a"; - keyFile = "/mnt-root" + toString + "/luks-data"; + keyFile = "/mnt-root/root/luks-data"; }; }; }; diff --git a/machines/vueko/configuration.nix b/machines/vueko/configuration.nix index fb7724a..7ff84e5 100644 --- a/machines/vueko/configuration.nix +++ b/machines/vueko/configuration.nix @@ -100,12 +100,15 @@ in }; }; - krops.secrets.murmur-superuser.owner = config.users.users.murmur.name; + sops.secrets.murmur-superuser = { + owner = config.users.users.murmur.name; + sopsFile = ./secrets.yaml; + }; services.murmur = { enable = true; openFirewall = true; - superuserPasswordFile = config.krops.secrets.murmur-superuser.path; + superuserPasswordFile = config.sops.secrets.murmur-superuser.path; acmeDomain = "mumble.sbruder.de"; config = { bandwidth = "128000"; diff --git a/machines/vueko/secrets.yaml b/machines/vueko/secrets.yaml new file mode 100644 index 0000000..8ddf328 --- /dev/null +++ b/machines/vueko/secrets.yaml 
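Review bot: Unlike nginx, gitea and matrix-synapse elsewhere in this commit, the murmur service is not given the `keys` supplementary group here, although its secret now comes from the sops-nix secret path instead of `/run/keys`. If `superuserPasswordFile` is read by the murmur user rather than by a root-run pre-start step, the file will be unreadable; either add `systemd.services.murmur.serviceConfig.SupplementaryGroups = lib.singleton config.users.groups.keys.name;` or add a comment stating why the group is not needed for this service. The `services.murmur` block continues past the hunk.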
@@ -0,0 +1,52 @@ +murmur-superuser: ENC[AES256_GCM,data:jTVEa1KmbGAIxxFS2/uIlDCnnJTtGmKFZQ==,iv:YJIfcXlgKEwIRzFEY94dgReNjWZqLAqL0Rb6TG4IHIE=,tag:MVzaRkb24QyyNyFCEMwmzQ==,type:str] +wg-home-private-key: ENC[AES256_GCM,data:/RHNF6Zw6CTWa9ahUhGWRfkR8KIj+HdqUIojA1w6HQBFbZ/+Vo+CcYTYO5I=,iv:2sDH1P3VRjmLw6Ilkq0rw/hossHrNWP5uRvX9yr5fLE=,tag:KIT5GCfXuhg6RjA8+Nmtnw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + lastmodified: '2021-04-06T11:14:32Z' + mac: ENC[AES256_GCM,data:eMx+ls4NHFqKNwW4XmrtVsizbtnASeO38cw3oPeSlvW8NbT8yUZWRxRofhzg3nD3icyGcwhImVMKHgVz5305zwvrjx0D9n+URe733WPcMmfR39G0FfXz+9kob6p5TVruKjL6qTPmyNRD+8E8CvmBmnwPwRW46F5Pvadum2SZJ3c=,iv:zVxvTUJaTx57KAglUkSNzGsxcX0csPU4qYkkLHwl7bs=,tag:a2Al47gGxFm6XubaTAdw9A==,type:str] + pgp: + - created_at: '2021-04-06T11:13:54Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAwDgSONkM+d4ARAAxn8UVtRKn0s+wpuUBpk3cCwSSa3te4BjHshyNrI3TyZ9 + A2jEVz7xfZXItD5VMs9cZmwhm5kD5qC+2qFauwAnQA8JVn5pCKL1gVxGZURZHgPe + eLON75sxWCt6+A+HCXvl8x8ay2ZMSgQ3N+SSuqrihMKe0UcsngzAJQS4qIUPIrQd + YQYkm2Nf6n1Ya+t05W0CRqyHLLkwObOF0OWN/t8wvBOh4HY2UCRqvXqSEz6nCb06 + 8jDfy6GLhJBjSMV5000/GTvnbVNH11vYjqq0U/2k33HYD/ddX2TPRarWKQsWi8Fe + QYYMjU/zIubNQ1y2Iv89zzpd7DBVFlnCkjnSIjxop+eR4Kk8EUkJnGFHlRek67lc + k9le8sdlBTYBahT48igpKWfxrZ3bky27O39TLY7luLAXxpjWTGZ//8WD3eJyiY9d + k/TmI7ZLLtR42NKeD/anVmHpSf/rHtgHWwYm1m0Qz0/mvKWhZbdkFTPGWMPVAPNu + hBiBjuXd1Gt8ekKr3jZxLR4uRCzzeCA/zXib4x7HvYs/9cLib2UblHsB2hLYwZQ8 + ah59+O51SrcJWcq56kRhwKbrqh6Oui/KCXUSTdbO2auwtzBxUMmcbJAZV5cxRdtA + eD9RXW8WfXVtcmvJ+B9Ab52+RfdYmd/bVpljLPY1kmUEKZG08jDfH08kAtcScyLS + XgG0mxcyhD+ZiGIeLgIPUwFC0UT8FT2V0+VAAso1CVH+iIzdF+9BiGPpc2usoOiY + XDcaU74seCR/EeiuMWfEeNasu6EULEG+AKOnG9s8zoPp5730EG9v8r4q7ma89jc= + =JlIF + -----END PGP MESSAGE----- + fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC + - created_at: '2021-04-06T11:13:54Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAzy5uO/X/tdJAQ/9Hx6h7IIjr4vwFPC3UCx07rt/lljWHwqA8d8bN3VIcVWJ + 
39doJ3DigerCeZWZo/5Wvdm1TBLnbvnQndl+7EcP5mbAuGUmNo2VajTBOkFoySLa + A6g0HwkztuftjtxQV2ICunw1NEsqBCWlNKziGKBjEzsDgOuXLzIaN5ArJAkiUFel + kH8jGyHCP6W+nplHE1zOD20SA/oIyRfLW1m+G7d8KU6EuluaPSgASocS6t4oGtsG + gnApj6WwWOdM3tDefxtYxa/PlPDXo4gj+Dhak6mOMK88UW/wrDC/f4fYL9JrILmT + ImjtA+BIWCI9nLkeo3FTTFhtfr+evOhCsLc8qGL/NMCVZOXB0gK7rpCsReBRQS09 + 4t2KGI1Jti01rNFYvdTN16o59+oF0DoFYnE2dXHAnBA4jmWt+9eDqd5TPmlsuIyr + XBiqBcKK+1z0/3ad7nv7vb8jOYkUjKasJl+qhLUaUD5ehojfaCawDMUVia7Y2k72 + yS77m3m/hCEq0vVvUvMev7hvSTKbfQy3gQkjcnWGavbFfdz64pVBI/KgSJPBM5YE + 1VFRFZIf30wOF9Xlt++9Cc6xFMQH9JVLG/WouK5On4mfdWwcfnMLgpu83qmYtS6b + 30hYAuuqKUwWDMbZtXsYOrfb6HXGqs0mtBfpJzgFaiZyHyIVVhb/blXF4ML4dfnS + UAGUryszfSsH+ag2oerNKEaDFmgdktmL0FdpP3ycf2qVkMmBNbTpTf2BZaVPcrzF + mSfsOU6k+KcWtXYpurZr31zUVK626Re0fsr5XbPSj+9G + =Grqu + -----END PGP MESSAGE----- + fp: BB046D773F54739757553A053CB9B8EFD7FED749 + unencrypted_suffix: _unencrypted + version: 3.6.0 diff --git a/modules/default.nix b/modules/default.nix index f67a5bc..b5ff055 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -59,6 +59,8 @@ in ./udev.nix ./unfree.nix ./wireguard + + "${(import ../nix/sources.nix).sops-nix}/modules/sops" ]; config = lib.mkMerge [ diff --git a/modules/media-proxy.nix b/modules/media-proxy.nix index c66592d..b9b3ea6 100644 --- a/modules/media-proxy.nix +++ b/modules/media-proxy.nix 
@@ -2,19 +2,19 @@ let
 port = 8888;
 services = {
- "media" = config.krops.secrets.media-proxy-auth.path;
- "torrent" = config.krops.secrets.torrent-proxy-auth.path;
+ "media" = config.sops.secrets.media-proxy-auth.path;
+ "torrent" = config.sops.secrets.torrent-proxy-auth.path;
 };
 in {
 options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";
 config = lib.mkIf config.sbruder.media-proxy.enable {
- krops.secrets = {
- torrent-proxy-auth.group = "nginx";
- media-proxy-auth.group = "nginx";
+ sops.secrets = {
+ torrent-proxy-auth.owner = "nginx";
+ media-proxy-auth.owner = "nginx";
 };
- users.users.nginx.extraGroups = [ "keys" ];
+ systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton config.users.groups.keys.name;
 # otherwise name resolution fails
 systemd.services.nginx.after = [ "network-online.target" ];
diff --git a/modules/restic/system.nix b/modules/restic/system.nix
index cf96530..84d71df 100644
--- a/modules/restic/system.nix
+++ b/modules/restic/system.nix
@@ -67,7 +67,7 @@ in
 };
 config = lib.mkIf cfg.enable {
- krops.secrets = {
+ sops.secrets = {
 restic-password = { };
 restic-s3 = { };
 };
@@ -75,8 +75,8 @@ in
 services.restic.backups.system = {
 inherit repository;
 inherit (cfg) timerConfig;
- passwordFile = config.krops.secrets.restic-password.path;
- s3CredentialsFile = config.krops.secrets.restic-s3.path;
+ passwordFile = config.sops.secrets.restic-password.path;
+ s3CredentialsFile = config.sops.secrets.restic-s3.path;
 paths = [
 "/etc"
 "/home"
diff --git a/modules/secrets.nix b/modules/secrets.nix
index 3ea55cf..e8c615e 100644
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
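Review bot: `restic-password` and `restic-s3` are declared without `sopsFile`, so they resolve to `sops.defaultSopsFile` (the repository-level `secrets.yaml`, whose contents are outside this view), yet both keys are also present in `machines/fuuko/secrets.yaml` added in this commit. If the per-host copies are the intended source, this module needs a per-host `sopsFile` like the one modules/wireguard/home.nix derives from `config.networking.hostName`; otherwise the fuuko entries are dead data that is still re-encrypted to every listed key. A one-line comment on the `sops.secrets` block naming the authoritative file would settle which is meant. The `config = lib.mkIf cfg.enable` block continues past the hunk.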
@@ -1,66 +1,3 @@
-# Adapted from https://github.com/Mic92/dotfiles/blob/23f163cae52545d44a7e379dc204010b013d679a/nixos/vms/modules/secrets.nix
-#
-# All of the users wanting to access any key under /run/keys have to be a
-# member of the keys group (or be root). This is a hard coded limitation of
-# NixOS and I haven’t found a way to allow everyone to access /run/keys/ (not a
-# security problem since the keys themselves are given the right permissions).
-{ config, lib, pkgs, ... }:
-let
- secret = lib.types.submodule ({ config, ... }: {
- options = {
- name = lib.mkOption {
- type = lib.types.str;
- default = config._module.args.name;
- };
- path = lib.mkOption {
- type = lib.types.str;
- default = "/run/keys/${config.name}";
- };
- mode = lib.mkOption {
- type = lib.types.str;
- default = "0440";
- };
- owner = lib.mkOption {
- type = lib.types.str;
- default = "root";
- };
- group = lib.mkOption {
- type = lib.types.str;
- default = "root";
- };
- source = lib.mkOption {
- type = lib.types.str;
- default = toString + "/${config.name}";
- };
- };
- });
-in {
- options.krops.secrets = lib.mkOption {
- type = lib.types.attrsOf secret;
- default = { };
- };
- config = lib.mkIf (config.krops.secrets != { }) {
- system.activationScripts.setup-secrets =
- let
- script = ''
- echo "setting up secrets…"
- '' + lib.concatMapStringsSep
- "\n"
- (secret: ''
- ${pkgs.coreutils}/bin/install \
- -D \
- --compare \
- --verbose \
- --mode=${lib.escapeShellArg secret.mode} \
- --owner=${lib.escapeShellArg secret.owner} \
- --group=${lib.escapeShellArg secret.group} \
- ${lib.escapeShellArg secret.source} \
- ${lib.escapeShellArg secret.path} \
- || echo "failed to copy ${secret.source} to ${secret.path}"
- '')
- (lib.attrValues config.krops.secrets);
- in
- lib.stringAfter [ "users" "groups" ] "source ${pkgs.writeText "setup-secrets.sh" script}";
- };
+ sops.defaultSopsFile = ../secrets.yaml;
}
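Review bot: The rewritten module is reduced to `sops.defaultSopsFile = ../secrets.yaml;` with no explanation of what that file holds or how a module opts out of it, while the removed header had documented the constraints of the old scheme. A comment such as `# Fallback sops file for secrets shared by every host; modules set sopsFile themselves for per-machine secrets` would keep that context in the repository. The new side as rendered shows only the one added line and the closing brace, although the header announces three new lines, so it may be worth confirming the module's attribute-set header is present and the file evaluates.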
diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix
index d309bb2..98dac66 100644
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@@ -36,12 +36,14 @@ in
};
config = lib.mkIf cfg.enable {
- krops.secrets.wg-home-private-key = { };
+ sops.secrets.wg-home-private-key = {
+ sopsFile = builtins.path { path = "${toString ./.}/../../machines/${config.networking.hostName}/secrets.yaml"; };
+ };
sbruder.wireguard.home.address = peers."${config.networking.hostName}".address;
networking.wireguard.interfaces.wg-home = {
- privateKeyFile = config.krops.secrets.wg-home-private-key.path;
+ privateKeyFile = config.sops.secrets.wg-home-private-key.path;
ips = [ "${cfg.address}/24" ];
listenPort = if enableServer then 51820 else null;
peers =
diff --git a/nix/sources.json b/nix/sources.json
index e7e3ea9..ae6c1e4 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -70,5 +70,17 @@
"type": "tarball",
"url": "https://github.com/cachix/pre-commit-hooks.nix/archive/c7e3896e35ceea480a7484ec1709be7bdda8849d.tar.gz",
"url_template": "https://github.com///archive/.tar.gz"
+ },
+ "sops-nix": {
+ "branch": "master",
+ "description": "Atomic secret provisioning for NixOS based on sops",
+ "homepage": "",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "441227c4fd831818fb55f366ea16ea6364850102",
+ "sha256": "0dv8kbax83rrvq599q5m2x4xi805iv343r68fmh7k2i44c0s4kck",
+ "type": "tarball",
+ "url": "https://github.com/Mic92/sops-nix/archive/441227c4fd831818fb55f366ea16ea6364850102.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
}
}
diff --git a/secrets.yaml b/secrets.yaml
new file mode 100644
index 0000000..1df4ae7
--- /dev/null
+++ b/secrets.yaml
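Review bot: The `sopsFile = builtins.path { path = "${toString ./.}/../../machines/${config.networking.hostName}/secrets.yaml"; }` line deserves a comment on why it departs from the default file, presumably so that the WireGuard private key is encrypted only to the host that uses it rather than to every recipient of the shared `secrets.yaml`. Something like `# per-host file: the private key must not be decryptable by the other machines` would capture that. The `toString ./.` string round-trip can also be written as a plain path expression, `sopsFile = ../../machines + "/${config.networking.hostName}/secrets.yaml";`, which yields the same path value without `builtins.path` on a string argument. The enclosing `config = lib.mkIf cfg.enable {` block continues past the hunk.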
@@ -0,0 +1,94 @@ +media-proxy-auth: ENC[AES256_GCM,data:KaYd8TCMVlHbgoj1QQfRwTXAK2hJUDr0UJqhTXvILylyR+mdJy7smn5EtFdNNFWZk6eJituvGG7naT2/UiNoYne4ljlJhu/IuObTLY5AI9ELDtYBDQ==,iv:qo6SOaHrWsXfvRwgSKDTSnreOcO9xy3RKrfE2k+VLEg=,tag:SND1zp2Cd2gqQdOVWw2eWw==,type:str] +torrent-proxy-auth: ENC[AES256_GCM,data:9XuDRdUjOClPuZFvI7VwYQdbegzg400zfmFmE3qt5kTo6bD7m74V9F3b73aUueqMQ+80PxBc1KusTTlPYy2LAf6mT4PQ2TpqSu0kBXAezfL4e5fxdQ==,iv:26d+hQ9yn5CzDGNZvi9A5bvzgo87IrJHz67xTac4UA4=,tag:5FtjmtIY1gSixu/9UZhBVA==,type:str] +restic-s3: ENC[AES256_GCM,data:lRcwoChzSX+ICXyafAtBGjkBTBdzL5v/imUL2yHtApMOe+MkP5CjXr47WoWGt17tdLPVRQ9v7/6jcagTKIk3IfjmhRhMip3CMyPkio62uDxArlaKpi9GoZNQOCt+XHWlpiBJ609H,iv:yrp2QZLXJypWh5XjsAHcpiXEPUcYF8A+mQZ+W2w7zpU=,tag:Xis3NQ2KNQqG+Rmgzpy3Tg==,type:str] +restic-password: ENC[AES256_GCM,data:Bi/WJAVECgBegIZMV/MZN8kvHyxsh/xERAnZ6TQ1OIOkffqkWBwx6DCS1cVJ0Nzz,iv:8/WPCuGfLkd0LkLTEr7pjpT8kb/P64VICppDeEcKDIE=,tag:JLgYEekrZG91AapztOYBTw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + lastmodified: '2021-04-06T11:12:39Z' + mac: ENC[AES256_GCM,data:guWWnJb9153SmSFwvDEqru0GGYUgQCmCtDb/bmKCehUvQ2ecVDulYYKAQ5jq2v3Eo5pfKmdrtIMV/jf6TOwNyEqBuWxU5aUODMheSqYgDNKAcFSvwpdldyVATspt7XT0s0waUbFBPjMOmQC0TEp5rtZXS7PlRT8DgohUlyy6jhI=,iv:Eh3Uwctaw0hrI6Ux2q0WUixZiLF5Fdj3/AVG8PluCHc=,tag:Jo3bzKNQzH7tsatfLphagQ==,type:str] + pgp: + - created_at: '2021-04-06T11:13:25Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAwDgSONkM+d4AQ/7BodHEMmqPhO3VSvOa8lqTHHXv9HxL5T9MkaMlclTGW4W + EVaVsUUbONpsUUXxS0l8hOFBOwZuZMJyDVhtyjdRAnFYFjbbM35iKIaaDgn159nq + VJC4uwFuU90+Ps8zoxRdf9I+0hYv/LOCI9FDlUY6gTRNvf1Nv2Lh3uPXRjZQJE6q + U12IAfqSL/o3UWsozR/8qcaHIBx8nOS5eb1r4PSKikvmigz0KUyyOmZSh5GYXVIo + HoJOG5goCX1Fo6in4slW15CAwyir+owwtN0mQPH9tgoOSeEUK00c2VrUc2gf7wxg + Le65pTZ3YP1ghqsEJupkjRMCuguKCb6TRwBhR3rQ+xvqqGDxplYMD7q6XtSh0PJx + LSHllk9nl7u5tjs9vwN0RxVQ7aG7ORPPSp1tjolxtLMQ8l0Vd0EssAqoeaqbrkDa + Iz8qYFICzvkJKJ3lsXKylhbf2iSPu10aLU4nW0GgArUhNnKOIi90ndzPjo23jB8D + 
KXuJMWDhaH2K/TAwM99IfOeYnRkx63ctPNVvyo+nyJYlthrkO/77k0SxG/RI/2W+ + 8muO8ZXBcp3SyyQp2P/xkx/O2YBvSxx3MBnyzL9B3+tgbls02cQh9MmYY0OB7MLR + D56HXV0odIfovqYnHFLN6g3nhUtRohwak1QrsmP8Fgw6qcMlrRgKDFsewe8xeQfS + XAEH6WarsCSJAerz1HDftOCkcWXorq/bCqygebk2V6OfftaIRKoMqXxJQXESN3sY + Kvr0nEjwFRydxy6/I61Z/hFlb2P7OBaReNBA2zve1OAIvBRUNI+m6Tl/7O/M + =cMUp + -----END PGP MESSAGE----- + fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC + - created_at: '2021-04-06T11:13:25Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA0PuGXQ/rB1cAQ//TcQhviuRMst0/kj2TgK7+qK4JoFwVcuesI9syp7LR2YE + nBEyr/a4ifnqD7M/A84FZZqvK/2Sx2yHuX/Qjz6UvI6E8gWgdBtSPI7zgJqgQd/f + wmeHFpDZGx3rwpzgOKHreVY+Lk4/u30GfxDHFpCu81HHI8SDVPF9/SxyxLEmIvqw + zCAdmHR52Fvha2yis7Rz4iZEmOPcpFfVNaLJRJM6wTQKao4l6ANmW10GZle02/eN + u/lHg1caLsZIX6L0TuEK5c9iMZLmxH/UXg6poDbwB9jFpdolBSV/p/j5S3FdALVw + a7VTyyT80am48iuD/WTIwPqcUfL66RpJmbz6p+UzknFlJmdvPcujWlx7svBWKhf0 + 5pukqTapM5VXYguzGjl363JV60gAP/i51873kV+qnn3DQAw93JXZz1rbLFKT6zGm + LhemAqqrz8kDXdEaO+sfQb/ZAKJsPAcNKVr/Au3Ekig4hKYysvhoMzhFnBlUDTe8 + 2tKtYCUfun5XYuoy+4f1XpI25KZd3sow1KiKFU7QhTgE75rjxXNRLgbuiHKoYvVs + jELUszztxGsMdGUT3UOUZAS2Aj+G+fqsnMVh+yMfvNMKx6IWFTC9qjG5isaWHYfO + b5aqq/dOaqwyO4+nvd4Akj8rEVYqz2jh8nAaBvcJBryQSbY1wnZj/k/vl8B8gYnS + TgHSC/a/G0NLJ4HPYJb7DvlQcBLwRbbF3tUFVl8K/1rKTNOa23ucUm2G2iF1HyFg + E8hygSkmtAa9rmhWpyPQ3fkh5mpm6Xmdx9FtLXY6JQ== + =UwEc + -----END PGP MESSAGE----- + fp: 8C5091AEA213FB0642BD46F943EE19743FAC1D5C + - created_at: '2021-04-06T11:13:25Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAzy5uO/X/tdJAQ/+JaLUL8RuXCyqrOARepnU1tgAyWB1GsUjYEXd83k72ZOr + QN3IRQJr3tE6eT4lusBSXI/9wIm102EsnIHs+RROUdjnic2RLkYUUS3vN6mtE+Lc + 8FwcbhUIzWnzSOTUSEFGeDxarD/X5bXEXWoUKWsJuZv5gZIIgvNNxKSCkT4vwqUQ + E8ljMy7J25D0tiT0XIHqj2sNzrdtYf0tdmAMDTHvHWkBTTo+dPw5moLI69yBRUC6 + k+hhuELJiNkuOIj1+hOBOKkiin1vCsnccen7nmQ4OmZ1N+2zNGucq0zbBQITSp63 + kooVpvgb3B1uyglOqTvvlRnBsoY7h1LEgkyx/lTvrfjCpY1VWHGIiTGz2Mt5R2GL + SelAtk3kh1SV1FQrgyZUMp7XEHxs1P9Dl3halWqK2aPCpzDk++qgNeOJ2DRg+yzM + 
iTtPwrBiWSENDAJgyafqG8vQRlZD2SLahxM0Vk0TqnG4VPlPj9j1PSr7IgEKDNWN + 7COE9mq0sYdK4DAbu+ML9X52e7PpakcsnCr5kQtMvaRIZDxXpDurSvWRf28s/Kne + RjackUCPtjfdN3dG6qnBXykkZJPZLeTRA/rsxENvQbuFuTi2eUyGygsg1xO+xnsz + k6z08LrA6u+TwGKVwUy16mURPRhmwr02DwMx5D8+zzQT+SdMFo7kFDc7KnXpDEzS + TgG8d5bYZblY1wGGYcGt8VJzGvHUwTA5HlKhE/14+ONXLfnylUmysV6GjC9XgPeP + 9a6rxtvE50BO2lCRwN5DeEPnKENEumCslUkjvFHQGQ== + =fIUQ + -----END PGP MESSAGE----- + fp: BB046D773F54739757553A053CB9B8EFD7FED749 + - created_at: '2021-04-06T11:13:25Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA2nIGHycQ3VOAQ/9HgTHU/5EYiHDRf65WHtQxfXSJ4Mv16IHemfRSITh9u/N + oJvbr/UPaAojzKYyh/HRlUq+H3FDM0x77JGaS/YTEpW89lmcLsOHmHe30Me9hlWQ + yiVIlIzJsXHls0lbtU765EU83C8d//eQjHf5hfqHlyXLZUtdziXqF1Adi1HOZdC/ + MCvLfDePwTZjKmToJLZY1jljARuxl6LcLUwq2XQvCL84BJMCg8vOJJw/JvBo+kZN + 2nDHfKrFk5P3kztCBY3ScgJSzIAxB8E1NhOtLORMwMuwh2WSu2rDw6Owf5VetusF + ioFbsL+qEUn8gljLGjRGXd0Xsxgem7BZtmbWl4KUx39aWzXRDDswB7GI/8AkWmB+ + bHIGAEKh7mbs1buNmnxBoJbLmFhY5CR88Aru6T31gDLpvlJgq09XLJkm/Xk8XkiC + PBgYC6nqws2Lo0UE8p1ArLchSYHzXt77Q3Ymlo3Wa3YkO8ZVv5yyQ1DSYUs90IJV + Dy0QVAP7hdKjeCloinyzhHqZw6fxDusKeb9w52y31foh/qXaXzXLC2dWQPEEfq4V + LGxXpxaV09bIOVy6c40y2Pk/w1ZeCyyflyjK5hvgn8Tj0VAlR3I1hTwHTa+UMCn6 + IwsCtjMJAgboB3pMMTZIEwteYW0coq3fyX95E3PSWhgzjP7E0TLDfzjcOJ7QxiPS + TgEZPWn4QIjnivTNgHnlHqMHJTg4mePyq//Mpw7ECIf+LkYoJ2l/1pG0VmpoJMv+ + cLTcQfThrWSoXSiBq9+Mr8bwQpnTJf3lrPGx4YPZ3g== + =QcVc + -----END PGP MESSAGE----- + fp: 2372651C56E22972C2D9F3F569C8187C9C43754E + unencrypted_suffix: _unencrypted + version: 3.6.0 diff --git a/shell.nix b/shell.nix index 74be3ff..2c39b5a 100644 --- a/shell.nix +++ b/shell.nix @@ -42,6 +42,10 @@ let "root@$hostname" \ "cat > /crypt-ramfs/passphrase" < <(pass "devices/$machine/luks") ''; + + show-key-fingerprint = '' + gpg --with-fingerprint --with-colons --show-key "$1" | awk -F: '$1 == "fpr" { print $10; exit }' + ''; }; in pkgs.mkShell { 
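Review bot: Every value in this shared file — `media-proxy-auth`, `torrent-proxy-auth`, `restic-s3`, `restic-password` — is decryptable by all four recipients listed under `pgp:`, so each machine can read the credentials of services it may not run. If a secret is consumed on only one host, moving it into that host's `machines/<host>/secrets.yaml` (as the WireGuard key already is in this commit) limits the blast radius of a single compromised machine to its own secrets. Note also that dropping a recipient later requires re-encrypting the data key (`sops updatekeys`), not just editing the creation rules.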
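Review bot: `show-key-fingerprint` passes `"$1"` straight to `gpg --show-key`, so when invoked without an argument gpg falls back to reading stdin and the script appears to hang; a guard such as `: "${1:?usage: show-key-fingerprint KEYFILE}"` before the pipeline makes the misuse fail loudly. The `exit` in the awk program means only the primary key's fingerprint is printed, which is what a `.sops.yaml` entry needs, but that intent is worth a one-line comment. The `scripts` attribute set starts before the hunk.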
@@ -49,8 +53,13 @@ pkgs.mkShell {
git
niv
nixpkgs-fmt
+ sops
+ ssh-to-pgp
]) ++ (pkgs.lib.mapAttrsToList pkgs.writeShellScriptBin scripts);
+
shellHook = ''
${pre-commit-check.shellHook}
+
+ find ${./. + "/keys"} -type f -print0 | xargs -0 gpg --quiet --import
'';
}
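Review bot: The new shellHook imports every regular file under `keys/` into the developer's default GnuPG keyring on each shell entry, with no comment on why. Assuming the key files carry the `.asc` suffix, narrowing the find to `find ${./. + "/keys"} -type f -name '*.asc' -print0 | xargs -0 gpg --quiet --import` avoids feeding stray files to gpg, and a comment such as `# make the machines' public keys available so sops can encrypt to them (import only; no ownertrust is set)` records both the intent and the fact that the hook mutates the user's global keyring rather than a project-local one. The `pkgs.mkShell {` block begins before the hunk.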