Use sops for secrets

Since I currently do not have access to sayuri, sayuri’s migration is
not done yet. The host keys and wg-home-private-key secret still have to
be added.
This commit is contained in:
Simon Bruder 2021-03-01 15:27:18 +01:00
parent b595aceb7c
commit 4a8a7e0a4f
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
29 changed files with 500 additions and 118 deletions

.gitattributes vendored

@ -3,3 +3,4 @@
*.svg filter=lfs diff=lfs merge=lfs -text
**/secrets/** filter=git-crypt diff=git-crypt
**/secrets.yaml diff=sops
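Review bot: The new `**/secrets.yaml diff=sops` attribute has no effect on `git diff` until a `diff.sops.textconv` driver is configured in the git config, which is not part of the repository and is not set up by the shell.nix hook on this page (that hook only imports the keys). Say where the driver gets configured, either in the README hunk or right here: `# needs: git config diff.sops.textconv "sops -d"`.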

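--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,28 @@
+keys:
+- &simon 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+- &fuuko 2372651C56E22972C2D9F3F569C8187C9C43754E
+- &nunotaba 8C5091AEA213FB0642BD46F943EE19743FAC1D5C
+- &vueko BB046D773F54739757553A053CB9B8EFD7FED749
+creation_rules:
+- path_regex: machines/nunotaba/secrets\.yaml$
+key_groups:
+- pgp:
+- *simon
+- *nunotaba
+- path_regex: machines/vueko/secrets\.yaml$
+key_groups:
+- pgp:
+- *simon
+- *vueko
+- path_regex: machines/fuuko/secrets\.yaml$
+key_groups:
+- pgp:
+- *simon
+- *fuuko
+- path_regex: secrets\.yaml$
+key_groups:
+- pgp:
+- *simon
+- *nunotaba
+- *vueko
+- *fuuko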
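Review bot: The last rule `path_regex: secrets\.yaml$` also matches any `machines/<host>/secrets.yaml` that has no rule of its own, so a file created for a host not yet listed above (the description says sayuri's keys are still missing) would be silently encrypted to simon plus all three existing host keys instead of being rejected. sops applies the first matching rule, so the per-host rules only work because they sit above the catch-all; a comment should make both facts explicit, e.g. `# catch-all for the repo-root secrets.yaml; every machines/<host>/secrets.yaml needs its own rule ABOVE this one or it gets encrypted to all host keys`. Alternatively anchor the catch-all as `^secrets\.yaml$` so an unlisted host fails to encrypt rather than over-sharing.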


@ -23,9 +23,7 @@
* `users/simon`: [home-manager](https://github.com/nix-community/home-manager)
configuration
Secrets are managed with kropss integrated support for
[`pass`](https://www.passwordstore.org/). Permission management for them is
implemented in `modules/secrets.nix`.
Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix).
## How to install


@ -8,7 +8,6 @@ let
kropsDeploy =
{ hostname
, target ? null
, secrets ? true
, extraSources ? { }
}:
let
@ -46,12 +45,6 @@ let
};
nixos-config.symlink = "config/machines/${hostname}/configuration.nix";
}
(lib.mkIf secrets {
secrets.pass = {
dir = toString ~/.password-store;
name = "nixos/machines/${hostname}";
};
})
extraSources
];
in

keys/machines/fuuko.asc Normal file

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=9jYa
-----END PGP PUBLIC KEY BLOCK-----


@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBAAAAAABEACo9KbNVEL7yttMyACGIxYS5UvkJDsXJiuIzPWmrzhVzDXTs1hi
3iS0EjkVB8mm8GLBKI25Pc9b7Rb2B3XeRcu2btUtWH61aBPOwcqpg8vt0MtcieZN
lpmwFBg0QtBdSrnUr/GdekRDcenSmIVPh8cyb9KCyJgcGxvTFWkd5lhrdQoAWAdM
TynUd8tKvmp9R6z54uPuGNUHbmNmHHDtv7LSOD79DIi+32bQGHevNTkCeXJNLO1P
5YJdz04xb7kGEhUodYoAx7RB2M18BdTk97XA7sHmoI3TayARHssPWtqJb1B8CK8x
uSHi1L7tHOF74pmo6V4Rt41gECMKjxLzXwB87hnrBxQ5UT8VZx5MBBQm+nfNKYH0
MWAvWvaHGwBzNPabeGgaCoRT2OhC+0q4hPnYMxdSA61IYN6fch7LYfJdaPxOdGKH
/IMW091tS1JF9aY0ZGGy52DCVa+bC+4yHziqpCzf7aPJ4oCYtxZ904t6hocKlggG
bEM879Or9/nZ63smodUP907msUpFdvXUfFckAWAKms/SECN3lRvBnVj7VsHylvdi
gwUI+XkEw6NXscsTGepSWgQppz4hmQWFAhfkYZYl0P59HRyXa+PdyQeH+jDOlyNg
B6yIdCJWwDEiCvErqfJ9mulgrmZWePrjPYHOy1iFUueSoupxEbzBkm6LIwARAQAB
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
AQgAFgUCAAAAAAkQQ+4ZdD+sHVwCGw8CGQEAAHFMEAAB8oxf8GD/w6932R30qybr
Y6kJukhmsTSPszeILmIU+F0BDBekgPxApFZRHRjAbAfra131emtj1xrUXGi+Y2UL
E4wN/Ebaxc5TfJk46iklxHsRUNG6ikJOcSz8zIl2LYN1BEOYOOGTtJqpWq607ngF
hkK6FDqKYcomrWGfGOzp33ts4j8t52zwsipms7Z1x9DqQmYEZcT6kvPbAUKQh2oj
chTI6FixsL63UH26JtlxPwrXqDGy1LwL2VUzlTHYYAuo3A+t6gEWveMCv99jLa2U
jVdjhjSTC6vX+7Rj3qko1Gns9h2JmsBSpocEvpsOGseAGA6uVoZcbWG5AzW/729b
xkQ9mL2Ya/htPwG/pzzuHvmK/YdFdUYQvZJr82Gvtkiu0/KUN21FU5BeE0Zg0kCk
pM5s8vJtj87eJ4UsUNlDtVX1DtwHAP8G2Dmpd2lWkD6ulovwpNcHLQ+Q+YH7UyU6
OjZzlX5yf4Tndm+Gv8YhnTOm6Bo6jgiMIZpJh5qObA0oY8dEAiDdy7mVsNR0AFUn
lWBjVAfO4keEwMPqs/RBONofixRkZLoX54s3ypAS8ltr/Qlxjk3fzDLf/en01uL8
qOjTkYBRwfGZdIPVuTYsncxBVSh9/MPKF1zEYpTSFF4hxhW+00R9mpvNiqO4CHia
x2KNnq/P36Mpcv6X7j4U4Q==
=5d0j
-----END PGP PUBLIC KEY BLOCK-----

keys/machines/vueko.asc Normal file

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=4Idg
-----END PGP PUBLIC KEY BLOCK-----

keys/users/simon.asc Normal file

@ -0,0 +1,52 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=7eg7
-----END PGP PUBLIC KEY BLOCK-----


@ -50,7 +50,7 @@
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
users.users.nginx.extraGroups = [ "keys" ];
systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton "keys";
services.postgresqlBackup = {
enable = true;
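Review bot: The new `systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton "keys"` hard-codes the group name, while the media-proxy hunk later on this page uses `config.users.groups.keys.name` for the same purpose; pick one form (the option reference survives a rename) and use it here and in the gitea and matrix-synapse hunks too. The line also needs `lib` in this file's argument set, which is outside the hunk — the gitea file adds `lib` in this commit, so check this one as well. A short comment on why group access is still needed would help, since prometheus-htpasswd gets `owner = "nginx"` in a later hunk and, if it keeps sops-nix's default owner-only mode, is readable without any group membership (confirm the mode): `# nginx needs the keys group only for secrets it does not own`.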


@ -47,15 +47,9 @@
loader.grub.device = "/dev/disk/by-id/ata-CT240BX500SSD1_2045E4C67C52";
};
krops.secrets.luks-data = { };
environment.etc.crypttab.text =
let
keyfile = config.krops.secrets.luks-data.source; # path is not yet available
in
''
data0 UUID=aa692e73-2b75-4239-8a87-5f5b69ea56c5 ${keyfile} luks
data1 UUID=1f4120b6-a3a0-4973-8c4c-a4d6703eea2a ${keyfile} luks
environment.etc.crypttab.text = ''
data0 UUID=aa692e73-2b75-4239-8a87-5f5b69ea56c5 /root/luks-data luks
data1 UUID=1f4120b6-a3a0-4973-8c4c-a4d6703eea2a /root/luks-data luks
'';
fileSystems = {
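Review bot: The new crypttab text points at the literal `/root/luks-data`, but nothing in this commit provisions that file: the `krops.secrets.luks-data` declaration is removed and no `sops.secrets` entry replaces it, so the LUKS keyfile becomes an out-of-band artifact that is neither tracked nor permission-managed by the configuration. The same literal appears in the initrd `keyFile = "/mnt-root/root/luks-data"` hunk later on this page, so both have to be kept in sync by hand. Record this next to the path: `# /root/luks-data is provisioned out of band (not managed by sops-nix); keep it mode 0400 root and in sync with boot.initrd.luks keyFile`. If the reason is that the keyfile is needed before sops-nix has populated its secrets, say so in the comment — that is my inference, not something the hunk shows.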


@ -0,0 +1,60 @@
drone-rpc-environment: ENC[AES256_GCM,data:2Alck43ZrOFzhY7fKonIyboROD5qGuKkalTXlUZM0vBYTNeFLblU4u4tIIaA4t9nNO4=,iv:EakQQ/8pVZlIzM9PbNB0EGzSW46t/dWbxOtQo6uVAhs=,tag:NEhSgzkx8AxIjqtGetGG9w==,type:str]
drone-server-environment: ENC[AES256_GCM,data:73uDSq+u3nGiKhLqdhdegTIvec9mF9jxVLJLtCjer5jUiFEZu5PkeYv0AWAyLWbB7s8b0V+4fxNQo/QsAfBWH0eP2TVOAy1TAo/sOso9PEVRaQCdilw39UJBdT8II3dy9YIfGFUXRUXCMU+1xfzUFjhU0s7sc+mYQ4jEj2ZX90UbUDcbgppNjC7KIHo8mQdrxFHeMq+wQpaoncwFMlwwzn8lFlG75+dMnkPGYa4xSqkwjHn2tewLM8f9dCiBQVoMVQCWo+1RieMq2cd3CYEkP7MPl+y3OA==,iv:kggBBXdN01LJ82azzxOZap1lfWglshCjkKqaU+oi+T4=,tag:Zg0Ay2aLGok4fgX3/y4ILA==,type:str]
gitea-mail: ENC[AES256_GCM,data:ck4S9YJ1BLUb6+mOrRmg22KWI1xQwsdIw1dowNk1OOk=,iv:+aQiTSGzmBOLYbIVgwH/SIhslKgdJKoL1ZaGAXCeqHY=,tag:H3vCEGMktqAV/9BASVR5tg==,type:str]
prometheus-htpasswd: ENC[AES256_GCM,data:eJOWrcTC3YISJJLuQV6sxzD0r8Gr8uoUt48D9sSEHhsbNUUy3pDgIPqJHrkG0ek2sIF6NvpWdDGK1kFcduRAL9h7nLxQLOtf7dxsdObGlPH5nwe6CwdR+1wTE/2WzrsmTGnUrMjMiBgLPV2yRiQg3VJ7W1Me8tHPYHrqYhM=,iv:WvgwIoIfxc3vyjF+znyUzOElv+sd/thoYpxWVaIavx0=,tag:9FnRw7ol++1PCbl1c2IyoA==,type:str]
restic-password: ENC[AES256_GCM,data:IVFXmuzzvvqDS0T3P0R5ZMIn2wdkbE1AqwDMkWqMpDdCOVMP4/HhP4jF+tEarq22,iv:Eu6Wspzm0rPl0CuSoYTTLz+MmaEtmwCD57nH2JTBuaA=,tag:tKqt5Z7nF7lLcSsDKS4E3A==,type:str]
restic-s3: ENC[AES256_GCM,data:VJ/jgYnUSkbsNMb1ciLiCcRVEpuaznsSFf0QkEnPhTRHpFv4Nt0f8ARnNtG5j3iXSIT4+H2+5HWKXEsjhvL85p0XE3xe4h45xGKnvvVO2obF+b/zsMDdceFJtLbcq+APzPBjchYU,iv:W+80GhAvYD/52dNZsNYiEhiLo4dhO8oxkd+GAbk42NU=,tag:Kj9CaGo/xAmYxdoLE/Lo1Q==,type:str]
synapse-registration-shared-secret: ENC[AES256_GCM,data:lNzK/7QAk4Scv+lNM8bTTKvowI139c4R4Y7Qpq60n8R61aahlxrnWc/PUEOv85Pdx+8IdBOLnV0kp7OQF6tStGBBCOkAicYmnsLoR36DmuDCvTSKVArryV7BrxL8pv0=,iv:ZT9IIF7W0NHqvnU3lPQclVS5uXXK5HIQUzXNYwYFMIo=,tag:a/sUixOlHEvn5ZOINPwQlg==,type:str]
synapse-turn-shared-secret: ENC[AES256_GCM,data:I5QbouvLvBpjroux5TTi8gIAHeyNb5KXV1g9sbTdqjD4YoMaedHSiC53h+ZMmqNCKor64e6iP58Y6SbMaTfFaEl0CyK2GqfcSBrlHxKj0GSWaopO5kLS,iv:qsfHxHykY+oZOaMGw5Tvq8a6zBUDxH3B5q8QKdT1oSk=,tag:75OOrVtztDsLYeTglKPYCQ==,type:str]
wg-aria-private-key: ENC[AES256_GCM,data:qbxpfNRocrXDbUJ3MwR5WMXX8LB4Vnv9HMXN403ANaBbCLrRTEL9hy93roY=,iv:l2DYXGY1wN1rP2bG/s9uSwRhbvCUm2T6IJy5LKzguqk=,tag:51S+m1P1EtHk1QWEjdUCUA==,type:str]
wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
lastmodified: '2021-04-06T11:40:14Z'
mac: ENC[AES256_GCM,data:k9GRiDmXoKFN96NMGHt0rjAMklKIsnFUgWRP7iUQeA5j0uG4lo92KzJCMsHCIicDdF+NnNmEigeXE1eI7iet8K+rAh9x1wO8CiO/5ITsNeCzJO/PsfVxZHL1h9dqirjMkqGvKA//2nocEGv9uT/k6xezriDktBkDbLBIWg3Jfek=,iv:T5mO4IuPqO7jRRhQm2LMoW51D659SL4zVXBHbdt0Qgg=,tag:ahtBYe/18kHpGWHtqeKlAA==,type:str]
pgp:
- created_at: '2021-04-06T11:27:21Z'
enc: |
-----BEGIN PGP MESSAGE-----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=dltN
-----END PGP MESSAGE-----
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- created_at: '2021-04-06T11:27:21Z'
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA2nIGHycQ3VOAQ//RC1NMySQoeqfTGEKFB7LwC3o0yLTMHAqoi4qm2Q8jKxH
6zSjHNoYI9+2VNEWJcSvUwd9ks79jkVOAWO+Lmv2h1QT3RrsSsj16VZwl+ORp50/
+PDrZjaimMafAKaqGJ3HaPlzFX7jUjCHS0yCaF6WIU1ztRLVnHAv3p8dsPzQ1w+7
p1h0oQ2noWibl2GLGI3+1O3sv1N5tusTGZWFacG6VsTbtbJmbVCO5FQRqX7vcJtM
xfClghFPoHCGbN5W1NWpo/a/lOLUucqO7bFB5DIOoXme6SSS7lrYQKtjBQy/4DRe
r3VIjvS6ncVUIYPPnEMlxI3MPUB2lwJLG2B89XNNWwfwREUXTG4DEg09Z6jMUqVr
yNO67YCF95fNUQFMQ0LWyVsWZW1n1ef7/iKtDHNoFubCVGjWimIa3ZDX/e4WemEN
ww7dab2RXEY3oTLJZwAFMN4jeqUfpgH1TOvcs9OHwF0CQjJIDyDj6uyt6wYqITT2
dorhmn1FN/tUUNn4hE0iRjFaD1QrN30KZ4pQ1S/G3IkHGzJ4AlelO0j9yE2VMR2q
E8wEhVtDlO/VAYZSx7tJ7jd24gFsGlL70OfSXvo7jyNpo+OjaN9yy5Qy8iogwpGC
Jua/Y7+XORx3+SVB+1AUNSwCABOhWL2RQGnGxRRQrST4uEv2Gn6IV5sQuPz6my3S
TgEtH78YDDWHFdEE4b3lQaPAR8NGNvuE0btjpdeR7QoTOAkmg0SaUNqAoqrz80jj
7kdIBtI8XA2CW/oXYcoxHlkqbPNqPAhaRu3YDci8oQ==
=ukYv
-----END PGP MESSAGE-----
fp: 2372651C56E22972C2D9F3F569C8187C9C43754E
unencrypted_suffix: _unencrypted
version: 3.6.0


@ -31,7 +31,7 @@ in
PAGER = "cat";
};
serviceConfig = {
EnvironmentFile = lib.singleton config.krops.secrets.drone-rpc-environment.path;
EnvironmentFile = lib.singleton config.sops.secrets.drone-rpc-environment.path;
BindPaths = [
"/nix/var/nix/daemon-socket/socket"
"/run/nscd/socket"


@ -5,9 +5,9 @@ let
group = "drone-server";
in
{
krops.secrets = {
drone-rpc-environment = { };
drone-server-environment = { };
sops.secrets = {
drone-rpc-environment.sopsFile = ../../secrets.yaml;
drone-server-environment.sopsFile = ../../secrets.yaml;
};
systemd.services.drone-server = {
@ -24,7 +24,7 @@ in
DRONE_USER_CREATE = "username:simon,admin:true";
};
serviceConfig = {
EnvironmentFile = with config.krops.secrets; [
EnvironmentFile = with config.sops.secrets; [
drone-rpc-environment.path
drone-server-environment.path
];


@ -1,10 +1,13 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
cfg = config.services.gitea;
in
{
krops.secrets.gitea-mail.owner = cfg.user;
users.users."${cfg.user}".extraGroups = [ "keys" ];
sops.secrets.gitea-mail = {
owner = cfg.user;
sopsFile = ../secrets.yaml;
};
systemd.services.gitea.serviceConfig.SupplementaryGroups = lib.singleton "keys";
services.gitea = {
enable = true;
@ -32,7 +35,7 @@ in
clonePort = 2022;
};
database.type = "postgres";
mailerPasswordFile = config.krops.secrets.gitea-mail.path;
mailerPasswordFile = config.sops.secrets.gitea-mail.path;
settings = {
mailer = {
ENABLED = true;


@ -6,11 +6,17 @@ let
domain = "sbruder.de";
in
{
krops.secrets = {
synapse-registration-shared-secret.group = "matrix-synapse";
synapse-turn-shared-secret.group = "matrix-synapse";
sops.secrets = {
synapse-registration-shared-secret = {
owner = "matrix-synapse";
sopsFile = ../../secrets.yaml;
};
users.users.matrix-synapse.extraGroups = [ "keys" ];
synapse-turn-shared-secret = {
owner = "matrix-synapse";
sopsFile = ../../secrets.yaml;
};
};
systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups = lib.singleton "keys";
services.matrix-synapse = {
enable = true;
@ -71,7 +77,7 @@ in
suppress_key_server_warning: true
'';
extraConfigFiles = with config.krops.secrets; [
extraConfigFiles = with config.sops.secrets; [
synapse-registration-shared-secret.path
synapse-turn-shared-secret.path
];


@ -184,15 +184,16 @@ in
# get rid of “could not call action: authorization required” every scrape
systemd.services.prometheus-fritzbox-exporter.serviceConfig.StandardOutput = "null";
krops.secrets.prometheus-htpasswd = {
group = "nginx";
sops.secrets.prometheus-htpasswd = {
owner = "nginx";
sopsFile = ../secrets.yaml;
};
services.nginx.virtualHosts."prometheus.sbruder.de" = {
enableACME = true;
forceSSL = true;
basicAuthFile = config.krops.secrets.prometheus-htpasswd.path;
basicAuthFile = config.sops.secrets.prometheus-htpasswd.path;
locations = {
"/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}";


@ -98,14 +98,14 @@ in
"d '${homeDir}' 0771 aria2 aria2 - -"
];
krops.secrets.wg-aria-private-key = { };
sops.secrets.wg-aria-private-key.sopsFile = ../secrets.yaml;
networking.wireguard.interfaces.wg-aria = {
interfaceNamespace = "aria2";
preSetup = "ip netns add aria2 && ip -n aria2 link set lo up";
postShutdown = "ip netns del aria2";
privateKeyFile = config.krops.secrets.wg-aria-private-key.path;
privateKeyFile = config.sops.secrets.wg-aria-private-key.path;
} // (import ../secrets/aria2-wireguard.nix); # potentially sensitive data
environment.etc."netns/aria2/resolv.conf".text = ''
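Review bot: The `privateKeyFile` switch to `config.sops.secrets.wg-aria-private-key.path` sits right next to `import ../secrets/aria2-wireguard.nix`, which still comes from the git-crypt-managed `secrets/` tree (the `**/secrets/**` git-crypt attribute is still present in the .gitattributes hunk), so this interface now draws on two secret backends and the remaining scope of the migration is not visible from the file. Either move the peer data into secrets.yaml as well, or make the split explicit on that line: `# peer data still lives in the git-crypt secrets/ tree, not in sops`.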


@ -0,0 +1,51 @@
wg-home-private-key: ENC[AES256_GCM,data:u4svQwAMai742deedGbhr2Pk6wGdmztb1L+93ZQl9eZ8qAfOPhDrcmXAVSQ=,iv:ilMwQGV8+9Bk78lq6slLgKtQaWPgdTbwgA6pxgK5gLY=,tag:Vui4xbbvreC6j2UxrR0o3A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
lastmodified: '2021-04-06T11:11:35Z'
mac: ENC[AES256_GCM,data:mP+I2i2Iam02GnIwnzO+AfQNaPKPyHR7JhVf5zrt2p1MuMBkDH5LZp3BT4YDxetj9u5bevyTuC4x2gZ+H2lcBUNovuXYLPEoNqE+MvwRHitSkDEV6qR5CPaA63AJll9dW6P0+c7Dv0QZTyO2Zs71Hk9hJEnUEmNbqo1xhgATvFw=,iv:hJ/Yaa55/O5XnRie8MKbe+vz4C4qFF8npOLy4E+9jBk=,tag:9ljgygjLx3fcid4XuJcebg==,type:str]
pgp:
- created_at: '2021-04-06T11:11:32Z'
enc: |
-----BEGIN PGP MESSAGE-----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=
=swUH
-----END PGP MESSAGE-----
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- created_at: '2021-04-06T11:11:32Z'
enc: |
-----BEGIN PGP MESSAGE-----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=pjuj
-----END PGP MESSAGE-----
fp: 8C5091AEA213FB0642BD46F943EE19743FAC1D5C
unencrypted_suffix: _unencrypted
version: 3.6.0


@ -43,7 +43,7 @@
label = "data";
enable = true;
blkDev = "/dev/disk/by-uuid/576088d4-9aae-4159-a028-feadb2621a1a";
keyFile = "/mnt-root" + toString <secrets> + "/luks-data";
keyFile = "/mnt-root/root/luks-data";
};
};
};


@ -100,12 +100,15 @@ in
};
};
krops.secrets.murmur-superuser.owner = config.users.users.murmur.name;
sops.secrets.murmur-superuser = {
owner = config.users.users.murmur.name;
sopsFile = ./secrets.yaml;
};
services.murmur = {
enable = true;
openFirewall = true;
superuserPasswordFile = config.krops.secrets.murmur-superuser.path;
superuserPasswordFile = config.sops.secrets.murmur-superuser.path;
acmeDomain = "mumble.sbruder.de";
config = {
bandwidth = "128000";


@ -0,0 +1,52 @@
murmur-superuser: ENC[AES256_GCM,data:jTVEa1KmbGAIxxFS2/uIlDCnnJTtGmKFZQ==,iv:YJIfcXlgKEwIRzFEY94dgReNjWZqLAqL0Rb6TG4IHIE=,tag:MVzaRkb24QyyNyFCEMwmzQ==,type:str]
wg-home-private-key: ENC[AES256_GCM,data:/RHNF6Zw6CTWa9ahUhGWRfkR8KIj+HdqUIojA1w6HQBFbZ/+Vo+CcYTYO5I=,iv:2sDH1P3VRjmLw6Ilkq0rw/hossHrNWP5uRvX9yr5fLE=,tag:KIT5GCfXuhg6RjA8+Nmtnw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
lastmodified: '2021-04-06T11:14:32Z'
mac: ENC[AES256_GCM,data:eMx+ls4NHFqKNwW4XmrtVsizbtnASeO38cw3oPeSlvW8NbT8yUZWRxRofhzg3nD3icyGcwhImVMKHgVz5305zwvrjx0D9n+URe733WPcMmfR39G0FfXz+9kob6p5TVruKjL6qTPmyNRD+8E8CvmBmnwPwRW46F5Pvadum2SZJ3c=,iv:zVxvTUJaTx57KAglUkSNzGsxcX0csPU4qYkkLHwl7bs=,tag:a2Al47gGxFm6XubaTAdw9A==,type:str]
pgp:
- created_at: '2021-04-06T11:13:54Z'
enc: |
-----BEGIN PGP MESSAGE-----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=
=JlIF
-----END PGP MESSAGE-----
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- created_at: '2021-04-06T11:13:54Z'
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAzy5uO/X/tdJAQ/9Hx6h7IIjr4vwFPC3UCx07rt/lljWHwqA8d8bN3VIcVWJ
39doJ3DigerCeZWZo/5Wvdm1TBLnbvnQndl+7EcP5mbAuGUmNo2VajTBOkFoySLa
A6g0HwkztuftjtxQV2ICunw1NEsqBCWlNKziGKBjEzsDgOuXLzIaN5ArJAkiUFel
kH8jGyHCP6W+nplHE1zOD20SA/oIyRfLW1m+G7d8KU6EuluaPSgASocS6t4oGtsG
gnApj6WwWOdM3tDefxtYxa/PlPDXo4gj+Dhak6mOMK88UW/wrDC/f4fYL9JrILmT
ImjtA+BIWCI9nLkeo3FTTFhtfr+evOhCsLc8qGL/NMCVZOXB0gK7rpCsReBRQS09
4t2KGI1Jti01rNFYvdTN16o59+oF0DoFYnE2dXHAnBA4jmWt+9eDqd5TPmlsuIyr
XBiqBcKK+1z0/3ad7nv7vb8jOYkUjKasJl+qhLUaUD5ehojfaCawDMUVia7Y2k72
yS77m3m/hCEq0vVvUvMev7hvSTKbfQy3gQkjcnWGavbFfdz64pVBI/KgSJPBM5YE
1VFRFZIf30wOF9Xlt++9Cc6xFMQH9JVLG/WouK5On4mfdWwcfnMLgpu83qmYtS6b
30hYAuuqKUwWDMbZtXsYOrfb6HXGqs0mtBfpJzgFaiZyHyIVVhb/blXF4ML4dfnS
UAGUryszfSsH+ag2oerNKEaDFmgdktmL0FdpP3ycf2qVkMmBNbTpTf2BZaVPcrzF
mSfsOU6k+KcWtXYpurZr31zUVK626Re0fsr5XbPSj+9G
=Grqu
-----END PGP MESSAGE-----
fp: BB046D773F54739757553A053CB9B8EFD7FED749
unencrypted_suffix: _unencrypted
version: 3.6.0


@ -59,6 +59,8 @@ in
./udev.nix
./unfree.nix
./wireguard
"${(import ../nix/sources.nix).sops-nix}/modules/sops"
];
config = lib.mkMerge [


@ -2,19 +2,19 @@
let
port = 8888;
services = {
"media" = config.krops.secrets.media-proxy-auth.path;
"torrent" = config.krops.secrets.torrent-proxy-auth.path;
"media" = config.sops.secrets.media-proxy-auth.path;
"torrent" = config.sops.secrets.torrent-proxy-auth.path;
};
in
{
options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";
config = lib.mkIf config.sbruder.media-proxy.enable {
krops.secrets = {
torrent-proxy-auth.group = "nginx";
media-proxy-auth.group = "nginx";
sops.secrets = {
torrent-proxy-auth.owner = "nginx";
media-proxy-auth.owner = "nginx";
};
users.users.nginx.extraGroups = [ "keys" ];
systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton config.users.groups.keys.name;
# otherwise name resolution fails
systemd.services.nginx.after = [ "network-online.target" ];


@ -67,7 +67,7 @@ in
};
config = lib.mkIf cfg.enable {
krops.secrets = {
sops.secrets = {
restic-password = { };
restic-s3 = { };
};
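Review bot: `restic-password = { }` and `restic-s3 = { }` set no `sopsFile`, so they resolve through `sops.defaultSopsFile` (the repo-root secrets.yaml, which does carry both keys), yet a per-machine secrets file earlier on this page (the one with the drone-* entries) holds a second `restic-password`/`restic-s3` pair that no hunk on this page references. Two encrypted copies of one credential drift silently; drop the unused pair, or add `sopsFile` here if the per-machine copy is the intended one. Either way a one-liner saves the next reader the search: `# no sopsFile: taken from the repo-wide secrets.yaml (sops.defaultSopsFile)`.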
@ -75,8 +75,8 @@ in
services.restic.backups.system = {
inherit repository;
inherit (cfg) timerConfig;
passwordFile = config.krops.secrets.restic-password.path;
s3CredentialsFile = config.krops.secrets.restic-s3.path;
passwordFile = config.sops.secrets.restic-password.path;
s3CredentialsFile = config.sops.secrets.restic-s3.path;
paths = [
"/etc"
"/home"


@ -1,66 +1,3 @@
# Adapted from https://github.com/Mic92/dotfiles/blob/23f163cae52545d44a7e379dc204010b013d679a/nixos/vms/modules/secrets.nix
#
# All of the users wanting to access any key under /run/keys have to be a
# member of the keys group (or be root). This is a hard coded limitation of
# NixOS and I havent found a way to allow everyone to access /run/keys/ (not a
# security problem since the keys themselves are given the right permissions).
{ config, lib, pkgs, ... }:
let
secret = lib.types.submodule ({ config, ... }: {
options = {
name = lib.mkOption {
type = lib.types.str;
default = config._module.args.name;
};
path = lib.mkOption {
type = lib.types.str;
default = "/run/keys/${config.name}";
};
mode = lib.mkOption {
type = lib.types.str;
default = "0440";
};
owner = lib.mkOption {
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
type = lib.types.str;
default = "root";
};
source = lib.mkOption {
type = lib.types.str;
default = toString <secrets> + "/${config.name}";
};
};
});
in
{
options.krops.secrets = lib.mkOption {
type = lib.types.attrsOf secret;
default = { };
};
config = lib.mkIf (config.krops.secrets != { }) {
system.activationScripts.setup-secrets =
let
script = ''
echo "setting up secrets"
'' + lib.concatMapStringsSep
"\n"
(secret: ''
${pkgs.coreutils}/bin/install \
-D \
--compare \
--verbose \
--mode=${lib.escapeShellArg secret.mode} \
--owner=${lib.escapeShellArg secret.owner} \
--group=${lib.escapeShellArg secret.group} \
${lib.escapeShellArg secret.source} \
${lib.escapeShellArg secret.path} \
|| echo "failed to copy ${secret.source} to ${secret.path}"
'')
(lib.attrValues config.krops.secrets);
in
lib.stringAfter [ "users" "groups" ] "source ${pkgs.writeText "setup-secrets.sh" script}";
};
sops.defaultSopsFile = ../secrets.yaml;
}
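Review bot: The rewritten module keeps none of the explanatory header the removed version had, and its single remaining line `sops.defaultSopsFile = ../secrets.yaml;` is a repo-wide default that some hunks on this page rely on implicitly (media-proxy, restic) while others override it per machine. A short header would make the contract visible: `# Repo-wide sops default: secrets declared without sopsFile come from <repo>/secrets.yaml, which .sops.yaml encrypts to simon and every host key; per-host secrets set sopsFile explicitly.`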


@ -36,12 +36,14 @@ in
};
config = lib.mkIf cfg.enable {
krops.secrets.wg-home-private-key = { };
sops.secrets.wg-home-private-key = {
sopsFile = builtins.path { path = "${toString ./.}/../../machines/${config.networking.hostName}/secrets.yaml"; };
};
sbruder.wireguard.home.address = peers."${config.networking.hostName}".address;
networking.wireguard.interfaces.wg-home = {
privateKeyFile = config.krops.secrets.wg-home-private-key.path;
privateKeyFile = config.sops.secrets.wg-home-private-key.path;
ips = [ "${cfg.address}/24" ];
listenPort = if enableServer then 51820 else null;
peers =
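Review bot: The new `sopsFile = builtins.path { path = "${toString ./.}/../../machines/${config.networking.hostName}/secrets.yaml"; }` makes the module depend on a `wg-home-private-key` entry in every enabled host's per-machine file, and the description says sayuri's entry does not exist yet, so enabling the module there will presumably fail at evaluation or at sops-nix's build step without saying where the key was expected. Record the contract next to the line: `# every host enabling this module must carry wg-home-private-key in machines/<host>/secrets.yaml (see the per-host rules in .sops.yaml)`. The enclosing `config = lib.mkIf cfg.enable { … }` block ends outside the hunk.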


@ -70,5 +70,17 @@
"type": "tarball",
"url": "https://github.com/cachix/pre-commit-hooks.nix/archive/c7e3896e35ceea480a7484ec1709be7bdda8849d.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"sops-nix": {
"branch": "master",
"description": "Atomic secret provisioning for NixOS based on sops",
"homepage": "",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "441227c4fd831818fb55f366ea16ea6364850102",
"sha256": "0dv8kbax83rrvq599q5m2x4xi805iv343r68fmh7k2i44c0s4kck",
"type": "tarball",
"url": "https://github.com/Mic92/sops-nix/archive/441227c4fd831818fb55f366ea16ea6364850102.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}
}

secrets.yaml Normal file

@ -0,0 +1,94 @@
media-proxy-auth: ENC[AES256_GCM,data:KaYd8TCMVlHbgoj1QQfRwTXAK2hJUDr0UJqhTXvILylyR+mdJy7smn5EtFdNNFWZk6eJituvGG7naT2/UiNoYne4ljlJhu/IuObTLY5AI9ELDtYBDQ==,iv:qo6SOaHrWsXfvRwgSKDTSnreOcO9xy3RKrfE2k+VLEg=,tag:SND1zp2Cd2gqQdOVWw2eWw==,type:str]
torrent-proxy-auth: ENC[AES256_GCM,data:9XuDRdUjOClPuZFvI7VwYQdbegzg400zfmFmE3qt5kTo6bD7m74V9F3b73aUueqMQ+80PxBc1KusTTlPYy2LAf6mT4PQ2TpqSu0kBXAezfL4e5fxdQ==,iv:26d+hQ9yn5CzDGNZvi9A5bvzgo87IrJHz67xTac4UA4=,tag:5FtjmtIY1gSixu/9UZhBVA==,type:str]
restic-s3: ENC[AES256_GCM,data:lRcwoChzSX+ICXyafAtBGjkBTBdzL5v/imUL2yHtApMOe+MkP5CjXr47WoWGt17tdLPVRQ9v7/6jcagTKIk3IfjmhRhMip3CMyPkio62uDxArlaKpi9GoZNQOCt+XHWlpiBJ609H,iv:yrp2QZLXJypWh5XjsAHcpiXEPUcYF8A+mQZ+W2w7zpU=,tag:Xis3NQ2KNQqG+Rmgzpy3Tg==,type:str]
restic-password: ENC[AES256_GCM,data:Bi/WJAVECgBegIZMV/MZN8kvHyxsh/xERAnZ6TQ1OIOkffqkWBwx6DCS1cVJ0Nzz,iv:8/WPCuGfLkd0LkLTEr7pjpT8kb/P64VICppDeEcKDIE=,tag:JLgYEekrZG91AapztOYBTw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
lastmodified: '2021-04-06T11:12:39Z'
mac: ENC[AES256_GCM,data:guWWnJb9153SmSFwvDEqru0GGYUgQCmCtDb/bmKCehUvQ2ecVDulYYKAQ5jq2v3Eo5pfKmdrtIMV/jf6TOwNyEqBuWxU5aUODMheSqYgDNKAcFSvwpdldyVATspt7XT0s0waUbFBPjMOmQC0TEp5rtZXS7PlRT8DgohUlyy6jhI=,iv:Eh3Uwctaw0hrI6Ux2q0WUixZiLF5Fdj3/AVG8PluCHc=,tag:Jo3bzKNQzH7tsatfLphagQ==,type:str]
pgp:
- created_at: '2021-04-06T11:13:25Z'
enc: |
-----BEGIN PGP MESSAGE-----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=cMUp
-----END PGP MESSAGE-----
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- created_at: '2021-04-06T11:13:25Z'
enc: |
-----BEGIN PGP MESSAGE-----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=UwEc
-----END PGP MESSAGE-----
fp: 8C5091AEA213FB0642BD46F943EE19743FAC1D5C
- created_at: '2021-04-06T11:13:25Z'
enc: |
-----BEGIN PGP MESSAGE-----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=fIUQ
-----END PGP MESSAGE-----
fp: BB046D773F54739757553A053CB9B8EFD7FED749
- created_at: '2021-04-06T11:13:25Z'
enc: |
-----BEGIN PGP MESSAGE-----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=QcVc
-----END PGP MESSAGE-----
fp: 2372651C56E22972C2D9F3F569C8187C9C43754E
unencrypted_suffix: _unencrypted
version: 3.6.0


@ -42,6 +42,10 @@ let
"root@$hostname" \
"cat > /crypt-ramfs/passphrase" < <(pass "devices/$machine/luks")
'';
show-key-fingerprint = ''
gpg --with-fingerprint --with-colons --show-key "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
'';
};
in
pkgs.mkShell {
@ -49,8 +53,13 @@ pkgs.mkShell {
git
niv
nixpkgs-fmt
sops
ssh-to-pgp
]) ++ (pkgs.lib.mapAttrsToList pkgs.writeShellScriptBin scripts);
shellHook = ''
${pre-commit-check.shellHook}
find ${./. + "/keys"} -type f -print0 | xargs -0 gpg --quiet --import
'';
}