remove move root passwords to agenix

2022-10-16 13:50:43 +02:00 · 2022-10-16 13:50:43 +02:00 · 1d9dad78ee
parent e12b96cf57
commit 1d9dad78ee
9 changed files with 45 additions and 8 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -1 +0,0 @@
-secrets.nix filter=git-crypt diff=git-crypt
--- a/nixos/machines/pennyworth/hetznercloud.nix
+++ b/nixos/machines/pennyworth/hetznercloud.nix
@ -1,6 +1,5 @@
 { config, lib, pkgs, modulesPath, ... }:
-let ipconf = (import ../../secrets.nix).ipconf.${config.networking.hostName};
-in {
+{
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

  boot.kernelPackages = pkgs.linuxPackages_latest;
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@ -1,5 +1,4 @@
-let secrets = import ../secrets.nix;
-in { config, pkgs, lib, name, inputs, ... }:
+{ config, pkgs, lib, name, inputs, ... }:
 let
  machine = name;
  vpn = import ../vpn.nix;
@ -14,6 +13,10 @@ in {
    ../modules/muflax-blog.nix
    ../services
  ];
+  age.secrets = {
+    root-user-pass.file = ../../secrets/root-user-pass.age;
+    yorick-user-pass.file = ../../secrets/yorick-user-pass.age;
+  };

  nix.nixPath = [];# "nixpkgs=${pkgs.path}" ];
  nix.registry.nixpkgs.flake = inputs.nixpkgs;
@ -26,7 +29,7 @@ in {
    openssh.authorizedKeys.keys =
      config.users.users.yorick.openssh.authorizedKeys.keys;
    # root password is useful from console, ssh has password logins disabled
-    hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
+    passwordFile = config.age.secrets.root-user-pass.path; # TODO: generate own

  };
  services.timesyncd.enable = true;
@ -36,7 +39,7 @@ in {
    extraGroups = [ "wheel" ];
    group = "users";
    openssh.authorizedKeys.keys = with (import ../sshkeys.nix); yorick;
-    hashedPassword = secrets.yorick_hashedPassword;
+    passwordFile = config.age.secrets.yorick-user-pass.path;
    createHome = true;
  };

--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
--- a/nixos/services/email.nix
+++ b/nixos/services/email.nix
@ -1,6 +1,7 @@
 { config, pkgs, lib, inputs, ... }:
 {
  imports = [ inputs.nixos-mailserver.nixosModule ];
+  age.secrets.yorick-mail-pass.file = ../../secrets/yorick-mail-pass.age;

  mailserver = rec {
    enable = true;
@ -8,7 +9,7 @@
    domains = [ "yori.cc" "yorickvanpelt.nl" ];
    loginAccounts = {
      "yorick@yori.cc" = {
-        hashedPassword = (import ../secrets.nix).yorick_mailPassword;
+        hashedPasswordFile = config.age.secrets.yorick-mail-pass.path;
        catchAll = domains;
        aliases = [ "@yori.cc" "@yorickvanpelt.nl" ];
      };
--- a/secrets/root-user-pass.age
+++ b/secrets/root-user-pass.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> X25519 gPpu3IUM4XCFLGCw0g01q4SLCR8Y06X0RUKcxw3qCWY
+tif176GtYNaHhKRTcA/5mWJtagrXnKjB+aWB3RhkDy4
+-> ssh-ed25519 4Ui0LA Z8AR/i/rCXoHsgCcA+qJ7OUCIljG9u9s1AvHeosCziI
+l/kblqmAyuZuofz2csDaLIOjsc9qGDZW4zbC54lgJnE
+-> ssh-ed25519 ZzuO9Q Ae1zb6275GCkj2y3eZDO/R35OaH/AYGpZN9jY7BCT2o
+ULdKtq4v4H7C3/h1/GN1ZobLtgiXnepjIRUk/AeQD04
+-> ssh-ed25519 n7yA6g BRIx6Nvp9S6XLKWOok4UM06LxFSP9aSXDtfyECncYGY
+lL0sEX9hQ3spt12KA5ubQu1zzbaMrY1XqlWPfB2Sv+s
+-> ssh-ed25519 dY0yIg oG+tsYKk9TrcMzy0P1571mvS8J8UspfutBo7int0uF0
+suWCupM+FkKeKVDRd3ptHybUAVqnYMwXch4C0pwCYak
+-> ssh-ed25519 6AxuSw oWDbYV22o2ygCa5k7KgweCOiPCpAITlz7+1x3nNmwno
+TDFCdFLEGtyCEJBZnEniwbDQeEr/Vk+MjwYuILFO/OY
+-> pdIe+-grease s7,&$< 8t"N$R! &y~Q( ?
+GM8wkE42tIdCNDsc7pnPVhVnXqckaAQE5jF8qM2zug
+--- 4mXrKFGwxnRIfetWC8pOPEiQEOImCfD2/Mox+Mz7OkU
+AöÛE<C39B>R¸Ù8è½`Ó«¼0{<7B><¢D÷»4³n<C2B3>È«ß6uí+Â?!ÉŒŠörQî^} ¨ª‡õ
AbÝ<©s•A‚èªäz¸+yÖÁj¹ÕA<C395>Iæ<49>†q|ìÁšë‚û×Xå—#úËuV6cOm]ô_M]ªœê•h”ªÌ?…,
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
--- a/secrets/yorick-mail-pass.age
+++ b/secrets/yorick-mail-pass.age
--- a/secrets/yorick-user-pass.age
+++ b/secrets/yorick-user-pass.age
@ -0,0 +1,18 @@
+age-encryption.org/v1
+-> X25519 igjeVk7K5wMss9d8iN2VMGKzfyA8YGbw/ivdRre+mlc
+PyTIOfIsw/lMTWE7boTfhcU3ptMyc/YEMNC4gc9VXwc
+-> ssh-ed25519 4Ui0LA tAap3xK2PMYD/l63tSCr8RAuMgEhn27ttvLD6rOwLhk
+3KHv27a82wBlFkBxjGpoRnSl6AlAVp3l5aigHLzYFv8
+-> ssh-ed25519 ZzuO9Q P3oDE31Cr5ql9D1qQIL8uJfPVz8Z34nI1WRR+r3eSFs
+a+vYQu6gia+k5MsVBVhfAXNdK/Pt4IxKmL+sTamq0Ls
+-> ssh-ed25519 n7yA6g HdhF4DdyYUxRRzRBiafAiDal6WrP7DKlzg3t2IaL8z4
+6GacnfLEbzlea8kreVbuLT+Tb14gNWhcp1mY6RUvkM4
+-> ssh-ed25519 dY0yIg 6/yte4riBsTStcfe6dC/rsHDDt9FkYo3dGDXfNTN6mc
+243hlNW1NMytmUaqIdFxKVbGCE9OE+Z52xmXAY7Gw+c
+-> ssh-ed25519 6AxuSw sgXEUYw26qprK1UqqmSSCH3d6wSTx36tXchnvHyKsQs
+kBr7+RpIvcpiLcdu+dev9JIud5fR20TEKH+DsTh+wgY
+-> esWzRZ6-grease ?.lfCo <`o0)Ty Z]mJ
+SvD8QrEVlF4Npprb6An3L0QBUOqb8RACypF4EcYFweoHY6JG2Y+aDnl3ua0t+0Ax
+wFFo3nOCoyXiXckyo/53PNl+jp7JwS3BqHowihtn3TO9ZcLHch9vIbQVpTAezw
+--- XRCsY00QWQn6g6+wP1QSL8in7DIaks72mgA3awvmPEc
+¸mntÊ1¨ÒÌD±*_÷Ò,/¢Ã+”Ï«âÜ—t8Åq¯lÝ3˜zïg
I3¼¯WD$uaòŒ’GIR0b ºu<ÒßwJ‚]±«²¨m‘»ó°Ærÿ
¹oCbÝ³è˜¬iM×¤f	(Ô~Ä@Nêð)&·íö‡ŸwÛ<77>¯gç3XN