switch to agenix

auto-flake-update
Yorick van Pelt 7 months ago
parent d50c02d708
commit 7a8b6de2a1
Signed by: yorick
GPG Key ID: A36E70F9DC014A15
  1. 3
      .gitattributes
  2. 21
      flake.lock
  3. 5
      flake.nix
  4. 16
      nixos/conf
  5. 23
      nixos/deploy/keys.nix
  6. BIN
      nixos/keys/backup.pennyworth.key
  7. BIN
      nixos/keys/grafana.env
  8. BIN
      nixos/keys/http.muflax.key
  9. BIN
      nixos/keys/pennyworth_borg_repo.key
  10. BIN
      nixos/keys/pennyworth_borg_ssh.key
  11. BIN
      nixos/keys/pennyworth_borg_ssh.key.pub
  12. BIN
      nixos/keys/ssh.frumar.key
  13. BIN
      nixos/keys/ssh.jarvis.key
  14. BIN
      nixos/keys/ssh.pennyworth.key
  15. BIN
      nixos/keys/ssh.woodhouse.key
  16. BIN
      nixos/keys/wg.blackadder.key
  17. BIN
      nixos/keys/wg.frumar.key
  18. BIN
      nixos/keys/wg.jarvis.key
  19. BIN
      nixos/keys/wg.mullvad-nl3.key
  20. BIN
      nixos/keys/wg.mullvad-nl4.key
  21. BIN
      nixos/keys/wg.pennyworth.key
  22. BIN
      nixos/keys/wg.smithers.key
  23. BIN
      nixos/keys/wg.woodhouse.key
  24. BIN
      nixos/keys/wg.zazu.key
  25. BIN
      nixos/keys/yori-nix.key
  26. 6
      nixos/logical/frumar.nix
  27. 1
      nixos/logical/jarvis.nix
  28. 4
      nixos/logical/pennyworth.nix
  29. 4
      nixos/logical/zazu.nix
  30. 16
      nixos/modules/lumi-cache.nix
  31. 6
      nixos/roles/default.nix
  32. 12
      nixos/services/backup.nix
  33. 4
      nixos/services/torrent-wg.nix
  34. BIN
      secrets/grafana.env.age
  35. BIN
      secrets/http.muflax.age
  36. BIN
      secrets/nix-netrc.age
  37. 10
      secrets/pennyworth_borg_repo.age
  38. BIN
      secrets/pennyworth_borg_ssh.age
  39. BIN
      secrets/secrets.nix
  40. 11
      secrets/wg.blackadder.age
  41. 11
      secrets/wg.frumar.age
  42. BIN
      secrets/wg.jarvis.age
  43. 9
      secrets/wg.mullvad-nl4.age
  44. BIN
      secrets/wg.pennyworth.age
  45. BIN
      secrets/wg.smithers.age
  46. BIN
      secrets/wg.zazu.age

3
.gitattributes vendored

@ -1,4 +1 @@
secrets.nix filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
deploy_key filter=git-crypt diff=git-crypt
keys/** filter=git-crypt diff=git-crypt
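Review bot: Which three of the four git-crypt filter lines are dropped cannot be recovered from this rendering, but the diffstat still lists `secrets/secrets.nix` as BIN, which is consistent with the unanchored `secrets.nix` pattern surviving and the new agenix recipient list having been committed git-crypt-encrypted rather than as plain Nix; anyone re-keying with `agenix -e` needs that file in the clear, so confirm the only surviving line is `deploy_key`, or anchor the pattern as `/secrets.nix` if it has to stay. Separately, removing the filters rotates nothing: the deleted `nixos/keys/*.key` blobs remain in history in git-crypt form and stay readable to every holder of the old git-crypt key, so if the same private keys were re-encrypted into the `.age` files (the 1:1 path mapping in the diffstat suggests they were), the old git-crypt key should be treated as still protecting them.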

@ -1,5 +1,25 @@
{
"nodes": {
"agenix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1652712410,
"narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
"owner": "ryantm",
"repo": "agenix",
"rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
@ -259,6 +279,7 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"emacs-overlay": "emacs-overlay",
"home-manager": "home-manager",
"nixos-hardware": "nixos-hardware",

@ -10,14 +10,17 @@
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-21.05";
nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = inputs@{ nixpkgs, home-manager, nixpkgs-mozilla, emacs-overlay
, nixpkgs-wayland, nixpkgs-stable, nixos-hardware, self, ... }: {
, nixpkgs-wayland, nixpkgs-stable, nixos-hardware, agenix, self, ... }: {
overlay = nixpkgs.lib.composeManyExtensions [
nixpkgs-wayland.overlay
#nixpkgs-mozilla.overlay
emacs-overlay.overlay
agenix.overlay
(import ./fixups.nix)
(import ./pkgs)
(import ./pkgs/mdr.nix)

@ -4,12 +4,6 @@ cd "$( dirname "${BASH_SOURCE[0]}" )"
export NIX_PATH=
host=$1
COPY_USER=yorick
decrypt() {
if ! [ -e secrets.nix ]
then
git crypt unlock
fi
}
get_target_host() {
TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
TARGET_HOST=$(ssh $TARGET_HOST ip --json r get 1.1.1.1 | jq -r '.[0].prefsrc')
@ -19,20 +13,12 @@ peek() {
command "$@"
}
nix() {
decrypt
peek nix --extra-experimental-features nix-command "$@"
peek nix --extra-experimental-features "nix-command flakes" "$@"
}
nix-build() {
decrypt
peek nix-build "$@"
}
case $2 in
copy-keys)
nix build -f ../. yorick.machine."$host".config.deployment.keys-copy --out-link copy-keys
get_target_host
peek ./copy-keys/bin/copy-keys "$TARGET_HOST"
# rm ./copy-keys
;;
ssh)
get_target_host
peek ssh root@"$TARGET_HOST"
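Review bot: The `copy-keys` case appears to be removed from the `case $2 in` dispatch, which stops future uploads, but nothing in this commit removes the plaintext keys that earlier runs of the deleted `nixos/deploy/keys.nix` script placed under `/root/keys` on each host; the new configs merely stop referencing that directory, so the old material stays on disk in the clear until someone wipes `/root/keys` on every host once the agenix paths are confirmed working. That cleanup step deserves a line in the commit message. The case statement continues past the end of the hunk.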

@ -1,23 +0,0 @@
{ pkgs, lib, config, ... }:
with lib;
let cfg = config.deployment.keyys;
in {
options.deployment.keyys = mkOption {
type = types.listOf types.path;
default = [ ];
};
options.deployment.keys-copy = mkOption { type = types.package; };
config = {
deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys"
(if cfg != [ ] then ''
set -e
ssh root@$1 "mkdir -p /root/keys"
scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
echo "uploaded keys"
'' else ''
echo "no keys to upload"
'');
};
}

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

@ -6,8 +6,6 @@
../services/torrent-wg.nix
];
deployment.keyys = [ ../keys/grafana.env ];
system.stateVersion = "15.09";
networking.hostId = "0702dbe9";
@ -88,8 +86,8 @@
AUTH_GOOGLE_ALLOW_SIGN_UP = "false";
};
};
systemd.services.grafana.serviceConfig.EnvironmentFile =
"/root/keys/grafana.env";
age.secrets.grafana.file = ../../secrets/grafana.env.age;
systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana.path;
services.zfs = {
trim.enable = false; # no ssd's
autoScrub = {

@ -4,4 +4,5 @@
system.stateVersion = "17.09";
yorick.lumi-vpn.name = "yorick";
yorick.lumi-vpn.ip = "10.109.0.10";
}

@ -44,12 +44,13 @@ in {
};
};
age.secrets.muflax.file = ../../secrets/http.muflax.age;
services.muflax-blog = {
enable = true;
web-server = { port = 9001; };
hidden-service = {
hostname = "muflax65ngodyewp.onion";
private_key = "/root/keys/http.muflax.key";
private_key = config.age.secrets.muflax.path;
};
};
services.nginx.commonHttpConfig = ''
@ -89,7 +90,6 @@ in {
};
"media.yori.cc" = sslforward "http://${vpn.ips.frumar}:32001";
};
deployment.keyys = [ ../keys/http.muflax.key ];
networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
networking.wireguard.interfaces.wg-y.peers = lib.mkForce (lib.mapAttrsToList
(machine: publicKey: {
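Review bot: `private_key = config.age.secrets.muflax.path;` now points the hidden service at an agenix-managed file, which agenix installs as root-owned with mode 0400 unless `owner`/`group`/`mode` are set; if `../modules/tor-hidden-service.nix` passes that path straight to the tor unit, which runs as the `tor` user, the service will fail to open the key where the old root-copied file worked only because root read it. Either have that module copy the key as root, or declare ownership next to the file line, e.g. `age.secrets.muflax.owner = "tor";`. The second hunk only drops the `deployment.keyys` line; the enclosing attribute set starts and ends outside both hunks.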

@ -1,5 +1,5 @@
# Edit this configuration file to define what should be installed on your system. Help is available in the configuration.nix(5) man page and in the NixOS manual (accessible by running ‘nixos-help’).
{ config, lib, pkgs, inputs, ... }:
{ config, lib, pkgs, inputs, modulesPath, ... }:
{
imports = [ # Include the results of the hardware scan.
@ -7,7 +7,7 @@
#<yori-nix/roles/homeserver.nix>
../roles
inputs.nixos-hardware.nixosModules.pcengines-apu
<nixpkgs/nixos/modules/profiles/minimal.nix>
"${modulesPath}/profiles/minimal.nix"
];
boot.loader.grub.enable = true;

@ -1,27 +1,15 @@
{ config, lib, pkgs, ... }:
let
cfg = config.yorick.lumi-cache;
nixNetrcFile = pkgs.runCommand "nix-netrc-file" {
hostname = "cache.lumi.guide";
username = "lumi";
} ''
cat > $out <<EOI
machine $hostname
login $username
password ${
builtins.readFile
/home/yorick/engineering/lumi/secrets/shared/passwords/nix-serve-password
}
EOI
'';
in {
options.yorick.lumi-cache = with lib; {
enable = mkEnableOption "lumi cache";
};
config = lib.mkIf cfg.enable {
age.secrets.nix-netrc.file = ../../secrets/nix-netrc.age;
nix = {
settings.substituters = [ "https://cache.lumi.guide/" ];
settings.netrc-file = nixNetrcFile;
settings.netrc-file = config.age.secrets.nix-netrc.path;
settings.trusted-public-keys = [
"cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE="
];
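Review bot: Replacing the `nix-netrc-file` derivation is the right fix, because `builtins.readFile` on the password baked it into a world-readable `/nix/store` output; that output still exists on every host that evaluated the previous configuration (and in any binary cache it was pushed to) until garbage-collected, so the `cache.lumi.guide` login should be rotated after this lands rather than assumed protected by the move to agenix. The agenix path used for `settings.netrc-file` is root:root 0400 by default, which is fine as long as every consumer goes through nix-daemon; a comment such as `# root-only by default; read via nix-daemon` above the `age.secrets.nix-netrc.file` line would stop the next reader from loosening it. The `config` block continues past the hunk.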

@ -5,11 +5,11 @@ let
vpn = import ../vpn.nix;
in {
imports = [
inputs.agenix.nixosModule
../modules/tor-hidden-service.nix
../modules/nginx.nix
../modules/lumi-cache.nix
../modules/lumi-vpn.nix
../deploy/keys.nix
../services
];
@ -106,9 +106,9 @@ in {
ipv6 = true;
hostName = machine;
};
deployment.keyys = [ (../keys + "/wg.${machine}.key") ];
age.secrets.wg.file = ../../secrets/wg.${machine}.age;
networking.wireguard.interfaces.wg-y = {
privateKeyFile = "/root/keys/wg.${machine}.key";
privateKeyFile = config.age.secrets.wg.path;
ips = [ vpn.ips.${machine} ];
listenPort = 31790;
peers = [{
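Review bot: `age.secrets.wg.file = ../../secrets/wg.${machine}.age;` is set for every machine this role is instantiated for, but the diffstat adds no `secrets/wg.woodhouse.age` while removing `nixos/keys/wg.woodhouse.key` (likewise `wg.mullvad-nl3`, which `torrent-wg.nix` would look up through `wg.${cfg.name}.age`); if a woodhouse host or an nl3 tunnel is still evaluated, the build fails on the missing path rather than at activation. Confirm those were retired deliberately or add the files. The module body opened by `in {` starts above the hunk and continues below it.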

@ -1,22 +1,20 @@
{ name, ... }: {
deployment.keyys = [
(../keys + "/${name}_borg_repo.key")
(../keys + "/${name}_borg_ssh.key")
];
{ name, config, ... }: {
age.secrets.backup_repo.file = ../../secrets/${name}_borg_repo.age;
age.secrets.backup_ssh.file = ../../secrets/${name}_borg_ssh.age;
services.borgbackup.jobs.backup = {
encryption = {
# Keep the encryption key in the repo itself
mode = "repokey-blake2";
# Password is used to decrypt the encryption key from the repo
passCommand = "cat /root/keys/${name}_borg_repo.key";
passCommand = "cat ${config.age.secrets.backup_repo.path}";
};
environment = {
# Make sure we're using Borg >= 1.0
BORG_REMOTE_PATH = "borg1";
# SSH key is specific to the subaccount defined in the repo username
BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key";
BORG_RSH = "ssh -i ${config.age.secrets.backup_ssh.path}";
};
# Define schedule

@ -7,11 +7,11 @@ in {
namespace = mkOption { type = types.str; };
};
config = {
deployment.keyys = [ (../keys + "/wg.${cfg.name}.key") ];
age.secrets.wg-torrent.file = ../../secrets/wg.${cfg.name}.age;
networking.wireguard.interfaces.${cfg.name} = {
# curl -s https://api.mullvad.net/www/relays/all/ | jq '.[] | select(.type == "wireguard" and .country_code == "nl")'
ips = [ "10.66.30.26/32" "fc00:bbbb:bbbb:bb01::3:1e19/128" ];
privateKeyFile = "/root/keys/wg.${cfg.name}.key";
privateKeyFile = config.age.secrets.wg-torrent.path;
peers = [{
publicKey = "hnRyse6QxPPcZOoSwRsHUtK1W+APWXnIoaDTmH6JsHQ=";
allowedIPs = [ "0.0.0.0/0" "::0/0" ];

Binary file not shown.

Binary file not shown.

Binary file not shown.

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 lYFcsw HsqJA3brEYXwaJT7VjTassnpzZSBsa+968Oe6BC7FFA
rwqKJVSh2BkXpUbnkegEOKMWV68CXZnOg5HJlFhGWmY
-> ssh-ed25519 ZzuO9Q SbeT6ExvwzTog2HXThI8OOgJQoMqWOOtU6gmU+v/x28
pgEYyg6EuRsIW1shMlvQfTGxwyq0/uFHQumDmB0QzZM
-> P*s7TnXP-grease C O$
KXqmSEK5b3oWErBT6A5w5A
--- 7XjRgeS86xeERnenf8zSZPb47lV2GiSa55ZPKEvjJBc
äx6
úKOŠ+<EFBFBD>S¬öíUaH r»-A<EFBFBD>C<EFBFBD>M·nˆ<EFBFBD>Ós;bB»dñé©ù;üL9à2¼ ÛLSRÓ÷Ï<EFBFBD>ÍžÜtÑ ¿ônnÊN

Binary file not shown.

Binary file not shown.

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 lYFcsw v6eGXaE307KPZGNPiZizSUSiJ4om5/igqveCtyXJpVA
7tJ+o/YBYrHF+DeLaHeBdV6ZVPEV7w9Dxq/4HcpGdDc
-> ssh-ed25519 4Ui0LA 2gDiPTnSkhgMySIeIITAUmTRzCDHwFH73BKayFzIBmE
mc8SgUhs7WSR9sl+Y1ZkQahwJ2zXdbkEekZkGXiL7ss
-> !ff-grease BK qoe krs&bJ
pKON54F5tCt2T9YGQM920TxaK+l08X/1xCSIpSLy0WwpzJYeFu6XRT6VoPTga/hG
tDqS6PvXw12729k5JH7qMS2XzDEuh+6NIRnDuwGC/ttfk+2HJe25FifbZhE+1YNC
9A
--- BxJEHO4W1sUHQ2pk8CZViEDCy+WhyzVdWlZUZHIHlBE
-fV‚7½O²9Ÿò_Bí?Z /ìá¨çÛTQ¡ Åû–ì+í3ÓBº*«•…wÿvûá/ í©^™@Xè¥çÿ!¨/ñžuÒª

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 lYFcsw vv0M0zAhNZ8dsIuOI6p1Y++WusqBwdYJqzXuK4IXflo
MERLtcazm/pWBSvyISDLoil5eiNDDwAYDY+H1pTrYN4
-> ssh-ed25519 n7yA6g dV0UCZeAfZIxaoNYM5OZnbLRHiad1XJdYcidUCa6qj8
7PJAgRS4r+oQiQAM4Lt+yvQXRZzrOEMp0RwlwTge6Ic
-> D-grease 9p~L6^ #_8k_6RW <A:we
g88QsMIGbjOJjIvb9WjroQaPCN9YWHNaK7icMSAEf6xJE1V3a9Bu/7v0JqgZGV8f
szEC2UtY6bUYdRPUhwsS0V2N9lds7Gg65kYrAHylRL8w9uFJJmydcb9Bgw
--- ZWYEvPCTLh1Vh05yX4zmH+YOjlW6yaaAQZcp1WeAUnA
<EFBFBD>†(çäEÍHëŐEEôjśW˛mÓrţ<EFBFBD>ń›tęO
ďf<­Ă"o˝= ˛†+<EFBFBD>sĂ/Ł×_3]Ź˝›“wŻ[ţÍĘÇ<EFBFBD>öa"ş

Binary file not shown.

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 lYFcsw TtNKEpF1PW3hFdAR6yvwlppBsb4aS8G7GxpBhtpwvVQ
p4VgueR9Evc7lxckk9psbD/i0su9XSzfns8/YnroKVY
-> ssh-ed25519 n7yA6g YRrCJZMq/Rz3VRlOXSM6QFsRLK+S7H/ThVigcin21Gk
S4X0SNQUtxLpsDei6PkzQm+cFxL9cyLubTlVXrdZmHE
-> 6LOV|>L-grease ;6R Kod}I/ bmRbO|
SPzo5pVPaREotXuB0w
--- UfqolORCJHBYP9FQU/cxuRbPuQBWAX8bqUWrrUx3GTQ
¤ù¥ß†À›C=%Ý‹Ô ¥Äk±Ê˜säx.öC㤼ð5~d Íù<EFBFBD>åôcå4Ìè¢åð Ã$§†üá yV)æ÷–æq

Binary file not shown.

Binary file not shown.

Binary file not shown.