switch to agenix

auto-flake-update
Yorick van Pelt 2022-05-18 15:57:58 +02:00
parent d50c02d708
commit 7a8b6de2a1
Signed by: yorick
GPG Key ID: A36E70F9DC014A15
46 changed files with 86 additions and 76 deletions

3
.gitattributes vendored

@ -1,4 +1 @@
secrets.nix filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
deploy_key filter=git-crypt diff=git-crypt
keys/** filter=git-crypt diff=git-crypt
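Review bot: The hunk header says one line survives on the new side, but that line is not visible here, so it is not clear whether any git-crypt filter is kept; `secrets/secrets.nix` is added in this same commit as a binary file, which for an agenix key manifest (normally plain Nix) suggests it is still meant to be git-crypt encrypted. If so, the retained line must still match `secrets/secrets.nix` (the old bare `secrets.nix` pattern did, since it has no slash); if not, the file should be committed as plain text so the recipient list is reviewable in diffs. Either way a one-line comment stating which files remain git-crypt managed after the agenix switch would save the next reader this check.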


@ -1,5 +1,25 @@
{
"nodes": {
"agenix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1652712410,
"narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
"owner": "ryantm",
"repo": "agenix",
"rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
@ -259,6 +279,7 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"emacs-overlay": "emacs-overlay",
"home-manager": "home-manager",
"nixos-hardware": "nixos-hardware",


@ -10,14 +10,17 @@
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-21.05";
nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = inputs@{ nixpkgs, home-manager, nixpkgs-mozilla, emacs-overlay
, nixpkgs-wayland, nixpkgs-stable, nixos-hardware, self, ... }: {
, nixpkgs-wayland, nixpkgs-stable, nixos-hardware, agenix, self, ... }: {
overlay = nixpkgs.lib.composeManyExtensions [
nixpkgs-wayland.overlay
#nixpkgs-mozilla.overlay
emacs-overlay.overlay
agenix.overlay
(import ./fixups.nix)
(import ./pkgs)
(import ./pkgs/mdr.nix)


@ -4,12 +4,6 @@ cd "$( dirname "${BASH_SOURCE[0]}" )"
export NIX_PATH=
host=$1
COPY_USER=yorick
decrypt() {
if ! [ -e secrets.nix ]
then
git crypt unlock
fi
}
get_target_host() {
TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
TARGET_HOST=$(ssh $TARGET_HOST ip --json r get 1.1.1.1 | jq -r '.[0].prefsrc')
@ -19,20 +13,12 @@ peek() {
command "$@"
}
nix() {
decrypt
peek nix --extra-experimental-features nix-command "$@"
peek nix --extra-experimental-features "nix-command flakes" "$@"
}
nix-build() {
decrypt
peek nix-build "$@"
}
case $2 in
copy-keys)
nix build -f ../. yorick.machine."$host".config.deployment.keys-copy --out-link copy-keys
get_target_host
peek ./copy-keys/bin/copy-keys "$TARGET_HOST"
# rm ./copy-keys
;;
ssh)
get_target_host
peek ssh root@"$TARGET_HOST"
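Review bot: With the `copy-keys` case and `decrypt` removed, this script no longer has any step that provisions a target host's secrets, and nothing documents how a new host gets access to them under agenix. From the recipient lines in the added `.age` files (a shared `ssh-ed25519` key plus a second, per-host key), decryption appears to rely on each host's SSH host key, so a new machine must have its host public key added as a recipient and the secrets rekeyed before the first deploy, an inference worth confirming. A comment above the `case`, such as `# secrets are decrypted on the host by agenix via its ssh host key; add the host key to secrets/secrets.nix and rekey before first deploy`, would capture that. The `case` statement continues past the end of the hunk.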


@ -1,23 +0,0 @@
{ pkgs, lib, config, ... }:
with lib;
let cfg = config.deployment.keyys;
in {
options.deployment.keyys = mkOption {
type = types.listOf types.path;
default = [ ];
};
options.deployment.keys-copy = mkOption { type = types.package; };
config = {
deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys"
(if cfg != [ ] then ''
set -e
ssh root@$1 "mkdir -p /root/keys"
scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
echo "uploaded keys"
'' else ''
echo "no keys to upload"
'');
};
}

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -6,8 +6,6 @@
../services/torrent-wg.nix
];
deployment.keyys = [ ../keys/grafana.env ];
system.stateVersion = "15.09";
networking.hostId = "0702dbe9";
@ -88,8 +86,8 @@
AUTH_GOOGLE_ALLOW_SIGN_UP = "false";
};
};
systemd.services.grafana.serviceConfig.EnvironmentFile =
"/root/keys/grafana.env";
age.secrets.grafana.file = ../../secrets/grafana.env.age;
systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana.path;
services.zfs = {
trim.enable = false; # no ssd's
autoScrub = {
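Review bot: Replacing `"/root/keys/grafana.env"` with `config.age.secrets.grafana.path` leaves the old plaintext copy in `/root/keys/` on every already-deployed host, since the `scp`-based copy step removed in `deploy/keys.nix` is the only thing that ever wrote there and nothing in this commit deletes it. The same applies to the other migrated paths in this commit: `http.muflax.key` (muflax host), `wg.${machine}.key` (roles), the borg repo and ssh keys (backup service), and `wg.${cfg.name}.key` (torrent-wg). A one-off cleanup on each host, or a temporary `systemd.tmpfiles.rules = [ "R /root/keys" ];` in the shared role until all hosts have been redeployed, would retire the stale secrets; the wireguard and borg keys in particular are the same material now protected by agenix, so leaving root-readable copies around defeats part of the migration.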


@ -4,4 +4,5 @@
system.stateVersion = "17.09";
yorick.lumi-vpn.name = "yorick";
yorick.lumi-vpn.ip = "10.109.0.10";
}


@ -44,12 +44,13 @@ in {
};
};
age.secrets.muflax.file = ../../secrets/http.muflax.age;
services.muflax-blog = {
enable = true;
web-server = { port = 9001; };
hidden-service = {
hostname = "muflax65ngodyewp.onion";
private_key = "/root/keys/http.muflax.key";
private_key = config.age.secrets.muflax.path;
};
};
services.nginx.commonHttpConfig = ''
@ -89,7 +90,6 @@ in {
};
"media.yori.cc" = sslforward "http://${vpn.ips.frumar}:32001";
};
deployment.keyys = [ ../keys/http.muflax.key ];
networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
networking.wireguard.interfaces.wg-y.peers = lib.mkForce (lib.mapAttrsToList
(machine: publicKey: {
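Review bot: `private_key = config.age.secrets.muflax.path;` in the first hunk points the hidden-service config at an agenix-managed file, which is owned by root with mode 0400 unless `age.secrets.muflax.owner`/`mode` are set; tor itself runs as an unprivileged user, so whether the key is readable depends on what `../modules/tor-hidden-service.nix` does with `private_key` (copy it into the tor data directory as root, or pass the path through), which is not visible here. If it passes the path through, add `age.secrets.muflax.owner = "tor";` (or the module's equivalent) next to the `.file` line; in either case a short comment stating which process reads the key and as which user would make the permission assumption explicit. The wireguard and borg paths elsewhere in this commit are consumed by root and do not have this concern.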


@ -1,5 +1,5 @@
# Edit this configuration file to define what should be installed on your system. Help is available in the configuration.nix(5) man page and in the NixOS manual (accessible by running nixos-help).
{ config, lib, pkgs, inputs, ... }:
{ config, lib, pkgs, inputs, modulesPath, ... }:
{
imports = [ # Include the results of the hardware scan.
@ -7,7 +7,7 @@
#<yori-nix/roles/homeserver.nix>
../roles
inputs.nixos-hardware.nixosModules.pcengines-apu
<nixpkgs/nixos/modules/profiles/minimal.nix>
"${modulesPath}/profiles/minimal.nix"
];
boot.loader.grub.enable = true;


@ -1,27 +1,15 @@
{ config, lib, pkgs, ... }:
let
cfg = config.yorick.lumi-cache;
nixNetrcFile = pkgs.runCommand "nix-netrc-file" {
hostname = "cache.lumi.guide";
username = "lumi";
} ''
cat > $out <<EOI
machine $hostname
login $username
password ${
builtins.readFile
/home/yorick/engineering/lumi/secrets/shared/passwords/nix-serve-password
}
EOI
'';
in {
options.yorick.lumi-cache = with lib; {
enable = mkEnableOption "lumi cache";
};
config = lib.mkIf cfg.enable {
age.secrets.nix-netrc.file = ../../secrets/nix-netrc.age;
nix = {
settings.substituters = [ "https://cache.lumi.guide/" ];
settings.netrc-file = nixNetrcFile;
settings.netrc-file = config.age.secrets.nix-netrc.path;
settings.trusted-public-keys = [
"cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE="
];
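Review bot: The removed `nixNetrcFile` derivation read the `lumi` password at evaluation time and wrote it into a store path, which is world-readable on every host that built or received it, and that path is not removed by this commit: it stays in each host's `/nix/store` (and any cache it was pushed to) until garbage-collected. Since the password is now being re-protected in `secrets/nix-netrc.age`, this is a good moment to rotate the credential on `cache.lumi.guide` as well as to run a GC on the affected hosts, otherwise the new secret only guards a value that is already exposed. A comment above `age.secrets.nix-netrc.file`, such as `# netrc for cache.lumi.guide; previously a store path, rotated when moved to agenix`, would record that this was done.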


@ -5,11 +5,11 @@ let
vpn = import ../vpn.nix;
in {
imports = [
inputs.agenix.nixosModule
../modules/tor-hidden-service.nix
../modules/nginx.nix
../modules/lumi-cache.nix
../modules/lumi-vpn.nix
../deploy/keys.nix
../services
];
@ -106,9 +106,9 @@ in {
ipv6 = true;
hostName = machine;
};
deployment.keyys = [ (../keys + "/wg.${machine}.key") ];
age.secrets.wg.file = ../../secrets/wg.${machine}.age;
networking.wireguard.interfaces.wg-y = {
privateKeyFile = "/root/keys/wg.${machine}.key";
privateKeyFile = config.age.secrets.wg.path;
ips = [ vpn.ips.${machine} ];
listenPort = 31790;
peers = [{


@ -1,22 +1,20 @@
{ name, ... }: {
deployment.keyys = [
(../keys + "/${name}_borg_repo.key")
(../keys + "/${name}_borg_ssh.key")
];
{ name, config, ... }: {
age.secrets.backup_repo.file = ../../secrets/${name}_borg_repo.age;
age.secrets.backup_ssh.file = ../../secrets/${name}_borg_ssh.age;
services.borgbackup.jobs.backup = {
encryption = {
# Keep the encryption key in the repo itself
mode = "repokey-blake2";
# Password is used to decrypt the encryption key from the repo
passCommand = "cat /root/keys/${name}_borg_repo.key";
passCommand = "cat ${config.age.secrets.backup_repo.path}";
};
environment = {
# Make sure we're using Borg >= 1.0
BORG_REMOTE_PATH = "borg1";
# SSH key is specific to the subaccount defined in the repo username
BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key";
BORG_RSH = "ssh -i ${config.age.secrets.backup_ssh.path}";
};
# Define schedule


@ -7,11 +7,11 @@ in {
namespace = mkOption { type = types.str; };
};
config = {
deployment.keyys = [ (../keys + "/wg.${cfg.name}.key") ];
age.secrets.wg-torrent.file = ../../secrets/wg.${cfg.name}.age;
networking.wireguard.interfaces.${cfg.name} = {
# curl -s https://api.mullvad.net/www/relays/all/ | jq '.[] | select(.type == "wireguard" and .country_code == "nl")'
ips = [ "10.66.30.26/32" "fc00:bbbb:bbbb:bb01::3:1e19/128" ];
privateKeyFile = "/root/keys/wg.${cfg.name}.key";
privateKeyFile = config.age.secrets.wg-torrent.path;
peers = [{
publicKey = "hnRyse6QxPPcZOoSwRsHUtK1W+APWXnIoaDTmH6JsHQ=";
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
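Review bot: `age.secrets.wg-torrent.file = ../../secrets/wg.${cfg.name}.age;` selects its encrypted file from the same `secrets/wg.<name>.age` namespace that the roles module uses for the host's own VPN key (`../../secrets/wg.${machine}.age`), so the two modules are only kept apart by `cfg.name` never equalling a hostname, a constraint nothing here enforces. Giving the Mullvad key its own prefix, e.g. `../../secrets/wg-torrent.${cfg.name}.age`, would remove the possibility of the torrent namespace silently picking up a host key; the agenix secret names (`wg` vs `wg-torrent`) are already distinct, so the same convention on the file side is a small change. If a rename is not wanted, a comment on this line noting that `cfg.name` must not collide with a machine name would at least document the assumption.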

BIN
secrets/grafana.env.age Normal file

Binary file not shown.

BIN
secrets/http.muflax.age Normal file

Binary file not shown.

BIN
secrets/nix-netrc.age Normal file

Binary file not shown.


@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 lYFcsw HsqJA3brEYXwaJT7VjTassnpzZSBsa+968Oe6BC7FFA
rwqKJVSh2BkXpUbnkegEOKMWV68CXZnOg5HJlFhGWmY
-> ssh-ed25519 ZzuO9Q SbeT6ExvwzTog2HXThI8OOgJQoMqWOOtU6gmU+v/x28
pgEYyg6EuRsIW1shMlvQfTGxwyq0/uFHQumDmB0QzZM
-> P*s7TnXP-grease C O$
KXqmSEK5b3oWErBT6A5w5A
--- 7XjRgeS86xeERnenf8zSZPb47lV2GiSa55ZPKEvjJBc
äx6
úKOŠ+<2B>S¬öíUaH r»-A<>C<EFBFBD>M·nˆ<66>Ós;bB»dñé©ù;üL9à2¼ ÛLSRÓ÷Ï<06>ÍžÜtÑ ¿ônnÊN

Binary file not shown.

BIN
secrets/secrets.nix Normal file

Binary file not shown.

11
secrets/wg.blackadder.age Normal file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 lYFcsw v6eGXaE307KPZGNPiZizSUSiJ4om5/igqveCtyXJpVA
7tJ+o/YBYrHF+DeLaHeBdV6ZVPEV7w9Dxq/4HcpGdDc
-> ssh-ed25519 4Ui0LA 2gDiPTnSkhgMySIeIITAUmTRzCDHwFH73BKayFzIBmE
mc8SgUhs7WSR9sl+Y1ZkQahwJ2zXdbkEekZkGXiL7ss
-> !ff-grease BK qoe krs&bJ
pKON54F5tCt2T9YGQM920TxaK+l08X/1xCSIpSLy0WwpzJYeFu6XRT6VoPTga/hG
tDqS6PvXw12729k5JH7qMS2XzDEuh+6NIRnDuwGC/ttfk+2HJe25FifbZhE+1YNC
9A
--- BxJEHO4W1sUHQ2pk8CZViEDCy+WhyzVdWlZUZHIHlBE
-fV7½O²9Ÿò_Bí?Z /ìá¨çÛTQ¡ Åûì+í3ÓBº*«•…wÿvûá/ í©^™@Xè¥çÿ!¨/ñžuÒª

11
secrets/wg.frumar.age Normal file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 lYFcsw vv0M0zAhNZ8dsIuOI6p1Y++WusqBwdYJqzXuK4IXflo
MERLtcazm/pWBSvyISDLoil5eiNDDwAYDY+H1pTrYN4
-> ssh-ed25519 n7yA6g dV0UCZeAfZIxaoNYM5OZnbLRHiad1XJdYcidUCa6qj8
7PJAgRS4r+oQiQAM4Lt+yvQXRZzrOEMp0RwlwTge6Ic
-> D-grease 9p~L6^ #_8k_6RW <A:we
g88QsMIGbjOJjIvb9WjroQaPCN9YWHNaK7icMSAEf6xJE1V3a9Bu/7v0JqgZGV8f
szEC2UtY6bUYdRPUhwsS0V2N9lds7Gg65kYrAHylRL8w9uFJJmydcb9Bgw
--- ZWYEvPCTLh1Vh05yX4zmH+YOjlW6yaaAQZcp1WeAUnA
<EFBFBD>†(çäEÍHëŐEEôjśW˛mÓrţ<72>ńtęO
ďf<­Ă"o˝=+Ň ˛†+<2B>sĂ/Ł×_3]Ź˝“wŻ[ţÍĘÇ<35>öa"ş

BIN
secrets/wg.jarvis.age Normal file

Binary file not shown.


@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 lYFcsw TtNKEpF1PW3hFdAR6yvwlppBsb4aS8G7GxpBhtpwvVQ
p4VgueR9Evc7lxckk9psbD/i0su9XSzfns8/YnroKVY
-> ssh-ed25519 n7yA6g YRrCJZMq/Rz3VRlOXSM6QFsRLK+S7H/ThVigcin21Gk
S4X0SNQUtxLpsDei6PkzQm+cFxL9cyLubTlVXrdZmHE
-> 6LOV|>L-grease ;6R Kod}I/ bmRbO|
SPzo5pVPaREotXuB0w
--- UfqolORCJHBYP9FQU/cxuRbPuQBWAX8bqUWrrUx3GTQ
¤ù¥ß†ÀC=%Ý‹Ô ¥Äk±Ê˜säx.öC㤼ð5~d Íù<C38D>åôcå4Ìè¢åð Ã$§†üá yV)æ÷æq

BIN
secrets/wg.pennyworth.age Normal file

Binary file not shown.

BIN
secrets/wg.smithers.age Normal file

Binary file not shown.

BIN
secrets/wg.zazu.age Normal file

Binary file not shown.