switch to agenix
parent
d50c02d708
commit
7a8b6de2a1
|
@ -1,4 +1 @@
|
|||
secrets.nix filter=git-crypt diff=git-crypt
|
||||
*.key filter=git-crypt diff=git-crypt
|
||||
deploy_key filter=git-crypt diff=git-crypt
|
||||
keys/** filter=git-crypt diff=git-crypt
|
||||
|
|
21
flake.lock
21
flake.lock
|
@ -1,5 +1,25 @@
|
|||
{
|
||||
"nodes": {
|
||||
"agenix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1652712410,
|
||||
"narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"blobs": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
|
@ -259,6 +279,7 @@
|
|||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"emacs-overlay": "emacs-overlay",
|
||||
"home-manager": "home-manager",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
|
|
|
@ -10,14 +10,17 @@
|
|||
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-21.05";
|
||||
nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
|
||||
nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
|
||||
agenix.url = "github:ryantm/agenix";
|
||||
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
};
|
||||
outputs = inputs@{ nixpkgs, home-manager, nixpkgs-mozilla, emacs-overlay
|
||||
, nixpkgs-wayland, nixpkgs-stable, nixos-hardware, self, ... }: {
|
||||
, nixpkgs-wayland, nixpkgs-stable, nixos-hardware, agenix, self, ... }: {
|
||||
overlay = nixpkgs.lib.composeManyExtensions [
|
||||
nixpkgs-wayland.overlay
|
||||
#nixpkgs-mozilla.overlay
|
||||
emacs-overlay.overlay
|
||||
agenix.overlay
|
||||
(import ./fixups.nix)
|
||||
(import ./pkgs)
|
||||
(import ./pkgs/mdr.nix)
|
||||
|
|
16
nixos/conf
16
nixos/conf
|
@ -4,12 +4,6 @@ cd "$( dirname "${BASH_SOURCE[0]}" )"
|
|||
export NIX_PATH=
|
||||
host=$1
|
||||
COPY_USER=yorick
|
||||
decrypt() {
|
||||
if ! [ -e secrets.nix ]
|
||||
then
|
||||
git crypt unlock
|
||||
fi
|
||||
}
|
||||
get_target_host() {
|
||||
TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
|
||||
TARGET_HOST=$(ssh $TARGET_HOST ip --json r get 1.1.1.1 | jq -r '.[0].prefsrc')
|
||||
|
@ -19,20 +13,12 @@ peek() {
|
|||
command "$@"
|
||||
}
|
||||
nix() {
|
||||
decrypt
|
||||
peek nix --extra-experimental-features nix-command "$@"
|
||||
peek nix --extra-experimental-features "nix-command flakes" "$@"
|
||||
}
|
||||
nix-build() {
|
||||
decrypt
|
||||
peek nix-build "$@"
|
||||
}
|
||||
case $2 in
|
||||
copy-keys)
|
||||
nix build -f ../. yorick.machine."$host".config.deployment.keys-copy --out-link copy-keys
|
||||
get_target_host
|
||||
peek ./copy-keys/bin/copy-keys "$TARGET_HOST"
|
||||
# rm ./copy-keys
|
||||
;;
|
||||
ssh)
|
||||
get_target_host
|
||||
peek ssh root@"$TARGET_HOST"
|
||||
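Review bot: The `copy-keys)` branch, `nix build -f ../. yorick.machine."$host".config.deployment.keys-copy --out-link copy-keys`, still evaluates `deployment.keys-copy`, but this commit deletes `deploy/keys.nix` (the only definition of that option on the page) and drops `../deploy/keys.nix` from the roles imports, so that branch now fails at evaluation instead of copying anything; either remove the case or replace it with a comment that secrets are shipped as `.age` files and decrypted on the host by agenix. In the first hunk, `get_target_host` still interpolates `ips.$host` and `ssh $TARGET_HOST` unquoted; quoting both (`"$host"`, `"$TARGET_HOST"`) keeps a stray space in `$1` from becoming extra arguments. Dropping `git crypt unlock` does not remove the git-crypt blobs under `keys/` from history, so anyone who ever held the git-crypt key can still read whatever those files contained; if the new `.age` files carry the same material, the switch only reduces exposure once those secrets are rotated.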
|
|
|
@ -1,23 +0,0 @@
|
|||
{ pkgs, lib, config, ... }:
|
||||
with lib;
|
||||
let cfg = config.deployment.keyys;
|
||||
in {
|
||||
options.deployment.keyys = mkOption {
|
||||
type = types.listOf types.path;
|
||||
default = [ ];
|
||||
};
|
||||
options.deployment.keys-copy = mkOption { type = types.package; };
|
||||
config = {
|
||||
deployment.keys-copy = pkgs.writeShellScriptBin "copy-keys"
|
||||
(if cfg != [ ] then ''
|
||||
set -e
|
||||
ssh root@$1 "mkdir -p /root/keys"
|
||||
scp ${concatMapStringsSep " " toString cfg} root@$1:/root/keys
|
||||
echo "uploaded keys"
|
||||
'' else ''
|
||||
echo "no keys to upload"
|
||||
'');
|
||||
|
||||
};
|
||||
|
||||
}
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -6,8 +6,6 @@
|
|||
../services/torrent-wg.nix
|
||||
];
|
||||
|
||||
deployment.keyys = [ ../keys/grafana.env ];
|
||||
|
||||
system.stateVersion = "15.09";
|
||||
networking.hostId = "0702dbe9";
|
||||
|
||||
|
@ -88,8 +86,8 @@
|
|||
AUTH_GOOGLE_ALLOW_SIGN_UP = "false";
|
||||
};
|
||||
};
|
||||
systemd.services.grafana.serviceConfig.EnvironmentFile =
|
||||
"/root/keys/grafana.env";
|
||||
age.secrets.grafana.file = ../../secrets/grafana.env.age;
|
||||
systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana.path;
|
||||
services.zfs = {
|
||||
trim.enable = false; # no ssd's
|
||||
autoScrub = {
|
||||
|
|
|
@ -4,4 +4,5 @@
|
|||
system.stateVersion = "17.09";
|
||||
|
||||
yorick.lumi-vpn.name = "yorick";
|
||||
yorick.lumi-vpn.ip = "10.109.0.10";
|
||||
}
|
||||
|
|
|
@ -44,12 +44,13 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
age.secrets.muflax.file = ../../secrets/http.muflax.age;
|
||||
services.muflax-blog = {
|
||||
enable = true;
|
||||
web-server = { port = 9001; };
|
||||
hidden-service = {
|
||||
hostname = "muflax65ngodyewp.onion";
|
||||
private_key = "/root/keys/http.muflax.key";
|
||||
private_key = config.age.secrets.muflax.path;
|
||||
};
|
||||
};
|
||||
services.nginx.commonHttpConfig = ''
|
||||
|
@ -89,7 +90,6 @@ in {
|
|||
};
|
||||
"media.yori.cc" = sslforward "http://${vpn.ips.frumar}:32001";
|
||||
};
|
||||
deployment.keyys = [ ../keys/http.muflax.key ];
|
||||
networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
|
||||
networking.wireguard.interfaces.wg-y.peers = lib.mkForce (lib.mapAttrsToList
|
||||
(machine: publicKey: {
|
||||
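Review bot: `private_key = config.age.secrets.muflax.path;` hands the hidden-service key to whatever `../modules/tor-hidden-service.nix` does with it, and agenix creates that file owned by root with mode 0400 unless `age.secrets.muflax.owner`/`mode` are set; if the tor process opens the key itself as an unprivileged user rather than through a root-run copy step, it will not be able to read it. The previous `/root/keys/http.muflax.key` was also root-only, so the module presumably copes, but the expectation is worth stating on the `age.secrets.muflax.file` line: `# root:0400 by default; the tor-hidden-service module must copy it into tor's state dir (or set owner accordingly)`. The wireguard keys in roles/default.nix and torrent-wg.nix are consumed by the NixOS wireguard unit, which runs as root, so those look fine as written.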
|
|
|
@ -1,5 +1,5 @@
|
|||
# Edit this configuration file to define what should be installed on your system. Help is available in the configuration.nix(5) man page and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
{ config, lib, pkgs, inputs, ... }:
|
||||
{ config, lib, pkgs, inputs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [ # Include the results of the hardware scan.
|
||||
|
@ -7,7 +7,7 @@
|
|||
#<yori-nix/roles/homeserver.nix>
|
||||
../roles
|
||||
inputs.nixos-hardware.nixosModules.pcengines-apu
|
||||
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||
"${modulesPath}/profiles/minimal.nix"
|
||||
];
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
|
|
|
@ -1,27 +1,15 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
cfg = config.yorick.lumi-cache;
|
||||
nixNetrcFile = pkgs.runCommand "nix-netrc-file" {
|
||||
hostname = "cache.lumi.guide";
|
||||
username = "lumi";
|
||||
} ''
|
||||
cat > $out <<EOI
|
||||
machine $hostname
|
||||
login $username
|
||||
password ${
|
||||
builtins.readFile
|
||||
/home/yorick/engineering/lumi/secrets/shared/passwords/nix-serve-password
|
||||
}
|
||||
EOI
|
||||
'';
|
||||
in {
|
||||
options.yorick.lumi-cache = with lib; {
|
||||
enable = mkEnableOption "lumi cache";
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
age.secrets.nix-netrc.file = ../../secrets/nix-netrc.age;
|
||||
nix = {
|
||||
settings.substituters = [ "https://cache.lumi.guide/" ];
|
||||
settings.netrc-file = nixNetrcFile;
|
||||
settings.netrc-file = config.age.secrets.nix-netrc.path;
|
||||
settings.trusted-public-keys = [
|
||||
"cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE="
|
||||
];
|
||||
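Review bot: The removed `nixNetrcFile` derivation wrote the cache password into a Nix store path, which is world-readable and remains on every host that built that generation until it is garbage-collected, so switching to `config.age.secrets.nix-netrc.path` does not by itself retire the exposed value; rotating the `cache.lumi.guide` password (if `nix-netrc.age` holds the same one) and collecting garbage on the affected hosts would. The new file is created by agenix with its default root-only permissions, which is enough for the nix-daemon that performs substitution, but presumably not for a non-root `nix` invocation that reads `netrc-file` directly — worth confirming on one host. A comment on the `settings.netrc-file` line, `# decrypted by agenix at activation; root-readable, consumed by nix-daemon for the substituter`, would record that expectation.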
|
|
|
@ -5,11 +5,11 @@ let
|
|||
vpn = import ../vpn.nix;
|
||||
in {
|
||||
imports = [
|
||||
inputs.agenix.nixosModule
|
||||
../modules/tor-hidden-service.nix
|
||||
../modules/nginx.nix
|
||||
../modules/lumi-cache.nix
|
||||
../modules/lumi-vpn.nix
|
||||
../deploy/keys.nix
|
||||
../services
|
||||
];
|
||||
|
||||
|
@ -106,9 +106,9 @@ in {
|
|||
ipv6 = true;
|
||||
hostName = machine;
|
||||
};
|
||||
deployment.keyys = [ (../keys + "/wg.${machine}.key") ];
|
||||
age.secrets.wg.file = ../../secrets/wg.${machine}.age;
|
||||
networking.wireguard.interfaces.wg-y = {
|
||||
privateKeyFile = "/root/keys/wg.${machine}.key";
|
||||
privateKeyFile = config.age.secrets.wg.path;
|
||||
ips = [ vpn.ips.${machine} ];
|
||||
listenPort = 31790;
|
||||
peers = [{
|
||||
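Review bot: `inputs.agenix.nixosModule` is imported without setting `age.identityPaths`, so decryption at activation relies on agenix's default, which (when openssh is enabled) is the host's SSH host keys; the per-host `ssh-ed25519` recipients in the added `.age` files are consistent with that, and it means the trust root for every secret on the page is the host key, so re-imaging a host requires re-keying its secrets. Record that next to the import: `# agenix: ../../secrets/*.age are decrypted at activation with the host SSH key (age.identityPaths default)`. `config.age.secrets.wg.path` in the second hunk also needs `config` in this module's argument set, which the `@ -5,11 +5,11 @@ let` header does not show — the enclosing module header is outside the hunk.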
|
|
|
@ -1,22 +1,20 @@
|
|||
{ name, ... }: {
|
||||
deployment.keyys = [
|
||||
(../keys + "/${name}_borg_repo.key")
|
||||
(../keys + "/${name}_borg_ssh.key")
|
||||
];
|
||||
{ name, config, ... }: {
|
||||
age.secrets.backup_repo.file = ../../secrets/${name}_borg_repo.age;
|
||||
age.secrets.backup_ssh.file = ../../secrets/${name}_borg_ssh.age;
|
||||
services.borgbackup.jobs.backup = {
|
||||
encryption = {
|
||||
# Keep the encryption key in the repo itself
|
||||
mode = "repokey-blake2";
|
||||
|
||||
# Password is used to decrypt the encryption key from the repo
|
||||
passCommand = "cat /root/keys/${name}_borg_repo.key";
|
||||
passCommand = "cat ${config.age.secrets.backup_repo.path}";
|
||||
};
|
||||
environment = {
|
||||
# Make sure we're using Borg >= 1.0
|
||||
BORG_REMOTE_PATH = "borg1";
|
||||
|
||||
# SSH key is specific to the subaccount defined in the repo username
|
||||
BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key";
|
||||
BORG_RSH = "ssh -i ${config.age.secrets.backup_ssh.path}";
|
||||
};
|
||||
|
||||
# Define schedule
|
||||
|
|
|
@ -7,11 +7,11 @@ in {
|
|||
namespace = mkOption { type = types.str; };
|
||||
};
|
||||
config = {
|
||||
deployment.keyys = [ (../keys + "/wg.${cfg.name}.key") ];
|
||||
age.secrets.wg-torrent.file = ../../secrets/wg.${cfg.name}.age;
|
||||
networking.wireguard.interfaces.${cfg.name} = {
|
||||
# curl -s https://api.mullvad.net/www/relays/all/ | jq '.[] | select(.type == "wireguard" and .country_code == "nl")'
|
||||
ips = [ "10.66.30.26/32" "fc00:bbbb:bbbb:bb01::3:1e19/128" ];
|
||||
privateKeyFile = "/root/keys/wg.${cfg.name}.key";
|
||||
privateKeyFile = config.age.secrets.wg-torrent.path;
|
||||
peers = [{
|
||||
publicKey = "hnRyse6QxPPcZOoSwRsHUtK1W+APWXnIoaDTmH6JsHQ=";
|
||||
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
||||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,10 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 lYFcsw HsqJA3brEYXwaJT7VjTassnpzZSBsa+968Oe6BC7FFA
|
||||
rwqKJVSh2BkXpUbnkegEOKMWV68CXZnOg5HJlFhGWmY
|
||||
-> ssh-ed25519 ZzuO9Q SbeT6ExvwzTog2HXThI8OOgJQoMqWOOtU6gmU+v/x28
|
||||
pgEYyg6EuRsIW1shMlvQfTGxwyq0/uFHQumDmB0QzZM
|
||||
-> P*s7TnXP-grease C O$
|
||||
KXqmSEK5b3oWErBT6A5w5A
|
||||
--- 7XjRgeS86xeERnenf8zSZPb47lV2GiSa55ZPKEvjJBc
|
||||
äx6
|
||||
úKOŠ+<2B>S¬öíUaH r»-A<>C<EFBFBD>M·nˆfà<66>Ós;bB»dñé©ù;üL9à2¼ÛLSRÓ÷Ï<06>ÍžÜtÑ¿ônnÊN
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,11 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 lYFcsw v6eGXaE307KPZGNPiZizSUSiJ4om5/igqveCtyXJpVA
|
||||
7tJ+o/YBYrHF+DeLaHeBdV6ZVPEV7w9Dxq/4HcpGdDc
|
||||
-> ssh-ed25519 4Ui0LA 2gDiPTnSkhgMySIeIITAUmTRzCDHwFH73BKayFzIBmE
|
||||
mc8SgUhs7WSR9sl+Y1ZkQahwJ2zXdbkEekZkGXiL7ss
|
||||
-> !ff-grease BK qoe krs&bJ
|
||||
pKON54F5tCt2T9YGQM920TxaK+l08X/1xCSIpSLy0WwpzJYeFu6XRT6VoPTga/hG
|
||||
tDqS6PvXw12729k5JH7qMS2XzDEuh+6NIRnDuwGC/ttfk+2HJe25FifbZhE+1YNC
|
||||
9A
|
||||
--- BxJEHO4W1sUHQ2pk8CZViEDCy+WhyzVdWlZUZHIHlBE
|
||||
-fV‚7½O²9Ÿò_Bí?Z /ìá¨çÛTQ¡ Åû–ì+í3ÓBº*«•…wÿvûá/í©^™@Xè¥çÿ!¨/ñžuÒª
|
|
@ -0,0 +1,11 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 lYFcsw vv0M0zAhNZ8dsIuOI6p1Y++WusqBwdYJqzXuK4IXflo
|
||||
MERLtcazm/pWBSvyISDLoil5eiNDDwAYDY+H1pTrYN4
|
||||
-> ssh-ed25519 n7yA6g dV0UCZeAfZIxaoNYM5OZnbLRHiad1XJdYcidUCa6qj8
|
||||
7PJAgRS4r+oQiQAM4Lt+yvQXRZzrOEMp0RwlwTge6Ic
|
||||
-> D-grease 9p~L6^ #_8k_6RW <A:we
|
||||
g88QsMIGbjOJjIvb9WjroQaPCN9YWHNaK7icMSAEf6xJE1V3a9Bu/7v0JqgZGV8f
|
||||
szEC2UtY6bUYdRPUhwsS0V2N9lds7Gg65kYrAHylRL8w9uFJJmydcb9Bgw
|
||||
--- ZWYEvPCTLh1Vh05yX4zmH+YOjlW6yaaAQZcp1WeAUnA
|
||||
<EFBFBD>†(çäEÍHëŐEEôjśW˛mÓrţ<72>ń›tęO
|
||||
ďf<Ă"o˝=+Ň ˛†+<2B>sĂ/Ł×_3]Ź˝›“wŻ[ţÍĘÇ5Ź<35>öa"ş
|
Binary file not shown.
|
@ -0,0 +1,9 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 lYFcsw TtNKEpF1PW3hFdAR6yvwlppBsb4aS8G7GxpBhtpwvVQ
|
||||
p4VgueR9Evc7lxckk9psbD/i0su9XSzfns8/YnroKVY
|
||||
-> ssh-ed25519 n7yA6g YRrCJZMq/Rz3VRlOXSM6QFsRLK+S7H/ThVigcin21Gk
|
||||
S4X0SNQUtxLpsDei6PkzQm+cFxL9cyLubTlVXrdZmHE
|
||||
-> 6LOV|>L-grease ;6R Kod}I/ bmRbO|
|
||||
SPzo5pVPaREotXuB0w
|
||||
--- UfqolORCJHBYP9FQU/cxuRbPuQBWAX8bqUWrrUx3GTQ
|
||||
¤ù¥ß†À›C=%Ý‹Ôuƒ¥Äk±Ê˜säx.öC㤼ð5~d Íù<C38D>åôcå4Ìè¢åð Ã$§†üáyV)æ÷–æq
|
Binary file not shown.
Binary file not shown.
Binary file not shown.