diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 00000000..9034a521
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &user_desko_colin age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
+ - &host_desko age1s0v4fm203ap6mckcz3djw8hx30uqu87xfhfdajpmyf8rfrf5xs5swpz6m6
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *user_desko_colin
+ - *host_desko
diff --git a/configuration.nix b/configuration.nix
index e8f4fdb0..377dadc4 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -8,7 +8,7 @@
 # nix-option ## query options -- including their SET VALUE; similar to search: https://search.nixos.org/options
 # nixos-rebuild switch --upgrade ## pull changes from the nixos channel (e.g. security updates) and rebuild
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
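Review bot: Both recipients are placed in one `key_groups` entry, so either the user key or the desko host key alone can decrypt every file matched under `secrets/`; that is the normal sops-nix layout, but nothing here records which SSH key each age recipient was derived from or that single-key decryption is intended. Suggest a comment per anchor, e.g. `# colin's ~/.ssh/id_ed25519 on desko, via ssh-to-age` and `# desko's /etc/ssh/ssh_host_ed25519_key, via ssh-to-age`, and `# one group: any single listed key decrypts` above `key_groups`. Editing this file does not touch already-encrypted files; `sops updatekeys secrets/<file>.yaml` has to be run per file after a recipient is added or removed, which is worth stating next to `creation_rules`. The regex `secrets/[^/]+\.yaml$` is unanchored at the start and so also matches a nested `.../secrets/x.yaml`; `^secrets/[^/]+\.yaml$` is tighter if only the top-level directory is meant.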
@@ -21,5 +21,52 @@
 experimental-features = nix-command flakes
 '';
 };
+
+ # SOPS configuration:
+ # docs: https://github.com/Mic92/sops-nix
+ #
+ # for each new user you want to edit sops files:
+ # create a private age key from ssh key:
+ # $ mkdir -p ~/.config/sops/age; ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt; chmod 600 ~/.config/sops/age/keys.txt
+ # if the private key was password protected, then first decrypt it:
+ # $ cp ~/.ssh/id_ed25519 /tmp/id_ed25519
+ # $ ssh-keygen -p -N "" -f /tmp/id_ed25519
+ #
+ # for each user you want to decrypt secrets:
+ # $ cat ~/.ssh/id_ed25519.pub | ssh-to-age
+ # add the result to .sops.yaml
+ #
+ # for each machine you want to decrypt secrets:
+ # $ cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
+ # add the result to .sops.yaml
+ # you may need to re-encode all the secrets (even physically deleting and recreating them).
+ #
+ # to create a new secret:
+ # $ sops secrets/example.yaml
+ # control access below (sops.secret..owner = ...)
+ #
+ # to read a secret:
+ # $ cat /run/secrets/example_key
+
+ # sops.age.sshKeyPaths = [ "/home/colin/.ssh/id_ed25519_dec" ];
+ # This will add secrets.yml to the nix store
+ # You can avoid this by adding a string to the full path instead, i.e.
+ # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
+ sops.defaultSopsFile = ./secrets/example.yaml;
+ # This will automatically import SSH keys as age keys
+ sops.age.sshKeyPaths = [
+ "/etc/ssh/ssh_host_ed25519_key"
+ # "/home/colin/.ssh/id_ed25519_dec"
+ ];
+ # This is using an age key that is expected to already be in the filesystem
+ # sops.age.keyFile = "/home/colin/.ssh/age.pub";
+ # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ # This will generate a new key if the key specified above does not exist
+ # sops.age.generateKey = true;
+ # This is the actual specification of the secrets.
+ sops.secrets.example_key = {
+ owner = config.users.users.colin.name;
+ };
+ # sops.secrets."myservice/my_subdir/my_secret" = {};
 }
diff --git a/flake.lock b/flake.lock
index 1f68161b..a175786c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -52,6 +52,54 @@
 "type": "indirect"
 }
 },
+ "nixpkgs-21_11": {
+ "locked": {
+ "lastModified": 1654346688,
+ "narHash": "sha256-Y7QtZkfdxTvACCvWmDjpN6qOf4OKkZATufHcJP2VMKM=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "2de556c4cd46a59e8ce2f85ee4dd400983213d45",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-21.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-22_05": {
+ "locked": {
+ "lastModified": 1654373220,
+ "narHash": "sha256-3vKFnZz2oYHo4YcelaNOhO4XQ2jiIEXrp1s4w+e773c=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d6cb04299ce8964290ae7fdcb87aa50da0500b5c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-22.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1654245945,
+ "narHash": "sha256-PV6MZ+HuNnyLxQGa2rwt0BmCRkQS2xqhc+SeJLQM+WU=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "442db9429b9fbdb6352cfb937afc8ecccfe2633f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nurpkgs": {
 "locked": {
 "lastModified": 1654488445,
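Review bot: The key-setup recipe in the new comment block leaves a passphrase-less copy of the user's SSH private key behind and never uses it: `$ cp ~/.ssh/id_ed25519 /tmp/id_ed25519` and `$ ssh-keygen -p -N "" -f /tmp/id_ed25519` strip the passphrase into `/tmp`, no step deletes that file, and the earlier `ssh-to-age -private-key -i ~/.ssh/id_ed25519` still reads the original encrypted key. Point the conversion at the decrypted copy, `ssh-to-age -private-key -i /tmp/id_ed25519 > ~/.config/sops/age/keys.txt`, and close the recipe with `# $ rm /tmp/id_ed25519` (a private tmpfs directory rather than shared `/tmp` is better still). `you may need to re-encode all the secrets (even physically deleting and recreating them)` understates a required step: after any `.sops.yaml` change run `sops updatekeys secrets/example.yaml` for each file, or a host whose key was just added cannot decrypt. The commented `# "/home/colin/.ssh/id_ed25519_dec"` entries would keep a passphrase-less copy of an SSH login key on disk; a dedicated age key via the `sops.age.keyFile`/`sops.age.generateKey` pair already sketched below limits exposure to sops alone if that path is ever enabled. The enclosing module attrset `{ ... }` opens before this hunk.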
@@ -72,7 +120,28 @@
 "home-manager": "home-manager",
 "mobile-nixos": "mobile-nixos",
 "nixpkgs": "nixpkgs",
- "nurpkgs": "nurpkgs"
+ "nurpkgs": "nurpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_2",
+ "nixpkgs-21_11": "nixpkgs-21_11",
+ "nixpkgs-22_05": "nixpkgs-22_05"
+ },
+ "locked": {
+ "lastModified": 1654401128,
+ "narHash": "sha256-uCdQ2fzIPGakHw2TkvOncUvCl7Fo7z/vagpDWYooO7s=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "f075361ecbde21535b38e41dfaa28a28f160855c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 18749644..4b8798a5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,9 +15,10 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 nurpkgs.url = "github:nix-community/NUR";
+ sops-nix.url = "github:Mic92/sops-nix";
 };
- outputs = { self, nixpkgs, mobile-nixos, home-manager, nurpkgs }: {
+ outputs = { self, nixpkgs, mobile-nixos, home-manager, nurpkgs, sops-nix }: {
 machines.uninsane = self.decl-bootable-machine { name = "uninsane"; system = "aarch64-linux"; };
 machines.desko = self.decl-bootable-machine { name = "desko"; system = "x86_64-linux"; };
 machines.lappy = self.decl-bootable-machine { name = "lappy"; system = "x86_64-linux"; };
@@ -68,6 +69,7 @@
 ./machines/${name}
 (import ./helpers/set-hostname.nix name)
 (self.overlaysModule system)
+ sops-nix.nixosModules.sops
 ] ++ extraModules;
 });
diff --git a/helpers/home-manager-gen-colin.nix b/helpers/home-manager-gen-colin.nix
index 7611ae9f..50af643c 100644
--- a/helpers/home-manager-gen-colin.nix
+++ b/helpers/home-manager-gen-colin.nix
@@ -472,6 +472,7 @@
 # pkgs.nettools
 pkgs.nmap
 pkgs.obsidian
+ pkgs.openssl
 pkgs.parted
 pkgs.pciutils
 # pkgs.ponymix
@@ -482,6 +483,8 @@
 pkgs.smartmontools
 pkgs.snapper
 pkgs.socat
+ pkgs.sops
+ pkgs.ssh-to-age
 pkgs.sudo
 pkgs.usbutils
 pkgs.wget
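Review bot: `sops-nix.url = "github:Mic92/sops-nix";` is added without an `inputs.nixpkgs.follows = "nixpkgs";`, unlike the preceding input whose `follows` line is visible in the context, so the lock now carries three extra nixpkgs revisions (`nixpkgs_2`, `nixpkgs-21_11`, `nixpkgs-22_05` under `sops-nix` in flake.lock) that are pinned and fetched alongside the flake's own nixpkgs. Pinning it the same way keeps a single nixpkgs to audit and update: `sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };`. The `nixpkgs-21_11`/`nixpkgs-22_05` inputs appear to serve sops-nix's own test matrix rather than its module, as far as I can tell, and can be pointed at `nixpkgs` with `follows` too if a slimmer lock is wanted. The second hunk of this file adds `sops-nix.nixosModules.sops` to every machine's module list, which matches the `sops.*` options set in configuration.nix.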
diff --git a/secrets/example.yaml b/secrets/example.yaml
new file mode 100644
index 00000000..3e6a1975
--- /dev/null
+++ b/secrets/example.yaml
@@ -0,0 +1,39 @@
+#ENC[AES256_GCM,data:AAbDZxW7S1fPR86UqIUvZZEKp9LPhZFBz6WtBFmRqeYaPKOJpQMr0UqJzF1r9Qy8Mhl9Ruc=,iv:8CkXkab3jkLx1F6yFGwvS8AObP0+zVqthuEZxD6fVFQ=,tag:NTXhSKgr3nLEuqVUU2qPeg==,type:comment]
+example_key: ENC[AES256_GCM,data:gag/QcjPTiwcnOTs6w==,iv:3WbDtKwoZdZl0M87pWFxGCEsdbEDoCpnN9nJ0s+4uFg=,tag:UmDD/dTU96QsvSjKVLm8nQ==,type:str]
+#ENC[AES256_GCM,data:qwFF9yIBquSi77GLsqoh5Vg=,iv:hJCpayOTOJndiwmxb32pO4RhH+92C8tFo3CThLBUzg4=,tag:I+fM3LE+8a7sSiNhA9xPIg==,type:comment]
+#ENC[AES256_GCM,data:pOJQW/WI9kB9oBRBZUk=,iv:nbc7gmgwvp2+e81gXJb7oGJFxd0IL3ezEzTRhZvZPks=,tag:Xeeh+LYR8IrVjSQMxCDR/A==,type:comment]
+#ENC[AES256_GCM,data:cFpWD8Ul9rZovu+gXHUK5qY2T74=,iv:wE1ykWPxNegTOBrOZKuXDS/ToTQ7uSQ5Ipk77zBeva4=,tag:HoW8U9HZGSG7qwVr10gBHA==,type:comment]
+#ENC[AES256_GCM,data:lNhCWy1l2tZ5smucunZFszd7dIY=,iv:vHOxwiyubDskeoENEwlzDV3pmxEKU0P+KJmwLijzj/Q=,tag:3iLW04LWFiznc+gKOOCYtw==,type:comment]
+#ENC[AES256_GCM,data:DE55QRx9NQjaPoTFVPDHtmxEvNSJRZTdQIo=,iv:MI67iZuHlwuKg4gkeSCutaNGWaFmF7eymuGkPsZSi94=,tag:YUb+62kKPcKU/WunbwqrzQ==,type:comment]
+#ENC[AES256_GCM,data:XiLZ7+vIX4bpeeEbsP0DpAA=,iv:HsmzKRESXMStssiECODj9bcsahmzxqtzOfodQ3Ze4Fo=,tag:gUBEreck3v9ySvAle9LIyQ==,type:comment]
+#ENC[AES256_GCM,data:exigJhzg3dKrLw==,iv:ZiTyNtYSbJpy7k86oOm5jNp/Aj+u+WVjr4hoDha3Jfw=,tag:e1IrQ7GL9StnLXeSeMN6vQ==,type:comment]
+#ENC[AES256_GCM,data:pwKO2o2lgbAFR9g=,iv:GF0NtijdFrXLPbKN6nMXavvdSV0jCaey3qm+8JxC9bk=,tag:XZ80r545lJEdTZ9XWhBABg==,type:comment]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtUWdZeHhjQnU0MVpQNTNy
+ WTEyVVVMVlpaL3duWkNnRE55RFltcWo0SzAwCkYra2hMdk9hdGR2dXo0SDVDb0Zy
+ Y3lvblhzSy9aWjQzOE5nR1lvaXg5dVEKLS0tIDhlVERraFgzeVlBbmxPZit5MzAv
+ dEIzelZ0M1Nuektzb1lSWXl1bGVWYVEK1sbgSBu/yjtbgAMUNO/U7vX++zuUoCj5
+ IZqsQ1Jofw4VGukUt+vUloWJ9W+uysRveDbqTX2x2XiRLqJXaKVIZQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1s0v4fm203ap6mckcz3djw8hx30uqu87xfhfdajpmyf8rfrf5xs5swpz6m6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNL1NKVjRRbFUzYUZzakw0
+ S1Jhc1Y3dlJ5WWxYcHNUVytDZ25jU1ZIWkdJCkRpY3dwakk4NWw0VWVGYllNQ0x5
+ ZTB1aVh1QlJBdmZld0EzVXVCZkpqZlEKLS0tIG1kcHVwNjhLaVFsVk9vWXpJZmhN
+ RHAyR2poZWkydUpVTEo4NXNvS1RwUE0KDWF9jDZP1cOMxE4iZzhN+eKJakEYK4g8
+ RQX7A5W1chN8Qh7KYPWZiGOL6FfcWUxFt8mfrUPKrxkGnM7zcz9Xrw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-06-06T23:21:20Z"
+ mac: ENC[AES256_GCM,data:pU5882gcNu2hmINn/xnDriHX8PvrEqepnf8/B+WGYrkd6yqpsVPCivlhGFmPvPaRt/o0AVMuH7Wbwm3+rmOpR1LFfJUtnFcejWVpVNE6BuxuWTdF90EENUStKg3DWV4uspRlQds856GR7pkDblkmAOgWZ7zD3ILS3sF/fLuFLr0=,iv:TCsuetCjhhJc/0K4UQrCD9+zWEVssI6Yx0AQ/+eDSn0=,tag:ZsKZZB5S9bgLIRJBLO/KgQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3