From 29334bd8feb2ab79e93f77281b82ed5c275cf0cd Mon Sep 17 00:00:00 2001
From: Shelvacu
Date: Fri, 22 Aug 2025 14:01:09 -0700
Subject: [PATCH] reorganize secrets and stuff
---
 common/sops.nix | 15 +++------
 hosts/fw/default.nix | 6 ++--
 hosts/fw/radicle.nix | 2 +-
 hosts/fw/sops.nix | 20 ------------
 hosts/liam/sops.nix | 14 ++-------
 hosts/prophecy/default.nix | 4 +--
 hosts/prophecy/sops.nix | 20 ------------
 hosts/solis/default.nix | 3 +-
 hosts/solis/sops.nix | 14 ---------
 hosts/triple-dezert/default.nix | 3 +-
 hosts/triple-dezert/sops.nix | 21 -------------
 modules/garage/module.nix | 2 +-
 modules/sops/module.nix | 31 +++++++++++++++++++
 scripts/dns/default.nix | 3 +-
 scripts/update-git-keys.nix | 3 +-
 secrets/{liam/main.yaml => hosts/liam.yaml} | 0
 .../main.yaml => hosts/prophecy.yaml} | 0
 secrets/{ => hosts}/solis.yaml | 0
 .../main.yaml => hosts/triple-dezert.yaml} | 0
 19 files changed, 52 insertions(+), 109 deletions(-)
 delete mode 100644 hosts/fw/sops.nix
 delete mode 100644 hosts/prophecy/sops.nix
 delete mode 100644 hosts/solis/sops.nix
 delete mode 100644 hosts/triple-dezert/sops.nix
 create mode 100644 modules/sops/module.nix
 rename secrets/{liam/main.yaml => hosts/liam.yaml} (100%)
 rename secrets/{prophecy/main.yaml => hosts/prophecy.yaml} (100%)
 rename secrets/{ => hosts}/solis.yaml (100%)
 rename secrets/{triple-dezert/main.yaml => hosts/triple-dezert.yaml} (100%)
diff --git a/common/sops.nix b/common/sops.nix
index e1eaf4e..2ce6533 100644
--- a/common/sops.nix
+++ b/common/sops.nix
@@ -6,7 +6,6 @@
 ...
 }:
 let
- inherit (builtins) head;
 ssh-to-age = lib.getExe pkgs.ssh-to-age;
 sshToAge = sshPubText: 
@@ -17,12 +16,6 @@ let
 userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
 userKeysAge = map sshToAge userKeys;
 agesOf = hostname: map sshToAge config.vacu.hosts.${hostname}.sshKeys;
- # liamKey = head config.vacu.hosts.liam.sshKeys;
- # liamKeyAge = sshToAge liamKey;
- # tripKey = head config.vacu.hosts.triple-dezert.sshKeys;
- # tripKeyAge = sshToAge tripKey;
- # propKey = head config.vacu.hosts.prophecy.sshKeys;
- # propKeyAge = sshToAge propKey;
 singleGroup = keys: [ { age = keys; } ];
 testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
 testAgePublic = vaculib.outputOf {
@@ -36,19 +29,19 @@ let
 key_groups = singleGroup userKeysAge;
 }
 {
- path_regex = "/secrets/liam/[^/]+$";
+ path_regex = "/secrets/hosts/liam\\.yaml$";
 key_groups = singleGroup (userKeysAge ++ agesOf "liam");
 }
 {
- path_regex = "/secrets/triple-dezert/[^/]+$";
+ path_regex = "/secrets/hosts/triple-dezert\\.yaml$";
 key_groups = singleGroup (userKeysAge ++ agesOf "triple-dezert");
 }
 {
- path_regex = "/secrets/prophecy/[^/]+$";
+ path_regex = "/secrets/hosts/prophecy\\.yaml$";
 key_groups = singleGroup (userKeysAge ++ agesOf "prophecy");
 }
 {
- path_regex = "/secrets/solis\\.yaml$";
+ path_regex = "/secrets/hosts/solis\\.yaml$";
 key_groups = singleGroup (userKeysAge ++ agesOf "solis");
 }
 {
diff --git a/hosts/fw/default.nix b/hosts/fw/default.nix
index 60b0332..c8e25be 100644
--- a/hosts/fw/default.nix
+++ b/hosts/fw/default.nix
@@ -1,15 +1,15 @@
-{ inputs, pkgs, ... }:
+{ inputs, pkgs, vacuModules, ... }:
 {
 imports = [
 inputs.nixos-hardware.nixosModules.framework-16-7040-amd
- ../tf2
+ "${inputs.self}/tf2"
+ vacuModules.sops
 ./apex.nix
 ./android.nix
 ./thunderbolt.nix
 ./fwupd.nix
 ./zfs.nix
 ./virtualbox.nix
- ./sops.nix
 ./radicle.nix
 ./tpm-fido.nix
 ./podman.nix
diff --git a/hosts/fw/radicle.nix b/hosts/fw/radicle.nix
index 703541b..495c574 100644
--- a/hosts/fw/radicle.nix
+++ b/hosts/fw/radicle.nix
@@ -1,7 +1,7 @@
 { config, ... }:
 {
 sops.secrets.radicle-key = {
- sopsFile = ../secrets/radicle-private.key;
+ sopsFile = "${config.vacu.sops.secretsPath}/radicle-private.key";
 format = "binary"; # its actually an openssh private key which is kinda plaintext, but there is no plaintext option and treating it as opaque binary works fine
 };
 services.radicle = {
diff --git a/hosts/fw/sops.nix b/hosts/fw/sops.nix
deleted file mode 100644
index dd0bd80..0000000
--- a/hosts/fw/sops.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- inputs,
- lib,
- config,
- ...
-}:
-{
- imports = [ inputs.sops-nix.nixosModules.sops ];
-
- options.vacu.secretsFolder = lib.mkOption {
- type = lib.types.path;
- default = ../secrets;
- defaultText = "/secrets";
- };
-
- config = {
- # sops.defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- };
-}
diff --git a/hosts/liam/sops.nix b/hosts/liam/sops.nix
index 275c222..37cf651 100644
--- a/hosts/liam/sops.nix
+++ b/hosts/liam/sops.nix
@@ -1,21 +1,12 @@
 {
- inputs,
- lib,
 config,
+ vacuModules,
 ...
 }:
 {
- imports = [ inputs.sops-nix.nixosModules.sops ];
-
- options.vacu.secretsFolder = lib.mkOption {
- type = lib.types.path;
- default = ../secrets;
- defaultText = "/secrets";
- };
+ imports = [ vacuModules.sops ];
 config.sops = {
- defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
- age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 secrets.dovecot-passwd = {
 restartUnits = [ "dovecot2.service" ];
 };
@@ -28,6 +19,5 @@
 restartUnits = [ "postfix.service" ];
 owner = config.services.postfix.user;
 };
- gnupg.sshKeyPaths = [ ]; # explicitly empty to disable gnupg; I don't use it and it takes up space on minimal configs
 };
 }
diff --git a/hosts/prophecy/default.nix b/hosts/prophecy/default.nix
index 6bc9fc8..6e1b7d4 100644
--- a/hosts/prophecy/default.nix
+++ b/hosts/prophecy/default.nix
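Review bot: The new `sopsFile` line in hosts/fw/radicle.nix reads `config.vacu.sops.secretsPath`, but the option that the new modules/sops/module.nix declares later in this patch is `vacu.sops.secretsFolder`; unless `secretsPath` is declared somewhere outside this patch, evaluating the fw configuration should fail with an undefined-attribute error on this line. The same mismatch appears in the `garageRpcKey.sopsFile` line of modules/garage/module.nix. Either rename the option or point both consumers at the declared one, e.g. `sopsFile = "${config.vacu.sops.secretsFolder}/radicle-private.key";`. The enclosing attribute set continues past the end of the hunk.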
@@ -1,13 +1,13 @@
-{ ... }:
+{ vacuModules, ... }:
 {
 imports = [
+ vacuModules.sops
 ./impermanence.nix
 ./hardware.nix
 ./btrfs.nix
 ./genieacs.nix
 ./networking.nix
 ./doof.nix
- ./sops.nix
 ./gpu.nix
 ./propdata.nix
 ./silence.nix
diff --git a/hosts/prophecy/sops.nix b/hosts/prophecy/sops.nix
deleted file mode 100644
index 7a35fec..0000000
--- a/hosts/prophecy/sops.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- inputs,
- lib,
- config,
- ...
-}:
-{
- imports = [ inputs.sops-nix.nixosModules.sops ];
-
- options.vacu.secretsFolder = lib.mkOption {
- type = lib.types.path;
- default = ../secrets;
- defaultText = "/secrets";
- };
-
- config.sops = {
- defaultSopsFile = config.vacu.secretsFolder + "/prophecy/main.yaml";
- age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- };
-}
diff --git a/hosts/solis/default.nix b/hosts/solis/default.nix
index d143514..7ef75f2 100644
--- a/hosts/solis/default.nix
+++ b/hosts/solis/default.nix
@@ -1,14 +1,15 @@
 {
 vaculib,
+ vacuModules,
 ...
 }:
 {
 imports = [
+ vacuModules.sops
 ./disko.nix
 ./impermanence.nix
 ./hardware.nix
 ./garage.nix
- ./sops.nix
 ./caddy.nix
 ];
 options.vacu.this = vaculib.mkOutOptions {
diff --git a/hosts/solis/sops.nix b/hosts/solis/sops.nix
deleted file mode 100644
index a00c6b4..0000000
--- a/hosts/solis/sops.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- inputs,
- ...
-}:
-{
- imports = [ inputs.sops-nix.nixosModules.sops ];
-
- config = {
- sops.defaultSopsFile = ../secrets/solis.yaml;
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- };
-}
-
-
diff --git a/hosts/triple-dezert/default.nix b/hosts/triple-dezert/default.nix
index 1dec965..7888e23 100644
--- a/hosts/triple-dezert/default.nix
+++ b/hosts/triple-dezert/default.nix
@@ -2,10 +2,12 @@
 config,
 pkgs,
 lib,
+ vacuModules,
 ...
 }:
 {
 imports = [
+ vacuModules.sops
 ./hardware-configuration.nix
 ./awootrip.nix
 ./database.nix
@@ -15,7 +17,6 @@
 ./yt-archiver.nix
 ./proxied
 ./gallerygrab.nix
- ./sops.nix
 # ./disko.nix
 ./docker.nix
 ./dovecot-backup.nix
diff --git a/hosts/triple-dezert/sops.nix b/hosts/triple-dezert/sops.nix
deleted file mode 100644
index 4901a13..0000000
--- a/hosts/triple-dezert/sops.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- inputs,
- config,
- lib,
- ...
-}:
-{
- imports = [ inputs.sops-nix.nixosModules.sops ];
-
- options.vacu.secretsFolder = lib.mkOption {
- type = lib.types.path;
- default = ../secrets;
- defaultText = "/secrets";
- };
-
- config = {
- sops.defaultSopsFile = config.vacu.secretsFolder + "/triple-dezert/main.yaml";
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- # sops.secrets.vacustore_smtp_key = {};
- };
-}
diff --git a/modules/garage/module.nix b/modules/garage/module.nix
index 9c83432..d2f452b 100644
--- a/modules/garage/module.nix
+++ b/modules/garage/module.nix
@@ -50,7 +50,7 @@ in
 };
 sops.secrets.garageRpcKey = {
 owner = "garage";
- sopsFile = ../../secrets/garage-rpc.key;
+ sopsFile = "${config.vacu.sops.secretsPath}/garage-rpc.key";
 format = "binary";
 restartUnits = [ "garage.service" ];
 };
diff --git a/modules/sops/module.nix b/modules/sops/module.nix
new file mode 100644
index 0000000..66e9788
--- /dev/null
+++ b/modules/sops/module.nix
@@ -0,0 +1,31 @@
+{
+ config,
+ lib,
+ inputs,
+ ...
+}:
+let
+ inherit (lib) mkOption types;
+ cfg = config.vacu.sops;
+in
+{
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+ options.vacu.sops = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ };
+ secretsFolder = mkOption {
+ type = types.path;
+ default = "${inputs.self}/secrets";
+ defaultText = "/secrets";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ sops = {
+ defaultSopsFile = lib.mkDefault (cfg.secretsFolder + "/hosts/${config.vacu.hostname}.yaml");
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ gnupg.sshKeyPaths = [ ]; # explicitly empty to disable gnupg; I don't use it and it takes up space on minimal configs
+ };
+ };
+}
diff --git a/scripts/dns/default.nix b/scripts/dns/default.nix
index 1d49786..ff8d46d 100644
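Review bot: In modules/sops/module.nix the `defaultText = "/secrets"` on `secretsFolder` does not describe the real default `"${inputs.self}/secrets"` (the deleted per-host modules carried the same stale text), so generated option docs will show a path that does not exist on the machine; use `defaultText = lib.literalExpression ''"''${inputs.self}/secrets"'';`. Neither `enable` nor `secretsFolder` has a `description`; suggest `description = "Shared sops-nix setup: decrypt with the host's ed25519 SSH key, no gnupg, per-host default secrets file.";` on `enable`, and on `secretsFolder` a sentence naming the expected layout `hosts/<hostname>.yaml` under it. Because `defaultSopsFile` is built from `config.vacu.hostname`, a host whose `secrets/hosts/<hostname>.yaml` does not exist will presumably only surface the error when some secret omits `sopsFile` (the fw host's secrets in this patch all set one); a one-line comment stating that expectation next to the `defaultSopsFile` line would save the next person a confusing evaluation failure.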
--- a/scripts/dns/default.nix
+++ b/scripts/dns/default.nix
@@ -2,13 +2,14 @@
 pkgs,
 config,
 lib,
+ inputs,
 ...
 }:
 let
 pythEscape = x: builtins.replaceStrings [ ''"'' "\n" "\\" ] [ ''\"'' "\\n" "\\\\" ] x;
 pythonScript = builtins.replaceStrings [ "@sops@" "@dns_secrets_file@" "@data@" ] (map pythEscape [
 (lib.getExe config.vacu.wrappedSops)
- (builtins.toString ../../secrets/misc/cloudns.json)
+ "${inputs.self}/secrets/misc/cloudns.json"
 (builtins.toJSON config.vacu.dns)
 ]) (builtins.readFile ./script.py);
 libraries = with pkgs.python3Packages; [
diff --git a/scripts/update-git-keys.nix b/scripts/update-git-keys.nix
index 1a9290a..ed3ef35 100644
--- a/scripts/update-git-keys.nix
+++ b/scripts/update-git-keys.nix
@@ -3,12 +3,13 @@
 writers,
 curl,
 lib,
+ inputs,
 ...
 }:
 writers.writeBashBin "update-git-keys" ''
 set -xev
 domain="$1"
- api_key="$(${lib.getExe config.vacu.wrappedSops} --extract '["'$domain'"]' -d ${../secrets/misc/git-keys.json})"
+ api_key="$(${lib.getExe config.vacu.wrappedSops} --extract '["'$domain'"]' -d ${"${inputs.self}/secrets/misc/git-keys.json"})"
 if [ $domain = github.com ]; then
 url_base="https://api.github.com"
 elif [ $domain = gitlab.com ]; then
diff --git a/secrets/liam/main.yaml b/secrets/hosts/liam.yaml
similarity index 100%
rename from secrets/liam/main.yaml
rename to secrets/hosts/liam.yaml
diff --git a/secrets/prophecy/main.yaml b/secrets/hosts/prophecy.yaml
similarity index 100%
rename from secrets/prophecy/main.yaml
rename to secrets/hosts/prophecy.yaml
diff --git a/secrets/solis.yaml b/secrets/hosts/solis.yaml
similarity index 100%
rename from secrets/solis.yaml
rename to secrets/hosts/solis.yaml
diff --git a/secrets/triple-dezert/main.yaml b/secrets/hosts/triple-dezert.yaml
similarity index 100%
rename from secrets/triple-dezert/main.yaml
rename to secrets/hosts/triple-dezert.yaml
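Review bot: The rewritten `api_key=` line in scripts/update-git-keys.nix runs under the `set -xev` two lines above it, so bash's xtrace prints the expanded assignment — including the value sops just decrypted — to stderr, where it ends up in terminal scrollback or whatever captures the script's output. Turn tracing off around the extraction (`set +x` before the `api_key=` line and `set -x` after it), or drop `-x` from the `set` line if the tracing is not needed. Separately, the nested `${"${inputs.self}/secrets/misc/git-keys.json"}` inside the indented string is equivalent to the plainer `${inputs.self}/secrets/misc/git-keys.json`. The script body continues outside the hunk.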