reorganize secrets and stuff

Shelvacu
2025-08-22 14:01:09 -07:00
committed by Shelvacu on fw
parent 2fddd494ea
commit 29334bd8fe
19 changed files with 52 additions and 109 deletions


@@ -6,7 +6,6 @@
... ...
}: }:
let let
inherit (builtins) head;
ssh-to-age = lib.getExe pkgs.ssh-to-age; ssh-to-age = lib.getExe pkgs.ssh-to-age;
sshToAge = sshToAge =
sshPubText: sshPubText:
@@ -17,12 +16,6 @@ let
userKeys = lib.attrValues config.vacu.ssh.authorizedKeys; userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
userKeysAge = map sshToAge userKeys; userKeysAge = map sshToAge userKeys;
agesOf = hostname: map sshToAge config.vacu.hosts.${hostname}.sshKeys; agesOf = hostname: map sshToAge config.vacu.hosts.${hostname}.sshKeys;
# liamKey = head config.vacu.hosts.liam.sshKeys;
# liamKeyAge = sshToAge liamKey;
# tripKey = head config.vacu.hosts.triple-dezert.sshKeys;
# tripKeyAge = sshToAge tripKey;
# propKey = head config.vacu.hosts.prophecy.sshKeys;
# propKeyAge = sshToAge propKey;
singleGroup = keys: [ { age = keys; } ]; singleGroup = keys: [ { age = keys; } ];
testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF"; testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
testAgePublic = vaculib.outputOf { testAgePublic = vaculib.outputOf {
@@ -36,19 +29,19 @@ let
key_groups = singleGroup userKeysAge; key_groups = singleGroup userKeysAge;
} }
{ {
path_regex = "/secrets/liam/[^/]+$"; path_regex = "/secrets/hosts/liam\\.yaml$";
key_groups = singleGroup (userKeysAge ++ agesOf "liam"); key_groups = singleGroup (userKeysAge ++ agesOf "liam");
} }
{ {
path_regex = "/secrets/triple-dezert/[^/]+$"; path_regex = "/secrets/hosts/triple-dezert\\.yaml$";
key_groups = singleGroup (userKeysAge ++ agesOf "triple-dezert"); key_groups = singleGroup (userKeysAge ++ agesOf "triple-dezert");
} }
{ {
path_regex = "/secrets/prophecy/[^/]+$"; path_regex = "/secrets/hosts/prophecy\\.yaml$";
key_groups = singleGroup (userKeysAge ++ agesOf "prophecy"); key_groups = singleGroup (userKeysAge ++ agesOf "prophecy");
} }
{ {
path_regex = "/secrets/solis\\.yaml$"; path_regex = "/secrets/hosts/solis\\.yaml$";
key_groups = singleGroup (userKeysAge ++ agesOf "solis"); key_groups = singleGroup (userKeysAge ++ agesOf "solis");
} }
{ {
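Review bot: The four host rules rewritten at the `path_regex` lines are hand-maintained copies of one shape, and each regex must now agree exactly with the `defaultSopsFile` the new sops module derives from `config.vacu.hostname`; a typo in one copy would leave that host's file encrypted without the host's own age key, so the host could not decrypt it at activation. Generating the entries from a host list keeps the regexes and key groups in step, with `lib.escapeRegex` so the hostname is matched literally; the four entries in the rule list then become `map hostRule [ "liam" "triple-dezert" "prophecy" "solis" ]` spliced in with `++`. The enclosing `let` starts before the first hunk and the rule list continues past the last line shown.
```nix
hostRule = name: {
  path_regex = "/secrets/hosts/${lib.escapeRegex name}\\.yaml$";
  key_groups = singleGroup (userKeysAge ++ agesOf name);
};
# … unchanged: testAgeSecret / testAgePublic and the leading rules …
# in the creation_rules list, in place of the four host entries:
# ++ map hostRule [ "liam" "triple-dezert" "prophecy" "solis" ]
```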


@@ -1,15 +1,15 @@
{ inputs, pkgs, ... }: { inputs, pkgs, vacuModules, ... }:
{ {
imports = [ imports = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd inputs.nixos-hardware.nixosModules.framework-16-7040-amd
../tf2 "${inputs.self}/tf2"
vacuModules.sops
./apex.nix ./apex.nix
./android.nix ./android.nix
./thunderbolt.nix ./thunderbolt.nix
./fwupd.nix ./fwupd.nix
./zfs.nix ./zfs.nix
./virtualbox.nix ./virtualbox.nix
./sops.nix
./radicle.nix ./radicle.nix
./tpm-fido.nix ./tpm-fido.nix
./podman.nix ./podman.nix


@@ -1,7 +1,7 @@
{ config, ... }: { config, ... }:
{ {
sops.secrets.radicle-key = { sops.secrets.radicle-key = {
sopsFile = ../secrets/radicle-private.key; sopsFile = "${config.vacu.sops.secretsPath}/radicle-private.key";
format = "binary"; # its actually an openssh private key which is kinda plaintext, but there is no plaintext option and treating it as opaque binary works fine format = "binary"; # its actually an openssh private key which is kinda plaintext, but there is no plaintext option and treating it as opaque binary works fine
}; };
services.radicle = { services.radicle = {
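Review bot: `config.vacu.sops.secretsPath` on the new `sopsFile` line does not match the option the new `modules/sops/module.nix` declares, which is `vacu.sops.secretsFolder`; unless `secretsPath` is declared in a file not shown here, evaluating this host fails with a missing-attribute error. The garage hunk (`sopsFile = "${config.vacu.sops.secretsPath}/garage-rpc.key"`) has the same mismatch. Either rename the option or change both references, e.g. `sopsFile = "${config.vacu.sops.secretsFolder}/radicle-private.key";`. The `services.radicle` block continues past the hunk.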


@@ -1,20 +0,0 @@
{
inputs,
lib,
config,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
defaultText = "<nix-stuff>/secrets";
};
config = {
# sops.defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
}


@@ -1,21 +1,12 @@
{ {
inputs,
lib,
config, config,
vacuModules,
... ...
}: }:
{ {
imports = [ inputs.sops-nix.nixosModules.sops ]; imports = [ vacuModules.sops ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
defaultText = "<nix-stuff>/secrets";
};
config.sops = { config.sops = {
defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets.dovecot-passwd = { secrets.dovecot-passwd = {
restartUnits = [ "dovecot2.service" ]; restartUnits = [ "dovecot2.service" ];
}; };
@@ -28,6 +19,5 @@
restartUnits = [ "postfix.service" ]; restartUnits = [ "postfix.service" ];
owner = config.services.postfix.user; owner = config.services.postfix.user;
}; };
gnupg.sshKeyPaths = [ ]; # explicitly empty to disable gnupg; I don't use it and it takes up space on minimal configs
}; };
} }
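Review bot: With the explicit `defaultSopsFile` dropped, the `dovecot-passwd` and postfix secrets in this file now resolve through the sops module's `mkDefault`, i.e. `secrets/hosts/${config.vacu.hostname}.yaml`, so the file depends on `config.vacu.hostname` naming the host whose renamed secrets file actually holds those keys; nothing here records that. A one-line comment above `config.sops`, `# secrets are read from secrets/hosts/<hostname>.yaml, set by vacuModules.sops`, would make the dependency visible to the next reader. The first hunk ends inside the `config.sops` attribute set, which continues into the second hunk.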


@@ -1,13 +1,13 @@
{ ... }: { vacuModules, ... }:
{ {
imports = [ imports = [
vacuModules.sops
./impermanence.nix ./impermanence.nix
./hardware.nix ./hardware.nix
./btrfs.nix ./btrfs.nix
./genieacs.nix ./genieacs.nix
./networking.nix ./networking.nix
./doof.nix ./doof.nix
./sops.nix
./gpu.nix ./gpu.nix
./propdata.nix ./propdata.nix
./silence.nix ./silence.nix


@@ -1,20 +0,0 @@
{
inputs,
lib,
config,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
defaultText = "<nix-stuff>/secrets";
};
config.sops = {
defaultSopsFile = config.vacu.secretsFolder + "/prophecy/main.yaml";
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
}


@@ -1,14 +1,15 @@
{ {
vaculib, vaculib,
vacuModules,
... ...
}: }:
{ {
imports = [ imports = [
vacuModules.sops
./disko.nix ./disko.nix
./impermanence.nix ./impermanence.nix
./hardware.nix ./hardware.nix
./garage.nix ./garage.nix
./sops.nix
./caddy.nix ./caddy.nix
]; ];
options.vacu.this = vaculib.mkOutOptions { options.vacu.this = vaculib.mkOutOptions {


@@ -1,14 +0,0 @@
{
inputs,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
config = {
sops.defaultSopsFile = ../secrets/solis.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
}


@@ -2,10 +2,12 @@
config, config,
pkgs, pkgs,
lib, lib,
vacuModules,
... ...
}: }:
{ {
imports = [ imports = [
vacuModules.sops
./hardware-configuration.nix ./hardware-configuration.nix
./awootrip.nix ./awootrip.nix
./database.nix ./database.nix
@@ -15,7 +17,6 @@
./yt-archiver.nix ./yt-archiver.nix
./proxied ./proxied
./gallerygrab.nix ./gallerygrab.nix
./sops.nix
# ./disko.nix # ./disko.nix
./docker.nix ./docker.nix
./dovecot-backup.nix ./dovecot-backup.nix


@@ -1,21 +0,0 @@
{
inputs,
config,
lib,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
defaultText = "<nix-stuff>/secrets";
};
config = {
sops.defaultSopsFile = config.vacu.secretsFolder + "/triple-dezert/main.yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# sops.secrets.vacustore_smtp_key = {};
};
}


@@ -50,7 +50,7 @@ in
}; };
sops.secrets.garageRpcKey = { sops.secrets.garageRpcKey = {
owner = "garage"; owner = "garage";
sopsFile = ../../secrets/garage-rpc.key; sopsFile = "${config.vacu.sops.secretsPath}/garage-rpc.key";
format = "binary"; format = "binary";
restartUnits = [ "garage.service" ]; restartUnits = [ "garage.service" ];
}; };

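--- /dev/null
+++ b/modules/sops/module.nix
@@ -0,0 +1,31 @@
+{
+config,
+lib,
+inputs,
+...
+}:
+let
+inherit (lib) mkOption types;
+cfg = config.vacu.sops;
+in
+{
+imports = [ inputs.sops-nix.nixosModules.sops ];
+options.vacu.sops = {
+enable = mkOption {
+type = types.bool;
+default = true;
+};
+secretsFolder = mkOption {
+type = types.path;
+default = "${inputs.self}/secrets";
+defaultText = "<nix-stuff>/secrets";
+};
+};
+config = lib.mkIf cfg.enable {
+sops = {
+defaultSopsFile = lib.mkDefault (cfg.secretsFolder + "/hosts/${config.vacu.hostname}.yaml");
+age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+gnupg.sshKeyPaths = [ ]; # explicitly empty to disable gnupg; I don't use it and it takes up space on minimal configs
+};
+};
+}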
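Review bot: Neither `enable` nor `secretsFolder` carries a `description`, so the new options are blank in generated option docs and `nixos-option`; `enable = lib.mkEnableOption "sops-nix secret provisioning" // { default = true; };` and `description = "Directory holding the sops-encrypted secrets; hosts/<hostname>.yaml under it is the default sops file.";` on `secretsFolder` would fix that. The module also makes `/etc/ssh/ssh_host_ed25519_key` the only decryption key for every host: on the hosts that import impermanence that key has to live on persistent storage, and its age form has to be in the matching `agesOf` key group of the creation rules, otherwise the host regenerates a key at boot and can decrypt nothing; a comment on the `age.sshKeyPaths` line naming both requirements would save a debugging session later. `secretsFolder` defaults to a string while its type is `types.path`; that is accepted for absolute paths, but worth a comment since `cfg.secretsFolder + "/hosts/..."` relies on string concatenation.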


@@ -2,13 +2,14 @@
pkgs, pkgs,
config, config,
lib, lib,
inputs,
... ...
}: }:
let let
pythEscape = x: builtins.replaceStrings [ ''"'' "\n" "\\" ] [ ''\"'' "\\n" "\\\\" ] x; pythEscape = x: builtins.replaceStrings [ ''"'' "\n" "\\" ] [ ''\"'' "\\n" "\\\\" ] x;
pythonScript = builtins.replaceStrings [ "@sops@" "@dns_secrets_file@" "@data@" ] (map pythEscape [ pythonScript = builtins.replaceStrings [ "@sops@" "@dns_secrets_file@" "@data@" ] (map pythEscape [
(lib.getExe config.vacu.wrappedSops) (lib.getExe config.vacu.wrappedSops)
(builtins.toString ../../secrets/misc/cloudns.json) "${inputs.self}/secrets/misc/cloudns.json"
(builtins.toJSON config.vacu.dns) (builtins.toJSON config.vacu.dns)
]) (builtins.readFile ./script.py); ]) (builtins.readFile ./script.py);
libraries = with pkgs.python3Packages; [ libraries = with pkgs.python3Packages; [
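Review bot: The cloudns.json location on the rewritten line is hard-coded to `"${inputs.self}/secrets/misc/cloudns.json"` instead of being derived from the `vacu.sops.secretsFolder` option this commit introduces, so overriding that option relocates the per-host sops files but not this one; the `update-git-keys` hunk does the same with `git-keys.json`. If the option is meant to be the single source of truth, `"${config.vacu.sops.secretsFolder}/misc/cloudns.json"` keeps them together (`config` is already a parameter here and in update-git-keys); if `secrets/misc` is intentionally fixed, a comment saying so on this line would stop the next reader from wondering. The `let` block continues past the hunk.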


@@ -3,12 +3,13 @@
writers, writers,
curl, curl,
lib, lib,
inputs,
... ...
}: }:
writers.writeBashBin "update-git-keys" '' writers.writeBashBin "update-git-keys" ''
set -xev set -xev
domain="$1" domain="$1"
api_key="$(${lib.getExe config.vacu.wrappedSops} --extract '["'$domain'"]' -d ${../secrets/misc/git-keys.json})" api_key="$(${lib.getExe config.vacu.wrappedSops} --extract '["'$domain'"]' -d ${"${inputs.self}/secrets/misc/git-keys.json"})"
if [ $domain = github.com ]; then if [ $domain = github.com ]; then
url_base="https://api.github.com" url_base="https://api.github.com"
elif [ $domain = gitlab.com ]; then elif [ $domain = gitlab.com ]; then
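Review bot: The rewritten `api_key=` line assigns the decrypted key while `set -xev` above it is in effect, so bash traces the assignment with the expanded value and the API key lands on stderr, and in any journal or CI log that captures it. Surrounding the assignment with `set +x` / `set -x`, or dropping `-x` from `set -xev`, keeps the secret out of the trace. `$domain` is also unquoted inside the `--extract` selector on that line; `--extract "[\"$domain\"]"` quotes it so a value containing spaces or glob characters cannot split the argument. The script body continues past the hunk.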