reorganize secrets and stuff

Shelvacu
2025-08-22 14:01:09 -07:00
committed by Shelvacu on fw
parent 2fddd494ea
commit 29334bd8fe
19 changed files with 52 additions and 109 deletions


@@ -6,7 +6,6 @@
...
}:
let
inherit (builtins) head;
ssh-to-age = lib.getExe pkgs.ssh-to-age;
sshToAge =
sshPubText:
@@ -17,12 +16,6 @@ let
userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
userKeysAge = map sshToAge userKeys;
agesOf = hostname: map sshToAge config.vacu.hosts.${hostname}.sshKeys;
# liamKey = head config.vacu.hosts.liam.sshKeys;
# liamKeyAge = sshToAge liamKey;
# tripKey = head config.vacu.hosts.triple-dezert.sshKeys;
# tripKeyAge = sshToAge tripKey;
# propKey = head config.vacu.hosts.prophecy.sshKeys;
# propKeyAge = sshToAge propKey;
singleGroup = keys: [ { age = keys; } ];
testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
testAgePublic = vaculib.outputOf {
@@ -36,19 +29,19 @@ let
key_groups = singleGroup userKeysAge;
}
{
path_regex = "/secrets/liam/[^/]+$";
path_regex = "/secrets/hosts/liam\\.yaml$";
key_groups = singleGroup (userKeysAge ++ agesOf "liam");
}
{
path_regex = "/secrets/triple-dezert/[^/]+$";
path_regex = "/secrets/hosts/triple-dezert\\.yaml$";
key_groups = singleGroup (userKeysAge ++ agesOf "triple-dezert");
}
{
path_regex = "/secrets/prophecy/[^/]+$";
path_regex = "/secrets/hosts/prophecy\\.yaml$";
key_groups = singleGroup (userKeysAge ++ agesOf "prophecy");
}
{
path_regex = "/secrets/solis\\.yaml$";
path_regex = "/secrets/hosts/solis\\.yaml$";
key_groups = singleGroup (userKeysAge ++ agesOf "solis");
}
{
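Review bot: The narrowed `path_regex` values (`/secrets/hosts/liam\\.yaml$` and the three sibling rules) match only the per-host YAML, whereas the old `/secrets/liam/[^/]+$` form covered every file in that host's directory; the binary files this commit references elsewhere as `${config.vacu.sops.secretsPath}/radicle-private.key` and `garage-rpc.key` therefore need a rule of their own, which must be in the part of the list that continues after the hunk (the trailing `{` opens the next rule). Worth confirming that each encrypted file under `secrets/` still matches exactly one rule, since sops refuses to encrypt a file with no matching creation rule, and an over-broad rule would hand additional host keys access to it. The `creation_rules` list begins before and ends after this hunk.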


@@ -1,15 +1,15 @@
{ inputs, pkgs, ... }:
{ inputs, pkgs, vacuModules, ... }:
{
imports = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
../tf2
"${inputs.self}/tf2"
vacuModules.sops
./apex.nix
./android.nix
./thunderbolt.nix
./fwupd.nix
./zfs.nix
./virtualbox.nix
./sops.nix
./radicle.nix
./tpm-fido.nix
./podman.nix


@@ -1,7 +1,7 @@
{ config, ... }:
{
sops.secrets.radicle-key = {
sopsFile = ../secrets/radicle-private.key;
sopsFile = "${config.vacu.sops.secretsPath}/radicle-private.key";
format = "binary"; # its actually an openssh private key which is kinda plaintext, but there is no plaintext option and treating it as opaque binary works fine
};
services.radicle = {
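Review bot: `config.vacu.sops.secretsPath` on the new `sopsFile` line does not match the option this commit declares in `modules/sops/module.nix`, which is `vacu.sops.secretsFolder`; unless `secretsPath` is defined somewhere outside this diff, evaluation fails with a missing-attribute error on the first host that imports this file. The same spelling is used for the garage key in the later hunk, `sopsFile = "${config.vacu.sops.secretsPath}/garage-rpc.key";`. Either write `sopsFile = "${config.vacu.sops.secretsFolder}/radicle-private.key";` in both places or add `secretsPath` to the module so there is one canonical name. The enclosing attribute set continues past the hunk.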


@@ -1,20 +0,0 @@
{
inputs,
lib,
config,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
defaultText = "<nix-stuff>/secrets";
};
config = {
# sops.defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
}


@@ -1,21 +1,12 @@
{
inputs,
lib,
config,
vacuModules,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
defaultText = "<nix-stuff>/secrets";
};
imports = [ vacuModules.sops ];
config.sops = {
defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets.dovecot-passwd = {
restartUnits = [ "dovecot2.service" ];
};
@@ -28,6 +19,5 @@
restartUnits = [ "postfix.service" ];
owner = config.services.postfix.user;
};
gnupg.sshKeyPaths = [ ]; # explicitly empty to disable gnupg; I don't use it and it takes up space on minimal configs
};
}
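Review bot: It is not recoverable from the rendered page whether `defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";` survives on the new side, but the option it reads, `vacu.secretsFolder`, is deleted in this same hunk and the new module declares `vacu.sops.secretsFolder` instead, so if the line stays it no longer evaluates. If it was dropped, this host now relies on the module's `mkDefault` of `secretsFolder + "/hosts/${config.vacu.hostname}.yaml"`, which only lines up with the `.sops.yaml` rule `/secrets/hosts/liam\\.yaml$` when `config.vacu.hostname` is `"liam"`; a comment such as `# defaultSopsFile comes from vacuModules.sops: secrets/hosts/<hostname>.yaml` would make that dependency visible. Both hunks sit inside the `config.sops` attribute set, which spans them.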


@@ -1,13 +1,13 @@
{ ... }:
{ vacuModules, ... }:
{
imports = [
vacuModules.sops
./impermanence.nix
./hardware.nix
./btrfs.nix
./genieacs.nix
./networking.nix
./doof.nix
./sops.nix
./gpu.nix
./propdata.nix
./silence.nix


@@ -1,20 +0,0 @@
{
inputs,
lib,
config,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
defaultText = "<nix-stuff>/secrets";
};
config.sops = {
defaultSopsFile = config.vacu.secretsFolder + "/prophecy/main.yaml";
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
}


@@ -1,14 +1,15 @@
{
vaculib,
vacuModules,
...
}:
{
imports = [
vacuModules.sops
./disko.nix
./impermanence.nix
./hardware.nix
./garage.nix
./sops.nix
./caddy.nix
];
options.vacu.this = vaculib.mkOutOptions {


@@ -1,14 +0,0 @@
{
inputs,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
config = {
sops.defaultSopsFile = ../secrets/solis.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
}


@@ -2,10 +2,12 @@
config,
pkgs,
lib,
vacuModules,
...
}:
{
imports = [
vacuModules.sops
./hardware-configuration.nix
./awootrip.nix
./database.nix
@@ -15,7 +17,6 @@
./yt-archiver.nix
./proxied
./gallerygrab.nix
./sops.nix
# ./disko.nix
./docker.nix
./dovecot-backup.nix


@@ -1,21 +0,0 @@
{
inputs,
config,
lib,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
defaultText = "<nix-stuff>/secrets";
};
config = {
sops.defaultSopsFile = config.vacu.secretsFolder + "/triple-dezert/main.yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# sops.secrets.vacustore_smtp_key = {};
};
}

View File

@@ -50,7 +50,7 @@ in
};
sops.secrets.garageRpcKey = {
owner = "garage";
sopsFile = ../../secrets/garage-rpc.key;
sopsFile = "${config.vacu.sops.secretsPath}/garage-rpc.key";
format = "binary";
restartUnits = [ "garage.service" ];
};

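--- /dev/null
+++ b/modules/sops/module.nix
@@ -0,0 +1,31 @@
+{
+config,
+lib,
+inputs,
+...
+}:
+let
+inherit (lib) mkOption types;
+cfg = config.vacu.sops;
+in
+{
+imports = [ inputs.sops-nix.nixosModules.sops ];
+options.vacu.sops = {
+enable = mkOption {
+type = types.bool;
+default = true;
+};
+secretsFolder = mkOption {
+type = types.path;
+default = "${inputs.self}/secrets";
+defaultText = "<nix-stuff>/secrets";
+};
+};
+config = lib.mkIf cfg.enable {
+sops = {
+defaultSopsFile = lib.mkDefault (cfg.secretsFolder + "/hosts/${config.vacu.hostname}.yaml");
+age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+gnupg.sshKeyPaths = [ ]; # explicitly empty to disable gnupg; I don't use it and it takes up space on minimal configs
+};
+};
+}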
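Review bot: `enable` defaults to `true` and gates only the `config` block, while `imports = [ inputs.sops-nix.nixosModules.sops ]` is unconditional, so `vacu.sops.enable = false` still loads sops-nix and merely drops the default file, the age key path and the gnupg override; if the intent is to switch sops off entirely, that is not what the option does, and a `description` on `enable` should say what it actually controls. Neither option has a `description`, and `defaultSopsFile` silently depends on `config.vacu.hostname` matching a file name under `secrets/hosts/`, which nothing here checks. Because `secretsFolder` defaults to `"${inputs.self}/secrets"`, the whole directory is copied into the world-readable Nix store, so only sops-encrypted content belongs there; a comment on the option such as `# every file in here ends up in /nix/store — only sops-encrypted files belong in this folder` records the assumption the rest of the commit relies on.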


@@ -2,13 +2,14 @@
pkgs,
config,
lib,
inputs,
...
}:
let
pythEscape = x: builtins.replaceStrings [ ''"'' "\n" "\\" ] [ ''\"'' "\\n" "\\\\" ] x;
pythonScript = builtins.replaceStrings [ "@sops@" "@dns_secrets_file@" "@data@" ] (map pythEscape [
(lib.getExe config.vacu.wrappedSops)
(builtins.toString ../../secrets/misc/cloudns.json)
"${inputs.self}/secrets/misc/cloudns.json"
(builtins.toJSON config.vacu.dns)
]) (builtins.readFile ./script.py);
libraries = with pkgs.python3Packages; [
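Review bot: The new `"${inputs.self}/secrets/misc/cloudns.json"` hard-codes the secrets location instead of going through the `vacu.sops.secretsFolder` option this commit introduces, so a host that overrides `secretsFolder` still has this script decrypt the copy inside `inputs.self`; `"${config.vacu.sops.secretsFolder}/misc/cloudns.json"` keeps the two in step, and `config` is already a parameter of this file. The same applies to `git-keys.json` in the update-git-keys hunk. The `let` block continues past the hunk.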


@@ -3,12 +3,13 @@
writers,
curl,
lib,
inputs,
...
}:
writers.writeBashBin "update-git-keys" ''
set -xev
domain="$1"
api_key="$(${lib.getExe config.vacu.wrappedSops} --extract '["'$domain'"]' -d ${../secrets/misc/git-keys.json})"
api_key="$(${lib.getExe config.vacu.wrappedSops} --extract '["'$domain'"]' -d ${"${inputs.self}/secrets/misc/git-keys.json"})"
if [ $domain = github.com ]; then
url_base="https://api.github.com"
elif [ $domain = gitlab.com ]; then
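Review bot: The rewritten `api_key=` line runs under `set -xev` (a few lines above in the hunk), and with `-x` bash prints each command after expansion, so the decrypted key is echoed to stderr as `+ api_key=…` on every run and ends up in the terminal scrollback or the journal. Drop `-x`, or wrap that one assignment in `set +x` / `set -x`. Separately, `$domain` is unquoted in `'["'$domain'"]'` and in the `[ $domain = github.com ]` tests; `"[\"$domain\"]"` and `[ "$domain" = github.com ]` avoid word-splitting on an unexpected argument. The script body continues past the hunk.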