Merge branch 'master' of git.uninsane.org:shelvacu/nix-stuff

Shelvacu
2025-01-25 02:11:22 -08:00
committed by Shelvacu on legtop
8 changed files with 234 additions and 27 deletions


@@ -6,37 +6,75 @@
...
}:
let
userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
liamKey = config.vacu.ssh.knownHosts.liam.publicKey;
ssh-to-age = lib.getExe pkgs.ssh-to-age;
sopsConfig =
pkgs.runCommand "sops.yaml" { env.sshUserKeys = lib.concatStringsSep "\n" userKeys; }
''
set -e
liamKey="$(echo "${liamKey}" | ${ssh-to-age})"
declare -a userKeys
mapfile -t userKeys < <(echo "$sshUserKeys" | ${ssh-to-age})
declare -p userKeys
cat <<END >> $out
creation_rules:
- path_regex: secrets/misc/[^/]+$
key_groups:
- age: [$(printf '"%s", ' "''${userKeys[@]}")]
- path_regex: secrets/liam/[^/]+$
key_groups:
- age: ["$liamKey",$(printf '"%s", ' "''${userKeys[@]}")]
- path_regex: /tests/test_secrets/
key_groups:
- age: ["age1eqv5759uknu7d46rqyyzsmgt43qumsge3makeWrapp3yp2xygapprnt8zu3sqx6kt8w"]
END
'';
dumbDeriv = { allowSubstitutes = false; preferLocalBuild = true; };
sshToAgeDeriv = sshPubText: pkgs.runCommand "age.nix" dumbDeriv ''
age_key="$(echo ${lib.escapeShellArg sshPubText} | ${ssh-to-age})"
cat <<END > $out
"$age_key"
END
'';
sshToAge = sshPubText: import (sshToAgeDeriv sshPubText);
userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
userKeysAge = map sshToAge userKeys;
liamKey = config.vacu.ssh.knownHosts.liam.publicKey;
liamKeyAge = sshToAge liamKey;
singleGroup = keys: [ { age = keys; } ];
testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
testAgePublic = import (pkgs.runCommand "test-age-public-key.nix" dumbDeriv ''
pubKey="$(echo ${lib.escapeShellArg testAgeSecret} | ${pkgs.age}/bin/age-keygen -y)"
cat <<END > $out
"$pubkey"
END
'');
sopsConfig = {
creation_rules = [
{
path_regex = "/secrets/misc/[^/]+$";
key_groups = singleGroup userKeysAge;
}
{
path_regex = "/secrets/liam/[^/]+$";
key_groups = singleGroup (userKeysAge ++ [ liamKeyAge ]);
}
{
path_regex = "/secrets/radicle-private.key$";
key_groups = singleGroup (userKeysAge ++ [ (sshToAge config.vacu.ssh.knownHosts.fw.publicKey) ]);
}
{
path_regex = "/tests/test_secrets/";
key_groups = singleGroup [ testAgePublic ];
}
];
};
sopsConfigFile = pkgs.writers.writeYAML "sops.yaml" sopsConfig;
# sopsConfig =
# pkgs.runCommand "sops.yaml" { env.sshUserKeys = lib.concatStringsSep "\n" userKeys; }
# ''
# set -e
# liamKey="$(echo "${liamKey}" | ${ssh-to-age})"
# declare -a userKeys
# mapfile -t userKeys < <(echo "$sshUserKeys" | ${ssh-to-age})
# declare -p userKeys
# cat <<END >> $out
# creation_rules:
# - path_regex: secrets/misc/[^/]+$
# key_groups:
# - age: [$(printf '"%s", ' "''${userKeys[@]}")]
# - path_regex: secrets/liam/[^/]+$
# key_groups:
# - age: ["$liamKey",$(printf '"%s", ' "''${userKeys[@]}")]
# - path_regex: /tests/test_secrets/
# key_groups:
# - age: ["age1eqv5759uknu7d46rqyyzsmgt43qumsge3makeWrapp3yp2xygapprnt8zu3sqx6kt8w"]
# END
# '';
wrappedSops = vaculib.makeWrapper {
original = lib.getExe pkgs.sops;
new = "vacu-nix-stuff-sops";
add_flags = [
"--config"
sopsConfig
sopsConfigFile
];
run = lib.singleton ''
set -e
@@ -49,6 +87,6 @@ let
};
in
{
options.vacu.sopsConfig = vaculib.mkOutOption sopsConfig;
options.vacu.sopsConfigFile = vaculib.mkOutOption sopsConfigFile;
options.vacu.wrappedSops = vaculib.mkOutOption wrappedSops;
}
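Review bot: The heredoc in the test-age-public-key.nix derivation writes `"$pubkey"` while the variable assigned two lines above it is `pubKey`; shell parameter names are case-sensitive, so the generated file contains `""` and `testAgePublic`, and with it the `/tests/test_secrets/` key group, becomes an empty string rather than an age recipient. The line should read `"$pubKey"`. The commented-out former `sopsConfig` runCommand block kept below `sopsConfigFile` only duplicates what git history already records and could be dropped now that the YAML writer replaces it. The `let` block this hunk edits continues past the end of the first hunk (the `run` script of `wrappedSops` is cut off), so the remainder of that definition was not reviewed.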


@@ -215,7 +215,7 @@
shel-installer = mkNixosConfig { module = ./installer.nix; };
fw = mkNixosConfig {
module = ./fw;
inp = [ "nixos-hardware" ];
inp = [ "nixos-hardware" "sops-nix" ];
};
legtop = mkNixosConfig {
module = ./legtop;
@@ -436,7 +436,7 @@
update-git-keys = pkgs-stable.callPackage ./scripts/update-git-keys.nix {
inherit (plain) config;
};
sopsConfig = plain.config.vacu.sopsConfig;
sopsConfig = plain.config.vacu.sopsConfigFile;
wrappedSops = plain.config.vacu.wrappedSops;
dns = import ./scripts/dns {
inherit pkgs lib inputs;


@@ -12,6 +12,8 @@
./fwupd.nix
./zfs.nix
./virtualbox.nix
./sops.nix
./radicle.nix
];
vacu.hostName = "fw";
@@ -76,6 +78,12 @@
flac
imagemagickBig
anki
openshot-qt
kdePackages.kdenlive
shotcut
radicle-node
josm
merkaartor
])
++ [ inputs.self.packages.${pkgs.system}.sm64coopdx ];

19
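--- a/fw/radicle.nix
+++ b/fw/radicle.nix
@@ -0,0 +1,19 @@
+{
+config,
+...
+}:
+{
+sops.secrets.radicle-key = {
+sopsFile = ../secrets/radicle-private.key;
+format = "binary"; #its actually an openssh private key which is kinda plaintext, but there is no plaintext option and treating it as opaque binary works fine
+};
+services.radicle = {
+enable = false;
+publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2HqXfjT4vPEqqM5Pty7EuswzeO80IgG6MtCvDAqOkD";
+privateKeyFile = config.sops.secrets.radicle-key.path;
+settings = {
+node.alias = "shelvacu-fw";
+seedingPolicy.default = "block";
+};
+};
+}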
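Review bot: `sops.secrets.radicle-key` is declared unconditionally while `services.radicle.enable = false`, so sops-nix will decrypt the radicle private key onto the host at every activation even though nothing consumes it; gating the secret on the service, `sops.secrets.radicle-key = lib.mkIf config.services.radicle.enable { … };`, keeps the key off disk until the node is actually turned on (this module's argument set would need `lib` added for that). The declaration also sets no `owner`/`group`/`mode`, so the decrypted file gets sops-nix's defaults; whether the radicle service can read it then depends on how the nixpkgs module hands `privateKeyFile` to the unit, which is worth confirming before flipping `enable` to true. The trailing `#its actually an openssh private key …` comment would read more easily on its own line above `format`, with a space after `#`.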

19
fw/sops.nix Normal file

@@ -0,0 +1,19 @@
{
inputs,
lib,
config,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
};
config = {
# sops.defaultSopsFile = config.vacu.secretsFolder + "/liam/main.yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
}
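Review bot: `options.vacu.secretsFolder` is declared but never read — its only intended consumer, the `sops.defaultSopsFile` line, is commented out, and fw/radicle.nix in the same commit points `sopsFile` at `../secrets` directly instead of at this option. Either wire it through, e.g. `sopsFile = config.vacu.secretsFolder + "/radicle-private.key";` in fw/radicle.nix, or drop the option until something uses it. The option also has no `description`; something like `description = "Directory holding this repository's sops-encrypted secrets.";` makes the generated options documentation useful. `sops.age.sshKeyPaths` pinning the host ed25519 key lines up with the new `/secrets/radicle-private.key$` creation rule that adds the fw host key as a recipient, so decryption on fw should work as intended.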


@@ -0,0 +1,60 @@
{
"data": "ENC[AES256_GCM,data:1AZGyo4sBRuwljs/4mbUH3AkB0Rih7SuTn+X31ptGUjMeScKqjcDBRRCIkDiyDRUhr887MkFWcKqA/951nE05ScvlVBOLjv6DoUnuo1wSRTnbQKJfvxqrzPPvHNqZNiJktc5Yfrqz1K+EBpt50gojuBGHyshbV9d0U7owdkm/JnstzUfXPYkPRwCgIKcdYo+1N/NknnBjE9i30z9fMdJZ8J+dkDVSV6ig1UeitoGBD3beg9QdKwFezA+B0+3sm1iKI8bVfdvq5I/xTMYxTPd7bkz7zKqjf+aq9iOcdsXzfkZaUoqzqTIokB3VdNUe7X/lhbtMOouyyUprNrG/xlL4UHkeRRRVMvUZsYukQq6SkyyCKORYwC+YOCgUsSMpkJBfqAdGGDs4dck7e+myRW2B3I2AqJuSV50dfLIZ5ZxJuDTooFL77tVJ+weOekdIf2vPAVNlSUOASlh1HJmpImedh+AKUtRZil4PbpaGaNofVy6OQa+V4sZR19cfWyMjdH1Ac/2TbEE33PhuHKmrSxu,iv:z+xGBa05A5agXOSt+dO0lMTiVpoLAL86O1kmDy+iVPs=,tag:2+DUbHv9/Lx9P9GznT463A==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0OXI4SVhtUmh3WDNSSXRS\nODhUQWk5Ly9nTkVyS0VlNkNmOGJtTXRyRldvCjluY1NwajBrTmJWTWRQblZidHdu\nbFM4dUY5V2FWVkVER1BTbmZOL2liaUEKLS0tIHh1dVdqRzFOODFPbVNxVis5ZEp1\nMGNjKzJaY1NNMStjZFh1UnJQVzV2YTAKgvYRIOkDWiXb+QGbIZWc9lLCOOyJ3hpR\nF25XLASe6qaWGZz5Icl0NEmg97aA/8OId5qSdR+OO3fZFWx/a56gVQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFd3l0KzFIMzRIT1JsWTh4\nS2R3ZzVGQjJubHZ2aDJTam45SEJQQUVpUlh3CjQrUUlZUVdxVlBwZUFUa0xJQ054\naUUvcEk4QjBTQ3VUNmN1MUlGK1pRSDAKLS0tIGhsS2R0TjNEMXBOZDZEOG8yanZK\na3NCdkRqT2hFM1EyNllmU0NGY0hjMUUKxKRU8/MN4w3EL9OT/rijqoT1oZHy1oJe\nuZodDbwjyIZJW9kNOxRj8ENahQQ8pmnc2c51W59voS9mjLSitbmrtw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSm5xczl5bHJoUW5MZVUw\nYk9TWENWUDgxKzRFdHIwWUZpUDM2VXpKTXk0CmFYaW9YTUhhUmx1NkV1RUNvWndw\nOHlnZWRZRGxXYm5sM0tSTmtxbE56bncKLS0tIGFydERjdmlVai8xQmxXK2VMOVRN\nQUdQTisxZE50elZkMG5vRWE5Yyt2bE0KyQdDYbAe+Qgw++gyxxqVh3u762u4Oz9P\n2QQ0vtbPWK2d2DDZ+kzSFJSTwiB4pK8lpnRgcxeGqftWLin9xs8sig==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2RzBTOE5KUkVyTVlLajdG\nQ2JzRSs1ZHZlY3VFWkFqMHdQQk5pWnB4QjE4CjNxZEtISDlVMmVVaEVtc3cyb25i\naE1Sbk93M0x4MjhTVC9Ta3lCbnlUQ00KLS0tIHBWVkdZRmNWeWVjS3M0QjByQlUz\nREJ5ZXNodlQxWFRMYzVaYjlmb0VsWG8KDOVV0tB7kaDlJ1Okfa+31zHbJ4XroL0z\nfaXqy5d59u3RFjpPKNxLmB6NrHCXKr17Y8CzZ+aDvBTSIKWKho+qAA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1vla9w33lsp03s46p9p6gc2mvr844vthdqhc2hzau2ph6h60gmyqqh9sf57",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtVXgvU0hoOG9NLzB2SWVn\nckZ2VzNVL0JOZFFraTkyNHgzei9UYUd2cFFzClRnSExTZW5rRjMwSnRvdStIcHc1\nNHpPcmg0Tko5UTBGd1RDYStheU8xcFkKLS0tIGY4dXpBYnF6aWtWZ2x3WXAwbzFz\nTnMvT3lTU0ZuS0NrclU2RERsbXlmWmcKQzwjWgWNC6+jQ21ns079Rv6yrdQ3SpGm\nnP+Hh8tU4b0bnCKwlmAPR69Gz3AP6KfDHnT96yrI5fgnk7ADxPF/Xg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1jy8mxcndkw6zd6q99tjgz3gsynn78x2lwtrff85u6ud9g9y9z5mspvhufl",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDR2M4blIxYi8wRTRVUzls\nNGgvQlByOXdaRTZPeWt1Y1JjWXBJcDlVM0JNCldrVkxMRmc5Ujc5RysyamJhNkt0\nTmlVWms3Nk1paUJkOUFBckFjYzlvREEKLS0tIEVnZDFPenorSGFGS1NmVVh5M3hX\nNmlvQm13TVpOT29ONCtuZmRzNHg5bFEKM/HHqeXGrUHtDZdQ6pieUFNCEyCIwE7/\nwazdCA/m2DtPUrTIBC8YNrNYXiOfJNmzQPWyEmvLgiL/1guVHZJrAQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MTVXdDQwbmpkSi81NHNl\nTzh0VUQ5RDh4MXV6UmdkODhYVHBvMFZpR2hNCjZOb1AyL0FsVzRVd21zNk1EUnBl\nYmZpQjlYN285NWcrQ1lXbGxxcTVOVU0KLS0tIFg4RUQwV245YjhNTXdsVkc0VkNS\nWlFLN1Jic3pKNzBmOXl1YU1BcEtDWkUKCivry9k9ScbS+2Eq+AfaFA6QKZijThEc\nru5w0TA5q4WY2qPvPkUvqUWk/G49Zh7wZgPU7QNivLjvWMugQqjzZQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1y2gpd2k6yh06uxvg6e6xflqrprv40euur27ucgyp8xd24u0pkctsknc44f",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKRmhmSmgvWVF5Ri9lWFVI\neHBad1BkeU9CaFhOQ2xjbmd0b0lCVUpEN0ZNCnRhRDJCNHZqQk8zd2pUT21ZQ3U1\nVE1kRWdLTzRNYTdXRXZhQWcvMEdHUWcKLS0tIDY3aXV2YXhlSERjOEhINmViRXdq\nNW9xK0tmbUc5emR3NVVqemxmNHFjeGcKiqlTl2b4McNTnFCjMuCFpB9gNsKTF54O\nwOrT7cGbAzGJ+Wfzyg0AHiMfYCt0aiZYTzQQNwBdiQQqRrpviNFl/w==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OTJ4SUtnMldmWlV5S0RV\nY0ZXbkhrYjhPVFNlaDhXTXhkTVQvNGRFU0M4ClBKRUhYNXhwYTY2SEpocVNqam1K\nbGtXVElLZXJYcVZ5T0Rva3BrRXZhUGsKLS0tIDF6WWFiN3ZvQ3I3aTdRNnRhSmxo\nWlkrN3YyNXhNTDE4Q3lRWDZqYnBYK1UKyq9sttrSmTRs5kMCXAympRuSs9R4a3ff\nP7Y23GKpZyecDX9WlrInPZVdXMRXbpblv17ZAbNT4BAgcxCkq2Io4Q==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNkhacHdTNk9BT1kwRTIr\nNGlDL1ExMlQwOFBkL3hMU3ZsL2JyUW1UTWxzCnhpWFFqcmhtTDE2SWs5R01HdU1r\nQmp0VVNFdG9UWVREVE52bzZ4YkRRN0kKLS0tIEZmTUdQc1VPejA5R2hIWGxpUU9a\nZHlKQlY3Y2RpNCs1SFE3N0FPaDFzZWMKeAfCDiRxeDS0GRsqxP6y5xr3vLb0FbjY\nbfeHN4hIp8pBpjKRs/pRk6Gl6X0Zh2eicDAMpGfQ4ODuKUhcbmErNw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age17nfdtrwdtkk7rm43c0yyxc6xz7fag8gkxtvel2tuv69ugg9w0vvs3mur62",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1aFNqd3RBVS9QTmdNaS9K\nWk1BTkRFVm02aEliSG9TbGt4N3I2U3p5VGgwCnd1VElYSWZJNHFIbGhjMktwcEll\nQkphK1dGcytKZmV3dmJjZGRiOHAxVW8KLS0tIHUrb3NQTmJtNVNEamJ2azF3NGh3\nd2N2d0lnYTBtSmIrNHIzZWRzZGFCc0kKg8TpX30YfBlCJTy0/pIsN5tsheWrCmDI\nL2yTq9WdSogvv9DcLmVeWEut2v9xAC2s5FTO5i2Gq9la+VKPpKVbmA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-01-23T00:54:30Z",
"mac": "ENC[AES256_GCM,data:VAiYnA9OUK6yKHzEERnvQ0t2qCamiFGas42eBuecGWO0M1BXhuuH04qUrNsO8tJ6IIUrtfi4UJBQ3nE06SaqNgHOy7Z63SMmKm4lOZOr5DIE5qHNYKhT+dIU8BNHp/UX6G8H7o4I9a2v3Q8eg11sNn3q6kJ955DDBGJSt3PHHIc=,iv:nXfr3Nk8j4pAnJ7QkegeQPbI1XmRZiKcLAIH6Dnssrg=,tag:yvA7PMIjLuCGviIt4oGn5w==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}


@@ -14,6 +14,7 @@
./services/dufs.nix
./services/firefly.nix
./services/jobs.nix
./services/radicle.nix
];
vacu.proxiedServices = {
@@ -28,6 +29,7 @@
firefly.enable = true;
firefly-importer.enable = true;
jobs.enable = true;
radicle.enable = true;
keycloak.enable = false;
kanidm.enable = false;


@@ -0,0 +1,61 @@
{
...
}:
let
nodePort = 6794;
in
{
vacu.proxiedServices.rad = {
domain = "rad.shelvacu.com";
fromContainer = "rad";
port = 80;
forwardFor = true;
maxConnections = 100;
};
containers.rad = {
privateNetwork = true;
hostAddress = "192.168.100.36";
localAddress = "192.168.100.37";
autoStart = true;
ephemeral = false;
restartIfChanged = true;
forwardPorts = [{
hostPort = nodePort;
containerPort = nodePort;
}];
config =
{
lib,
...
}:
{
system.stateVersion = "24.11";
networking.firewall.enable = false;
networking.useHostResolvConf = lib.mkForce false;
services.resolved.enable = true;
services.radicle = {
enable = true;
# publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC2HqXfjT4vPEqqM5Pty7EuswzeO80IgG6MtCvDAqOkD";
# privateKeyFile = config.sops.secrets.radicle-key.path;
settings = {
node.alias = "trip-seeder";
node.externalAddresses = [
"rad.shelvacu.com:${toString nodePort}"
"powerhouse.shelvacu.com:${toString nodePort}"
];
seedingPolicy.default = "block";
};
httpd = {
enable = true;
listenPort = 80;
listenAddress = "[::]";
};
};
};
};
}
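Review bot: `networking.firewall.enable = false` switches off filtering for the whole container, while the only ports anything needs are the httpd on 80 and the node port forwarded from the host; `networking.firewall.allowedTCPPorts = [ 80 nodePort ];` with the firewall left enabled expresses the same intent with the served ports listed explicitly, and `nodePort` is already in scope from the outer `let`. With `privateNetwork = true` only the forwarded port is reachable from outside the host, so the exposure is limited to the host-side bridge, but the allow-list still documents what the container serves. The commented-out `privateKeyFile = config.sops.secrets.radicle-key.path;` references `config`, which is not in this inner module's argument set — if that line is ever restored it needs `config` added alongside `lib`. No persistent key is configured for this node, so its identity is presumably whatever the radicle module generates by default; confirm that is the intended behaviour for a seeder that advertises fixed `externalAddresses`.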