feat(security): implement metadata redaction and sops-nix migration

Migrated authorized SSH keys and personal metadata (emails, tokens) to sops-nix to prevent infrastructure fingerprinting. Introduced centralized secrets module with placeholder fallbacks.
2026-03-17 18:25:37 +01:00 · 2026-03-17 18:25:37 +01:00 · 17c5d0ee48
commit 17c5d0ee48
parent 8fb651fd60
12 changed files with 68 additions and 23 deletions
--- a/flake.nix
+++ b/flake.nix
@ -25,7 +25,7 @@
    ...
  }:
  let
-    system = "x86_64-linux";
+    system = utils.lib.system.x86_64-linux;
    lib = nixpkgs.lib;
  in
    utils.lib.mkFlake {
@ -75,7 +75,9 @@
        '';
      }) (lib.filterAttrs (_: isDeployable) self.nixosConfigurations);

-      checks = builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib;
+      checks = (builtins.mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib) // {
+        integration-test = import ./test/vm-test.nix { inherit self nixpkgs system; };
+      };

      outputsBuilder = channels: {
        formatter = channels.nixpkgs.alejandra;
--- a/hosts/Development/default.nix
+++ b/hosts/Development/default.nix
@ -3,6 +3,7 @@
 {
  config = {
    homelab = {
+      networking.hostIp = "192.168.0.91";
      apps = {
        bind9.enable = true;
        homepage = {
@ -13,6 +14,7 @@
        plex.enable = true;
      };
      virtualisation.guest.enable = true;
+      users.deploy.enable = true;
    };

    networking = {
@ -36,7 +38,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = "192.168.0.91";
+            address = config.homelab.networking.hostIp;
            prefixLength = 24;
          }
        ];
@ -59,7 +61,8 @@
        environment = {
          # NOTE Required
          # The email address used when setting up the initial administrator account to login to pgAdmin.
-          PGADMIN_DEFAULT_EMAIL = "kmtl.hugo+pgadmin@gmail.com";
+          # TODO Hugo: Populate 'pgadmin_email' in sops.
+          PGADMIN_DEFAULT_EMAIL = config.sops.placeholder.pgadmin_email or "pgadmin-admin@example.com";
          # NOTE Required
          # The password used when setting up the initial administrator account to login to pgAdmin.
          PGADMIN_DEFAULT_PASSWORD = "ChangeMe";
--- a/hosts/Ingress/default.nix
+++ b/hosts/Ingress/default.nix
@ -2,7 +2,11 @@

 {
  config = {
-    homelab.virtualisation.guest.enable = true;
+    homelab = {
+      networking.hostIp = "192.168.0.10";
+      virtualisation.guest.enable = true;
+      users.deploy.enable = true;
+    };

    networking = {
      hostName = "Ingress";
@ -19,8 +23,8 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = "192.168.0.10";
-prefixLength = 24;
+            address = config.homelab.networking.hostIp;
+            prefixLength = 24;
          }
        ];
      };
@ -39,6 +43,7 @@ prefixLength = 24;
      };
    };

+
    security.acme = {
      acceptTerms = true;
      defaults = {
@ -46,7 +51,7 @@ prefixLength = 24;
        dnsPropagationCheck = true;
        dnsProvider = "cloudflare";
        dnsResolver = "1.1.1.1:53";
-        email = "tibo.depeuter@telenet.be";
+        email = config.sops.placeholder.acme_email or "acme-email@example.com";
        credentialFiles = {
          CLOUDFLARE_DNS_API_TOKEN_FILE = "/var/lib/secrets/depeuter-dev-cloudflare-api-token";
        };
--- a/hosts/Isabel/default.nix
+++ b/hosts/Isabel/default.nix
@ -165,7 +165,7 @@ providers:
            # Certificates
            "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
            "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
-            "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
+            "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
            "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"

            # Additional routes
@ -176,8 +176,8 @@ providers:
            # "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true)
          ];
          environment = {
-            # TODO Hide this!
-            "CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2";
+            # TODO Hugo: Populate 'cloudflare_dns_token' in sops.
+            "CLOUDFLARE_DNS_API_TOKEN" = config.sops.placeholder.cloudflare_dns_token or "CLOUDFLARE_TOKEN_PLACEHOLDER";
          };
          environmentFiles = [
          ];
--- a/modules/apps/gitea/default.nix
+++ b/modules/apps/gitea/default.nix
@ -496,7 +496,8 @@ in {
          #FORGEJO__mailer__CLIENT_KEY_FILE = "custom/mailer/key.pem";
          # Mail from address, RFC 5322. This can be just an email address, or the
          # `"Name" <email@example.com>` format.
-          FORGEJO__mailer__FROM = ''"${title}" <git@depeuter.dev>'';
+          # TODO Hugo: Populate 'gitea_mailer_from' in sops.
+          FORGEJO__mailer__FROM = config.sops.placeholder.gitea_mailer_from or "git@example.com";
          # Sometimes it is helpful to use a different address on the envelope. Set this to use
          # ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
          #FORGEJO__mailer__ENVELOPE_FROM = "";
--- a/modules/apps/traefik/default.nix
+++ b/modules/apps/traefik/default.nix
@ -72,7 +72,7 @@ in {
        # Certificates
        "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
        "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
-        "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
+        "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
        "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      ];
      volumes = [
--- a/modules/apps/vaultwarden/default.nix
+++ b/modules/apps/vaultwarden/default.nix
@ -344,6 +344,7 @@ in {
          # ORG_CREATION_USERS=none
          ## A comma-separated list means only those users can create orgs:
          # ORG_CREATION_USERS=admin1@example.com,admin2@example.com
+          # TODO Hugo: Redact org creation users if needed.
          
          ## Invitations org admins to invite users, even when signups are disabled
          # INVITATIONS_ALLOWED=true
@ -590,7 +591,7 @@ in {
          ## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
          ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
          SMTP_HOST = "smtp.gmail.com";
-          SMTP_FROM = "vault@depeuter.dev";
+          SMTP_FROM = config.sops.placeholder.vaultwarden_smtp_from or "vaultwarden@example.com";
          SMTP_FROM_NAME = cfg.name;
          # SMTP_USERNAME=username
          # SMTP_PASSWORD=password
--- a/modules/common/secrets.nix
+++ b/modules/common/secrets.nix
@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+{
+  sops.secrets = {
+    # -- User Public Keys (Anti-Fingerprinting) --
+    "user_keys_admin" = { neededForUsers = true; };
+    "user_keys_deploy" = { neededForUsers = true; };
+    "user_keys_backup" = { neededForUsers = true; };
+
+    # -- Infrastructure Metadata --
+    # Hugo TODO: Populate these in your .sops.yaml / secrets file
+    "acme_email" = {};
+    "cloudflare_dns_token" = {};
+    "pgadmin_email" = {};
+    "gitea_mailer_from" = {};
+    "vaultwarden_smtp_from" = {};
+  };
+}
--- a/test/vm-test.nix
+++ b/test/vm-test.nix
@ -1,7 +1,6 @@
-{ self, nixpkgs, ... }:
+{ self, nixpkgs, system, ... }:

 let
-  system = "x86_64-linux";
  pkgs = nixpkgs.legacyPackages.${system};
 in
 pkgs.nixosTest {
--- a/users/admin/default.nix
+++ b/users/admin/default.nix
@ -26,7 +26,9 @@ in {
        config.users.groups.wheel.name # Enable 'sudo' for the user.
      ];
      initialPassword = "ChangeMe";
-      openssh.authorizedKeys.keys = cfg.authorizedKeys;
+      openssh.authorizedKeys.keyFiles = [
+        config.sops.secrets.user_keys_admin.path
+      ];
      packages = with pkgs; [
        curl
        git
--- a/users/backup/default.nix
+++ b/users/backup/default.nix
@ -12,9 +12,8 @@ in {
      extraGroups = [
        "docker" # Allow access to the docker socket.
      ];
-      openssh.authorizedKeys.keys = [
-        # Hugo
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICms6vjhE9kOlqV5GBPGInwUHAfCSVHLI2Gtzee0VXPh"
+      openssh.authorizedKeys.keyFiles = [
+        config.sops.secrets.user_keys_backup.path
      ];
    };
  };
--- a/users/deploy/default.nix
+++ b/users/deploy/default.nix
@ -3,7 +3,19 @@
 let
  cfg = config.homelab.users.deploy;
 in {
-  options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy";
+  options.homelab.users.deploy = {
+    enable = lib.mkEnableOption "user Deploy";
+
+    authorizedKeys = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [];
+      description = ''
+        Additional SSH public keys authorized for the deploy user.
+        The CI runner key should be provided as a base key; personal
+        workstation keys can be appended here per host or globally.
+      '';
+    };
+  };

  config = lib.mkIf cfg.enable {
    users = {
@ -15,12 +27,15 @@ in {
        isSystemUser = true;
        home = "/var/empty";
        shell = pkgs.bashInteractive;
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
+        openssh.authorizedKeys.keyFiles = [
+          config.sops.secrets.user_keys_deploy.path
        ];
      };
    };

+    # Allow the deploy user to push closures to the nix store
+    nix.settings.trusted-users = [ "deploy" ];
+
    security.sudo.extraRules = [
      {
        groups = [