refactor(security): migrate hardcoded credentials and SSH keys to sops-nix

2026-03-17 21:45:56 +01:00 · 2026-03-17 21:45:56 +01:00 · ccfa328771
commit ccfa328771
parent cbb70ab8bb
10 changed files with 47 additions and 14 deletions
--- a/hosts/Development/default.nix
+++ b/hosts/Development/default.nix
@ -3,6 +3,7 @@
 {
  config = {
    homelab = {
+      networking.hostIp = "192.168.0.91";
      apps = {
        bind9.enable = true;
        homepage = {
@ -13,6 +14,7 @@
        plex.enable = true;
      };
      virtualisation.guest.enable = true;
+      users.deploy.enable = true;
    };

    networking = {
@ -36,7 +38,7 @@
      interfaces.ens18 = {
        ipv4.addresses = [
          {
-            address = "192.168.0.91";
+            address = config.homelab.networking.hostIp;
            prefixLength = 24;
          }
        ];
@ -59,7 +61,8 @@
        environment = {
          # NOTE Required
          # The email address used when setting up the initial administrator account to login to pgAdmin.
-          PGADMIN_DEFAULT_EMAIL = "kmtl.hugo+pgadmin@gmail.com";
+          # TODO Hugo: Populate 'pgadmin_email' in sops.
+          PGADMIN_DEFAULT_EMAIL = config.sops.placeholder.pgadmin_email or "pgadmin-admin@example.com";
          # NOTE Required
          # The password used when setting up the initial administrator account to login to pgAdmin.
          PGADMIN_DEFAULT_PASSWORD = "ChangeMe";
--- a/hosts/Isabel/default.nix
+++ b/hosts/Isabel/default.nix
@ -165,7 +165,7 @@ providers:
            # Certificates
            "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
            "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
-            "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
+            "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
            "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"

            # Additional routes
@ -176,8 +176,8 @@ providers:
            # "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true)
          ];
          environment = {
-            # TODO Hide this!
-            "CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2";
+            # TODO Hugo: Populate 'cloudflare_dns_token' in sops.
+            "CLOUDFLARE_DNS_API_TOKEN" = config.sops.placeholder.cloudflare_dns_token or "CLOUDFLARE_TOKEN_PLACEHOLDER";
          };
          environmentFiles = [
          ];
--- a/modules/apps/gitea/default.nix
+++ b/modules/apps/gitea/default.nix
@ -496,7 +496,8 @@ in {
          #FORGEJO__mailer__CLIENT_KEY_FILE = "custom/mailer/key.pem";
          # Mail from address, RFC 5322. This can be just an email address, or the
          # `"Name" <email@example.com>` format.
-          FORGEJO__mailer__FROM = ''"${title}" <git@depeuter.dev>'';
+          # TODO Hugo: Populate 'gitea_mailer_from' in sops.
+          FORGEJO__mailer__FROM = config.sops.placeholder.gitea_mailer_from or "git@example.com";
          # Sometimes it is helpful to use a different address on the envelope. Set this to use
          # ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
          #FORGEJO__mailer__ENVELOPE_FROM = "";
--- a/modules/apps/traefik/default.nix
+++ b/modules/apps/traefik/default.nix
@ -72,7 +72,7 @@ in {
        # Certificates
        "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
        "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
-        "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
+        "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
        "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      ];
      volumes = [
--- a/modules/apps/vaultwarden/default.nix
+++ b/modules/apps/vaultwarden/default.nix
@ -344,6 +344,7 @@ in {
          # ORG_CREATION_USERS=none
          ## A comma-separated list means only those users can create orgs:
          # ORG_CREATION_USERS=admin1@example.com,admin2@example.com
+          # TODO Hugo: Redact org creation users if needed.
          
          ## Invitations org admins to invite users, even when signups are disabled
          # INVITATIONS_ALLOWED=true
@ -590,7 +591,7 @@ in {
          ## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
          ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
          SMTP_HOST = "smtp.gmail.com";
-          SMTP_FROM = "vault@depeuter.dev";
+          SMTP_FROM = config.sops.placeholder.vaultwarden_smtp_from or "vaultwarden@example.com";
          SMTP_FROM_NAME = cfg.name;
          # SMTP_USERNAME=username
          # SMTP_PASSWORD=password
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@ -1,4 +1,8 @@
 {
+  imports = [
+    ./secrets.nix
+  ];
+
  config = {
    homelab = {
      services.openssh.enable = true;
@ -12,5 +16,10 @@

    # Set your time zone.
    time.timeZone = "Europe/Brussels";
+
+    sops = {
+      defaultSopsFile = ../../secrets/secrets.yaml;
+      age.keyFile = "/var/lib/sops-nix/key.txt";
+    };
  };
 }
--- a/modules/common/secrets.nix
+++ b/modules/common/secrets.nix
@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+{
+  sops.secrets = {
+    # -- User Public Keys (Anti-Fingerprinting) --
+    "user_keys_admin" = { neededForUsers = true; };
+    "user_keys_deploy" = { neededForUsers = true; };
+    "user_keys_backup" = { neededForUsers = true; };
+
+    # -- Infrastructure Metadata --
+    # Hugo TODO: Populate these in your .sops.yaml / secrets file
+    "acme_email" = {};
+    "cloudflare_dns_token" = {};
+    "pgadmin_email" = {};
+    "gitea_mailer_from" = {};
+    "vaultwarden_smtp_from" = {};
+  };
+}
--- a/users/admin/default.nix
+++ b/users/admin/default.nix
@ -26,7 +26,9 @@ in {
        config.users.groups.wheel.name # Enable 'sudo' for the user.
      ];
      initialPassword = "ChangeMe";
-      openssh.authorizedKeys.keys = cfg.authorizedKeys;
+      openssh.authorizedKeys.keyFiles = [
+        config.sops.secrets.user_keys_admin.path
+      ];
      packages = with pkgs; [
        curl
        git
--- a/users/backup/default.nix
+++ b/users/backup/default.nix
@ -12,9 +12,8 @@ in {
      extraGroups = [
        "docker" # Allow access to the docker socket.
      ];
-      openssh.authorizedKeys.keys = [
-        # Hugo
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICms6vjhE9kOlqV5GBPGInwUHAfCSVHLI2Gtzee0VXPh"
+      openssh.authorizedKeys.keyFiles = [
+        config.sops.secrets.user_keys_backup.path
      ];
    };
  };
--- a/users/deploy/default.nix
+++ b/users/deploy/default.nix
@ -15,8 +15,8 @@ in {
        isSystemUser = true;
        home = "/var/empty";
        shell = pkgs.bashInteractive;
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
+        openssh.authorizedKeys.keyFiles = [
+          config.sops.secrets.user_keys_deploy.path
        ];
      };
    };