Configure secrets, configure ssh and add H4G0
This commit is contained in:
parent
fdc052d82c
commit
21fa5a8411
8 changed files with 124 additions and 7 deletions
|
@ -1,10 +1,13 @@
|
||||||
keys:
|
keys:
|
||||||
- &tdpeuter age1q2gqur3t4fu8flsuu2zdnule37vdkh6egpt6a2e3ytx433x8gpvsr4hw6l
|
- &tdpeuter age1fva6s64s884z0q2w7de024sp69ucvqu0pg9shrhhqsn3ewlpjfpsh6md7y
|
||||||
- &Tibo-NixDesk age1quvlqpznqkw2r0jhyx6p2hsq3dk93087yha46ugtce6ew9c64pgq4uhcvz
|
|
||||||
|
- &server_H4G0 age1d4gvqz3anf082ja6xt03hnkzazfum80um9t45m4rerl4n3va2yuqgnsg03
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: secrets/[^/]+\.yaml$
|
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *tdpeuter
|
- *tdpeuter
|
||||||
|
|
||||||
|
- *server_H4G0
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,11 @@
|
||||||
users.users.tdpeuter = {
|
users.users.tdpeuter = {
|
||||||
description = "Tibo De Peuter";
|
description = "Tibo De Peuter";
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = [ "networkmanager" "wheel" ];
|
extraGroups = [
|
||||||
|
config.users.groups.keys.name
|
||||||
|
config.users.groups.networkmanager.name
|
||||||
|
config.users.groups.wheel.name
|
||||||
|
];
|
||||||
initialPassword = "ChangeMe";
|
initialPassword = "ChangeMe";
|
||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
home-manager
|
home-manager
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./mpv
|
./mpv
|
||||||
|
./sops
|
||||||
|
./ssh
|
||||||
./vifm
|
./vifm
|
||||||
./vim
|
./vim
|
||||||
./zellij
|
./zellij
|
||||||
|
|
27
nixos/modules/utils/sops/default.nix
Normal file
27
nixos/modules/utils/sops/default.nix
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
sops
|
||||||
|
];
|
||||||
|
|
||||||
|
sops = {
|
||||||
|
# Add secrets.yml to the nix store
|
||||||
|
defaultSopsFile = ../../../secrets/secrets.yaml;
|
||||||
|
age = {
|
||||||
|
# Automatically import SSH keys as age keys
|
||||||
|
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
# Use an age key that is expected to already be in the filesystem
|
||||||
|
keyFile = "/var/lib/sops-nix/key.txt";
|
||||||
|
# Generate new keys if the key specified above does not exist
|
||||||
|
generateKey = true;
|
||||||
|
};
|
||||||
|
secrets = {
|
||||||
|
"H4G0/ssh" = {
|
||||||
|
format = "yaml";
|
||||||
|
sopsFile = ../../../secrets/H4G0.yaml;
|
||||||
|
owner = config.users.users.tdpeuter.name;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -5,4 +5,18 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
passwordAuthentication = false;
|
passwordAuthentication = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
home-manager.users.tdpeuter = {
|
||||||
|
programs.ssh = {
|
||||||
|
enable = true;
|
||||||
|
matchBlocks = {
|
||||||
|
"H4G0" = {
|
||||||
|
hostname = "192.168.0.11";
|
||||||
|
identitiesOnly = true;
|
||||||
|
identityFile = "/run/secrets/H4G0/ssh";
|
||||||
|
user = "admin";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
31
nixos/secrets/H4G0.yaml
Normal file
31
nixos/secrets/H4G0.yaml
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
H4G0:
|
||||||
|
ssh: ENC[AES256_GCM,data:UfO/9VpMNP4A1qjgCYg5hGDu5/e3nHXJY0ozKt9nSfuDON/wjxCT7wTjbBOpVH1u6fvUQRE6+YEw5/oOf/+3U324a5TQ7WzfhOqgdkOxJswQRYL+hghzWDQUoxWFwO/gmLH+gJY2qTOs1VODgnaccadaewhIcw9DWYytTeF6PP3Hx4mXMMzsJ5AUur7Wl86geUmD0H5P9uG7dZNfe3r1CZKIdxYo9CLzx2zdHfKHjFh8C0gJgZA8xRZiq870t24807eetayWtEpAcbnCW7zpMnjMhtV8MxNsd5ImapShGaei4xHfZ4o1q592eXix75nqvkg25+mP4XWfNpuqFqbWHAespbUn3WFa5t1ose+D9ZTCa9JyeVvSRZSqCOdb2RwvtWowRAAo/OdyXGBQ/v25TIeuhUyZq5ndjS5g57K+70BGCt3IluFHQj9DvKyB433s0FUSy8xR/tq3mSIAwmrLlw7Ip/xjnhsn1lK2jvMOUSwLwZt7qMnWPIZRFA4PF6g8jL7BWv0imp00q54mTUby2vBkdJV6sAZMo2uU,iv:rYOykB1uj8oqdBIYsmD9H4Zg1RPTNamVhky2Rtfmvbw=,tag:mZzyg1Ez16M7ltxPUh5ktg==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1fva6s64s884z0q2w7de024sp69ucvqu0pg9shrhhqsn3ewlpjfpsh6md7y
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWWFUdnpERVlkK29TQ09k
|
||||||
|
SnJMVm5rUEV6S0huSzJ2YjFFQ3pNR0pmZWprClZEVDloeDE2ODNkMVVJTUtqaENz
|
||||||
|
ZzhwTTA4V2xOeW55WGtPZU5FWElQNDAKLS0tIFh5ZWtmZHRBWTAvM3ZwY3pKQ0R6
|
||||||
|
aDNUbFlhWWVoOWpjVlV1VTVJejlSMjQK6wCeCRdHY5oyTX6/R1U5AOGJyp0exi1A
|
||||||
|
dWPUMfkKBBBkrR+G6ougd8o3FwFf+yfb5RhaTxxqjit6p2RyMjR64w==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1d4gvqz3anf082ja6xt03hnkzazfum80um9t45m4rerl4n3va2yuqgnsg03
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WVcwYVFWbG1ucEtTSTI5
|
||||||
|
Y0pxZ1FidjVURlVxZTdTSHdzME05Z0hyblJBCkQ5R2F1a2IyRVIvYjlmY1p3S3VR
|
||||||
|
OW1zcnp2Z1Zydlpjd2tBU2RHajhoamMKLS0tIG9oMWtHVU1nTHBtcGM3OWxVNFZL
|
||||||
|
K3NaMitlT2orSVhHVmFRVmhPUXhBSGMKAqVqH9hT9NL5D6Fsovn67GY056B6Ttwg
|
||||||
|
fr9y+8rkG43LbuehpKktv2I/UP64QKcYgqWDOWOmicHYx8pOXKLHkA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2023-09-10T20:16:08Z"
|
||||||
|
mac: ENC[AES256_GCM,data:/LEOHaf9No6KORPvM2yjLTfHA2aI+A5+vvjIRIcJVaMoHf6a0bommokhiujZTXxj8G234YMRXldfnY1nJd7lF0x5lrx6Gf39EHSmxztGJXsuzdN+oGc/zlnWO/+XoB2hc2dMGYP3vswru07bFxu9qpiVQLsBhv20hzhJA2Ex4nc=,iv:5R+qtwW8xKd8nUN6VBeT+7b73qlQtqcEEAJRaJzk/+g=,tag:dngDfl2/pHiXY23aJppRkw==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.7.3
|
39
nixos/secrets/secrets.yaml
Normal file
39
nixos/secrets/secrets.yaml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
hello: ENC[AES256_GCM,data:Qs69AsC8Yz+2RWSMvZp3zw==,iv:9p9bf2MI0HFwPB5qu0nTy3riyE6xUqsdObaXv3vgs3c=,tag:fjwrOPR/2vIeNgPDEVI+LQ==,type:str]
|
||||||
|
example_key: ENC[AES256_GCM,data:JaknfPEPPtIotkwWpQ==,iv:OQy1S24scW0Ac9omkHg1HSCH6b7cClBMDH1GXZkzUBY=,tag:ItO6EdXKy4zOuZ2DROI+Tg==,type:str]
|
||||||
|
#ENC[AES256_GCM,data:Pok2Tcvryb59LmHDanq5/Q==,iv:Wl2nAb0X7s3bFeGeVUAHb+FMqrKHSJwwHulhdwhPkuE=,tag:YxicHwyrYLZZ6sFGNvkMMA==,type:comment]
|
||||||
|
example_array:
|
||||||
|
- ENC[AES256_GCM,data:ULZ3vixg/k1biadqhw8=,iv:7NMuh30RkiBGpXO/sd5WKzBggNnMZkV8eD16w39utd4=,tag:+ReYo3sQf2rgK0nTXAq1UA==,type:str]
|
||||||
|
- ENC[AES256_GCM,data:VawE9ClM28rRQPScWAM=,iv:XKiKDFGy6Io5gyp/FHLXIs7CpT41E6KAKHQmuZLRVHE=,tag:FSIdSnI/emPwHk0dQVT/TQ==,type:str]
|
||||||
|
example_number: ENC[AES256_GCM,data:yd6R8u2Nd5effA==,iv:7NO330iRkYO42a4AjBr5Ebv/nxx5J0/OpWKIqMTqdPQ=,tag:N/RK1+Q+QqnVPCkGPA1/AQ==,type:float]
|
||||||
|
example_booleans:
|
||||||
|
- ENC[AES256_GCM,data:Ul7fKA==,iv:U51FhTsWwkbhUWGsO8D+bl2mLdTIfapIB+OGJEOAiRA=,tag:9NJLKp8s2TSKLyXwM8OncA==,type:bool]
|
||||||
|
- ENC[AES256_GCM,data:LVU1a90=,iv:1X1qV+8iIe1i5hIrqyB3tJew9hsHjJHlATmkEmwRA0Y=,tag:ko/5OwmJH/6HKPsvbkoRpw==,type:bool]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1fva6s64s884z0q2w7de024sp69ucvqu0pg9shrhhqsn3ewlpjfpsh6md7y
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ekx1bzluY0ZhYmhnRmhW
|
||||||
|
b3pzM2RlKzFrREpMK3RNU1MweldNRXJ5NjE4CmNRbnFvbk1EN0V0ZWJiVzFmL3Jt
|
||||||
|
N1Vpb3NEdXFzdzU4MjN1elp1RWZ5THcKLS0tIDR4cTFJNVFveEdxaEYvZndKbURa
|
||||||
|
UHpaNENhL3c1K3RXc05hUmdNZVBpT2MKwBj4+Gb7giVJIoPWiwY3tvugEAexXy6Q
|
||||||
|
YTWgZQZk96r5aF2mBjRCFCc7prj85PsUN/UXOPjPLVAFG3lwS0Eaog==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1d4gvqz3anf082ja6xt03hnkzazfum80um9t45m4rerl4n3va2yuqgnsg03
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWkE3SW14Kzh6dlNHeE1S
|
||||||
|
dzUvTTN0bHZESy9vVy9DMXBuNjNneXdlWEFRCkZ1b1Znd2IweG1pNmloOFVjQkpa
|
||||||
|
LzZjZ051L0ZBTzNQd0N2LzRwNkZUOEUKLS0tIE4vQWk4cXlyUDAzM3VNaDVHaXNi
|
||||||
|
QXBOc1VXcXFlL2hNK2lTT2ZBeFNUd2sKjuy8anUcn8MCWe6TohLcIIPynBXqEZy/
|
||||||
|
C3F94k4aniG0MK/yPoBpoCP9tquIw4zKHJ5syorUJR69LqupgfB6qA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2023-09-10T20:20:18Z"
|
||||||
|
mac: ENC[AES256_GCM,data:yfmYEo8pdlG3tu4Fabwde57igIvpt4UuhQqStVlV36rvPnv9dc42+6iduu+heuQ2OAVw0jk6/o6SWJpcms2DReOAMGDOgt+zV3TgJym52YdMcjTNJTo+4loULhvaWyN9ZdPJjSYKEoSgOZi+oMx4BpwreQEaPaYUxcbTqrWCUa8=,iv:Mb81sBxibRxSaC2kgakhy2pyEmW0MDobF+lHF7cny5E=,tag:DCqTWSnf5Gv5YfAGSEC2yw==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.7.3
|
|
@ -1,3 +0,0 @@
|
||||||
# created: 2023-04-11T14:44:53+02:00
|
|
||||||
# public key: age1q2gqur3t4fu8flsuu2zdnule37vdkh6egpt6a2e3ytx433x8gpvsr4hw6l
|
|
||||||
AGE-SECRET-KEY-10J7MWCWQQY33TVNMQ9AMH4TH5LULSVAZ539P9QG3NA2Z3LTMXAFS2QQ4NG
|
|
Loading…
Reference in a new issue