diff --git a/flake.lock b/flake.lock index e4ad16a..14b6436 100644 --- a/flake.lock +++ b/flake.lock @@ -179,11 +179,11 @@ ] }, "locked": { - "lastModified": 1699783872, - "narHash": "sha256-4zTwLT2LL45Nmo6iwKB3ls3hWodVP9DiSWxki/oewWE=", + "lastModified": 1700087144, + "narHash": "sha256-LJP1RW0hKNWmv2yRhnjkUptMXInKpn/rV6V6ofuZkHU=", "owner": "nix-community", "repo": "home-manager", - "rev": "280721186ab75a76537713ec310306f0eba3e407", + "rev": "ab1459a1fb646c40419c732d05ec0bf2416d4506", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 9e94b4f..a9cd5b5 100644 --- a/flake.nix +++ b/flake.nix @@ -112,6 +112,7 @@ impermanence.nixosModules.impermanence ./hosts/nuc ./shared + ./shared/sops.nix sops-nix.nixosModules.sops { nixpkgs.overlays = [ self.overlays.default ]; @@ -124,6 +125,7 @@ modules = [ ./hosts/falkenstein-1 ./shared + ./shared/sops.nix { nixpkgs.overlays = [ self.overlays.default ]; } diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix index 01d43fa..e721bc4 100755 --- a/hosts/thinkpad/default.nix +++ b/hosts/thinkpad/default.nix @@ -49,8 +49,9 @@ ]; }; # impermanence fixes - sops.age.sshKeyPaths = lib.mkForce [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ]; - sops.gnupg.sshKeyPaths = lib.mkForce [ ]; + # sops.age.sshKeyPaths = lib.mkForce [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ]; + # sops.gnupg.sshKeyPaths = lib.mkForce [ ]; + age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ]; time.timeZone = "Europe/Berlin"; i18n.defaultLocale = "en_US.UTF-8"; diff --git a/hosts/thinkpad/modules/backup/default.nix b/hosts/thinkpad/modules/backup/default.nix index 8794cf2..3bd4286 100644 --- a/hosts/thinkpad/modules/backup/default.nix +++ b/hosts/thinkpad/modules/backup/default.nix 
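Review bot: In the falkenstein-1 hunk `./shared/sops.nix` is added to a module list whose visible entries do not include `sops-nix.nixosModules.sops`, whereas the nuc list directly above does; if the sops-nix module is not imported for falkenstein-1 further down that list, the `sops.*` options that `shared/sops.nix` presumably sets will not evaluate. Both module lists continue past the end of their hunks, so this may already be covered there. The same check applies in reverse to the thinkpad host, which this commit switches to `age.*` options in several files: the agenix NixOS module has to be in that host's module list, and no flake.nix hunk shown here adds it.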
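Review bot: The two old `sops.*` lines under `# impermanence fixes` are kept as commented-out code beside the new `age.identityPaths` assignment; delete them, since git history already holds the sops variant and a dead `lib.mkForce` line next to live secret configuration is easy to mistake for an active override. The persisted host key is now the only identity agenix will decrypt with on this machine, so the line should say so: `age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ]; # sole decryption identity; re-encrypt secrets/thinkpad/*.age if it is ever regenerated`. The enclosing attribute set starts and ends outside the hunk.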
@@ -1,6 +1,8 @@ { config, pkgs, ... }: { - sops.secrets."borg/passphrase" = { }; + age.secrets."borg/passphrase" = { + file = ../../../../secrets/thinkpad/borg/passphrase.age; + }; environment.systemPackages = [ pkgs.borgbackup ]; services.borgmatic = { enable = true; @@ -32,7 +34,7 @@ "/home/*/.local/share" "/home/*/Linux/Isos" ]; - encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/passphrase".path}"; + encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."borg/passphrase".path}"; compression = "lz4"; keep_daily = 7; keep_weekly = 4; diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix index 4c446b7..65e6e7e 100644 --- a/hosts/thinkpad/modules/networks/default.nix +++ b/hosts/thinkpad/modules/networks/default.nix @@ -2,14 +2,19 @@ { imports = [ ./uni.nix ]; - sops.secrets = { - "wireless-env" = { }; + age.secrets = { + wireless = { + file = ../../../../secrets/thinkpad/wireless.age; + }; "wireguard/dorm/private" = { + file = ../../../../secrets/thinkpad/wireguard/dorm/private.age; owner = config.users.users.systemd-network.name; }; "wireguard/dorm/preshared" = { + file = ../../../../secrets/thinkpad/wireguard/dorm/preshared.age; owner = config.users.users.systemd-network.name; }; + }; services.lldpd.enable = true; services.resolved = { @@ -32,7 +37,7 @@ wireless = { enable = true; userControlled.enable = true; - environmentFile = config.sops.secrets."wireless-env".path; + environmentFile = config.age.secrets.wireless.path; networks = { "@HOME_SSID@" = { psk = "@HOME_PSK@"; 
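Review bot: The new `age.secrets.wireless` entry gives no hint of what the decrypted file must contain, yet the `wireless` block in the next hunk substitutes `@HOME_SSID@` and `@HOME_PSK@` from it; add `# env file defining HOME_SSID and HOME_PSK, substituted into wireless.networks below` above `wireless = {`. For the two WireGuard entries only `owner = systemd-network` is set while mode and group stay at the agenix defaults; if those defaults are what keeps the private and preshared keys unreadable by other users, a one-line comment such as `# mode/group left at agenix defaults: readable by systemd-network only` makes that intent reviewable rather than implicit. The enclosing attribute set continues outside the hunk.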
@@ -109,14 +114,14 @@ Name = "wg0"; }; wireguardConfig = { - PrivateKeyFile = config.sops.secrets."wireguard/dorm/private".path; + PrivateKeyFile = config.age.secrets."wireguard/dorm/private".path; ListenPort = 51820; }; wireguardPeers = [ { wireguardPeerConfig = { PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ="; - PresharedKeyFile = config.sops.secrets."wireguard/dorm/preshared".path; + PresharedKeyFile = config.age.secrets."wireguard/dorm/preshared".path; Endpoint = "141.30.227.6:51820"; AllowedIPs = "192.168.42.0/24, 192.168.43.0/24"; }; diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix index f048184..f0bca5e 100644 --- a/hosts/thinkpad/modules/networks/uni.nix +++ b/hosts/thinkpad/modules/networks/uni.nix @@ -1,6 +1,9 @@ { config, ... }: { - sops.secrets."uni/zih" = { }; + # sops.secrets."uni/zih" = { }; + age.secrets.tud = { + file = ../../../../secrets/thinkpad/tud.age; + }; networking = { wireless.networks = { eduroam = { @@ -60,7 +63,7 @@ protocol = "anyconnect"; gateway = "vpn2.zih.tu-dresden.de"; user = "rose159e@tu-dresden.de"; - passwordFile = config.sops.secrets."uni/zih".path; + passwordFile = config.age.secrets.tud.path; autoStart = false; extraOptions = { authgroup = "A-Tunnel-TU-Networks"; @@ -71,7 +74,7 @@ protocol = "anyconnect"; gateway = "vpn2.zih.tu-dresden.de"; user = "rose159e@tu-dresden.de"; - passwordFile = config.sops.secrets."uni/zih".path; + passwordFile = config.age.secrets.tud.path; autoStart = false; extraOptions = { authgroup = "C-Tunnel-All-Networks"; diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..be768fa --- /dev/null +++ b/secrets.nix 
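Review bot: `# sops.secrets."uni/zih" = { };` is left behind as commented-out code directly above its replacement `age.secrets.tud`; remove it, since the old name is in git history and a stale line next to live secret configuration invites confusion about which one is active. If a breadcrumb is wanted, make it a real comment that says what the secret is: `# ZIH VPN password, read via passwordFile by the openconnect interfaces below`. Both `passwordFile` consumers are in the later hunks of the same file, and the enclosing attribute set ends outside the hunk.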
@@ -0,0 +1,14 @@
+let
+ thinkpad = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2X5hdT9/6BIrRWSE+XBbc4+ocVkPqoAGO2DMSYiJB/";
+ nuc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH6pI2rVvnEMG7oHzA47NRahEKQj99pagrat+Q7pOT2v";
+ falkenstein = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxar1P+KXVPzHCaIcGg33Gvog+a5Z8snHWSFqbY3WC6";
+ rouven = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkxTuzjS3EswMfj+wSKu9ciRyStvjDlDUXzkqEUGDaP";
+in
+{
+ "secrets/thinkpad/wireless.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/tud.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/wireguard/dorm/private.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/wireguard/dorm/preshared.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/borg/passphrase.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/borg/key.age".publicKeys = [ rouven thinkpad ];
+}
diff --git a/secrets/thinkpad/borg/key.age b/secrets/thinkpad/borg/key.age
new file mode 100644
index 0000000..74e3a03
Binary files /dev/null and b/secrets/thinkpad/borg/key.age differ
diff --git a/secrets/thinkpad/borg/passphrase.age b/secrets/thinkpad/borg/passphrase.age
new file mode 100644
index 0000000..7c29125
Binary files /dev/null and b/secrets/thinkpad/borg/passphrase.age differ
diff --git a/secrets/thinkpad/tud.age b/secrets/thinkpad/tud.age
new file mode 100644
index 0000000..5b64041
--- /dev/null
+++ b/secrets/thinkpad/tud.age
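Review bot: `secrets/thinkpad/borg/key.age` is registered here and committed as a binary blob, but no `age.secrets` entry anywhere in this change consumes it, so it is never decrypted onto the host; if it is intended as an offline copy of the Borg repository key that is only ever opened with the `rouven` identity, say so next to it, `# borg/key.age: repo key export for manual recovery only, not deployed by agenix`, otherwise it is a missing `age.secrets` declaration. Every secret is also encrypted to the personal `rouven` key, which is the normal agenix editing workflow, but it does mean that one key can decrypt the WireGuard private key and the VPN password as well as the host can; a comment above `let` stating that `rouven` is the editing identity and the other three are runtime host keys makes that trade-off explicit. The `nuc` and `falkenstein` bindings are unused in this file so far, which is fine if their secrets are coming, but the file should say so rather than leave it to the reader. Whether `thinkpad` is the public half of the persisted host key that `age.identityPaths` points at cannot be checked from this diff, so confirm it before relying on activation to decrypt.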
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 uWbAHQ 8qDAQ233j/CRqJRSjx0CIMNyBl5y/D03ujizUlyeDQk +YvxS49YognMr1d9ldJP0R4RKxZMLKxLk4G6juMpufag +-> ssh-ed25519 EVzt9Q z5q719PZfij/wMAzL/Co+zn5fItb2d1ixaLETSYBcHc +GHe/BBkAva/H3XE7Es6quxcVetNPhrjQvhqpskHzRuc +-> ssh-ed25519 uWbAHQ wNqtwu/45ALrTdTmuEhYq2HpRA8s2DnHX1Hocw3zFCM +1QvOewuqXACyFTJqzypf6cxZdM0MgXl9KACvl40qTN0 +-> ssh-ed25519 EVzt9Q fXLkwuPJ5y8ODKFpmDWVsma5sgx3WUMeqM/NRXiIbys +VM8XIkPplNiFxjKvHjjVWkBHt2EyLD3Ngdjtlor3yzs +-> (+cA16G-grease b`HZ0&CK +CjJd2a8z/BrTQXKduxMh1vc9AaHJT8O+jEyxHBrKBpHIF2Q +--- V/8tACrExnaGyEr7LJgeMtnfi+YGe631Z/FG7qoI/VM +Ó@Ö¤À 1ŽÝýNÌØpÌ5$‰ê×zƒf°fQ«½8ÑCâ”òKJ׸òûzØ.}îÌ›E-â¹¥¯ü²ó›ÖPª+ó”r0 \ No newline at end of file diff --git a/secrets/thinkpad/wireless.age b/secrets/thinkpad/wireless.age new file mode 100644 index 0000000..3d89e87 Binary files /dev/null and b/secrets/thinkpad/wireless.age differ diff --git a/shared/default.nix b/shared/default.nix index 86b38d0..8659bc7 100644 --- a/shared/default.nix +++ b/shared/default.nix @@ -4,7 +4,6 @@ imports = [ ./activation.nix ./gpg.nix - ./sops.nix ./vim.nix ./nix.nix ./tmux.nix diff --git a/shared/zsh.nix b/shared/zsh.nix index 09aab50..3b50c9a 100644 --- a/shared/zsh.nix +++ b/shared/zsh.nix @@ -25,7 +25,7 @@ la = "ls -a"; less = "bat"; update = "cd /etc/nixos && nix flake update"; - mosh = "f() {mosh $1 zsh};f"; + msh = "f() {mosh $1 zsh};f"; }; histSize = 100000; histFile = "~/.local/share/zsh/history";