From 591c0cd6b588e7a826c8ae81b5681b440e7e109c Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Thu, 16 Nov 2023 13:29:18 +0100 Subject: [PATCH] start replacing sops with agenix --- flake.lock | 6 +++--- flake.nix | 2 ++ hosts/thinkpad/default.nix | 5 +++-- hosts/thinkpad/modules/backup/default.nix | 6 ++++-- hosts/thinkpad/modules/networks/default.nix | 15 ++++++++++----- hosts/thinkpad/modules/networks/uni.nix | 9 ++++++--- secrets.nix | 14 ++++++++++++++ secrets/thinkpad/borg/key.age | Bin 0 -> 1302 bytes secrets/thinkpad/borg/passphrase.age | Bin 0 -> 480 bytes secrets/thinkpad/tud.age | 9 +++++++++ secrets/thinkpad/wireguard/dorm/preshared.age | Bin 0 -> 510 bytes secrets/thinkpad/wireguard/dorm/private.age | 9 +++++++++ secrets/thinkpad/wireless.age | Bin 0 -> 754 bytes shared/default.nix | 1 - shared/zsh.nix | 2 +- 15 files changed, 61 insertions(+), 17 deletions(-) create mode 100644 secrets.nix create mode 100644 secrets/thinkpad/borg/key.age create mode 100644 secrets/thinkpad/borg/passphrase.age create mode 100644 secrets/thinkpad/tud.age create mode 100644 secrets/thinkpad/wireguard/dorm/preshared.age create mode 100644 secrets/thinkpad/wireguard/dorm/private.age create mode 100644 secrets/thinkpad/wireless.age diff --git a/flake.lock b/flake.lock index e4ad16a..14b6436 100644 --- a/flake.lock +++ b/flake.lock @@ -179,11 +179,11 @@ ] }, "locked": { - "lastModified": 1699783872, - "narHash": "sha256-4zTwLT2LL45Nmo6iwKB3ls3hWodVP9DiSWxki/oewWE=", + "lastModified": 1700087144, + "narHash": "sha256-LJP1RW0hKNWmv2yRhnjkUptMXInKpn/rV6V6ofuZkHU=", "owner": "nix-community", "repo": "home-manager", - "rev": "280721186ab75a76537713ec310306f0eba3e407", + "rev": "ab1459a1fb646c40419c732d05ec0bf2416d4506", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 9e94b4f..a9cd5b5 100644 --- a/flake.nix +++ b/flake.nix 
@@ -112,6 +112,7 @@ impermanence.nixosModules.impermanence ./hosts/nuc ./shared + ./shared/sops.nix sops-nix.nixosModules.sops { nixpkgs.overlays = [ self.overlays.default ]; @@ -124,6 +125,7 @@ modules = [ ./hosts/falkenstein-1 ./shared + ./shared/sops.nix { nixpkgs.overlays = [ self.overlays.default ]; } diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix index 01d43fa..e721bc4 100755 --- a/hosts/thinkpad/default.nix +++ b/hosts/thinkpad/default.nix @@ -49,8 +49,9 @@ ]; }; # impermanence fixes - sops.age.sshKeyPaths = lib.mkForce [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ]; - sops.gnupg.sshKeyPaths = lib.mkForce [ ]; + # sops.age.sshKeyPaths = lib.mkForce [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ]; + # sops.gnupg.sshKeyPaths = lib.mkForce [ ]; + age.identityPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ]; time.timeZone = "Europe/Berlin"; i18n.defaultLocale = "en_US.UTF-8"; diff --git a/hosts/thinkpad/modules/backup/default.nix b/hosts/thinkpad/modules/backup/default.nix index 8794cf2..3bd4286 100644 --- a/hosts/thinkpad/modules/backup/default.nix +++ b/hosts/thinkpad/modules/backup/default.nix @@ -1,6 +1,8 @@ { config, pkgs, ... }: { - sops.secrets."borg/passphrase" = { }; + age.secrets."borg/passphrase" = { + file = ../../../../secrets/thinkpad/borg/passphrase.age; + }; environment.systemPackages = [ pkgs.borgbackup ]; services.borgmatic = { enable = true; @@ -32,7 +34,7 @@ "/home/*/.local/share" "/home/*/Linux/Isos" ]; - encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/passphrase".path}"; + encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets."borg/passphrase".path}"; compression = "lz4"; keep_daily = 7; keep_weekly = 4; diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix index 4c446b7..65e6e7e 100644 --- a/hosts/thinkpad/modules/networks/default.nix +++ b/hosts/thinkpad/modules/networks/default.nix 
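Review bot: The `age.secrets` and `age.identityPaths` options the thinkpad modules now use need the agenix NixOS module, yet this commit adds no `agenix` flake input (flake.nix gains only the two `./shared/sops.nix` lines, and the flake.lock hunk is just the home-manager bump), and the thinkpad host's module list is outside both hunks. If agenix was already an input and module before this commit that is fine; if not, the thinkpad configuration fails to evaluate on an unknown `age` option, which is worth confirming before merging a "start replacing" commit. The two hunks here keep `sops-nix.nixosModules.sops` plus the explicit `./shared/sops.nix` for nuc and falkenstein, which is the right split while those hosts are still on sops, but a comment such as `# sops-nix stays for hosts not yet migrated to agenix` at the first of them would record the intent.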
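Review bot: The two old `sops.*` lines in hosts/thinkpad/default.nix are kept as commented-out code beside the new `age.identityPaths`; delete them instead (the same applies to `# sops.secrets."uni/zih" = { };` in hosts/thinkpad/modules/networks/uni.nix), since git history already holds the sops setup and commented configuration tends to be revived out of date. A why-comment would carry more information than the dead lines, e.g. `# agenix identity: the host key lives under /nix/persist because / is wiped on boot (impermanence)`. Note also that assigning `age.identityPaths` replaces agenix's default identity list, so this single persisted ed25519 key is the only one that can decrypt the host's secrets — consistent with secrets.nix encrypting to one `thinkpad` recipient, but it means a host-key rotation requires re-keying every .age file, which deserves a line in the same comment.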
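Review bot: `secrets/thinkpad/borg/key.age` is added and listed in secrets.nix, but neither hunk in hosts/thinkpad/modules/backup/default.nix declares `age.secrets."borg/key"`, so the encrypted repository key is never decrypted onto the host. If it is meant to be provisioned next to the passphrase, add `age.secrets."borg/key".file = ../../../../secrets/thinkpad/borg/key.age;` beside the passphrase declaration; if it is only an encrypted offline copy of the key, say so in a comment so nobody wires it into the host by mistake. The passphrase secret gives no `owner` or `mode`, so agenix's root-only default applies; that matches `encryption_passcommand` presumably running inside the root borgmatic service, but since the hunk does not state it, a short comment (`# root-only by default; read by the borgmatic service`) would make the permission assumption explicit.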
@@ -2,14 +2,19 @@ { imports = [ ./uni.nix ]; - sops.secrets = { - "wireless-env" = { }; + age.secrets = { + wireless = { + file = ../../../../secrets/thinkpad/wireless.age; + }; "wireguard/dorm/private" = { + file = ../../../../secrets/thinkpad/wireguard/dorm/private.age; owner = config.users.users.systemd-network.name; }; "wireguard/dorm/preshared" = { + file = ../../../../secrets/thinkpad/wireguard/dorm/preshared.age; owner = config.users.users.systemd-network.name; }; + }; services.lldpd.enable = true; services.resolved = { @@ -32,7 +37,7 @@ wireless = { enable = true; userControlled.enable = true; - environmentFile = config.sops.secrets."wireless-env".path; + environmentFile = config.age.secrets.wireless.path; networks = { "@HOME_SSID@" = { psk = "@HOME_PSK@"; @@ -109,14 +114,14 @@ Name = "wg0"; }; wireguardConfig = { - PrivateKeyFile = config.sops.secrets."wireguard/dorm/private".path; + PrivateKeyFile = config.age.secrets."wireguard/dorm/private".path; ListenPort = 51820; }; wireguardPeers = [ { wireguardPeerConfig = { PublicKey = "Z5lwwHTCDr6OF4lfaCdSHNveunOn4RzuOQeyB+El9mQ="; - PresharedKeyFile = config.sops.secrets."wireguard/dorm/preshared".path; + PresharedKeyFile = config.age.secrets."wireguard/dorm/preshared".path; Endpoint = "141.30.227.6:51820"; AllowedIPs = "192.168.42.0/24, 192.168.43.0/24"; }; diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix index f048184..f0bca5e 100644 --- a/hosts/thinkpad/modules/networks/uni.nix +++ b/hosts/thinkpad/modules/networks/uni.nix @@ -1,6 +1,9 @@ { config, ... }: { - sops.secrets."uni/zih" = { }; + # sops.secrets."uni/zih" = { }; + age.secrets.tud = { + file = ../../../../secrets/thinkpad/tud.age; + }; networking = { wireless.networks = { eduroam = { 
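Review bot: In the new `age.secrets` block the WireGuard private and preshared keys set `owner = config.users.users.systemd-network.name` but no `mode`, so they rely on agenix's default (read-only for the owner, as far as I know) — correct for systemd-networkd, but a comment stating that the default is deliberately kept would help, because the sops block this replaces had the same shape and the two tools' defaults are not obviously the same to a reader. The `wireless-env` secret is renamed to `wireless`, and the one consumer visible here (`environmentFile`) is updated, but any reference to `config.sops.secrets."wireless-env"` outside these hunks would now break; the enclosing module continues past the hunk. The `../../../../secrets/thinkpad/...` path is repeated in every module touched by this patch; binding it once per module, e.g. `secrets = ../../../../secrets/thinkpad;` and then `file = secrets + /wireless.age;`, would make a future move of the secrets directory a one-line change.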
@@ -60,7 +63,7 @@
 protocol = "anyconnect";
 gateway = "vpn2.zih.tu-dresden.de";
 user = "rose159e@tu-dresden.de";
- passwordFile = config.sops.secrets."uni/zih".path;
+ passwordFile = config.age.secrets.tud.path;
 autoStart = false;
 extraOptions = {
 authgroup = "A-Tunnel-TU-Networks";
@@ -71,7 +74,7 @@
 protocol = "anyconnect";
 gateway = "vpn2.zih.tu-dresden.de";
 user = "rose159e@tu-dresden.de";
- passwordFile = config.sops.secrets."uni/zih".path;
+ passwordFile = config.age.secrets.tud.path;
 autoStart = false;
 extraOptions = {
 authgroup = "C-Tunnel-All-Networks";
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..be768fa
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,14 @@
+let
+ thinkpad = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2X5hdT9/6BIrRWSE+XBbc4+ocVkPqoAGO2DMSYiJB/";
+ nuc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH6pI2rVvnEMG7oHzA47NRahEKQj99pagrat+Q7pOT2v";
+ falkenstein = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxar1P+KXVPzHCaIcGg33Gvog+a5Z8snHWSFqbY3WC6";
+ rouven = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkxTuzjS3EswMfj+wSKu9ciRyStvjDlDUXzkqEUGDaP";
+in
+{
+ "secrets/thinkpad/wireless.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/tud.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/wireguard/dorm/private.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/wireguard/dorm/preshared.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/borg/passphrase.age".publicKeys = [ rouven thinkpad ];
+ "secrets/thinkpad/borg/key.age".publicKeys = [ rouven thinkpad ];
+}
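Review bot: Every rule in the new secrets.nix encrypts to `rouven` and `thinkpad` only, while `nuc` and `falkenstein` are bound in the `let` but never used; that is acceptable for a first migration step, but each binding is the only place a host's recipient key is pinned, so a comment naming where each key comes from (for the thinkpad something like `# ssh_host_ed25519_key.pub of the thinkpad, persisted under /nix/persist`) makes the next re-key auditable. The `thinkpad` recipient must correspond to the identity configured in `age.identityPaths` in hosts/thinkpad/default.nix; nothing in the patch ties the two together, and a mismatch only surfaces at activation as a failed decryption, so a cross-reference comment in both places is cheap insurance. Two of the new `.age` files are stored as text diffs with a raw binary tail and `\ No newline at end of file`, which suggests adding a `.gitattributes` entry marking `*.age` as binary so line-ending normalisation or a merge tool can never alter the ciphertext.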
diff --git a/secrets/thinkpad/borg/key.age b/secrets/thinkpad/borg/key.age new file mode 100644 index 0000000000000000000000000000000000000000..74e3a032035e5c9b07ed3c97a843e42c2fca2777 GIT binary patch literal 1302 zcmV+x1?l=>XJsvAZewzJaCB*JZZ2pNqK5H zIeJf8P;FW=YG-3uPESx~GDvbOFL`x2WJXqGc|u8PPjd<_J|J^*Xf0)AGBq_ZIUq$= zdUQEaAT>d3L~dn9dUPac(v+IC^?|X=*`OWMNNv zQEYKXQgKsDYj}50Hfb?ZI5}!?OlMVVc{Wm0LsCaXG;(ls3UYZ#YjAEWHdRn>cu_%2 zZcI0Jbz^HeP)C9K?({j zEiE8rL_$h5ZeeauFJ(kSFLp0NHd8iLG;(ffS6F6iWp7V+OgLI_Z&NX7H+Kr#G|M9H zYe=ffh!@qeNun~-8(6`b^iQ*d%=^+ibc~eiVyN-7B_sN28r}h?2&)kK;0zT$QX;GF zH#SDegY3h0DFaNS7p=|di^uDa3b;?0pM9(0jSsV;!!DoUC zCUyqDL~ZSq@{he~?+gh8q6IP%kYiw;-pOVf&FJjlqDTM6^5}#HC{sTUOdeJe`Sol` z)uEGgan!IVjjYH61sAGQ zQuV_GvB`DOtXVQ=tmC;OqL5m&v5T|POx~5^A?xrfV&s;q=SYaMA)1ob^se`G_voR% zZcRdF`C6dtAFhWkQ%i{y7n{JU5cqoNyNc1D{sIgC?n%&J$X=O{T@2i+;`XHf*XY1s z+Z^O%UKL`ROgM@bE&B>;naaq}VBP&@?S8r0_t>{d}V=~lT-qxwq z@G%ePOrXD&2Rl$FR_0FRo+J_(_BO?|11cX=d+ph_VeMIHKAn3@%SxDVXjJ9s0zwb{ zlu$1}LpeiG^9;L*h7ggR#`zTNwP(^|3SOSpXc1HX8u71|lyphg!Gm+itfJWo$w z%2JPQ%L3c848gvl=adAFy>d5uE;5K81PlN^X5yz3oL=2`AvZzwyQY_;KGV99wtaA@ z-2;3XDfl(aOK;T|f~A`e7DOSYTeVr(HpheWpVt_q5E-<=9dD_Jn`9);7;W;g&b%_U MMGhmIXdzEaGE{FlOaK4? literal 0 HcmV?d00001 
diff --git a/secrets/thinkpad/borg/passphrase.age b/secrets/thinkpad/borg/passphrase.age new file mode 100644 index 0000000000000000000000000000000000000000..7c291252799e76f60e2d7601415f5818af45ff34 GIT binary patch literal 480 zcmZ9_y^oVn003}jW{oRxxTWDJrH|t+=am*{@9t4(OQCF~g-1*I=%aj;i@D^CgVDvr z7*_{l9Naaz%{aK};HsO0_Yau37*~J)z;BK{#)}tZpYB#ke3%f-797PK(^(cU-m(P% z2kG2$JAH$e{XB)Dvp&-})nA8Duy&{))UcNg$9ls6&DIfua-fa*lIlr3oL5_QVoX~T zep4Lz{Yhsqgdu>*GRC>75f9YP9=qoMn>?*|(4a}l4hb6PW|9b?CFrifH``lY0o7Ki z1Fyx$a)B}dj$(t7fMRjyN~VRgp&QQj;&chxT!HmkD8p3`Z%4Y=<}gMM`nRDIR)ys~ z$YA2lGmm~yHPb0|x@bo8Ad6yagKTl&sHGxx)m3EVk=?KaGuo+=Z)T^)BoH~AiwQ)j zR$0+j61pa63zU?}ywtEu+u6-RATB#3*oU&yTo2MtpoP|~SHv=FFA7XC3`2_var^y& zECn1^%*xCOM3K`iG^-Y%6_U_$K-B=g-e^+!emwbfes=x)>dURi nU*A?2FJHfS^Zxts&uRSb?nn0U^5)ge!NJ4f$+Jh_?%e(hiI1eQ literal 0 HcmV?d00001 diff --git a/secrets/thinkpad/tud.age b/secrets/thinkpad/tud.age new file mode 100644 index 0000000..5b64041 --- /dev/null +++ b/secrets/thinkpad/tud.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 uWbAHQ 8qDAQ233j/CRqJRSjx0CIMNyBl5y/D03ujizUlyeDQk +YvxS49YognMr1d9ldJP0R4RKxZMLKxLk4G6juMpufag +-> ssh-ed25519 EVzt9Q z5q719PZfij/wMAzL/Co+zn5fItb2d1ixaLETSYBcHc +GHe/BBkAva/H3XE7Es6quxcVetNPhrjQvhqpskHzRuc +-> >!3iN~0CYK8>A1|~N`a*r7>fr8n z7iawi4(cy(aMIju7bl~m&Mppqtp0)LaRQI>R&!LQd6=y3CMc*rq6z9jCCeb?xiyxh z>y^!TCbrEAqFZIV>5(aK6{=fh!)OsHg@UlAM;+*kHCeBx^Po43Fp-1yxYw}OtlG*% zQfu1LHr4|v3=Odm#_M9x9T}x>2hOtd|JJm&dEKluY`JC)hgz6SbUFG9<*@T`n60Z| z+Ev;>g(Jru#FK4&FCm<9658${>%=*??GqxfYh{FzFN;#5iQ?6T(vlZY?E1Om^ zK~YqN8Rf;G)e_}upsHQeHd{1E{H9xPIB*>3n(apn-R(2OA|Sq=fA;bmb>r-~FYX+j zSaJI8*G1#j$Lps*+@q@>z~15g_xWY@%I>xD^V>^`q3(V ssh-ed25519 uWbAHQ wNqtwu/45ALrTdTmuEhYq2HpRA8s2DnHX1Hocw3zFCM +1QvOewuqXACyFTJqzypf6cxZdM0MgXl9KACvl40qTN0 +-> ssh-ed25519 EVzt9Q fXLkwuPJ5y8ODKFpmDWVsma5sgx3WUMeqM/NRXiIbys +VM8XIkPplNiFxjKvHjjVWkBHt2EyLD3Ngdjtlor3yzs +-> (+cA16G-grease b`HZ0&CK +CjJd2a8z/BrTQXKduxMh1vc9AaHJT8O+jEyxHBrKBpHIF2Q +--- V/8tACrExnaGyEr7LJgeMtnfi+YGe631Z/FG7qoI/VM +Ó@Ö¤À 1ŽÝýNÌØpÌ5$‰ê×zƒf°fQ«½8ÑCâ”òKJ׸òûzØ.}îÌ›E-â¹¥¯ü²ó›ÖPª+ó”r0 \ No newline at end of file 
diff --git a/secrets/thinkpad/wireless.age b/secrets/thinkpad/wireless.age new file mode 100644 index 0000000000000000000000000000000000000000..3d89e87e0d5bb510c72eb4443ff47814c55a7a42 GIT binary patch literal 754 zcmVu3D{FQ%Xh}|4G)ga0ZZHZ&RW?;+Mp{xu zXHZ!+MOH6)MrT?}Np^N}RCs81V>M=FIe2MkFlKTuP;&|`J|J^*Xf0)AGBq_ZIUq$= zdUQEaAUIP)Q*vT>cuq4*S57Z;Nh?B4aAb0KR!uW;NH9(}PHc8FP-8W9S4ek33R7uv zHbgHgW>08KSTs3scR6uEFfc_nLP2b0Q7bcVYiU_HRZ~@1P)%fW3N1b$T4_jBP)tNE zXL4m>b7dfDIDAuWC@^0jQZy_iX*_--AUt((J}EFRC?G31LOvlY3UPERcT9OUH$!we zMRa&gS~pHtS$SqbO>}iQL18mxMq)5_S8_8?W=wiWN^3PuQcp!OSVloPdShB>L@P*6 zR|-p6Ff?LUHEm5xQ8qR+adbj9a7|%R3N0-yAW%$ldNgq_ZAV#UbVo~7NlHdZSw&E3 zO*K|AHco0`XD@nlQZsCHMMPzH3U(;&{n>mFZzV~&&Q?V_S#?Civg}-DF86Egsq1;< z8*DuZf6;UOT!m^*^wStwpC#2|L1?GUOg~q8?v;H3_jp9jr>dq%@&cBKS@k>Ry7l)C zTp`r^_o2#R8=3qRu`fC&PzB|cIPIZe2>_=|I^p5$Qvac=EAm?Z!QW~*TW&ctD9|?u zcn(;FAm^&i!!D~ANu#yrdNeq8L`mL>AoeZ-4&Qg(9<9YxmTNJ`cc1mKUA$bU8PTq6 z)(hd`PgnOZ_MOC1qv-ZL*eXinr)TIJSbFD_I}rvp+w0|E0$XO8X8N5k-XXEtANXfS zoD<*Z;vz9~XB8CLhZJ3h6_$iK^)i`eH*EQm>h(%8EJ(?4{+srFI}oa;-4VAgPy|V< kB{#;z_|F2Ozn25n^C9^d8EVzuAFgTa$a#DAQ{T57y8vM;E&u=k literal 0 HcmV?d00001 diff --git a/shared/default.nix b/shared/default.nix index 86b38d0..8659bc7 100644 --- a/shared/default.nix +++ b/shared/default.nix @@ -4,7 +4,6 @@ imports = [ ./activation.nix ./gpg.nix - ./sops.nix ./vim.nix ./nix.nix ./tmux.nix diff --git a/shared/zsh.nix b/shared/zsh.nix index 09aab50..3b50c9a 100644 --- a/shared/zsh.nix +++ b/shared/zsh.nix @@ -25,7 +25,7 @@ la = "ls -a"; less = "bat"; update = "cd /etc/nixos && nix flake update"; - mosh = "f() {mosh $1 zsh};f"; + msh = "f() {mosh $1 zsh};f"; }; histSize = 100000; histFile = "~/.local/share/zsh/history";