From fa685385b74137dcfa4338ef9d443c565ac5d3cf Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Tue, 27 Dec 2022 17:46:57 +0100
Subject: [PATCH] configured sops

No real secrets are added yet
---
 .sops.yaml | 10 +++++
 flake.lock | 66 +++++++++++++++++++++++++---
 flake.nix | 4 +-
 hosts/thinkpad/default.nix | 7 ++-
 keys/gpg/rouven.asc | 88 ++++++++++++++++++++++++++++++++++++++
 secrets/thinkpad.yaml | 41 ++++++++++++++++++
 shared/sops.nix | 9 ++++
 7 files changed, 215 insertions(+), 10 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 keys/gpg/rouven.asc
 create mode 100644 secrets/thinkpad.yaml
 create mode 100644 shared/sops.nix

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..9d697e5
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+ - &rouven 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
+ - &thinkpad age1s5aes35ku7d2600mwxu8jndvngqrpuuu2h6yrcetytgstkuzlsvstut3ge
+creation_rules:
+ - path_regex: secrets/thinkpad\.yaml$
+ key_groups:
+ - pgp:
+ - *rouven
+ age:
+ - *thinkpad
diff --git a/flake.lock b/flake.lock
index 97fa35d..d8ad5df 100644
--- a/flake.lock
+++ b/flake.lock
@@ -6,11 +6,11 @@
 "utils": "utils"
 }
 },
 "locked": {
- "lastModified": 1671459164,
- "narHash": "sha256-RbkDnvLV7WjbiF4Dpiezrf8kXxwieQXAVtY8ciRQj6Q=",
+ "lastModified": 1671966569,
+ "narHash": "sha256-jbLgfSnmLchARBNFRvCic63CFQ9LAyvlXnBpc2kwjQc=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "e7eba9cc46547ae86642ad3c6a9a4fb22c07bc26",
+ "rev": "c55fa26ce05fee8e063db22918d05a73d430b2ea",
 "type": "github"
 },
 "original": {
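Review bot: The two anchors under `keys:` in the .sops.yaml hunk give no hint of what each identity is, yet this is the file a maintainer edits when rotating keys: `&rouven` is the fingerprint of the public key checked in as keys/gpg/rouven.asc, and `&thinkpad` is an age recipient that, judging from shared/sops.nix in the same commit, is derived from the host's /etc/ssh/ssh_host_ed25519_key. A comment such as `# thinkpad: age recipient of this host's ssh_host_ed25519_key; re-run sops updatekeys after a reinstall` above the anchor would spare the next reader the cross-reference. Both keys sit in one entry under `key_groups`, so either key alone decrypts the file (the owner key as a recovery path, presumably intended); a second group would require both. `path_regex` is anchored only at the end, so it also matches that filename under any other directory; `^secrets/thinkpad\.yaml$` pins it to the intended path.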
@@ -35,13 +35,29 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1671923641,
+ "narHash": "sha256-flPauiL5UrfRJD+1oAcEefpEIUqTqnyKScWe/UUU+lE=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "939c05a176b8485971463c18c44f48e56a7801c9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1671313200,
- "narHash": "sha256-itZTrtHeDJjV696+ur0/TzkTqb5y3Eb57WRLRPK3rwA=",
+ "lastModified": 1671883564,
+ "narHash": "sha256-C15oAtyupmLB3coZY7qzEHXjhtUx/+77olVdqVMruAg=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "0938d73bb143f4ae037143572f11f4338c7b2d1c",
+ "rev": "dac57a4eccf1442e8bf4030df6fcbb55883cb682",
 "type": "github"
 },
 "original": {
@@ -51,10 +67,46 @@
 "type": "github"
 }
 },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1671877799,
+ "narHash": "sha256-jjC0NtPOT4huSwyichdrKHVCjuGr1al7Wu6PcHo5XZs=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "8351f271f85dae1ee28269028acde661e60394dd",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "home-manager": "home-manager",
- "nixpkgs": "nixpkgs_2"
+ "nixpkgs": "nixpkgs_2",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_3",
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1671937829,
+ "narHash": "sha256-YtaNB+mLw0d67JFYNjRWM+/AL3JCXuD/DGlnTlyX1tY=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "855b8d51fc3991bd817978f0f093aa6ae0fae738",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 },
 "utils": {
diff --git a/flake.nix b/flake.nix
index 6f797da..2d96740 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,9 +3,10 @@
 inputs = {
 nixpkgs.url = github:nixos/nixpkgs/nixos-22.11;
 home-manager.url = github:nix-community/home-manager;
+ sops-nix.url = github:Mic92/sops-nix;
 };

- outputs = { self, nixpkgs, home-manager }: {
+ outputs = { self, nixpkgs, home-manager, sops-nix }: {
 nixosConfigurations = {
 thinkpad = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
@@ -13,6 +14,7 @@
 ./hosts/thinkpad
 ./users/rouven
 home-manager.nixosModules.home-manager
+ sops-nix.nixosModules.sops
 ];
 };
 };
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index 69e2d30..b88d3a9 100755
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@@ -7,6 +7,7 @@
 ./modules/autorandr
 ../../shared/vim.nix
 ../../shared/input.nix
+ ../../shared/sops.nix
 ];

 nix.settings.experimental-features = [ "nix-command" "flakes" ];
@@ -15,8 +16,9 @@
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;

- networking.hostName = "thinkpad"; # Define your hostname.
- networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+ networking.hostName = "thinkpad";
+ sops.defaultSopsFile = ../../secrets/thinkpad.yaml;
+ networking.networkmanager.enable = true;
 networking.firewall = {
 allowedUDPPorts = [ 51820 ]; # used for wireguard
 checkReversePath = false;
@@ -90,6 +92,7 @@
 printing.enable = true;
 fprintd.enable = true; # log in using fingerprint
 picom.enable = true;
+ openssh.enable = true;
 };

 programs.steam.enable = true; # putting steam in here since home manager weirdly complains about it
diff --git a/keys/gpg/rouven.asc b/keys/gpg/rouven.asc
new file mode 100644
index 0000000..f5e36ca
--- /dev/null
+++ b/keys/gpg/rouven.asc
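Review bot: `sops-nix.url = github:Mic92/sops-nix;` in the flake.nix `@@ -3,9 +3,10 @@` hunk is added without an `inputs.nixpkgs.follows`, and the flake.lock hunks in this commit show the result: sops-nix pins its own `nixpkgs_3` (nixpkgs-unstable) and a `nixpkgs-stable`, so every evaluation fetches two nixpkgs revisions beyond the nixos-22.11 the system is built from. What sops-nix actually builds from its own nixpkgs input I cannot tell from here, but `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` next to the url (and `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";` if you want a single pin) keeps one nixpkgs in the closure and lets the existing pin govern it. The same consideration applies to `home-manager.url` on the context line above, which this commit leaves as is.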
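Review bot: `openssh.enable = true;` in the hosts/thinkpad/default.nix `@@ -90,6 +92,7 @@` hunk starts a network-listening sshd, and on the nixos-22.11 channel pinned in flake.nix that also opens port 22 via `services.openssh.openFirewall`, which defaults to true; nothing in the commit suggests remote login was the goal — the motivation appears to be the host key that shared/sops.nix reads from /etc/ssh/ssh_host_ed25519_key. If the host key is all that is wanted, `openssh.openFirewall = false;` keeps the daemon off the network; if remote login is intended, `openssh.passwordAuthentication = false;` (the 22.11 option name) restricts it to key-based logins, and a comment on the line stating which of the two is meant would help. The enclosing `services = { … };` attrset starts above the hunk, so the nesting of `openssh` under it is inferred from the sibling `printing`/`fprintd` lines. Separately, `sops.defaultSopsFile` in the `@@ -15,8 +16,9 @@` hunk sits between two `networking.*` options; grouping it with the sops import, or moving it into shared/sops.nix, would read better.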
@@ -0,0 +1,88 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGMtdrMBEADV2urYH833EH9HjrJnCMivOEoPHUUP7XWygyzhEMeKwAAX57qr +JMmnKcaX/KNmt5ZuwJRR9YwG1NCR5a5ukAkkNhFsQov6ntd2HfCAanC/1lIWrII6 +8bGMIZEb3FXNOMfqOKpCAKfJ91KCEF9kIe0h8+hqvWyhG/hBSO5pkL1tDm2MXhaA +jAF4q3uYaMqoBtSES1AbnHyLoqnqlENeTvwqA9+XoR1KisQcFAk+2Q5RPuz8OvLq +OM3vdyspa1zx/tnjcek+G9VyIYJIW6oNT8tyjrs92sSGzjjBwv6flyR2L6t/zxR7 +ffdPzR90R7wa3I6o560i4uVzzFH6k4kgvCn2hoI55L7coHO9LEIE9ZPHpBagQM6N +Z62/7GGOYRHiMx7x68BC7XH6+1x2VBwo3GoVGzGeP8cuLo0J76GDWykupWSIX0yc +F6pCCjjxqwVKpcYRKm9yrQr3zitMxVg4tzDc01AZ32V+OG+w6mTT4qcO/LWlXiad +Ho2VfNL+wXzTVJfjHGgTscwBBFLwUF1yuEI2UPx4z2IRIpPrMBraHHAaZR1auRAr +IRU7g6tP5Ekz9/IWgLO0W1dcfhLa4iUzTCtzh3vG3FUY/7aERIZryR25ettsTQNa +YxRFdGrf3C7oFHWcMPcLT+L49ZGzX8TOOi7BcDO7iCJdIt05PY8HXSBOuwARAQAB +tDVSb3V2ZW4gU2VpZmVydCA8cm91dmVuLnNlaWZlcnRAbWFpbGJveC50dS1kcmVz +ZGVuLmRlPokCVAQTAQgAPhYhBBFph6jdP3j/hgG/Tblej+axHE0JBQJjQGulAhsD +BQkFo5qABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJELlej+axHE0J8lUQAMZX +IqSX67I5sdnRbeZDn0WBAtuEInJlK/ZywAQ8MGn1TokMg1fdBoY7v/ehHn1V/3d7 +5Ax6UvHrsSwqwMMKykRbeTbmNIyBdsmgDDbmlt4hlr6V0kLrGvr3e8bBVgL63uLb +98EtP4raYaZuXrby9hP+uwRvRaxlsBMH2+dbZ62qPlmnLnlw9yZ9K1qH8bhLzQ7C +IXLog/DHHQMnfAqHE0vJBReJAtfR/AW8JqW+GTJBpTjiiiaeBWFmBY8z4RhGOA0M ++SxD7MukgSbEjtbZavf6+Hr+n4zqVFoUZm+Py8qtq8nnL2M96TdCPlWOibT5yHae +eCzVq42MWEZri0Y0+/rzsaVgGkS/Es3SoSWfcUgF1TSnK0tgxM0o415L+cbRxVKh +Q3zu7BzUaVZocdVQ1B244GKUUBzghy/rOkPdj7eC9trc3O2sdCrhARnMw50b9Mso +fGwppasWVrl7obgESy63b1JlIxnThh65XbK9Ma/GxwyLBqVQsoGDIE6skovrnKnD +HJizsQkN66FGA0QS9o6A3LhprFBuvEPW0ZugRiFi6HW7MWEaQASn0k0uKkjUF2MX +vp5b9yCV8Tt1LsPPPW18z47nclcQmqpktiOLw/fJ+eWgJ28za5Y8Sg3pcCb+8wMg +7ZKn6oPUTQ9pzmQSN5JD8LE0UAmHSzXeotn2bm1UtCBSb3V2ZW4gU2VpZmVydCA8 +cm91dmVuQHJmaXZlLmRlPokCVAQTAQgAPhYhBBFph6jdP3j/hgG/Tblej+axHE0J +BQJjLXazAhsDBQkFo5qABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJELlej+ax +HE0JWlUP/0nfVRPbeFhrgKBQKuph+sAiTl5b82BDOvDaBEMgIVuKJq5YST1zZLT2 +WmBHHS0offYYGcn8PW23m2hneOc19zE5vJzztc+5jY7IeQzuNANkVqib7pFV8tFU 
+pc7q4TD12mw2CI/bhhXcSuygCFh4lp2wEwpmbXD/vBpF5oP/OHJrF8/pgPIrRAhL +6H03hY4nYlCnRz0VJ+KoXqq79Y8lW0bDC2Iy2hTaF69z1OzbYZeikbOI8sJOx8q7 +uZ7uOceKoev9wQt2/FHx2RNnRQNG8lm1rJcjHkKARMvJZt3AGDn2z5X4ye55wtgq +oQ4Fo7J3xUebFIZFAHfWQuFhT6yWjjml+TwF7de7TBUDE3FreoNM1avaSF+DDaaD +0p6j0mSwis/epzj85bLxb76/lxxoEJPEtv9x0/iHlQg3aFtnjT3LoSEPdLSjjwP1 +kPlQ9vm2ph8FtyN11YdG7W6c1DQ0OG0kvZCuFeAr9sMuFGSHyiYw7jThoNnAQVI3 +7tVspHSaSVg5mZ/9HF+WIH7pUMY+Jl4v0/MVG7th4sbXDAx3r6zYPP2JxytW4F9c +Y+KKbmHHU8h/XtiTm+19T6gAJX0+Ijn43G1cjnDw++iLKWOf/+XniTsnCyNAp2CL +jp+/EUsj4/tY+Q+yzk5WAY1Zwn2LJ91mfVmkjFzoCfi9mGsBfDrXuQINBGMtdrMB +EACZnGENDIdFCslo/8eGod8JCg3sSWYeTj6zjorTZA0HZjLkZ+YZw6Ufp5l9qnAX +HvJJ1jtDI3NF+vO+XkwpFbg0mFDE7J6FT/8R3u7oj5zxqbxpEjRsHrsx/b1FvIv3 +BWNGep6PLKAHlpaGX9aCZjygGVundnvHeNmUQyG1XWWRp1rZHKPVvNjuyljtr07s +uF55RFi/RjK2VGUwKWFgY4u2X7sxfrMJIft1JGXd9TiPEn7uckS/jR7c0oGrzFEy +X9hQCIMIgg6OqoKSchxbMTdfEcfMfAtF1dOt77kG2rmKCf2OMXYjP7i04C9hPcKa +8dulatE+GnikD9qSQTybvvbQwDwL6h7TvmTKZcBbkRsJ6i/LOdsqErV85MGDNDzw +R6HITLWGDF2IpzUhsCL70WM/NYNseFZqBqeoPadNwvqzSfiXwEHgwWSflB/bdzZG +PCUphO8erU4RsVyrLcMge/nctFgo4MdVpf31bm2+kQksHtOxx4t5QKULWd4b5Rku +lAMCYMCIhz1zLSUl/XeDk3R+ogKEfvoI/QgS4NwSvA/C6NuNsSYw1ExkVwsPmXsP +juA9DTcVc8AgT1cheUCPLQuCJ5kKOdnZFxWArgc3fPt5PHNwqXXpfY+X0faEpPBN +Mfugjir8nUV8EdxJM8m0ZqPm6zgqjr04bBTmy1IBfQs/iQARAQABiQI8BBgBCAAm +FiEEEWmHqN0/eP+GAb9NuV6P5rEcTQkFAmMtdrMCGwwFCQWjmoAACgkQuV6P5rEc +TQm8TBAAyIe2EehTZHegPoThuKKiqdYPLRPivhaePdogsirLq6EQ9/pRQgXS2VVr +SAwACSnZpYWUm3CE7NDvcf0F3aHTujkLTcD0UGpQMeR9HTl7V+P7goKbm7Vl0RSu +oI4kpGC5iqfpEk7hMQSEaeL1SgoU+B0Y5QwO26dFNd9KeOaMbi4RGf3S7+d+taBL +ctjMKgf0B6MIz0OAXVB4Ulg3QHOiwdxpGB8a/VrBjTOu11+lsEh4fZdS4o4fzgrb +rlS8DQyuCJuxG41f+KgSsfKdeWt2LWowP+EFc+dJ+9La4PMWWWlhTcVoYSi84bx0 +URHTzvpacRSPFhCWQ31BSgM6USejn1oyrdb6vmWxc3UqbqM40J1NPzP4IQxc8pdh +N19ffC2aDkqApKPTzZ2xXmF0QOOGBqMnF4ge/dSGvao9FgK53RwpZfFJEFSK1N7h +Yrh/rxSGQRpl6LhR8gK+jX7Ocu8RXQ1i8VkvqjFnwVVGYPLpWkwiKybeyoCbbXP8 +YJI9R5vlth5jPY3emFpRmNaTNYm5mWb63IQpI+ItCeXDxU+WAws5AYzuBl1eOoS7 
+G7tnsuSLpdQxSEm8JqyFigcXw40iWBMUWc+V7gzDCd+0DR9u7F2Kvlr4k1JL/DhC +Q45kNrCpgazaquAecdL8WPzUgzNJptP0bGMaL/IW70Y4y/nrJEy5Ag0EY1RWbQEQ +ANxWRFzIW0s+3yHVz9GHfoZ7001XIAmqhUrz1kALGG/dBSmF4kRQ91GzlzSjWFEM +/ZbTIIe/lehTufBzqItfgw3WfQnc7bhUBTdIsqORu8c9LSxEjbAYh2koRRRRdY85 +mY7dblh3Mg4i/rWUV4SLnG/iy64XGLzVtw90IIc1W2ijRXlCkjEQsYwXTqshKmiS +v0x/CIAaz5koYex3Pozr9EEP0vJA/cJ7WoTOCZml08Ly7LwIClbM83ZvlmTnUtGB +WVQ+Wmh05ZKEmPv7jQaZN7AqLaHimM7NHV7MddfcPvgFJc4ZF6IX/rNjM+R3DkuC +86vuzMIggzbxPAVCK7VY0gqhoA0qB6V1jbeWD9nulZJN9QUdiEtmKq1hmZADTvU5 +HJs1XtSVCb8rFa+Th0xcC8n1cB96uiF/FWenCxvIXF/CNYclhuUqd6P0SfqHZ/Jr +IDMB7s4KU6mLdy5AIBnIqI276cegiFi1U+5QsDfSp/8cgT5gwT9zuE7lrsW5/27U +DvIzYACK7Hkl3c3F2EetqAWf3A1DeK8XYItwUC7kwcSy+7HZApOOYgRubgzRF1b3 +PJn0eGkKOL7asRXU719vEm8+ic3AxIBA9KCh3BEDepNzBVFfpFZo9zMzU02I9FT8 +G7eAVMgPFmO3wUWC7wP2ioHrZnFfyLebMl8pfT0QW+TjABEBAAGJAjYEGAEIACAW +IQQRaYeo3T94/4YBv025Xo/msRxNCQUCY1RWbQIbIAAKCRC5Xo/msRxNCZw4D/92 +YNPzMsao30cCJ3WJb6QoiI8RwE1gDdKcjWbnGobyCKg++oWtQQl6R5PoHH9/eR5U +O8XgqYP8da9y4mAKSDximhuCLhATUpDGSte7N+eVmokmPCxIHSL3Cm/hZ/mM0Qhk +eT95MHcLzx0onrzw1KhvNFvucsvhT40JkLIAECGUL8F9KQhQVkCaCAHpaZbBzEfd +vAHVYgm7KvwtAGt2Lv88GhIR2AOSj6ijQC4sAGQyKARixsoRlqzjkveqtci06mB8 +kff6BoqSf0sGzEkOlZkctoEXdz9f6mCMvpH3skYmcK6WTDbQYno8yxCC/tfqjYp6 +vlYetURLjdpawghhhlvSceJEwt796Eii3YrBvARs1CDM43hP/MfmjJiD4kKDkI/R +xa14JTfJgcr5xhRUIPQLdfFGVnn7aF16nN0N1QMOeIDxbckPjFzgTIDjEbmWaogw +QGjc7hoaHVR2d7Jwz3acRV18WN6vMwohsU513LY+2skRgahkotFMcNmO4cuBp07b +Js9gxmueL2pQ1NxwFdouVxceUGgnIuhG93OI8UZPJpnd4KeURfI8wMW5kv0wF1hy +nyxDASxiYkMLUgFRehh02ShI2Y9LTLBvRTbVoxpnitZ6HHiZ4LI0Qk78gF0LNkXj +XIponcFa0+0w3inIywIIYRs/wTPxAMheeclH9zW18w== +=JFdx +-----END PGP PUBLIC KEY BLOCK----- diff --git a/secrets/thinkpad.yaml b/secrets/thinkpad.yaml new file mode 100644 index 0000000..09794d5 --- /dev/null +++ b/secrets/thinkpad.yaml 
@@ -0,0 +1,41 @@ +o: ENC[AES256_GCM,data:OQ==,iv:bxliflmDvVoZkuJXrOGc1kh8/urnWdbt3wFcLmPcDf8=,tag:dk0FgO/KZGou4ujnZTpmOA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1s5aes35ku7d2600mwxu8jndvngqrpuuu2h6yrcetytgstkuzlsvstut3ge + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbk81MnpjSzRBdmFJNFhV + RE9oZHFuUzd3bWRuNDI3VEpYK2VTMXdBSlNVCkJjS0dnc1NzenpzYWdydkJ0enVB + dGJVU2hTKzV1bDV2VnJ1Y0xBaHVoZW8KLS0tIGtaelVQNFFtMDVndlpoMFpKY3p2 + S0NwYWFQcmFtTm5zTEZLVXRtMi91Zk0K3ylHH4OXduJlJxepPz9GxBzVmKGpv9LL + ApkEQxfPL4Bxrb2XOFLOYqJGv2SwxBv1QNYT7eTXRLTEsIXUHR0MGA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-12-27T16:39:22Z" + mac: ENC[AES256_GCM,data:ziliEa5Nqxpgp8fAQ89TjnUvCpSH813aViSpBZGqAq+fO0QSsNOIGiTCVoEskwAhIUK733rheJpBKfhApGk87Z/aZeUV3KYMhA80n8J5TMwqXAMoIqlYVXJv/HkRF40yafkSlDewURgUE+dx/IqKT++XOA5/S6E2lyLvTpsEyDc=,iv:gste7RZyzgrE8FdLYruAvdc6Obq/KCJFx4YPd4NWEjs=,tag:BGwL2z/6rgW6hZTcQ7hFMQ==,type:str] + pgp: + - created_at: "2022-12-27T16:39:15Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAzUXo8ZPJwGLAQ/+O6i2iycUhTxUEd+JjpRVOuK2+84ZS5vub8zEdgtvNZlb + +Jokp1pmzWxQ5jqwzJoJ4ALhK4RZWf/WdmUuDK2M7/T99zosPg8ZiADcqna3AACt + Neg/6irkgNfBEkhzKnSkfintE0U2GXcYQeKiQ88qtjJ2MFBrDmnMaTAr63C2u4ng + tiZ4VAgqWwJVpSOQ0lQn/QuZcQKeaXMP+1C8ezbbr/bh3AiOSN5CHNwNgwXVQFOj + JML4yyK+OTYG6STDDX2z18CosjZkrCakybFkW1sgb5KHnFmjouCLOH/eaof2Abea + B1d4TRkSCEHct471oVtFBc7FXuF80JG+OYActBYMviCReanbuQmiI63ngMS6+hkv + fkbRKpdZRYTRkYnKRbQeyOZ4e0+CTbVhNuSNgHF31zC8XUq4dZj67vJn9O0qvOJb + vtkoUAt+tsHeoCJjQsCb0UshjPPo3WAQThZdvE3PDX36qdm2WPkRkk2YYeu7YuPb + 8oZIPxF8UWriO5o/C6pqzMwMXqWTjFREz/7tZ7QbxMPSt1VgJGi1t63LMyv0Jw+Q + O87/hfWfoCBXS4juS3UuQGJqAV3M7qa17J1GrsJpOh/gWYIrkW1PQ4bfjY3Vj7P1 + arjRyk3QTxAPJy68p+1+p5QKCqWNrlZpZClHV6U9f0d4b+bdy2uaIZ5xHsf54oXS + UQHpLgxNzvTQZLTsMqb8yvFdj/KiQfa1MiOKMh2zMCpMImvkptmc3XtqXSybuCS4 + 6jPzv4cTvE/kpSxUO7fCOFIGoLleRYMpieYLyYsCrDrP8g== + =hdQ0 + -----END PGP MESSAGE----- + fp: 
116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/shared/sops.nix b/shared/sops.nix
new file mode 100644
index 0000000..c9be369
--- /dev/null
+++ b/shared/sops.nix
@@ -0,0 +1,9 @@
+{config, pkgs, ...}:
+{
+ environment.systemPackages = with pkgs; [ sops ];
+
+ # directory party
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.age.generateKey = false;
+
+}
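Review bot: `# directory party` above `sops.age.sshKeyPaths` does not say what the two `sops.age.*` lines do, and the new module has no header stating its role; a comment such as `# Secrets are decrypted with an age identity derived from this host's ed25519 SSH host key (the age recipient listed in .sops.yaml); no separate age key is generated.` would carry the intent. That comment also records the coupling to `openssh.enable = true` in hosts/thinkpad/default.nix: the key file is created by the sshd service, so on a fresh install the first activation may run before it exists and secrets will not decrypt until a later switch — worth stating since it is the usual first-boot surprise with this setup. `config` in the module arguments is unused in the visible body and can be dropped, and `sops.age.generateKey = false;` matches sops-nix's default as far as I recall, so it is redundant but harmless if the explicitness is deliberate.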