authorstuebinm2023-04-11 18:37:20 +0200
committerstuebinm2023-04-11 18:41:13 +0200
commit48d3f66855fb57379351fb9a458a95cf28522916 (patch)
tree730f4f9186a5a7f52e64236417ec384968eb96fd
parent4e4eaf4838bbd45393d7a19ad182c8d4c076b043 (diff)
manage secrets with sops
not sure if i like this yet, but it seems worth trying it out.
-rw-r--r--.sops.yaml10
-rw-r--r--flake.lock24
-rw-r--r--flake.nix140
-rw-r--r--flora/configuration.nix4
-rw-r--r--flora/services/akkoma.nix16
-rw-r--r--flora/services/mail.nix4
-rw-r--r--home/packages.nix2
-rw-r--r--secrets/flora.yaml35
8 files changed, 163 insertions, 72 deletions
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..c3f890a
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+ - &ilex age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
+ # server's ssh pubkeys as age keys
+ - &flora age1d8hulw7weg6gwxv0cmz969w04d2jkphdx93tm9xs0mqr0ut0t4ls4g4vah
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *ilex
+ - *flora
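Review bot: The single creation rule with `path_regex: secrets/[^/]+\.yaml$` encrypts every file under secrets/ to both the admin key and flora's host key, so a future secrets/&lt;otherhost&gt;.yaml would also be decryptable by flora unless a second rule is added before it is created. Because .sops.yaml pairs recipients with paths, a per-host rule such as `path_regex: secrets/flora\.yaml$` keeps each server's host key scoped to its own file; with one server today the broad rule may be deliberate, but a comment saying so would help. The regex is also unanchored at the start, so it matches the path anywhere in the tree; harmless here, but a leading `^` makes the intent explicit.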
diff --git a/flake.lock b/flake.lock
index 9c91a7f..8523132 100644
--- a/flake.lock
+++ b/flake.lock
@@ -330,6 +330,7 @@
"rust-overlay": "rust-overlay",
"showrt": "showrt",
"simple-nixos-mailserver": "simple-nixos-mailserver",
+ "sops-nix": "sops-nix",
"tracktrain": "tracktrain",
"traveltext": "traveltext",
"uplcg": "uplcg",
@@ -397,6 +398,29 @@
"type": "gitlab"
}
},
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs-unstable"
+ ],
+ "nixpkgs-stable": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1681209176,
+ "narHash": "sha256-wyQokPpkNZnsl/bVf8m1428tfA0hJ0w/qexq4EizhTc=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "00d5fd73756d424de5263b92235563bc06f2c6e1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
"tracktrain": {
"flake": false,
"locked": {
diff --git a/flake.nix b/flake.nix
index c1c790f..cf0aaff 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,4 +1,3 @@
-
{
description = "testing nix flakes for server deployment";
@@ -10,10 +9,15 @@
home-manager.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
- simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
- emacs-overlay.url = "gitlab:nix-community/emacs-overlay?rev=d938b780a3d8072aeac0178c46121060079ff217";
+ simple-nixos-mailserver.url =
+ "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
+ emacs-overlay.url =
+ "gitlab:nix-community/emacs-overlay?rev=d938b780a3d8072aeac0178c46121060079ff217";
rust-overlay.url = "github:oxalica/rust-overlay";
rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";
+ sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";
uplcg.url = "git+https://stuebinm.eu/git/uplcg?ref=main";
uplcg.flake = false;
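Review bot: `sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable"` points sops-nix's primary nixpkgs at the unstable input while its `nixpkgs-stable` follows `nixpkgs`, the input the NixOS systems in this flake are built from; which of the two sops-nix's module actually consumes is not visible here. If the asymmetry is deliberate, a one-line comment above the three `sops-nix.*` lines stating why would save the next reader from wondering whether the server's sops binary comes from a different channel than the rest of the system. The `inputs` set continues outside the hunk.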
@@ -40,64 +44,69 @@
walint.flake = false;
};
- outputs = { self, deploy-rs, ... }@inputs:
- let
- nixpkgs = import inputs.nixpkgs {
- system = "x86_64-linux";
- overlays = [
- inputs.rust-overlay.overlays.default
- self.overlays.default
- ];
- };
- mkConfig = imports: config:
- inputs.nixpkgs.lib.nixosSystem rec {
- system = "x86_64-linux";
- modules = [ config ] ++ imports;
- pkgs = nixpkgs;
-
- specialArgs = {
- inherit inputs system;
- craneLib = inputs.crane.lib.${system};
+ outputs = { self, deploy-rs, sops-nix, ... }@inputs:
+ let
+ nixpkgs = import inputs.nixpkgs {
+ system = "x86_64-linux";
+ overlays =
+ [ inputs.rust-overlay.overlays.default self.overlays.default ];
};
- };
- mkServer = mkConfig [ ./common/headless.nix ];
- mkDesktop = mkConfig [ ./common/desktop.nix ];
- deploy-vps = hostname: {
- inherit hostname;
- profiles.system = {
- user = "root";
- sshUser = "root";
- path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${hostname};
+ mkConfig = imports: config:
+ inputs.nixpkgs.lib.nixosSystem rec {
+ system = "x86_64-linux";
+ modules = [ config ] ++ imports;
+ pkgs = nixpkgs;
+
+ specialArgs = {
+ inherit inputs system;
+ craneLib = inputs.crane.lib.${system};
+ };
+ };
+ mkDesktop = mkConfig [ ./common/desktop.nix ];
+ mkServer = mkConfig [
+ ./common/headless.nix
+ sops-nix.nixosModules.sops
+ ];
+ deploy-vps = hostname: {
+ inherit hostname;
+ profiles.system = {
+ user = "root";
+ sshUser = "root";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos
+ self.nixosConfigurations.${hostname};
+ };
};
- };
- in {
+ in {
- nixosConfigurations = {
- chaski = mkServer ./chaski/configuration.nix;
- flora = mkServer ./flora/configuration.nix;
- abbenay = mkDesktop ./abbenay/configuration.nix;
- cyberbox = mkDesktop ./cyberbox/configuration.nix;
- surltesh-echer = mkDesktop ./surltesh-echer/configuration.nix;
- ilex = mkDesktop ./ilex/configuration.nix;
- };
+ nixosConfigurations = {
+ chaski = mkServer ./chaski/configuration.nix;
+ flora = mkServer ./flora/configuration.nix;
+ abbenay = mkDesktop ./abbenay/configuration.nix;
+ cyberbox = mkDesktop ./cyberbox/configuration.nix;
+ surltesh-echer = mkDesktop ./surltesh-echer/configuration.nix;
+ ilex = mkDesktop ./ilex/configuration.nix;
+ };
- deploy.nodes = {
- chaski = deploy-vps "chaski";
- flora = deploy-vps "flora";
- parsons = {
- hostname = "parsons";
- profiles.home = {
- user = "stuebinm";
- sshUser = "stuebinm";
- path = deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurations.stuebinm-minimal;
- };
+ deploy.nodes = {
+ chaski = deploy-vps "chaski";
+ flora = deploy-vps "flora";
+ parsons = {
+ hostname = "parsons";
+ profiles.home = {
+ user = "stuebinm";
+ sshUser = "stuebinm";
+ path = deploy-rs.lib.x86_64-linux.activate.home-manager
+ self.homeConfigurations.stuebinm-minimal;
+ };
+ };
};
- };
- checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+ checks = builtins.mapAttrs
+ (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
- homeConfigurations =
- let home = root: inputs.home-manager.lib.homeManagerConfiguration rec {
+ homeConfigurations = let
+ home = root:
+ inputs.home-manager.lib.homeManagerConfiguration rec {
pkgs = nixpkgs;
modules = [ root ];
extraSpecialArgs = {
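Review bot: The only functional change in this hunk, `sops-nix.nixosModules.sops` added to the `mkServer` import list, is buried in a whole-body reformat of `outputs`, so the reviewable diff is some seventy lines for a three-line change; splitting the formatter pass into its own commit would let the sops change be audited on its own. Note also that `mkDesktop` does not receive the module, so any `sops.secrets` declaration in a desktop configuration would be rejected at evaluation time; presumably intended, since only flora has secrets, but a comment on `mkServer` such as `# servers get sops-nix; desktop hosts do not declare secrets` would record the decision. The hunk continues into the `homeConfigurations` definition, which ends outside it.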
@@ -110,19 +119,18 @@
stuebinm-minimal = home ./home/home-minimal.nix;
};
- home = self.homeConfigurations.stuebinm.activationPackage;
- home-minimal = self.homeConfigurations.stuebinm-minimal.activationPackage;
+ home = self.homeConfigurations.stuebinm.activationPackage;
+ home-minimal = self.homeConfigurations.stuebinm-minimal.activationPackage;
- overlays.default = final: prev:
- import ./pkgs/overlay.nix { inherit inputs; } final prev;
- packages.x86_64-linux = {
- inherit (nixpkgs) galmon-core galmon-full glitchtip typst
- almanac kijetesantakaluotokieni showrt isabelle-utils isabat
- emacs29 crs-tools;
- };
+ overlays.default = final: prev:
+ import ./pkgs/overlay.nix { inherit inputs; } final prev;
+ packages.x86_64-linux = {
+ inherit (nixpkgs)
+ galmon-core galmon-full glitchtip typst almanac
+ kijetesantakaluotokieni showrt isabelle-utils isabat emacs29
+ crs-tools;
+ };
- nixosModules = {
- glitchtip = import ./modules/glitchtip.nix;
+ nixosModules = { glitchtip = import ./modules/glitchtip.nix; };
};
- };
}
diff --git a/flora/configuration.nix b/flora/configuration.nix
index 3eaaa08..954e5e6 100644
--- a/flora/configuration.nix
+++ b/flora/configuration.nix
@@ -19,6 +19,10 @@
boot.loader.grub.version = 2;
boot.loader.grub.devices = [ "/dev/sda" ];
+ sops.defaultSopsFile = ../secrets/flora.yaml;
+ # This will automatically import SSH keys as age keys
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
networking = {
hostName = "flora";
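Review bot: Binding decryption to `/etc/ssh/ssh_host_ed25519_key` makes the host's SSH identity double as the secrets key, so regenerating that key (reinstall, or rotation after a suspected compromise) silently breaks decryption until `.sops.yaml` carries the new age recipient and the secrets files are re-encrypted; the existing comment does not say so. Suggest extending it to `# The host SSH key doubles as the age decryption key; rotating it requires updating .sops.yaml and re-encrypting secrets/ (sops updatekeys)`. The enclosing attribute set starts and ends outside the hunk.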
diff --git a/flora/services/akkoma.nix b/flora/services/akkoma.nix
index 98cfb7b..3eb9173 100644
--- a/flora/services/akkoma.nix
+++ b/flora/services/akkoma.nix
@@ -12,6 +12,11 @@ let
staticDir = "/var/lib/akkoma/static";
in
{
+ sops.secrets = {
+ "akkoma/keyBase" = {};
+ "akkoma/signingSalt" = {};
+ "akkoma/jokenDefaultSigner" = {};
+ };
containers.pleroma = {
autoStart = true;
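Review bot: The three `sops.secrets` entries rely on sops-nix's default ownership and mode (root-owned, 0400), yet the consumer is the akkoma service inside the `pleroma` container, reached through the read-only bind mount of `/run/secrets/akkoma` added in the next hunk; unless that service reads the `_secret` files as root, it will find them unreadable at start-up, and the in-container reader's user is not visible here. Either set `owner`, `group` and `mode` on each entry to match the container's service user, or confirm the files are read with root privileges before this is deployed. The `_secret` path rewrites to `/sops/...` in the third hunk are consistent with the mount point.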
@@ -22,6 +27,11 @@ in
hostAddress6 = "fd00::42:30";
localAddress6 = "fd00::42:31";
+ bindMounts."/sops" = {
+ hostPath = "/run/secrets/akkoma";
+ isReadOnly = true;
+ };
+
config = {pkgs, config, ...}: {
# generating the manual will fail when mixing nixos channels,
@@ -63,10 +73,10 @@ in
":pleroma"."Pleroma.Web.Endpoint" = {
"url" = { host = "pleroma.stuebinm.eu"; scheme = "https"; port = 443; };
"http" = { ip = "::"; port = 4000; };
- secret_key_base._secret = "/secret/secret_key_base";
- signing_salt._secret = "/secret/signing_salt";
+ secret_key_base._secret = "/sops/keyBase";
+ signing_salt._secret = "/sops/signingSalt";
};
- ":joken".":default_signer"._secret = "/secret/joken_default_signer";
+ ":joken".":default_signer"._secret = "/sops/jokenDefaultSigner";
":pleroma" = {
":instance" = {
diff --git a/flora/services/mail.nix b/flora/services/mail.nix
index d41f0e8..e43e56f 100644
--- a/flora/services/mail.nix
+++ b/flora/services/mail.nix
@@ -3,7 +3,7 @@
{
imports = [ inputs.simple-nixos-mailserver.nixosModule ];
-
+ sops.secrets."mail/hashedPassword" = {};
mailserver = {
enable = true;
@@ -14,7 +14,7 @@
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
loginAccounts = {
"hello@stuebinm.eu" = {
- hashedPasswordFile = "/var/mailstate/hello-password";
+ hashedPasswordFile = "/run/secrets/mail/hashedPassword";
aliases = ["postmaster@stuebinm.eu" "abuse@stuebinm.eu"];
};
};
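Review bot: Switching `hashedPasswordFile` to `/run/secrets/mail/hashedPassword` leaves the old `/var/mailstate/hello-password` on the server, since nothing in the configuration removes it; it is a hash rather than the password, but it is now unmanaged secret material and should be deleted from the host after the first successful deploy. The comment above `loginAccounts` still only describes generating the hash with htpasswd; a following line such as `# then store the hash as mail.hashedPassword in secrets/flora.yaml via sops` would complete the instructions. `mail/hashedPassword`, declared in the first hunk, likewise relies on the default owner and mode, and the process that reads it is not visible here, so that should be checked too. The `mailserver` set continues outside the hunk.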
diff --git a/home/packages.nix b/home/packages.nix
index afa2458..d3d9f2f 100644
--- a/home/packages.nix
+++ b/home/packages.nix
@@ -22,7 +22,7 @@ in
# general cli utils
almanac libnotify grim slurp wl-clipboard showrt
kijetesantakaluotokieni mpc_cli duf dufs progress hledger
- wineWowPackages.full
+ wineWowPackages.full sops
# graphical utils
kitty baobab
# gnss things
diff --git a/secrets/flora.yaml b/secrets/flora.yaml
new file mode 100644
index 0000000..ca2db83
--- /dev/null
+++ b/secrets/flora.yaml
@@ -0,0 +1,35 @@
+mail:
+ hashedPassword: ENC[AES256_GCM,data:qZXAeESD86BaBjWF2YXtUn6wHUUVBIwHl5C0VE/5p8eIMHdRQbMwGP/uWBwUvh6Uey6iDj7YmSjhH0JN,iv:s/jOYehNIqMOuLHRjdVQG6nUJEuXbE+w4gyF14U3Scw=,tag:p3rKHAalK3sYp/b0NndKaw==,type:str]
+akkoma:
+ keyBase: ENC[AES256_GCM,data:E9jPxP8Hg3civkyqHYPdAizisq/Oxw1zHsOmN0XvzPcKlX63ov3Akb1EFGsNqDBoSwTXtMoQk305cMB6VPLqmw==,iv:5c5W83leUmwy3w0dDvkWNdS7JWeseuxEnQc7f98O3bg=,tag:xz5JtAzvqSlkS6FKd8hVhw==,type:str]
+ signingSalt: ENC[AES256_GCM,data:/htaDciCAhI=,iv:MV4vYD+qaNBicKZEmYffGfTqE2AQgfUdQVjTrLGPMck=,tag:/Of2A9X2QeE6k4lHwWKcOQ==,type:str]
+ jokenDefaultSigner: ENC[AES256_GCM,data:1Wl/N58oiGiGeBHSkJPqLeHOyBmVgLGshAmTyi2H8cu7w/tIHMxW2sd11hhzyq2FCNVsL3Bi+yXgydG7uCl5yw==,iv:criEzJfQMsAUZ7tnIQvr9HOqn7NjBBzXL+rFAgzohPY=,tag:+izDkiUEfwD1+Ym2OuZRnA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGekdoUEZhR2Vkb0cwdUVT
+ Zm16MHVWY3Rybm43UDhuVngwbCsrNUxxL3hVClZHUy8vTjdMZGRlM2FTNDdWdWZE
+ Zk4zblIydWtCMzFRK0Y5KzY1SXpVOE0KLS0tIDFXVnEvSjZoMkg5M0JxcXBaakl0
+ Z2FUNFpXSzN4a05XK0dWVkdMMHVmRlEKQnPz8rcGSdEWkV0LPR5edJRmLYQZMVR+
+ PJL64NDEg3t8uQak3jiiBgBGptXFJ0dWrXqdP3Zv1JlU8pbYka2GOg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1d8hulw7weg6gwxv0cmz969w04d2jkphdx93tm9xs0mqr0ut0t4ls4g4vah
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQd1M1UzRtbDh0QnhOZDJl
+ bFBPQWhqR2pRK05wVmJ5cmtyWjdtSE9DSXlVCklZTVdsUStTUFRYaXR0c3I4NUVu
+ dldUdjQvR1RYTGFkZlhxVzEwcUJnTjAKLS0tIHdNTm1XSkpNdzJWUm9KeGlnQzhS
+ SEx0Y2tsaGtkV3dMd0t0ejl3WVkwOW8KTpb14yYJ1bOeLquOrmworNqiwYoZSYiQ
+ LkLkXKSGf6T3BrL0t0bM3fgwSQN3k92GGsEZzY7I2hhxZoNXGBOaKg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-04-11T16:27:36Z"
+ mac: ENC[AES256_GCM,data:jDwXDqpcX8eaYkVsHAt9rEVoavFCXF16YJV4QkjREy24f7c52pIqbOQ3RYcslyXjGWz0MCgUQ6B2w1MOvY6+xIF+dqPf1sSM5jnbazr9iyvhPIdlKWWq8MXHJEPDqC71ZkfGrPCboZmuZit2lWPu+czalZP/Dcm7bJexEsr2NZs=,iv:DVbxbYbgWNCTCgVKs3SvUCiDF0C9Av/OyrlGQHXW8WE=,tag:zwXtxzc6T8QO1T/esyDkNQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3