From 48d3f66855fb57379351fb9a458a95cf28522916 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Tue, 11 Apr 2023 18:37:20 +0200 Subject: manage secrets with sops not sure if i like this yet, but it seems worth trying it out. --- .sops.yaml | 10 ++++ flake.lock | 24 ++++++++ flake.nix | 140 ++++++++++++++++++++++++---------------------- flora/configuration.nix | 4 ++ flora/services/akkoma.nix | 16 +++++- flora/services/mail.nix | 4 +- home/packages.nix | 2 +- secrets/flora.yaml | 35 ++++++++++++ 8 files changed, 163 insertions(+), 72 deletions(-) create mode 100644 .sops.yaml create mode 100644 secrets/flora.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..c3f890a --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,10 @@ +keys: + - &ilex age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt + # server's ssh pubkeys as age keys + - &flora age1d8hulw7weg6gwxv0cmz969w04d2jkphdx93tm9xs0mqr0ut0t4ls4g4vah +creation_rules: + - path_regex: secrets/[^/]+\.yaml$ + key_groups: + - age: + - *ilex + - *flora diff --git a/flake.lock b/flake.lock index 9c91a7f..8523132 100644 --- a/flake.lock +++ b/flake.lock @@ -330,6 +330,7 @@ "rust-overlay": "rust-overlay", "showrt": "showrt", "simple-nixos-mailserver": "simple-nixos-mailserver", + "sops-nix": "sops-nix", "tracktrain": "tracktrain", "traveltext": "traveltext", "uplcg": "uplcg", @@ -397,6 +398,29 @@ "type": "gitlab" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ], + "nixpkgs-stable": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1681209176, + "narHash": "sha256-wyQokPpkNZnsl/bVf8m1428tfA0hJ0w/qexq4EizhTc=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "00d5fd73756d424de5263b92235563bc06f2c6e1", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "tracktrain": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index c1c790f..cf0aaff 100644 --- a/flake.nix +++ b/flake.nix 
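Review bot: The single creation rule `path_regex: secrets/[^/]+\.yaml$` encrypts every future secrets file to both `ilex` and `flora`, so a `secrets/chaski.yaml` added later would be decryptable with flora's host key as well, even though `mkServer` now wires the sops module into chaski too. One rule per host, e.g. `- path_regex: secrets/flora\.yaml$` listing only `*ilex` and `*flora`, keeps each server able to open nothing but its own file. `ilex` is the only non-host recipient, so losing that key means every secret has to be re-created; a documented backup recipient is worth adding before this grows. The comment `# server's ssh pubkeys as age keys` should also say how the recipient is derived from the host ed25519 key, so whoever rotates that key knows to regenerate the entry here.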
@@ -1,4 +1,3 @@ - { description = "testing nix flakes for server deployment"; @@ -10,10 +9,15 @@ home-manager.inputs.nixpkgs.follows = "nixpkgs"; deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; - simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; - emacs-overlay.url = "gitlab:nix-community/emacs-overlay?rev=d938b780a3d8072aeac0178c46121060079ff217"; + simple-nixos-mailserver.url = + "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; + emacs-overlay.url = + "gitlab:nix-community/emacs-overlay?rev=d938b780a3d8072aeac0178c46121060079ff217"; rust-overlay.url = "github:oxalica/rust-overlay"; rust-overlay.inputs.nixpkgs.follows = "nixpkgs"; + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable"; + sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs"; uplcg.url = "git+https://stuebinm.eu/git/uplcg?ref=main"; uplcg.flake = false; 
@@ -40,64 +44,69 @@ walint.flake = false; }; - outputs = { self, deploy-rs, ... }@inputs: - let - nixpkgs = import inputs.nixpkgs { - system = "x86_64-linux"; - overlays = [ - inputs.rust-overlay.overlays.default - self.overlays.default - ]; - }; - mkConfig = imports: config: - inputs.nixpkgs.lib.nixosSystem rec { - system = "x86_64-linux"; - modules = [ config ] ++ imports; - pkgs = nixpkgs; - - specialArgs = { - inherit inputs system; - craneLib = inputs.crane.lib.${system}; + outputs = { self, deploy-rs, sops-nix, ... }@inputs: + let + nixpkgs = import inputs.nixpkgs { + system = "x86_64-linux"; + overlays = + [ inputs.rust-overlay.overlays.default self.overlays.default ]; }; - }; - mkServer = mkConfig [ ./common/headless.nix ]; - mkDesktop = mkConfig [ ./common/desktop.nix ]; - deploy-vps = hostname: { - inherit hostname; - profiles.system = { - user = "root"; - sshUser = "root"; - path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${hostname}; + mkConfig = imports: config: + inputs.nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + modules = [ config ] ++ imports; + pkgs = nixpkgs; + + specialArgs = { + inherit inputs system; + craneLib = inputs.crane.lib.${system}; + }; + }; + mkDesktop = mkConfig [ ./common/desktop.nix ]; + mkServer = mkConfig [ + ./common/headless.nix + sops-nix.nixosModules.sops + ]; + deploy-vps = hostname: { + inherit hostname; + profiles.system = { + user = "root"; + sshUser = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.${hostname}; + }; }; - }; - in { + in { - nixosConfigurations = { - chaski = mkServer ./chaski/configuration.nix; - flora = mkServer ./flora/configuration.nix; - abbenay = mkDesktop ./abbenay/configuration.nix; - cyberbox = mkDesktop ./cyberbox/configuration.nix; - surltesh-echer = mkDesktop ./surltesh-echer/configuration.nix; - ilex = mkDesktop ./ilex/configuration.nix; - }; + nixosConfigurations = { + chaski = mkServer ./chaski/configuration.nix; 
+ flora = mkServer ./flora/configuration.nix; + abbenay = mkDesktop ./abbenay/configuration.nix; + cyberbox = mkDesktop ./cyberbox/configuration.nix; + surltesh-echer = mkDesktop ./surltesh-echer/configuration.nix; + ilex = mkDesktop ./ilex/configuration.nix; + }; - deploy.nodes = { - chaski = deploy-vps "chaski"; - flora = deploy-vps "flora"; - parsons = { - hostname = "parsons"; - profiles.home = { - user = "stuebinm"; - sshUser = "stuebinm"; - path = deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurations.stuebinm-minimal; - }; + deploy.nodes = { + chaski = deploy-vps "chaski"; + flora = deploy-vps "flora"; + parsons = { + hostname = "parsons"; + profiles.home = { + user = "stuebinm"; + sshUser = "stuebinm"; + path = deploy-rs.lib.x86_64-linux.activate.home-manager + self.homeConfigurations.stuebinm-minimal; + }; + }; }; - }; - checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + checks = builtins.mapAttrs + (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; - homeConfigurations = - let home = root: inputs.home-manager.lib.homeManagerConfiguration rec { + homeConfigurations = let + home = root: + inputs.home-manager.lib.homeManagerConfiguration rec { pkgs = nixpkgs; modules = [ root ]; extraSpecialArgs = { 
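Review bot: Nearly all of this hunk is re-indentation; the one functional change, appending `sops-nix.nixosModules.sops` to the `mkServer` module list, is easy to miss and would be clearer in its own commit. That change also enables the module for `chaski`, which declares no `sops.defaultSopsFile` anywhere in this patch; that is presumably harmless while chaski declares no `sops.secrets`, but worth confirming on the next deploy. Hosts built with `mkDesktop` do not get the module, so a short comment on `mkServer` such as `# servers get sops-nix; desktops manage no repo secrets` would record the intent.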
@@ -110,19 +119,18 @@ stuebinm-minimal = home ./home/home-minimal.nix; }; - home = self.homeConfigurations.stuebinm.activationPackage; - home-minimal = self.homeConfigurations.stuebinm-minimal.activationPackage; + home = self.homeConfigurations.stuebinm.activationPackage; + home-minimal = self.homeConfigurations.stuebinm-minimal.activationPackage; - overlays.default = final: prev: - import ./pkgs/overlay.nix { inherit inputs; } final prev; - packages.x86_64-linux = { - inherit (nixpkgs) galmon-core galmon-full glitchtip typst - almanac kijetesantakaluotokieni showrt isabelle-utils isabat - emacs29 crs-tools; - }; + overlays.default = final: prev: + import ./pkgs/overlay.nix { inherit inputs; } final prev; + packages.x86_64-linux = { + inherit (nixpkgs) + galmon-core galmon-full glitchtip typst almanac + kijetesantakaluotokieni showrt isabelle-utils isabat emacs29 + crs-tools; + }; - nixosModules = { - glitchtip = import ./modules/glitchtip.nix; + nixosModules = { glitchtip = import ./modules/glitchtip.nix; }; }; - }; } diff --git a/flora/configuration.nix b/flora/configuration.nix index 3eaaa08..954e5e6 100644 --- a/flora/configuration.nix +++ b/flora/configuration.nix @@ -19,6 +19,10 @@ boot.loader.grub.version = 2; boot.loader.grub.devices = [ "/dev/sda" ]; + sops.defaultSopsFile = ../secrets/flora.yaml; + # This will automatically import SSH keys as age keys + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + networking = { hostName = "flora"; diff --git a/flora/services/akkoma.nix b/flora/services/akkoma.nix index 98cfb7b..3eb9173 100644 --- a/flora/services/akkoma.nix +++ b/flora/services/akkoma.nix @@ -12,6 +12,11 @@ let staticDir = "/var/lib/akkoma/static"; in { + sops.secrets = { + "akkoma/keyBase" = {}; + "akkoma/signingSalt" = {}; + "akkoma/jokenDefaultSigner" = {}; + }; containers.pleroma = { autoStart = true; 
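Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` makes the host's SSH identity the decryption key for everything in `secrets/flora.yaml`, so any copy of that key (VPS snapshots, backups) exposes all secrets at once, and a reinstall that regenerates it loses access to them. Rotating the host key therefore also means updating the `flora` recipient in `.sops.yaml` and re-encrypting; the comment should state that rather than only `# This will automatically import SSH keys as age keys`, e.g. `# host ed25519 key doubles as the age identity; re-derive the flora recipient in .sops.yaml if it changes`. A dedicated key via `sops.age.keyFile` would decouple the two identities, at the cost of provisioning it out of band.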
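Review bot: The three `sops.secrets."akkoma/…" = {};` entries rely on sops-nix defaults, which as far as I recall are owner root and mode 0400, so after the bind mount they are readable only by root inside the container. If the akkoma service in the container runs as an unprivileged user and reads the `_secret` files itself, it will fail with a permission error; either set `owner`/`mode` here or confirm that the NixOS akkoma module resolves `_secret` paths with root privileges. A comment such as `# mounted read-only into the pleroma container at /sops` next to these declarations would make the coupling with the `bindMounts` block obvious. The enclosing attribute set continues past the hunk.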
@@ -22,6 +27,11 @@ in hostAddress6 = "fd00::42:30"; localAddress6 = "fd00::42:31"; + bindMounts."/sops" = { + hostPath = "/run/secrets/akkoma"; + isReadOnly = true; + }; + config = {pkgs, config, ...}: { # generating the manual will fail when mixing nixos channels, @@ -63,10 +73,10 @@ in ":pleroma"."Pleroma.Web.Endpoint" = { "url" = { host = "pleroma.stuebinm.eu"; scheme = "https"; port = 443; }; "http" = { ip = "::"; port = 4000; }; - secret_key_base._secret = "/secret/secret_key_base"; - signing_salt._secret = "/secret/signing_salt"; + secret_key_base._secret = "/sops/keyBase"; + signing_salt._secret = "/sops/signingSalt"; }; - ":joken".":default_signer"._secret = "/secret/joken_default_signer"; + ":joken".":default_signer"._secret = "/sops/jokenDefaultSigner"; ":pleroma" = { ":instance" = { diff --git a/flora/services/mail.nix b/flora/services/mail.nix index d41f0e8..e43e56f 100644 --- a/flora/services/mail.nix +++ b/flora/services/mail.nix @@ -3,7 +3,7 @@ { imports = [ inputs.simple-nixos-mailserver.nixosModule ]; - + sops.secrets."mail/hashedPassword" = {}; mailserver = { enable = true; @@ -14,7 +14,7 @@ # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 loginAccounts = { "hello@stuebinm.eu" = { - hashedPasswordFile = "/var/mailstate/hello-password"; + hashedPasswordFile = "/run/secrets/mail/hashedPassword"; aliases = ["postmaster@stuebinm.eu" "abuse@stuebinm.eu"]; }; }; diff --git a/home/packages.nix b/home/packages.nix index afa2458..d3d9f2f 100644 --- a/home/packages.nix +++ b/home/packages.nix @@ -22,7 +22,7 @@ in # general cli utils almanac libnotify grim slurp wl-clipboard showrt kijetesantakaluotokieni mpc_cli duf dufs progress hledger - wineWowPackages.full + wineWowPackages.full sops # graphical utils kitty baobab # gnss things diff --git a/secrets/flora.yaml b/secrets/flora.yaml new file mode 100644 index 0000000..ca2db83 --- /dev/null +++ b/secrets/flora.yaml 
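Review bot: `hostPath = "/run/secrets/akkoma"` is resolved when the container starts; if `/run/secrets` is a symlink into a per-generation directory, which is sops-nix's usual layout, a later host activation with changed secrets leaves the container's `/sops` pointing at the old generation until the container is restarted. A comment on the bind mount, e.g. `# resolved at container start; restart the container after rotating secrets`, would save someone a confusing debugging session. The old plaintext files under `/secret` inside the container are not removed by this change; delete them once the `/sops` paths are confirmed working. `isReadOnly = true` is the right choice and should stay.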
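Review bot: `hashedPasswordFile = "/run/secrets/mail/hashedPassword"` replaces `/var/mailstate/hello-password`, but the old hash file stays on disk and in any backups of `/var/mailstate`; remove it once the sops path is confirmed working. The `sops.secrets."mail/hashedPassword" = {}` added in the hunk above keeps the default root-only mode, which is fine only if the mailserver module reads the file as root; worth a one-line comment either way. The `htpasswd` recipe in the comment above is still correct, but it should now say the resulting hash goes into `secrets/flora.yaml` via `sops`, not into a file on the host.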
@@ -0,0 +1,35 @@ +mail: + hashedPassword: ENC[AES256_GCM,data:qZXAeESD86BaBjWF2YXtUn6wHUUVBIwHl5C0VE/5p8eIMHdRQbMwGP/uWBwUvh6Uey6iDj7YmSjhH0JN,iv:s/jOYehNIqMOuLHRjdVQG6nUJEuXbE+w4gyF14U3Scw=,tag:p3rKHAalK3sYp/b0NndKaw==,type:str] +akkoma: + keyBase: ENC[AES256_GCM,data:E9jPxP8Hg3civkyqHYPdAizisq/Oxw1zHsOmN0XvzPcKlX63ov3Akb1EFGsNqDBoSwTXtMoQk305cMB6VPLqmw==,iv:5c5W83leUmwy3w0dDvkWNdS7JWeseuxEnQc7f98O3bg=,tag:xz5JtAzvqSlkS6FKd8hVhw==,type:str] + signingSalt: ENC[AES256_GCM,data:/htaDciCAhI=,iv:MV4vYD+qaNBicKZEmYffGfTqE2AQgfUdQVjTrLGPMck=,tag:/Of2A9X2QeE6k4lHwWKcOQ==,type:str] + jokenDefaultSigner: ENC[AES256_GCM,data:1Wl/N58oiGiGeBHSkJPqLeHOyBmVgLGshAmTyi2H8cu7w/tIHMxW2sd11hhzyq2FCNVsL3Bi+yXgydG7uCl5yw==,iv:criEzJfQMsAUZ7tnIQvr9HOqn7NjBBzXL+rFAgzohPY=,tag:+izDkiUEfwD1+Ym2OuZRnA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGekdoUEZhR2Vkb0cwdUVT + Zm16MHVWY3Rybm43UDhuVngwbCsrNUxxL3hVClZHUy8vTjdMZGRlM2FTNDdWdWZE + Zk4zblIydWtCMzFRK0Y5KzY1SXpVOE0KLS0tIDFXVnEvSjZoMkg5M0JxcXBaakl0 + Z2FUNFpXSzN4a05XK0dWVkdMMHVmRlEKQnPz8rcGSdEWkV0LPR5edJRmLYQZMVR+ + PJL64NDEg3t8uQak3jiiBgBGptXFJ0dWrXqdP3Zv1JlU8pbYka2GOg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1d8hulw7weg6gwxv0cmz969w04d2jkphdx93tm9xs0mqr0ut0t4ls4g4vah + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQd1M1UzRtbDh0QnhOZDJl + bFBPQWhqR2pRK05wVmJ5cmtyWjdtSE9DSXlVCklZTVdsUStTUFRYaXR0c3I4NUVu + dldUdjQvR1RYTGFkZlhxVzEwcUJnTjAKLS0tIHdNTm1XSkpNdzJWUm9KeGlnQzhS + SEx0Y2tsaGtkV3dMd0t0ejl3WVkwOW8KTpb14yYJ1bOeLquOrmworNqiwYoZSYiQ + LkLkXKSGf6T3BrL0t0bM3fgwSQN3k92GGsEZzY7I2hhxZoNXGBOaKg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-11T16:27:36Z" + mac: 
ENC[AES256_GCM,data:jDwXDqpcX8eaYkVsHAt9rEVoavFCXF16YJV4QkjREy24f7c52pIqbOQ3RYcslyXjGWz0MCgUQ6B2w1MOvY6+xIF+dqPf1sSM5jnbazr9iyvhPIdlKWWq8MXHJEPDqC71ZkfGrPCboZmuZit2lWPu+czalZP/Dcm7bJexEsr2NZs=,iv:DVbxbYbgWNCTCgVKs3SvUCiDF0C9Av/OyrlGQHXW8WE=,tag:zwXtxzc6T8QO1T/esyDkNQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 -- cgit v1.2.3