From 0cac64029a45f930365e88841273f899dfbfd085 Mon Sep 17 00:00:00 2001 From: uku Date: Thu, 18 Jan 2024 16:11:18 +0100 Subject: [PATCH] rework secrets --- modules/common.nix | 4 ++++ modules/desktop.nix | 21 +++++---------------- secrets/desktop/rootPassword.age | 12 ------------ secrets/desktop/userPassword.age | 13 ------------- secrets/fuji/rootPassword.age | 14 ++++++++++++++ secrets/kilimandjaro/rootPassword.age | 13 +++++++++++++ secrets/secrets.nix | 18 ++++++++---------- secrets/tailscaleKey.age | 22 ++++++++++------------ secrets/userPassword.age | 11 +++++++++++ 9 files changed, 65 insertions(+), 63 deletions(-) delete mode 100644 secrets/desktop/rootPassword.age delete mode 100644 secrets/desktop/userPassword.age create mode 100644 secrets/fuji/rootPassword.age create mode 100644 secrets/kilimandjaro/rootPassword.age create mode 100644 secrets/userPassword.age diff --git a/modules/common.nix b/modules/common.nix index 97c0a23..b9fab7b 100644 --- a/modules/common.nix +++ b/modules/common.nix @@ -10,6 +10,8 @@ identityPaths = ["/etc/ssh/ssh_host_ed25519_key"]; secrets = { + rootPassword.file = ../secrets/${config.networking.hostName}/rootPassword.age; + userPassword.file = ../secrets/userPassword.age; tailscaleKey.file = ../secrets/tailscaleKey.age; }; }; @@ -104,6 +106,8 @@ time.timeZone = "Europe/Paris"; + users.users.root.hashedPasswordFile = config.age.secrets.rootPassword.path; + # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/modules/desktop.nix b/modules/desktop.nix index 5e1dc0a..7e3d577 100644 --- a/modules/desktop.nix +++ b/modules/desktop.nix 
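Review bot: The added `rootPassword.file = ../secrets/${config.networking.hostName}/rootPassword.age;` makes evaluation of common.nix depend on a per-host file existing and on a matching entry in secrets/secrets.nix; a host whose `networking.hostName` has no directory under secrets/ fails at evaluation with a missing-path error rather than a readable message. This commit only provides fuji and kilimandjaro directories, so any other host importing this module (the removed vesuvio entries suggest one existed) is presumably broken until its secret is added. A comment above the line would make the contract explicit: `# per-host secret: secrets/<hostName>/rootPassword.age must exist and be listed in secrets/secrets.nix`. The second hunk's `users.users.root.hashedPasswordFile = config.age.secrets.rootPassword.path;` relies on that same secret and inherits the constraint. Both hunks' enclosing attribute sets start and end outside the hunk.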
@@ -12,13 +12,6 @@ in { (lib.mkAliasOptionModule ["hm"] ["home-manager" "users" username]) ]; - age.secrets = let - base = ../secrets/desktop; - in { - rootPassword.file = "${base}/rootPassword.age"; - userPassword.file = "${base}/userPassword.age"; - }; - boot = { extraModulePackages = with config.boot.kernelPackages; [v4l2loopback]; kernelModules = ["v4l2loopback"]; @@ -174,15 +167,11 @@ in { sound.enable = true; - users.users = { - "${username}" = { - isNormalUser = true; - shell = pkgs.fish; - extraGroups = ["networkmanager" "wheel" "video" "libvirtd"]; - hashedPasswordFile = config.age.secrets.userPassword.path; - }; - - root.hashedPasswordFile = config.age.secrets.rootPassword.path; + users.users."${username}" = { + isNormalUser = true; + shell = pkgs.fish; + extraGroups = ["networkmanager" "wheel" "video" "libvirtd"]; + hashedPasswordFile = config.age.secrets.userPassword.path; }; virtualisation.libvirtd.enable = true; diff --git a/secrets/desktop/rootPassword.age b/secrets/desktop/rootPassword.age deleted file mode 100644 index b22bbc0..0000000 --- a/secrets/desktop/rootPassword.age +++ /dev/null @@ -1,12 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFd5V3BRdyBsWEll -NkhsbzR0bkFHZ1pFaWZqTnA2MWNDUW84RjZuZFc4VStEdFRneTBZCkEzc1hYRmRo -VFNUaHpTcE9UY1BvMmhzL1lYNzUzOXdsRnBRbmxPSlJqNVkKLT4gc3NoLWVkMjU1 -MTkgVmIvYW1BIFpmL0FvWjNibkIzY3dOYzdhbG1qSmttenFPbkt2SnJtZCt1dGM3 -dksvVmsKSjlZNWFmcDVLTmJqVWRkeTZ5ZzVoUG4zN1dWcjRvVDZBSXBkUnZhbEpL -MAotPiA7RVtbRS1ncmVhc2UKcDVHVkdmaEtrNEF4UjNsR3pqNUUrRnA3VncKLS0t -IHloS2FmT3lzd0hYT3U4bTFtY2o5cXBWaSsxQUNSWUp3YUk5VUdiU25hQmMKGtZ1 -BdOOKKg94mA6tGutkcTTmu2UDCNr6ATRUkodyNEj0JPJG70OmVC0UoKU4cK0ZxI4 -6qr4xlJGPsD2BTa9KTPhb/Yd3968lz3+rgGHt9oWlWQxxdwZYhoLkY9F1sVRM/Ro -O9HTXx5UDKUZRJ44s8619B09o1p+A+7LBUwwjUU3tnSpHdJIPz+teQ== ------END AGE ENCRYPTED FILE----- diff --git a/secrets/desktop/userPassword.age b/secrets/desktop/userPassword.age deleted file mode 100644 index 9b7a23b..0000000 
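Review bot: `hashedPasswordFile = config.age.secrets.userPassword.path;` in the rewritten `users.users."${username}"` block now refers to a secret that this file no longer declares, so desktop.nix only evaluates when the module holding the declaration (common.nix, per the first hunk of this patch) is imported alongside it; a one-line comment would record that coupling: `# userPassword secret is declared in common.nix (shared across hosts)`. Likewise root's password is no longer set here, which is only correct if every host using this module also imports common.nix — presumably the case, but worth stating next to the block. The enclosing module attribute set starts and ends outside the hunk.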
--- a/secrets/desktop/userPassword.age +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFd5V3BRdyBoVnJo -azN5ak5ObGpPeDcyWHpoOUJsekxkMmRraFNRV2EvUUdGejZaeVR3CjdRSVBuOTlB -SnlqdjA3NTdacEdURW1maHhUdmVaaURnMnlrdnM0SEFWYk0KLT4gc3NoLWVkMjU1 -MTkgVmIvYW1BIEYxUWZQQzh4MzM5NG43VkJtWkJQUEJhNDd2QUJncW1xVnZqMHVl -WHQxQXMKc2xsbkJjbml2QVFWS0FUSE1Mazh4NXplL0ZpUkhMWEw1cTRDa0p1b2lW -VQotPiBXWDstZ3JlYXNlIC0gQDRKZFBjPyBgVkd1b0BsCkY2Kzc1TTNJbUdTWlVm -WGdVNWkxa1F3YmFpR3lRdkNLTHBaZGd2MEQ3WU9wb25McVRzRGF6QUFjMzdqcnhl -Ui8KRjlTaHF5VW5WVjdMcEI3cGVRCi0tLSBGNHl5QWJqSlZJL3Vyd3hMd0YvcjdL -NXpUeVRPVWNQbjk5ZC80THFZeFFFCusEoCsLe1yC8S51XmFBVmO4pGV8nwm+DRta -92cgf751L2h7kyuY7ns0MrWVjfR0fWEh2ekd9Q2GmBKf4DLW/SBYbn3NzZKJY8Nb -vlazcItj9ztHf6f4/aR2OVmBsDbxoGUZLvO1y6Mvpto= ------END AGE ENCRYPTED FILE----- diff --git a/secrets/fuji/rootPassword.age b/secrets/fuji/rootPassword.age new file mode 100644 index 0000000..ac9bdc5 --- /dev/null +++ b/secrets/fuji/rootPassword.age @@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFd5V3BRdyBQcnVF +UGNPWC9NaUJhbEZnbGFjUEtDS2FEZWRBeUxaK1JpZ08xY2tiUEVjClEyb09tVWlk +WGtkRXBIU1JPUGZKVUJVQ1lOV0R6K1NjVkZQeldvS212RWcKLT4gc3NoLWVkMjU1 +MTkgVmIvYW1BIFRkNTJrYzZtYlhIVUZ3T3FDNWlwV3NnK1U1UjltbGJuL2U5MFVY +RFpLaGcKYU4zQ1BaalNCNG1FOXN4ZStkdW9XNEFqbTdBVVdTZmFTMERNTEFXNkZi +QQotPiBvT2Z9My1ncmVhc2UgYmRoMm0iNFEgcyhOfWRcIDwKTVJVZllHWnhjUG9m +Q0hmWTBmTVlmT2RReFJjU2FKWGpTMi9WaUlZTWoxL2pmOFRMVjVpbU9jREJoZlBm +NlR3QQpRYUpZakNXNWpKSzgreEhsMWpqczg0VGhKeGNNYmc5UjJnCi0tLSBWOVZp +dkthdnh1dFV4djBTMjg1SUh6ZWpCaUttWStYTnZjREZkNnZPYWFzCpGQpx4DjeYa +ySZeZU/9qaM2lty9XsRyyY9Y3MfU4zORTEs6EoxQQ5uJSkksWOiKq1pXEVp7Eiiw +zlml1y9HZjUJWHTkJqIu47bqBIeIJjwL4PZ9L73EmTa9m+LvfqFpMC9Ka42Iwwz3 +C/7dsp19SrYydPct/nHstHL8a6ymIkXfmI35Cfl4puvE8do= +-----END AGE ENCRYPTED FILE----- 
diff --git a/secrets/kilimandjaro/rootPassword.age b/secrets/kilimandjaro/rootPassword.age new file mode 100644 index 0000000..ec1d0b2 --- /dev/null +++ b/secrets/kilimandjaro/rootPassword.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFd5V3BRdyA5aVlB +L1krb2xjbklkVCttMzZNczVYV3ZtRDBWLzI2MGphTW42TmwyTkdVCi8rOEpLUGhx +YXR1cnVZN0RVK3hOVVRwUTB4cHU3djFqY1MxeDRZckVhQzQKLT4gc3NoLWVkMjU1 +MTkgVmIvYW1BIG9qcFNzdDhaZmFxczRVd1JaTEVlSEplcTdxQTM1YTIyZVhSVTVX +OHN5bGMKR1ZjTjJ1NVdYOFFMbFUvNlRZbTU2UDdaVDBOOFh4SkUzTEl1RUZvQ2Jx +UQotPiA3djRILWdyZWFzZSBpO1dtLWpJICQyPyB+ZkRncyB9YSFVIWdzKgpBSVRU +MklzYmNNaUxQNHJ2QUJIYjhiU2Z1QTAKLS0tIENPYkpsNUI0eFVHbnRkU0t0Q3Jv +SXRsYzNjYmRKa0tQOXBnMUdmalZiS00KQDI4rngNrAQUeBm1jkO99uAba2XAOmc4 +ps3WPwPj+uQvF/kQ3sJsy6JCGErumTXJ/tm9+Atv1hrsDsCQ73vloLsbhNGNpumH +3DPYRTSr30l7ncu6qciyaFLHjSB2uTD18hh3+QSD0CJkq+0EoZZiJwZSehLsatjR +ufIgRoaf5P7cE9jBcJUT2QZSOw== +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 47989df..25ffcdd 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -1,15 +1,13 @@ let - main = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHETiSgdsFFub534ChUKrY3U1ApAlyM7jqFmj3qN65so root@fuji" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbRi03uVAVzqEI5zc8QmP3uthcC1ep55gQL+nQPrEvv root@kilimandjaro" - ]; + fuji = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHETiSgdsFFub534ChUKrY3U1ApAlyM7jqFmj3qN65so root@fuji"; + kilimandjaro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbRi03uVAVzqEI5zc8QmP3uthcC1ep55gQL+nQPrEvv root@kilimandjaro"; - server = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdyRFBTdyCCMQ7I75TyO9voxrrreXQTXtSw+iCRf4XI root@vesuvio"] ++ main; + main = [fuji kilimandjaro]; + server = main; in { - "desktop/rootPassword.age".publicKeys = main; - "desktop/userPassword.age".publicKeys = main; - + "userPassword.age".publicKeys = server; "tailscaleKey.age".publicKeys = server; - "vesuvio/rootPassword.age".publicKeys = server; - "vesuvio/userPassword.age".publicKeys = server; + + "fuji/rootPassword.age".publicKeys = main; + "kilimandjaro/rootPassword.age".publicKeys = main; } diff --git a/secrets/tailscaleKey.age b/secrets/tailscaleKey.age index e771603..18d328c 100644 --- a/secrets/tailscaleKey.age +++ b/secrets/tailscaleKey.age 
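Review bot: `server = main;` leaves `server` as a plain alias, so `"userPassword.age".publicKeys = server;` and the `main` entries below encrypt to the same two recipients and the two names no longer express a distinction; either drop `server` or add `# server: hosts that receive shared secrets; currently identical to main` to say why the split is kept. Dropping `root@vesuvio` from the recipient list removes it from future encryptions, but the diffstat shows no `secrets/vesuvio/*.age` files deleted, so if those files exist they are now orphaned and not covered by any rekey. The previous tailscaleKey.age ciphertext remains in history and stays decryptable by the removed key, so if the removal is meant as revocation the Tailscale auth key itself should be rotated rather than only re-encrypted.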
@@ -1,14 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5ICsraU9FZyBTNnZC -NHRiQ3RnNUpYemhXUkZjVUdHRXUyY1EzazBJZklrd0EwczMyYkd3CkZJQ3pTWm83 -WktmRE96TzFkcDY0YmJxRlhmWVBHMDFuZk5MWSsyQ1FxVWsKLT4gc3NoLWVkMjU1 -MTkgV3lXcFF3IDhXSlc3OFJLVXlkaDl6NGVQNHphNG5XbSsxWFh2OVVzMldYajRG -dzRPMXMKRzNZcDFrRlpiQTZvR1VPdWw2Y05xb2YzejV5bStwVHVTZ0lFaXN3c2Ur -RQotPiBzc2gtZWQyNTUxOSBWYi9hbUEgcFhxbFNJcmo4NWpxME5GbFd1VEpRNFR4 -c2ZGMGQ0L21HWEJtZkpIelBtRQpyOThscG85MWtSZXVyRnY0cjlTcXZLMHZKb25s -VlllUEM0ZnVQUWVoYkJzCi0+IEZ6dFNkUmQtZ3JlYXNlCjNjb29LZUN4NEtqaVNP -TzZTcHZEUjZRbAotLS0gZTBPUmNBNVp5Zlhab3h2bXNUcS91OE5UR09NaFNPaHE4 -RnkvY1NXUzRNVQrvIkHSleeXAXwmLiEMULwHsZPhJ4nQufrqIf/hKLpeMl1/UYkN -hDOcFv/ycsIbBjpnbDc/63FzD4FHepIEUDX2PHM7K2GKxo8CyLQDKKNLVnvpUPyB -JbZgCaA= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFd5V3BRdyAwT3NR +NmVyVERocFpVNkpHQXBuL1oyZUx5RFdJRXpOek41Tmd3OHJTQ1FJCjJIQndIWWNn +RGh0cjdHN1lEbkdwUnhuRDlvdVVWODRJY1pjTHVIRlJJTXMKLT4gc3NoLWVkMjU1 +MTkgVmIvYW1BIEYxRlJhb3ZEMU9yMW5majlJaDFGUXVWUXlHT1NPd2J4QzM0azZo +cVpnUzgKaU5CUWQwL2NrdUc4K096eW5BckRkdHJTOCtBMW41SnJkM2ZQNHBReVdL +dwotPiBcLWdyZWFzZSBkQz0gcng1KCBXaFx1SiBsTAp3YmlGNVRKcTF2eGVkRWtV +RER2azZBNFpzdwotLS0gT2hKbmpvK25OdTNGUFBzTXNPWUxYdUIySnlGS21TY0FM +YUJiSk1WYjVtVQqAxVWNyP4XGgZahX5r3lcocV8zRWjLbu0Hyvy9Oma6fFDiEKuq +l+Xwb5Bs6WaSowSPJO815x/T/xGdo8ggntUDNDFN4lLrKQhIkz00pbbxeVaXva9X +rrkZBn8= -----END AGE ENCRYPTED FILE----- diff --git a/secrets/userPassword.age b/secrets/userPassword.age new file mode 100644 index 0000000..ddb779a --- /dev/null +++ b/secrets/userPassword.age 
@@ -0,0 +1,11 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFd5V3BRdyBZbkkw +UlVDRmY4SStUc3NUeHJwajE2MGZKU01abXBsSjhUTlVaR1RUS0FBCnI1aGdOeTRS +cE1va3MyR08rSFZXd0h3eFNTcm05dGZGYTVFeEk1TC8zR1EKLT4gc3NoLWVkMjU1 +MTkgVmIvYW1BIEJlbHhZVUdTWlZSeFNWT2xON1RCRWNrQnNpeDNiTE1lcERCSFNo +Y0NmQmsKM0hBdkZ3K0FpV3RxMUs0eXkySmt0TDB6U0N1dkhUczhsWUowV2lCSkxq +awotPiBqYi1ncmVhc2UgdCcKdTRlOQotLS0gR2Q4ajQvR2p2cWVmS3dMeTJNam5H +NUU5dkxvRFA2SXdEa1NtTWZUOE1uZwrc3tjr3tkK0xwRJT1BvUWvKmsMBqlwly7p +CBB0rphclsuS+HdxuCU1/qQ6dfXw8heoIKrRR0iTFp3NMZLQgcrWExwqRfQhS4wy +uA/xZPhUA96MhTpTtthnmClSijn5rAv++DFx9UajBjXr +-----END AGE ENCRYPTED FILE-----