rework secrets
parent
e22617306e
commit
0cac64029a
9 changed files with 65 additions and 63 deletions
|
@ -10,6 +10,8 @@
|
||||||
identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
||||||
|
|
||||||
secrets = {
|
secrets = {
|
||||||
|
rootPassword.file = ../secrets/${config.networking.hostName}/rootPassword.age;
|
||||||
|
userPassword.file = ../secrets/userPassword.age;
|
||||||
tailscaleKey.file = ../secrets/tailscaleKey.age;
|
tailscaleKey.file = ../secrets/tailscaleKey.age;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -104,6 +106,8 @@
|
||||||
|
|
||||||
time.timeZone = "Europe/Paris";
|
time.timeZone = "Europe/Paris";
|
||||||
|
|
||||||
|
users.users.root.hashedPasswordFile = config.age.secrets.rootPassword.path;
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
# on your system were taken. It‘s perfectly fine and recommended to leave
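Review bot: The added `users.users.root.hashedPasswordFile = config.age.secrets.rootPassword.path;` only takes effect on an already-installed host when `users.mutableUsers = false`; with the default mutable setting NixOS applies password options only when the account is first created, so the new per-host root hash may silently never be applied. `users.mutableUsers` is not visible in these hunks, and the module body continues outside both of them, so this needs confirming against the rest of the file. If declarative passwords are intended, I would set that option explicitly next to this line and add a comment such as `# root hash comes from secrets/<hostName>/rootPassword.age; every host importing this module needs that file`.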
|
||||||
|
|
|
@ -12,13 +12,6 @@ in {
|
||||||
(lib.mkAliasOptionModule ["hm"] ["home-manager" "users" username])
|
(lib.mkAliasOptionModule ["hm"] ["home-manager" "users" username])
|
||||||
];
|
];
|
||||||
|
|
||||||
age.secrets = let
|
|
||||||
base = ../secrets/desktop;
|
|
||||||
in {
|
|
||||||
rootPassword.file = "${base}/rootPassword.age";
|
|
||||||
userPassword.file = "${base}/userPassword.age";
|
|
||||||
};
|
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
|
extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
|
||||||
kernelModules = ["v4l2loopback"];
|
kernelModules = ["v4l2loopback"];
|
||||||
|
@ -174,17 +167,13 @@ in {
|
||||||
|
|
||||||
sound.enable = true;
|
sound.enable = true;
|
||||||
|
|
||||||
users.users = {
|
users.users."${username}" = {
|
||||||
"${username}" = {
|
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
shell = pkgs.fish;
|
shell = pkgs.fish;
|
||||||
extraGroups = ["networkmanager" "wheel" "video" "libvirtd"];
|
extraGroups = ["networkmanager" "wheel" "video" "libvirtd"];
|
||||||
hashedPasswordFile = config.age.secrets.userPassword.path;
|
hashedPasswordFile = config.age.secrets.userPassword.path;
|
||||||
};
|
};
|
||||||
|
|
||||||
root.hashedPasswordFile = config.age.secrets.rootPassword.path;
|
|
||||||
};
|
|
||||||
|
|
||||||
virtualisation.libvirtd.enable = true;
|
virtualisation.libvirtd.enable = true;
|
||||||
|
|
||||||
xdg = {
|
xdg = {
|
||||||
|
|
|
@ -1,12 +0,0 @@
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFd5V3BRdyBsWEll
|
|
||||||
NkhsbzR0bkFHZ1pFaWZqTnA2MWNDUW84RjZuZFc4VStEdFRneTBZCkEzc1hYRmRo
|
|
||||||
VFNUaHpTcE9UY1BvMmhzL1lYNzUzOXdsRnBRbmxPSlJqNVkKLT4gc3NoLWVkMjU1
|
|
||||||
MTkgVmIvYW1BIFpmL0FvWjNibkIzY3dOYzdhbG1qSmttenFPbkt2SnJtZCt1dGM3
|
|
||||||
dksvVmsKSjlZNWFmcDVLTmJqVWRkeTZ5ZzVoUG4zN1dWcjRvVDZBSXBkUnZhbEpL
|
|
||||||
MAotPiA7RVtbRS1ncmVhc2UKcDVHVkdmaEtrNEF4UjNsR3pqNUUrRnA3VncKLS0t
|
|
||||||
IHloS2FmT3lzd0hYT3U4bTFtY2o5cXBWaSsxQUNSWUp3YUk5VUdiU25hQmMKGtZ1
|
|
||||||
BdOOKKg94mA6tGutkcTTmu2UDCNr6ATRUkodyNEj0JPJG70OmVC0UoKU4cK0ZxI4
|
|
||||||
6qr4xlJGPsD2BTa9KTPhb/Yd3968lz3+rgGHt9oWlWQxxdwZYhoLkY9F1sVRM/Ro
|
|
||||||
O9HTXx5UDKUZRJ44s8619B09o1p+A+7LBUwwjUU3tnSpHdJIPz+teQ==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
|
@ -1,13 +0,0 @@
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFd5V3BRdyBoVnJo
|
|
||||||
azN5ak5ObGpPeDcyWHpoOUJsekxkMmRraFNRV2EvUUdGejZaeVR3CjdRSVBuOTlB
|
|
||||||
SnlqdjA3NTdacEdURW1maHhUdmVaaURnMnlrdnM0SEFWYk0KLT4gc3NoLWVkMjU1
|
|
||||||
MTkgVmIvYW1BIEYxUWZQQzh4MzM5NG43VkJtWkJQUEJhNDd2QUJncW1xVnZqMHVl
|
|
||||||
WHQxQXMKc2xsbkJjbml2QVFWS0FUSE1Mazh4NXplL0ZpUkhMWEw1cTRDa0p1b2lW
|
|
||||||
VQotPiBXWDstZ3JlYXNlIC0gQDRKZFBjPyBgVkd1b0BsCkY2Kzc1TTNJbUdTWlVm
|
|
||||||
WGdVNWkxa1F3YmFpR3lRdkNLTHBaZGd2MEQ3WU9wb25McVRzRGF6QUFjMzdqcnhl
|
|
||||||
Ui8KRjlTaHF5VW5WVjdMcEI3cGVRCi0tLSBGNHl5QWJqSlZJL3Vyd3hMd0YvcjdL
|
|
||||||
NXpUeVRPVWNQbjk5ZC80THFZeFFFCusEoCsLe1yC8S51XmFBVmO4pGV8nwm+DRta
|
|
||||||
92cgf751L2h7kyuY7ns0MrWVjfR0fWEh2ekd9Q2GmBKf4DLW/SBYbn3NzZKJY8Nb
|
|
||||||
vlazcItj9ztHf6f4/aR2OVmBsDbxoGUZLvO1y6Mvpto=
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
14
secrets/fuji/rootPassword.age
Normal file
14
secrets/fuji/rootPassword.age
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFd5V3BRdyBQcnVF
|
||||||
|
UGNPWC9NaUJhbEZnbGFjUEtDS2FEZWRBeUxaK1JpZ08xY2tiUEVjClEyb09tVWlk
|
||||||
|
WGtkRXBIU1JPUGZKVUJVQ1lOV0R6K1NjVkZQeldvS212RWcKLT4gc3NoLWVkMjU1
|
||||||
|
MTkgVmIvYW1BIFRkNTJrYzZtYlhIVUZ3T3FDNWlwV3NnK1U1UjltbGJuL2U5MFVY
|
||||||
|
RFpLaGcKYU4zQ1BaalNCNG1FOXN4ZStkdW9XNEFqbTdBVVdTZmFTMERNTEFXNkZi
|
||||||
|
QQotPiBvT2Z9My1ncmVhc2UgYmRoMm0iNFEgcyhOfWRcIDwKTVJVZllHWnhjUG9m
|
||||||
|
Q0hmWTBmTVlmT2RReFJjU2FKWGpTMi9WaUlZTWoxL2pmOFRMVjVpbU9jREJoZlBm
|
||||||
|
NlR3QQpRYUpZakNXNWpKSzgreEhsMWpqczg0VGhKeGNNYmc5UjJnCi0tLSBWOVZp
|
||||||
|
dkthdnh1dFV4djBTMjg1SUh6ZWpCaUttWStYTnZjREZkNnZPYWFzCpGQpx4DjeYa
|
||||||
|
ySZeZU/9qaM2lty9XsRyyY9Y3MfU4zORTEs6EoxQQ5uJSkksWOiKq1pXEVp7Eiiw
|
||||||
|
zlml1y9HZjUJWHTkJqIu47bqBIeIJjwL4PZ9L73EmTa9m+LvfqFpMC9Ka42Iwwz3
|
||||||
|
C/7dsp19SrYydPct/nHstHL8a6ymIkXfmI35Cfl4puvE8do=
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
13
secrets/kilimandjaro/rootPassword.age
Normal file
13
secrets/kilimandjaro/rootPassword.age
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFd5V3BRdyA5aVlB
|
||||||
|
L1krb2xjbklkVCttMzZNczVYV3ZtRDBWLzI2MGphTW42TmwyTkdVCi8rOEpLUGhx
|
||||||
|
YXR1cnVZN0RVK3hOVVRwUTB4cHU3djFqY1MxeDRZckVhQzQKLT4gc3NoLWVkMjU1
|
||||||
|
MTkgVmIvYW1BIG9qcFNzdDhaZmFxczRVd1JaTEVlSEplcTdxQTM1YTIyZVhSVTVX
|
||||||
|
OHN5bGMKR1ZjTjJ1NVdYOFFMbFUvNlRZbTU2UDdaVDBOOFh4SkUzTEl1RUZvQ2Jx
|
||||||
|
UQotPiA3djRILWdyZWFzZSBpO1dtLWpJICQyPyB+ZkRncyB9YSFVIWdzKgpBSVRU
|
||||||
|
MklzYmNNaUxQNHJ2QUJIYjhiU2Z1QTAKLS0tIENPYkpsNUI0eFVHbnRkU0t0Q3Jv
|
||||||
|
SXRsYzNjYmRKa0tQOXBnMUdmalZiS00KQDI4rngNrAQUeBm1jkO99uAba2XAOmc4
|
||||||
|
ps3WPwPj+uQvF/kQ3sJsy6JCGErumTXJ/tm9+Atv1hrsDsCQ73vloLsbhNGNpumH
|
||||||
|
3DPYRTSr30l7ncu6qciyaFLHjSB2uTD18hh3+QSD0CJkq+0EoZZiJwZSehLsatjR
|
||||||
|
ufIgRoaf5P7cE9jBcJUT2QZSOw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
|
@ -1,15 +1,13 @@
|
||||||
let
|
let
|
||||||
main = [
|
fuji = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHETiSgdsFFub534ChUKrY3U1ApAlyM7jqFmj3qN65so root@fuji";
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHETiSgdsFFub534ChUKrY3U1ApAlyM7jqFmj3qN65so root@fuji"
|
kilimandjaro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbRi03uVAVzqEI5zc8QmP3uthcC1ep55gQL+nQPrEvv root@kilimandjaro";
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbRi03uVAVzqEI5zc8QmP3uthcC1ep55gQL+nQPrEvv root@kilimandjaro"
|
|
||||||
];
|
|
||||||
|
|
||||||
server = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdyRFBTdyCCMQ7I75TyO9voxrrreXQTXtSw+iCRf4XI root@vesuvio"] ++ main;
|
main = [fuji kilimandjaro];
|
||||||
|
server = main;
|
||||||
in {
|
in {
|
||||||
"desktop/rootPassword.age".publicKeys = main;
|
"userPassword.age".publicKeys = server;
|
||||||
"desktop/userPassword.age".publicKeys = main;
|
|
||||||
|
|
||||||
"tailscaleKey.age".publicKeys = server;
|
"tailscaleKey.age".publicKeys = server;
|
||||||
"vesuvio/rootPassword.age".publicKeys = server;
|
|
||||||
"vesuvio/userPassword.age".publicKeys = server;
|
"fuji/rootPassword.age".publicKeys = main;
|
||||||
|
"kilimandjaro/rootPassword.age".publicKeys = main;
|
||||||
}
|
}
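Review bot: Both per-host files, `"fuji/rootPassword.age"` and `"kilimandjaro/rootPassword.age"`, are still encrypted to `main`, so each host key can decrypt the other host's root password hash. Now that the keys are bound to names, each file can be scoped to its own host: `"fuji/rootPassword.age".publicKeys = [fuji];` and `"kilimandjaro/rootPassword.age".publicKeys = [kilimandjaro];`. Separately, `server = main;` drops the root@vesuvio recipient, but ciphertexts committed earlier stay decryptable with that key from repository history. If that host key is no longer trusted, the secret values themselves need rotating, which cannot be confirmed from the ciphertext on this page.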
|
||||||
|
|
|
@ -1,14 +1,12 @@
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5ICsraU9FZyBTNnZC
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFd5V3BRdyAwT3NR
|
||||||
NHRiQ3RnNUpYemhXUkZjVUdHRXUyY1EzazBJZklrd0EwczMyYkd3CkZJQ3pTWm83
|
NmVyVERocFpVNkpHQXBuL1oyZUx5RFdJRXpOek41Tmd3OHJTQ1FJCjJIQndIWWNn
|
||||||
WktmRE96TzFkcDY0YmJxRlhmWVBHMDFuZk5MWSsyQ1FxVWsKLT4gc3NoLWVkMjU1
|
RGh0cjdHN1lEbkdwUnhuRDlvdVVWODRJY1pjTHVIRlJJTXMKLT4gc3NoLWVkMjU1
|
||||||
MTkgV3lXcFF3IDhXSlc3OFJLVXlkaDl6NGVQNHphNG5XbSsxWFh2OVVzMldYajRG
|
MTkgVmIvYW1BIEYxRlJhb3ZEMU9yMW5majlJaDFGUXVWUXlHT1NPd2J4QzM0azZo
|
||||||
dzRPMXMKRzNZcDFrRlpiQTZvR1VPdWw2Y05xb2YzejV5bStwVHVTZ0lFaXN3c2Ur
|
cVpnUzgKaU5CUWQwL2NrdUc4K096eW5BckRkdHJTOCtBMW41SnJkM2ZQNHBReVdL
|
||||||
RQotPiBzc2gtZWQyNTUxOSBWYi9hbUEgcFhxbFNJcmo4NWpxME5GbFd1VEpRNFR4
|
dwotPiBcLWdyZWFzZSBkQz0gcng1KCBXaFx1SiBsTAp3YmlGNVRKcTF2eGVkRWtV
|
||||||
c2ZGMGQ0L21HWEJtZkpIelBtRQpyOThscG85MWtSZXVyRnY0cjlTcXZLMHZKb25s
|
RER2azZBNFpzdwotLS0gT2hKbmpvK25OdTNGUFBzTXNPWUxYdUIySnlGS21TY0FM
|
||||||
VlllUEM0ZnVQUWVoYkJzCi0+IEZ6dFNkUmQtZ3JlYXNlCjNjb29LZUN4NEtqaVNP
|
YUJiSk1WYjVtVQqAxVWNyP4XGgZahX5r3lcocV8zRWjLbu0Hyvy9Oma6fFDiEKuq
|
||||||
TzZTcHZEUjZRbAotLS0gZTBPUmNBNVp5Zlhab3h2bXNUcS91OE5UR09NaFNPaHE4
|
l+Xwb5Bs6WaSowSPJO815x/T/xGdo8ggntUDNDFN4lLrKQhIkz00pbbxeVaXva9X
|
||||||
RnkvY1NXUzRNVQrvIkHSleeXAXwmLiEMULwHsZPhJ4nQufrqIf/hKLpeMl1/UYkN
|
rrkZBn8=
|
||||||
hDOcFv/ycsIbBjpnbDc/63FzD4FHepIEUDX2PHM7K2GKxo8CyLQDKKNLVnvpUPyB
|
|
||||||
JbZgCaA=
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
|
11
secrets/userPassword.age
Normal file
11
secrets/userPassword.age
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFd5V3BRdyBZbkkw
|
||||||
|
UlVDRmY4SStUc3NUeHJwajE2MGZKU01abXBsSjhUTlVaR1RUS0FBCnI1aGdOeTRS
|
||||||
|
cE1va3MyR08rSFZXd0h3eFNTcm05dGZGYTVFeEk1TC8zR1EKLT4gc3NoLWVkMjU1
|
||||||
|
MTkgVmIvYW1BIEJlbHhZVUdTWlZSeFNWT2xON1RCRWNrQnNpeDNiTE1lcERCSFNo
|
||||||
|
Y0NmQmsKM0hBdkZ3K0FpV3RxMUs0eXkySmt0TDB6U0N1dkhUczhsWUowV2lCSkxq
|
||||||
|
awotPiBqYi1ncmVhc2UgdCcKdTRlOQotLS0gR2Q4ajQvR2p2cWVmS3dMeTJNam5H
|
||||||
|
NUU5dkxvRFA2SXdEa1NtTWZUOE1uZwrc3tjr3tkK0xwRJT1BvUWvKmsMBqlwly7p
|
||||||
|
CBB0rphclsuS+HdxuCU1/qQ6dfXw8heoIKrRR0iTFp3NMZLQgcrWExwqRfQhS4wy
|
||||||
|
uA/xZPhUA96MhTpTtthnmClSijn5rAv++DFx9UajBjXr
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|