From 7efd6d5b84cccbc4739520d6d82e60eed09f438f Mon Sep 17 00:00:00 2001 From: uku Date: Mon, 29 Jul 2024 23:47:05 +0200 Subject: [PATCH] feat(secrets): add shared secrets --- configs/common.nix | 17 +++++++---------- global/utils.nix | 8 ++++++++ secrets/secrets.nix | 9 ++++----- secrets/{etna => shared}/frpToken.age | 0 secrets/{ => shared}/tailscaleKey.age | 0 secrets/{ => shared}/userPassword.age | 0 systems/etna/default.nix | 6 +++--- systems/vesuvio/default.nix | 10 +++++++--- 8 files changed, 29 insertions(+), 21 deletions(-) rename secrets/{etna => shared}/frpToken.age (100%) rename secrets/{ => shared}/tailscaleKey.age (100%) rename secrets/{ => shared}/userPassword.age (100%) diff --git a/configs/common.nix b/configs/common.nix index 32ce54e..84d95f5 100644 --- a/configs/common.nix +++ b/configs/common.nix @@ -12,6 +12,9 @@ stateVersion = "23.11"; rootPassword = _utils.setupSingleSecret config "rootPassword" {}; + secrets = _utils.setupSharedSecrets config { + secrets = ["userPassword" "tailscaleKey"]; + }; in { imports = [ agenix.nixosModules.default @@ -20,6 +23,7 @@ in { (lib.mkAliasOptionModule ["hm"] ["home-manager" "users" username]) rootPassword.generate + secrets.generate ../programs/fish.nix ../programs/git.nix @@ -27,14 +31,7 @@ in { ../programs/starship ]; - age = { - identityPaths = ["/etc/age/key"]; - - secrets = { - userPassword.file = ../secrets/userPassword.age; - tailscaleKey.file = ../secrets/tailscaleKey.age; - }; - }; + age.identityPaths = ["/etc/age/key"]; boot = { kernelPackages = pkgs.linuxPackages; # use lts @@ -157,7 +154,7 @@ in { enable = true; useRoutingFeatures = "both"; extraUpFlags = ["--ssh" "--stateful-filtering"]; - authKeyFile = config.age.secrets.tailscaleKey.path; + authKeyFile = secrets.get "tailscaleKey"; }; }; 
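Review bot: `authKeyFile = secrets.get "tailscaleKey";` in the last hunk now reads a key that `secrets/secrets.nix` encrypts for every host in `all`, so one Tailscale auth key is deployed to every machine and the compromise of any of them yields a key that can enroll further nodes until it expires or is revoked. The diff does not show how that key was generated, so this is inferred from the recipient list; if it is a long-lived reusable key, consider a tagged or per-host key, or at least document the trade-off on the new `secrets` binding in the first hunk: `# shared secrets are decrypted on every host listed in secrets.nix; keep them to values that really must be identical everywhere`. The `services.tailscale` attribute set that line belongs to opens before the hunk.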
@@ -170,7 +167,7 @@ in { isNormalUser = true; shell = pkgs.fish; extraGroups = ["networkmanager" "wheel" "video" "libvirtd"]; - hashedPasswordFile = config.age.secrets.userPassword.path; + hashedPasswordFile = secrets.get "userPassword"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+7+KfdOrhcnHayxvOENUeMx8rE4XEIV/AxMHiaNUP8" ]; diff --git a/global/utils.nix b/global/utils.nix index 7b46df8..f8f7483 100644 --- a/global/utils.nix +++ b/global/utils.nix @@ -16,6 +16,14 @@ inherit (_config.age.secrets.${name}) path; }; + setupSharedSecrets = _config: { + secrets, + extra ? {}, + }: { + generate = {age.secrets = lib.genAttrs secrets (name: extra // {file = ../secrets/shared/${name}.age;});}; + get = name: _config.age.secrets.${name}.path; + }; + mkMinecraftServer = _config: { name, port, diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 4787799..9496b39 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
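Review bot: `get` in `setupSharedSecrets` resolves `_config.age.secrets.${name}.path` for any name at all, so a caller that misspells a secret or forgets to list it in `secrets` either gets an opaque "attribute missing" evaluation error or silently picks up a same-named secret declared by some other module. Tying the lookup to the declared list makes the failure explicit: `get = name: assert lib.assertMsg (lib.elem name secrets) "setupSharedSecrets: ${name} is not declared in this host's shared secrets"; _config.age.secrets.${name}.path;`. Note also that `extra // {file = …}` is applied to every listed secret uniformly and `extra` cannot override `file`, which is fine if `extra` is only ever the agenix owner/group/mode set; a short comment on the helper stating both facts would help readers. The enclosing attribute set of helpers starts before the hunk.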
@@ -7,22 +7,21 @@ let main = [fuji kilimandjaro]; all = main ++ [etna vesuvio]; in { - "userPassword.age".publicKeys = all; - "tailscaleKey.age".publicKeys = all; + "shared/userPassword.age".publicKeys = all; + "shared/tailscaleKey.age".publicKeys = all; + "shared/frpToken.age".publicKeys = main ++ [etna vesuvio]; "fuji/rootPassword.age".publicKeys = main; "fuji-wsl/rootPassword.age".publicKeys = main; "kilimandjaro/rootPassword.age".publicKeys = main; - + "etna/rootPassword.age".publicKeys = main ++ [etna]; "vesuvio/rootPassword.age".publicKeys = main ++ [vesuvio]; - "etna/rootPassword.age".publicKeys = main ++ [etna]; "etna/tunnelCreds.age".publicKeys = main ++ [etna]; "etna/apiRsEnv.age".publicKeys = main ++ [etna]; "etna/ukubotRsEnv.age".publicKeys = main ++ [etna]; "etna/minecraftEnv.age".publicKeys = main ++ [etna]; "etna/dendriteKey.age".publicKeys = main ++ [etna]; "etna/nextcloudAdminPass.age".publicKeys = main ++ [etna]; - "etna/frpToken.age".publicKeys = main ++ [etna vesuvio]; "etna/turnstileSecret.age".publicKeys = main ++ [etna]; } diff --git a/secrets/etna/frpToken.age b/secrets/shared/frpToken.age similarity index 100% rename from secrets/etna/frpToken.age rename to secrets/shared/frpToken.age diff --git a/secrets/tailscaleKey.age b/secrets/shared/tailscaleKey.age similarity index 100% rename from secrets/tailscaleKey.age rename to secrets/shared/tailscaleKey.age diff --git a/secrets/userPassword.age b/secrets/shared/userPassword.age similarity index 100% rename from secrets/userPassword.age rename to secrets/shared/userPassword.age diff --git a/systems/etna/default.nix b/systems/etna/default.nix index 49124db..5e7e985 100644 --- a/systems/etna/default.nix +++ b/systems/etna/default.nix 
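Review bot: `"shared/frpToken.age".publicKeys = main ++ [etna vesuvio];` spells out exactly the list the `let` already binds as `all`, so either the token is meant for every host and the line should read `"shared/frpToken.age".publicKeys = all;`, or it is meant only for the frp pair and a comment should say so, because today the two lists merely coincide and will drift apart as soon as a host is added to `all`. Since the moved files keep their previous recipient sets, this commit appears to need no re-keying of the `.age` files. A one-line comment above the `shared/` entries, `# shared/: decrypted on every listed host, so one host's compromise exposes the value to all of them`, would document the blast radius of the shared `userPassword` hash and Tailscale key. The `let … in` header of this file is partly outside the hunk.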
@@ -7,7 +7,7 @@ }: let tunnelId = "57f51ad7-25a0-45f3-b113-0b6ae0b2c3e5"; - frpSecret = _utils.setupSingleSecret config "frpToken" {}; + secrets = _utils.setupSharedSecrets config {secrets = ["frpToken"];}; cfTunnelSecret = _utils.setupSingleSecret config "tunnelCreds" { owner = "cloudflared"; group = "cloudflared"; @@ -16,7 +16,7 @@ in { imports = [ (lib.mkAliasOptionModule ["cfTunnels"] ["services" "cloudflared" "tunnels" tunnelId "ingress"]) - frpSecret.generate + secrets.generate cfTunnelSecret.generate ./minecraft.nix @@ -67,5 +67,5 @@ in { }; }; - systemd.services.frp.serviceConfig.EnvironmentFile = frpSecret.path; + systemd.services.frp.serviceConfig.EnvironmentFile = secrets.get "frpToken"; } diff --git a/systems/vesuvio/default.nix b/systems/vesuvio/default.nix index 99e13b4..dfd06e5 100644 --- a/systems/vesuvio/default.nix +++ b/systems/vesuvio/default.nix @@ -1,8 +1,13 @@ { pkgs, config, + _utils, ... -}: { +}: let + secrets = _utils.setupSharedSecrets config {secrets = ["frpToken"];}; +in { + imports = [secrets.generate]; + boot.tmp.cleanOnBoot = true; zramSwap.enable = true; @@ -25,8 +30,7 @@ }; }; - age.secrets.frpToken.file = ../../secrets/etna/frpToken.age; - systemd.services.frp.serviceConfig.EnvironmentFile = config.age.secrets.frpToken.path; + systemd.services.frp.serviceConfig.EnvironmentFile = secrets.get "frpToken"; networking = { networkmanager.dns = "default";
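Review bot: `secrets = _utils.setupSharedSecrets config {secrets = ["frpToken"];};` in the first etna hunk swaps a host-scoped `setupSingleSecret` for the shared helper, but nothing at the use site records that `frpToken` is the same value vesuvio consumes (`secrets/secrets.nix` encrypts `shared/frpToken.age` for both hosts), so rotating it means redeploying both together. A comment on the binding, `# frpToken is shared with vesuvio; rotating it requires redeploying both hosts`, would capture that. The `let` block this line sits in opens before the hunk.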
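Review bot: The new `_utils` argument in vesuvio's module signature relies on it being supplied via `specialArgs` or `_module.args` by the flake, which this diff does not show; `configs/common.nix` and `systems/etna/default.nix` already take it, so presumably it is, but it is worth confirming vesuvio is evaluated through the same path before merging. Otherwise `imports = [secrets.generate];` together with `secrets.get "frpToken"` preserves the previous behaviour, since the removed `age.secrets.frpToken.file` pointed at the same file now living at `secrets/shared/frpToken.age`. A comment on the binding, `# shared frp token; see secrets/secrets.nix for the hosts it is encrypted for`, would help the next reader.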