feat(secrets): add shared secrets
This commit is contained in:
parent
4c9b7ac9e2
commit
7efd6d5b84
SSH key fingerprint:
SHA256:4P0aN6M8ajKukNi6aPOaX0LacanGYtlfjmN+m/sHY/o
8 changed files with 29 additions and 21 deletions
|
|
@ -12,6 +12,9 @@
|
||||||
stateVersion = "23.11";
|
stateVersion = "23.11";
|
||||||
|
|
||||||
rootPassword = _utils.setupSingleSecret config "rootPassword" {};
|
rootPassword = _utils.setupSingleSecret config "rootPassword" {};
|
||||||
|
secrets = _utils.setupSharedSecrets config {
|
||||||
|
secrets = ["userPassword" "tailscaleKey"];
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
agenix.nixosModules.default
|
agenix.nixosModules.default
|
||||||
|
|
@ -20,6 +23,7 @@ in {
|
||||||
(lib.mkAliasOptionModule ["hm"] ["home-manager" "users" username])
|
(lib.mkAliasOptionModule ["hm"] ["home-manager" "users" username])
|
||||||
|
|
||||||
rootPassword.generate
|
rootPassword.generate
|
||||||
|
secrets.generate
|
||||||
|
|
||||||
../programs/fish.nix
|
../programs/fish.nix
|
||||||
../programs/git.nix
|
../programs/git.nix
|
||||||
|
|
@ -27,14 +31,7 @@ in {
|
||||||
../programs/starship
|
../programs/starship
|
||||||
];
|
];
|
||||||
|
|
||||||
age = {
|
age.identityPaths = ["/etc/age/key"];
|
||||||
identityPaths = ["/etc/age/key"];
|
|
||||||
|
|
||||||
secrets = {
|
|
||||||
userPassword.file = ../secrets/userPassword.age;
|
|
||||||
tailscaleKey.file = ../secrets/tailscaleKey.age;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
kernelPackages = pkgs.linuxPackages; # use lts
|
kernelPackages = pkgs.linuxPackages; # use lts
|
||||||
|
|
@ -157,7 +154,7 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
useRoutingFeatures = "both";
|
useRoutingFeatures = "both";
|
||||||
extraUpFlags = ["--ssh" "--stateful-filtering"];
|
extraUpFlags = ["--ssh" "--stateful-filtering"];
|
||||||
authKeyFile = config.age.secrets.tailscaleKey.path;
|
authKeyFile = secrets.get "tailscaleKey";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -170,7 +167,7 @@ in {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
shell = pkgs.fish;
|
shell = pkgs.fish;
|
||||||
extraGroups = ["networkmanager" "wheel" "video" "libvirtd"];
|
extraGroups = ["networkmanager" "wheel" "video" "libvirtd"];
|
||||||
hashedPasswordFile = config.age.secrets.userPassword.path;
|
hashedPasswordFile = secrets.get "userPassword";
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+7+KfdOrhcnHayxvOENUeMx8rE4XEIV/AxMHiaNUP8"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+7+KfdOrhcnHayxvOENUeMx8rE4XEIV/AxMHiaNUP8"
|
||||||
];
|
];
|
||||||
|
|
|
||||||
|
|
@ -16,6 +16,14 @@
|
||||||
inherit (_config.age.secrets.${name}) path;
|
inherit (_config.age.secrets.${name}) path;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
setupSharedSecrets = _config: {
|
||||||
|
secrets,
|
||||||
|
extra ? {},
|
||||||
|
}: {
|
||||||
|
generate = {age.secrets = lib.genAttrs secrets (name: extra // {file = ../secrets/shared/${name}.age;});};
|
||||||
|
get = name: _config.age.secrets.${name}.path;
|
||||||
|
};
|
||||||
|
|
||||||
mkMinecraftServer = _config: {
|
mkMinecraftServer = _config: {
|
||||||
name,
|
name,
|
||||||
port,
|
port,
|
||||||
|
|
|
||||||
|
|
@ -7,22 +7,21 @@ let
|
||||||
main = [fuji kilimandjaro];
|
main = [fuji kilimandjaro];
|
||||||
all = main ++ [etna vesuvio];
|
all = main ++ [etna vesuvio];
|
||||||
in {
|
in {
|
||||||
"userPassword.age".publicKeys = all;
|
"shared/userPassword.age".publicKeys = all;
|
||||||
"tailscaleKey.age".publicKeys = all;
|
"shared/tailscaleKey.age".publicKeys = all;
|
||||||
|
"shared/frpToken.age".publicKeys = main ++ [etna vesuvio];
|
||||||
|
|
||||||
"fuji/rootPassword.age".publicKeys = main;
|
"fuji/rootPassword.age".publicKeys = main;
|
||||||
"fuji-wsl/rootPassword.age".publicKeys = main;
|
"fuji-wsl/rootPassword.age".publicKeys = main;
|
||||||
"kilimandjaro/rootPassword.age".publicKeys = main;
|
"kilimandjaro/rootPassword.age".publicKeys = main;
|
||||||
|
"etna/rootPassword.age".publicKeys = main ++ [etna];
|
||||||
"vesuvio/rootPassword.age".publicKeys = main ++ [vesuvio];
|
"vesuvio/rootPassword.age".publicKeys = main ++ [vesuvio];
|
||||||
|
|
||||||
"etna/rootPassword.age".publicKeys = main ++ [etna];
|
|
||||||
"etna/tunnelCreds.age".publicKeys = main ++ [etna];
|
"etna/tunnelCreds.age".publicKeys = main ++ [etna];
|
||||||
"etna/apiRsEnv.age".publicKeys = main ++ [etna];
|
"etna/apiRsEnv.age".publicKeys = main ++ [etna];
|
||||||
"etna/ukubotRsEnv.age".publicKeys = main ++ [etna];
|
"etna/ukubotRsEnv.age".publicKeys = main ++ [etna];
|
||||||
"etna/minecraftEnv.age".publicKeys = main ++ [etna];
|
"etna/minecraftEnv.age".publicKeys = main ++ [etna];
|
||||||
"etna/dendriteKey.age".publicKeys = main ++ [etna];
|
"etna/dendriteKey.age".publicKeys = main ++ [etna];
|
||||||
"etna/nextcloudAdminPass.age".publicKeys = main ++ [etna];
|
"etna/nextcloudAdminPass.age".publicKeys = main ++ [etna];
|
||||||
"etna/frpToken.age".publicKeys = main ++ [etna vesuvio];
|
|
||||||
"etna/turnstileSecret.age".publicKeys = main ++ [etna];
|
"etna/turnstileSecret.age".publicKeys = main ++ [etna];
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,7 @@
|
||||||
}: let
|
}: let
|
||||||
tunnelId = "57f51ad7-25a0-45f3-b113-0b6ae0b2c3e5";
|
tunnelId = "57f51ad7-25a0-45f3-b113-0b6ae0b2c3e5";
|
||||||
|
|
||||||
frpSecret = _utils.setupSingleSecret config "frpToken" {};
|
secrets = _utils.setupSharedSecrets config {secrets = ["frpToken"];};
|
||||||
cfTunnelSecret = _utils.setupSingleSecret config "tunnelCreds" {
|
cfTunnelSecret = _utils.setupSingleSecret config "tunnelCreds" {
|
||||||
owner = "cloudflared";
|
owner = "cloudflared";
|
||||||
group = "cloudflared";
|
group = "cloudflared";
|
||||||
|
|
@ -16,7 +16,7 @@ in {
|
||||||
imports = [
|
imports = [
|
||||||
(lib.mkAliasOptionModule ["cfTunnels"] ["services" "cloudflared" "tunnels" tunnelId "ingress"])
|
(lib.mkAliasOptionModule ["cfTunnels"] ["services" "cloudflared" "tunnels" tunnelId "ingress"])
|
||||||
|
|
||||||
frpSecret.generate
|
secrets.generate
|
||||||
cfTunnelSecret.generate
|
cfTunnelSecret.generate
|
||||||
|
|
||||||
./minecraft.nix
|
./minecraft.nix
|
||||||
|
|
@ -67,5 +67,5 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.frp.serviceConfig.EnvironmentFile = frpSecret.path;
|
systemd.services.frp.serviceConfig.EnvironmentFile = secrets.get "frpToken";
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,8 +1,13 @@
|
||||||
{
|
{
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
|
_utils,
|
||||||
...
|
...
|
||||||
}: {
|
}: let
|
||||||
|
secrets = _utils.setupSharedSecrets config {secrets = ["frpToken"];};
|
||||||
|
in {
|
||||||
|
imports = [secrets.generate];
|
||||||
|
|
||||||
boot.tmp.cleanOnBoot = true;
|
boot.tmp.cleanOnBoot = true;
|
||||||
zramSwap.enable = true;
|
zramSwap.enable = true;
|
||||||
|
|
||||||
|
|
@ -25,8 +30,7 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets.frpToken.file = ../../secrets/etna/frpToken.age;
|
systemd.services.frp.serviceConfig.EnvironmentFile = secrets.get "frpToken";
|
||||||
systemd.services.frp.serviceConfig.EnvironmentFile = config.age.secrets.frpToken.path;
|
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
networkmanager.dns = "default";
|
networkmanager.dns = "default";
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue