feat(secrets): add shared secrets
This commit is contained in:
parent
4c9b7ac9e2
commit
7efd6d5b84
8 changed files with 29 additions and 21 deletions
|
@ -12,6 +12,9 @@
|
|||
stateVersion = "23.11";
|
||||
|
||||
rootPassword = _utils.setupSingleSecret config "rootPassword" {};
|
||||
secrets = _utils.setupSharedSecrets config {
|
||||
secrets = ["userPassword" "tailscaleKey"];
|
||||
};
|
||||
in {
|
||||
imports = [
|
||||
agenix.nixosModules.default
|
||||
|
@ -20,6 +23,7 @@ in {
|
|||
(lib.mkAliasOptionModule ["hm"] ["home-manager" "users" username])
|
||||
|
||||
rootPassword.generate
|
||||
secrets.generate
|
||||
|
||||
../programs/fish.nix
|
||||
../programs/git.nix
|
||||
|
@ -27,14 +31,7 @@ in {
|
|||
../programs/starship
|
||||
];
|
||||
|
||||
age = {
|
||||
identityPaths = ["/etc/age/key"];
|
||||
|
||||
secrets = {
|
||||
userPassword.file = ../secrets/userPassword.age;
|
||||
tailscaleKey.file = ../secrets/tailscaleKey.age;
|
||||
};
|
||||
};
|
||||
age.identityPaths = ["/etc/age/key"];
|
||||
|
||||
boot = {
|
||||
kernelPackages = pkgs.linuxPackages; # use lts
|
||||
|
@ -157,7 +154,7 @@ in {
|
|||
enable = true;
|
||||
useRoutingFeatures = "both";
|
||||
extraUpFlags = ["--ssh" "--stateful-filtering"];
|
||||
authKeyFile = config.age.secrets.tailscaleKey.path;
|
||||
authKeyFile = secrets.get "tailscaleKey";
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -170,7 +167,7 @@ in {
|
|||
isNormalUser = true;
|
||||
shell = pkgs.fish;
|
||||
extraGroups = ["networkmanager" "wheel" "video" "libvirtd"];
|
||||
hashedPasswordFile = config.age.secrets.userPassword.path;
|
||||
hashedPasswordFile = secrets.get "userPassword";
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+7+KfdOrhcnHayxvOENUeMx8rE4XEIV/AxMHiaNUP8"
|
||||
];
|
||||
|
|
|
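Review bot: The new `let` block binds a per-host secret (`rootPassword`, via setupSingleSecret) next to multi-host ones (`secrets`, via setupSharedSecrets) without saying which ciphertext each resolves to, and the later call sites `secrets.get "userPassword"` and `secrets.get "tailscaleKey"` give no hint either. A one-line comment above the `secrets =` binding would help, e.g. `# shared across hosts: decrypted from ../secrets/shared/<name>.age, readable by every recipient listed in secrets.nix`. Both values are presumably consumed as root (hashedPasswordFile during user activation, authKeyFile by tailscaled), so the helper's default file ownership is adequate here; since setupSharedSecrets applies one `extra` set to every name in the list, a short note that the root-only default is deliberate would stop a later reader from adding an owner for one of them. The enclosing module attribute set continues outside these hunks.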
@ -16,6 +16,14 @@
|
|||
inherit (_config.age.secrets.${name}) path;
|
||||
};
|
||||
|
||||
setupSharedSecrets = _config: {
|
||||
secrets,
|
||||
extra ? {},
|
||||
}: {
|
||||
generate = {age.secrets = lib.genAttrs secrets (name: extra // {file = ../secrets/shared/${name}.age;});};
|
||||
get = name: _config.age.secrets.${name}.path;
|
||||
};
|
||||
|
||||
mkMinecraftServer = _config: {
|
||||
name,
|
||||
port,
|
||||
|
|
|
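Review bot: `get` resolves any name against `_config.age.secrets`, not only the names this instance declared, so `secrets.get "frpToken"` on an instance built with `secrets = ["userPassword"]` silently returns whatever other module declared `frpToken` (or fails with an unrelated missing-attribute error) instead of pointing at the caller's mistake; `get = name: assert builtins.elem name secrets; _config.age.secrets.${name}.path;` keeps the helper's boundary honest and reports the bad name at evaluation time. The helper also has no documentation: a comment above `setupSharedSecrets` stating that every listed name maps to `../secrets/shared/<name>.age`, that `extra` is merged into every declaration but cannot override `file` (the `//` puts `file` last), and that `get` only yields a path once `generate` has been added to the module's `imports` would save the next reader a trip through agenix. Because `extra` applies uniformly, a list whose entries need different owners has to be split into separate calls; that belongs in the same comment.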
@ -7,22 +7,21 @@ let
|
|||
main = [fuji kilimandjaro];
|
||||
all = main ++ [etna vesuvio];
|
||||
in {
|
||||
"userPassword.age".publicKeys = all;
|
||||
"tailscaleKey.age".publicKeys = all;
|
||||
"shared/userPassword.age".publicKeys = all;
|
||||
"shared/tailscaleKey.age".publicKeys = all;
|
||||
"shared/frpToken.age".publicKeys = main ++ [etna vesuvio];
|
||||
|
||||
"fuji/rootPassword.age".publicKeys = main;
|
||||
"fuji-wsl/rootPassword.age".publicKeys = main;
|
||||
"kilimandjaro/rootPassword.age".publicKeys = main;
|
||||
|
||||
"etna/rootPassword.age".publicKeys = main ++ [etna];
|
||||
"vesuvio/rootPassword.age".publicKeys = main ++ [vesuvio];
|
||||
|
||||
"etna/rootPassword.age".publicKeys = main ++ [etna];
|
||||
"etna/tunnelCreds.age".publicKeys = main ++ [etna];
|
||||
"etna/apiRsEnv.age".publicKeys = main ++ [etna];
|
||||
"etna/ukubotRsEnv.age".publicKeys = main ++ [etna];
|
||||
"etna/minecraftEnv.age".publicKeys = main ++ [etna];
|
||||
"etna/dendriteKey.age".publicKeys = main ++ [etna];
|
||||
"etna/nextcloudAdminPass.age".publicKeys = main ++ [etna];
|
||||
"etna/frpToken.age".publicKeys = main ++ [etna vesuvio];
|
||||
"etna/turnstileSecret.age".publicKeys = main ++ [etna];
|
||||
}
|
||||
|
|
|
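Review bot: `"shared/frpToken.age".publicKeys = main ++ [etna vesuvio];` spells out the same recipient list that `all` already names a few lines above, so the two can drift apart the next time a host is added; `"shared/frpToken.age".publicKeys = all;` says what is meant. If the narrower spelling is intentional (exactly these two non-main hosts, never whatever `all` grows into), a comment on that line would make the distinction explicit. The moved ciphertexts under `shared/` are not visible in this excerpt (8 files changed, 5 shown), so whether they were re-encrypted for the new paths cannot be checked here.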
@ -7,7 +7,7 @@
|
|||
}: let
|
||||
tunnelId = "57f51ad7-25a0-45f3-b113-0b6ae0b2c3e5";
|
||||
|
||||
frpSecret = _utils.setupSingleSecret config "frpToken" {};
|
||||
secrets = _utils.setupSharedSecrets config {secrets = ["frpToken"];};
|
||||
cfTunnelSecret = _utils.setupSingleSecret config "tunnelCreds" {
|
||||
owner = "cloudflared";
|
||||
group = "cloudflared";
|
||||
|
@ -16,7 +16,7 @@ in {
|
|||
imports = [
|
||||
(lib.mkAliasOptionModule ["cfTunnels"] ["services" "cloudflared" "tunnels" tunnelId "ingress"])
|
||||
|
||||
frpSecret.generate
|
||||
secrets.generate
|
||||
cfTunnelSecret.generate
|
||||
|
||||
./minecraft.nix
|
||||
|
@ -67,5 +67,5 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services.frp.serviceConfig.EnvironmentFile = frpSecret.path;
|
||||
systemd.services.frp.serviceConfig.EnvironmentFile = secrets.get "frpToken";
|
||||
}
|
||||
|
|
|
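Review bot: `systemd.services.frp.serviceConfig.EnvironmentFile = secrets.get "frpToken";` now points at a shared secret declared with the helper's default ownership (no `extra`), while `cfTunnelSecret` in the same `let` deliberately sets owner and group; the difference is fine as long as systemd reads `EnvironmentFile=` with the manager's privileges before switching to the service user, but nothing in the file says so. A comment on the assignment, `# read by the service manager, not the frp user, so agenix's default owner is enough`, would stop someone "fixing" it by adding an owner for the frp service. The same assignment, equally undocumented, appears in the vesuvio hunk (`@ -25,8 +30,7 @@`) further down, whose header hunk also appears to add `_utils` as a new module argument that the host's specialArgs must now supply.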
@ -1,8 +1,13 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
_utils,
|
||||
...
|
||||
}: {
|
||||
}: let
|
||||
secrets = _utils.setupSharedSecrets config {secrets = ["frpToken"];};
|
||||
in {
|
||||
imports = [secrets.generate];
|
||||
|
||||
boot.tmp.cleanOnBoot = true;
|
||||
zramSwap.enable = true;
|
||||
|
||||
|
@ -25,8 +30,7 @@
|
|||
};
|
||||
};
|
||||
|
||||
age.secrets.frpToken.file = ../../secrets/etna/frpToken.age;
|
||||
systemd.services.frp.serviceConfig.EnvironmentFile = config.age.secrets.frpToken.path;
|
||||
systemd.services.frp.serviceConfig.EnvironmentFile = secrets.get "frpToken";
|
||||
|
||||
networking = {
|
||||
networkmanager.dns = "default";
|
||||
|
|