Add secrets

asonix 2023-01-25 21:26:30 -06:00
parent cf6e371b77
commit 5af6da2101
5 changed files with 196 additions and 51 deletions

14
.sops.yaml Normal file

@ -0,0 +1,14 @@
keys:
- &admin_asonix age17yhtwnhqjssghc5qqamt0fqdu27zpqms8d8ghrc0txeevywfp3ssklfy57
- &server_nextcloud2 age145uwrexj6ffaaxy7jg3j29gtchhwy0y0nttw06zeuxkqsy8rnpds7fh7xq
creation_rules:
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- age:
- *admin_asonix
- *server_nextcloud2
- path_regex: secrets/[^/]+\.bin$
key_groups:
- age:
- *admin_asonix
- *server_nextcloud2
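Review bot: The two `creation_rules` entries carry identical `key_groups`, so every future recipient has to be added twice and the two lists can drift, leaving one class of secret encrypted to a stale key set; a single rule `- path_regex: secrets/[^/]+\.(yaml|bin)$` with one `key_groups` block expresses the same policy in one place. The rendered view has dropped the YAML indentation, so the nesting of `keys` and `key_groups` cannot be checked from here. Note also that `creation_rules` only apply when `sops` creates a file or `sops updatekeys` is run, so both committed secret files must be re-keyed whenever this recipient list changes.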


@ -3,7 +3,9 @@
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs",
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
@ -38,14 +40,15 @@
},
"image-builder": {
"inputs": {
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
},
"locked": {
"lastModified": 1674613871,
"narHash": "sha256-ybiVqMvTq0Ke0Zs8KgOSmnTI4I3b7gu8f9uVnXxO56U=",
"lastModified": 1674702157,
"narHash": "sha256-P7n+tTvL5q/0Oblosv4BQVKWFbqqrmSeSo0/CySnDdU=",
"ref": "refs/heads/main",
"rev": "73571dbf09e7ecc417a137cbe3c9dc4e27cf01d5",
"revCount": 48,
"rev": "5137effca1af9cbe644a5b9acd4594703778d6a2",
"revCount": 50,
"type": "git",
"url": "https://git.asonix.dog/asonix/nixos-aarch64-images"
},
@ -55,22 +58,6 @@
}
},
"nixpkgs": {
"locked": {
"lastModified": 1671417167,
"narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1674521756,
"narHash": "sha256-cRrkhBGPO2rKvvEM2FzDBQDsh4DPuR17I+7P4MqxQoM=",
@ -86,13 +73,45 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs-stable": {
"locked": {
"lastModified": 1674611681,
"narHash": "sha256-/Wr0pJFtkogjL2DC2SZrilWKOMRZt7cIixMvB0MmDUw=",
"lastModified": 1674352297,
"narHash": "sha256-OkAnJPrauEcUCrst4/3DKoQfUn2gXKuU6CFvhtMrLgg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "918b760070bb8f48cb511300fcd7e02e13058a2e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1674352297,
"narHash": "sha256-OkAnJPrauEcUCrst4/3DKoQfUn2gXKuU6CFvhtMrLgg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "918b760070bb8f48cb511300fcd7e02e13058a2e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1674703351,
"narHash": "sha256-n4JueHFyyHL0kDW3+QVJuYBH9Jnu2NUaGB/i38n0pB8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "e1cf19931b5a526db1ebcfc78c12ccd1233a2ee8",
"rev": "efecda51128b079bb9c7d09d2e06681598315260",
"type": "github"
},
"original": {
@ -106,7 +125,51 @@
"inputs": {
"deploy-rs": "deploy-rs",
"image-builder": "image-builder",
"nixpkgs": "nixpkgs_3"
"nixpkgs": "nixpkgs_2",
"sops-nix": "sops-nix_2"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"image-builder",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1674546403,
"narHash": "sha256-vkyNv0xzXuEnu9v52TUtRugNmQWIti8c2RhYnbLG71w=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "b6ab3c61e2ca5e07d1f4eb1b67304e2670ea230c",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"sops-nix_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1674546403,
"narHash": "sha256-vkyNv0xzXuEnu9v52TUtRugNmQWIti8c2RhYnbLG71w=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "b6ab3c61e2ca5e07d1f4eb1b67304e2670ea230c",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"utils": {


@ -2,12 +2,19 @@
description = "A very basic flake";
inputs = {
deploy-rs.url = "github:serokell/deploy-rs";
nixpkgs.url = "github:nixos/nixpkgs/master";
deploy-rs = {
url = "github:serokell/deploy-rs";
inputs.nixpkgs.follows = "nixpkgs";
};
image-builder.url = "git+https://git.asonix.dog/asonix/nixos-aarch64-images";
nixpkgs.url = "github:nixos/nixpkgs/master";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, deploy-rs, image-builder, nixpkgs }:
outputs = { self, deploy-rs, image-builder, nixpkgs, sops-nix }:
let
pkgs = import nixpkgs {
system = "aarch64-linux";
@ -56,7 +63,7 @@
"postgres-cfg"
];
sharedModule = { extraPackages ? [ ] }: {
sharedModule = ({ config, ... }: {
services.openssh.settings.PasswordAuthentication = false;
# Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
@ -64,15 +71,6 @@
# Enables the generation of /boot/extlinux/extlinux.conf
boot.loader.generic-extlinux-compatible.enable = true;
users.users.asonix = {
isNormalUser = true;
description = "Tavi";
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3+mNUlokSKZQNXJAuGm2LCHelKuElWLJArzIYZQYEPbrFaE+J8VtfNbMMD1qVI21ksfcqvFQW4aiP4+BFDxTOGW0uBmUHWKxkyyU39y2yhnsa+svwwIooc+Iwkxw0atzSMEBb94UaZlq9cKMSnG9RGeRFqfYnW2s49wpU79wk6zEFUuOHCMKn4R7zqkPac7IyjxZeKlspY3fOasNH4zyrkbhEOlvrwEOdRNTRNCWWzDcinIVZjfmErHlSynshx9yLnCGkLBxHSxgI2TVyR3RlQ3aGbHtB3QN5X7/T/dwXJFJ11P1Q2bC3XP3hHCogDqXcPvDTFSQEM/mZuFcKNbsn asonix@asonix-tower"
];
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
@ -81,7 +79,20 @@
environment.systemPackages = with pkgs; [
btrbk
] ++ extraPackages;
];
sops = {
age.keyFile = /home/asonix/.config/sops/age/keys.txt;
age.generateKey = true;
secrets.private_key = {
format = "yaml";
sopsFile = "./secrets/btrbk.yaml";
};
secrets.btrfsKeyFile = {
format = "binary";
sopsFile = "./secrets/keyfile.bin";
};
};
services.btrbk = {
sshAccess = [
@ -101,24 +112,24 @@
archive_preserve_min = "latest";
archive_preserve = "12m 10y";
ssh_user = "btrbk";
ssh_identity = "/etc/btrbk/ssh/backup-ssh-key";
ssh_identity = config.sops.secrets.private_key.path;
backend_remote = "btrfs-progs-sudo";
};
};
};
});
makeDockerConfig = { hostname, volume, baseModule }: nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
modules = [
sops-nix.nixosModules.sops
baseModule
(sharedModule
{
extraPackages = with pkgs; [
docker
docker-compose
];
})
sharedModule
{
environment.systemPackages = with pkgs; [
docker
docker-compose
];
networking.hostName = hostname;
virtualisation.docker.enable = true;
@ -131,10 +142,13 @@
deployer = { hostname, configuration }: {
hostname = hostname;
profiles.system = {
sshUser = "asonix";
user = "root";
magicRollback = false;
sshOpts = [
"-i"
"/home/asonix/.ssh/nix-installer"
"/home/asonix/.ssh/kube-rsa"
"-t"
];
path = deploy-rs.lib.aarch64-linux.activate.nixos configuration;
};
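Review bot: `age.keyFile = /home/asonix/.config/sops/age/keys.txt;` in the new `sops` block is an unquoted Nix path literal; sops-nix feeds that option into the JSON manifest it builds at evaluation time, and string-coercing a path value there makes Nix copy the file into the world-readable `/nix/store` (or abort evaluation if it is absent on the build host), so the private key location must be a plain string, `age.keyFile = "/home/asonix/.config/sops/age/keys.txt";`. The two `sopsFile` values have the opposite problem: `"./secrets/btrbk.yaml"` is a relative string that does not satisfy sops-nix's `path` type, whereas the path literal `sopsFile = ./secrets/btrbk.yaml;` resolves against the flake and copies only the already-encrypted file into the store, which is the intended behaviour. `secrets.private_key` is declared with `format = "yaml"` but the committed `secrets/btrbk.yaml` contains only a `secret_key:` entry, and sops-nix looks up the YAML key by the attribute name unless `key` is set, so activation will not find it — rename the attribute or add `key = "secret_key";`. `age.generateKey = true` combined with a key path inside a user's home directory means a host missing the file gets a freshly minted identity that is not the `server_nextcloud2` recipient in `.sops.yaml`, so decryption fails later rather than pointing at the missing key; prefer a root-only location such as `/var/lib/sops-nix/key.txt`, or derive the host identity from `sops.age.sshKeyPaths`, and drop `generateKey`. The enclosing `sharedModule` is split across several hunks, so its start and end lie outside this one.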

30
secrets/btrbk.yaml Normal file

@ -0,0 +1,30 @@
secret_key: ENC[AES256_GCM,data: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,iv:2ZYJZy5p8waPfqM9EZrahxwT57I3H0cEr1d0nGlxiAU=,tag:pJytnJgjsX5snwnfcCdDrg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17yhtwnhqjssghc5qqamt0fqdu27zpqms8d8ghrc0txeevywfp3ssklfy57
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUWVCTVQySVBmcnQ1dGVz
dmxMamJOQjU3M3RVY3B4QXBvakVxT0I2clZFCnBnd2l5YndZQTF1c3JZSnppZU5p
TzFCczZCRFBBdzY4eXpaYnQwWjNaRUUKLS0tIHhLdkRVdUhjYURTUWw1WDJRMXVy
WHlrcEFmZGFKYjZ5dTBqK0RZZkVGOEkK/r90o5fybML6kJxfuOdH80LOBPX49wk8
1bZoy2wLvU4w4ZON35PxbL2lIJbfVlc6ORJs2o90fPw3HO4fHbShIw==
-----END AGE ENCRYPTED FILE-----
- recipient: age145uwrexj6ffaaxy7jg3j29gtchhwy0y0nttw06zeuxkqsy8rnpds7fh7xq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSEdLWS9KUlY4Q2s2MWk1
b2NvUXdGN3piTThoNkUybm1oZE16eWU3eWlrClJCaGtYS0MzTCs4VjFhbUNIdVow
WWx3L0xEUHBnN0dGSCtEblZ4SFdGN2sKLS0tIHlCZ1BHeGZoc2VUOFhSdFhKNVRS
V1R4YTZKMWpVdzVxN3NMTWlWbFN1Q2cK1Q8YDH612krI2ck1qer6gLrlQbCY3duR
e8NcUXci0IDfFTnHP6hFhwkG3QHll81Vr9Hk97vctkOqi6jBXSnuQA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-26T03:12:49Z"
mac: ENC[AES256_GCM,data:wFwsTgOzcl/29MLOzAc2h0obwQDK7sm8Ti8Ymi1YVm3xQt9kieJwhf3X/ZnaL3NBX7zhKH4EENSNB89lGHmuasKQ6JG2tP8p7ijZVVrT1dR3N2LltnXVFwkFDaYj9V7lROSQjLM1+1WQ69o6wR+5FQ8qAvaMqVaJPlp76w3BWyQ=,iv:4MuHmkUKv7cdjzjF+2xPrjKcnUMdOdfRYaJufK5OS5Q=,tag:Q4ekRkTendfr2fKJCiqwpQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

24
secrets/keyfile.bin Normal file

@ -0,0 +1,24 @@
{
"data": "ENC[AES256_GCM,data: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,iv:lebZuAWBOZ48uZIs1EB6ejdLxE8+cBQJYZAcENO2/AI=,tag:N+hlG0tqOktcYsUW7kLS5g==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age17yhtwnhqjssghc5qqamt0fqdu27zpqms8d8ghrc0txeevywfp3ssklfy57",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzK0R5VU1YZEJUanlKc2wv\nQTlJTHRMZHAvZ0MzV0pmU0dtMnZEb1VmV0RVCktHbkdNWUl4SU9QdDEwdU01WDBM\nR0J2YWZ3QVd3REkzdC9zZWNDMkNPWFUKLS0tIDRHekdmdTlTV0FwSXkzNlhjdkZz\nNjRlM2UvY0RobWtTY2dyUEtpNk5ySVkK/syr7zqEAoKXSj3qfdY24lXEZ0WMQkoa\ngA5CSmbZHCalQ/iSL2/JXjuQi48xZsWiYz91HK7zUmLPRg1WZxJK0Q==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age145uwrexj6ffaaxy7jg3j29gtchhwy0y0nttw06zeuxkqsy8rnpds7fh7xq",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTbHpWbXh1U2s4OUlmdnV0\nZTFhSXYyZ0NBRHZpSENoYXkxaHN0cGRiSkZ3CitZb1RMR2FNVGRFUitDZnhsdlJN\nMllqeW9hZ1gwc3BTVFczSDg1MVRsWkUKLS0tIEVESVdGK3MvaFJNT25udzVsak14\nYmZCTkc2VHpJMmEzSnIwS1FLVEVtV1UKUp/MgQsgEFWX7DJxnctFjgvHChCQfjak\nGiZEUlLkcO5YlkgfI7uoUaau8AQl6EpFalnZWWHFVJwUvMFvCr70Mw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2023-01-26T03:21:21Z",
"mac": "ENC[AES256_GCM,data:3W+L66vRggBhMIEgRTsS7UNBg38YEOhL/XFaAU8wNB/YbWDo7kqefZS9nOWOxXuMX5iUzm+cvDWp8sEvuOBcaaxrld2CEUbglJ8kfOe1kzpNmnBLWaa/KGDmilsT31JFO+uZgKCTInhVrvbnsfWXLgcWd6AEPIV0oar315+NCR0=,iv:3GvJyF310AUL0mDhzo5Y/vIYqWyOrbpOaiFl3OzdlzE=,tag:u5gs86FsEDH7H2UK1ixfPQ==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}