Add secrets
This commit is contained in:
parent
cf6e371b77
commit
5af6da2101
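--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,14 @@
+keys:
+- &admin_asonix age17yhtwnhqjssghc5qqamt0fqdu27zpqms8d8ghrc0txeevywfp3ssklfy57
+- &server_nextcloud2 age145uwrexj6ffaaxy7jg3j29gtchhwy0y0nttw06zeuxkqsy8rnpds7fh7xq
+creation_rules:
+- path_regex: secrets/[^/]+\.yaml$
+key_groups:
+- age:
+- *admin_asonix
+- *server_nextcloud2
+- path_regex: secrets/[^/]+\.bin$
+key_groups:
+- age:
+- *admin_asonix
+- *server_nextcloud2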
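Review bot: Both `path_regex` values under `creation_rules` are anchored only at the end, so `secrets/[^/]+\.yaml$` applies to any path ending in `secrets/<name>.yaml` anywhere in the tree, not just the top-level `secrets/` directory; anchor them at the start, `- path_regex: ^secrets/[^/]+\.yaml$` and `- path_regex: ^secrets/[^/]+\.bin$`. The two rules list the same two age recipients, so unless the split is deliberate they could be one rule with `^secrets/[^/]+\.(yaml|bin)$`, which keeps the recipient lists from drifting apart on a later edit. A one-line comment on each key saying which machine holds it (e.g. `# admin workstation` / `# nextcloud2 host key`) would make rotation easier later.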
117
flake.lock
117
flake.lock
|
@ -3,7 +3,9 @@
|
|||
"deploy-rs": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"utils": "utils"
|
||||
},
|
||||
"locked": {
|
||||
|
@ -38,14 +40,15 @@
|
|||
},
|
||||
"image-builder": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
"nixpkgs": "nixpkgs",
|
||||
"sops-nix": "sops-nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1674613871,
|
||||
"narHash": "sha256-ybiVqMvTq0Ke0Zs8KgOSmnTI4I3b7gu8f9uVnXxO56U=",
|
||||
"lastModified": 1674702157,
|
||||
"narHash": "sha256-P7n+tTvL5q/0Oblosv4BQVKWFbqqrmSeSo0/CySnDdU=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "73571dbf09e7ecc417a137cbe3c9dc4e27cf01d5",
|
||||
"revCount": 48,
|
||||
"rev": "5137effca1af9cbe644a5b9acd4594703778d6a2",
|
||||
"revCount": 50,
|
||||
"type": "git",
|
||||
"url": "https://git.asonix.dog/asonix/nixos-aarch64-images"
|
||||
},
|
||||
|
@ -55,22 +58,6 @@
|
|||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1671417167,
|
||||
"narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1674521756,
|
||||
"narHash": "sha256-cRrkhBGPO2rKvvEM2FzDBQDsh4DPuR17I+7P4MqxQoM=",
|
||||
|
@ -86,13 +73,45 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1674611681,
|
||||
"narHash": "sha256-/Wr0pJFtkogjL2DC2SZrilWKOMRZt7cIixMvB0MmDUw=",
|
||||
"lastModified": 1674352297,
|
||||
"narHash": "sha256-OkAnJPrauEcUCrst4/3DKoQfUn2gXKuU6CFvhtMrLgg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "918b760070bb8f48cb511300fcd7e02e13058a2e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-22.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable_2": {
|
||||
"locked": {
|
||||
"lastModified": 1674352297,
|
||||
"narHash": "sha256-OkAnJPrauEcUCrst4/3DKoQfUn2gXKuU6CFvhtMrLgg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "918b760070bb8f48cb511300fcd7e02e13058a2e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-22.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1674703351,
|
||||
"narHash": "sha256-n4JueHFyyHL0kDW3+QVJuYBH9Jnu2NUaGB/i38n0pB8=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e1cf19931b5a526db1ebcfc78c12ccd1233a2ee8",
|
||||
"rev": "efecda51128b079bb9c7d09d2e06681598315260",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -106,7 +125,51 @@
|
|||
"inputs": {
|
||||
"deploy-rs": "deploy-rs",
|
||||
"image-builder": "image-builder",
|
||||
"nixpkgs": "nixpkgs_3"
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"sops-nix": "sops-nix_2"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"image-builder",
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1674546403,
|
||||
"narHash": "sha256-vkyNv0xzXuEnu9v52TUtRugNmQWIti8c2RhYnbLG71w=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "b6ab3c61e2ca5e07d1f4eb1b67304e2670ea230c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"sops-nix_2": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1674546403,
|
||||
"narHash": "sha256-vkyNv0xzXuEnu9v52TUtRugNmQWIti8c2RhYnbLG71w=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "b6ab3c61e2ca5e07d1f4eb1b67304e2670ea230c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"utils": {
|
||||
|
|
62
flake.nix
62
flake.nix
|
@ -2,12 +2,19 @@
|
|||
description = "A very basic flake";
|
||||
|
||||
inputs = {
|
||||
deploy-rs.url = "github:serokell/deploy-rs";
|
||||
nixpkgs.url = "github:nixos/nixpkgs/master";
|
||||
deploy-rs = {
|
||||
url = "github:serokell/deploy-rs";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
image-builder.url = "git+https://git.asonix.dog/asonix/nixos-aarch64-images";
|
||||
nixpkgs.url = "github:nixos/nixpkgs/master";
|
||||
sops-nix = {
|
||||
url = "github:Mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = { self, deploy-rs, image-builder, nixpkgs }:
|
||||
outputs = { self, deploy-rs, image-builder, nixpkgs, sops-nix }:
|
||||
let
|
||||
pkgs = import nixpkgs {
|
||||
system = "aarch64-linux";
|
||||
|
@ -56,7 +63,7 @@
|
|||
"postgres-cfg"
|
||||
];
|
||||
|
||||
sharedModule = { extraPackages ? [ ] }: {
|
||||
sharedModule = ({ config, ... }: {
|
||||
services.openssh.settings.PasswordAuthentication = false;
|
||||
|
||||
# Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
|
||||
|
@ -64,15 +71,6 @@
|
|||
# Enables the generation of /boot/extlinux/extlinux.conf
|
||||
boot.loader.generic-extlinux-compatible.enable = true;
|
||||
|
||||
users.users.asonix = {
|
||||
isNormalUser = true;
|
||||
description = "Tavi";
|
||||
extraGroups = [ "wheel" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3+mNUlokSKZQNXJAuGm2LCHelKuElWLJArzIYZQYEPbrFaE+J8VtfNbMMD1qVI21ksfcqvFQW4aiP4+BFDxTOGW0uBmUHWKxkyyU39y2yhnsa+svwwIooc+Iwkxw0atzSMEBb94UaZlq9cKMSnG9RGeRFqfYnW2s49wpU79wk6zEFUuOHCMKn4R7zqkPac7IyjxZeKlspY3fOasNH4zyrkbhEOlvrwEOdRNTRNCWWzDcinIVZjfmErHlSynshx9yLnCGkLBxHSxgI2TVyR3RlQ3aGbHtB3QN5X7/T/dwXJFJ11P1Q2bC3XP3hHCogDqXcPvDTFSQEM/mZuFcKNbsn asonix@asonix-tower"
|
||||
];
|
||||
};
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
|
||||
|
@ -81,7 +79,20 @@
|
|||
|
||||
environment.systemPackages = with pkgs; [
|
||||
btrbk
|
||||
] ++ extraPackages;
|
||||
];
|
||||
|
||||
sops = {
|
||||
age.keyFile = /home/asonix/.config/sops/age/keys.txt;
|
||||
age.generateKey = true;
|
||||
secrets.private_key = {
|
||||
format = "yaml";
|
||||
sopsFile = "./secrets/btrbk.yaml";
|
||||
};
|
||||
secrets.btrfsKeyFile = {
|
||||
format = "binary";
|
||||
sopsFile = "./secrets/keyfile.bin";
|
||||
};
|
||||
};
|
||||
|
||||
services.btrbk = {
|
||||
sshAccess = [
|
||||
|
@ -101,24 +112,24 @@
|
|||
archive_preserve_min = "latest";
|
||||
archive_preserve = "12m 10y";
|
||||
ssh_user = "btrbk";
|
||||
ssh_identity = "/etc/btrbk/ssh/backup-ssh-key";
|
||||
ssh_identity = config.sops.secrets.private_key.path;
|
||||
backend_remote = "btrfs-progs-sudo";
|
||||
};
|
||||
};
|
||||
};
|
||||
});
|
||||
|
||||
makeDockerConfig = { hostname, volume, baseModule }: nixpkgs.lib.nixosSystem {
|
||||
system = "aarch64-linux";
|
||||
modules = [
|
||||
sops-nix.nixosModules.sops
|
||||
baseModule
|
||||
(sharedModule
|
||||
{
|
||||
extraPackages = with pkgs; [
|
||||
docker
|
||||
docker-compose
|
||||
];
|
||||
})
|
||||
sharedModule
|
||||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
docker
|
||||
docker-compose
|
||||
];
|
||||
|
||||
networking.hostName = hostname;
|
||||
|
||||
virtualisation.docker.enable = true;
|
||||
|
@ -131,10 +142,13 @@
|
|||
deployer = { hostname, configuration }: {
|
||||
hostname = hostname;
|
||||
profiles.system = {
|
||||
sshUser = "asonix";
|
||||
user = "root";
|
||||
magicRollback = false;
|
||||
sshOpts = [
|
||||
"-i"
|
||||
"/home/asonix/.ssh/nix-installer"
|
||||
"/home/asonix/.ssh/kube-rsa"
|
||||
"-t"
|
||||
];
|
||||
path = deploy-rs.lib.aarch64-linux.activate.nixos configuration;
|
||||
};
|
||||
|
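Review bot: `secrets.private_key` (hunk `@ -81,7 +79,20 @@`) sets no `key`, so sops-nix will look for an entry named `private_key` in `secrets/btrbk.yaml`, but the committed file's only entry is `secret_key:`; add `key = "secret_key";` to that block (or rename the YAML entry) or the secret cannot be extracted at activation. The same block should also set `owner = "btrbk";`, since its decrypted path is handed to `services.btrbk` as `ssh_identity` in the next hunk and the default root-owned `0400` file would presumably be unreadable by the btrbk service user — confirm against the user the btrbk unit runs as. `sopsFile = "./secrets/btrbk.yaml"` is a relative string rather than the path literal `./secrets/btrbk.yaml`; the string is not resolved against the flake source, so it should be the path literal (same for `./secrets/keyfile.bin`). Conversely `age.keyFile = /home/asonix/.config/sops/age/keys.txt` is a path literal naming a private key, and a path literal that gets coerced to a string during evaluation is copied into the world-readable Nix store, so write it as a string such as `age.keyFile = "/var/lib/sops-nix/key.txt";`; note too that with `generateKey = true` a key created on first activation will not be the `server_nextcloud2` recipient listed in `.sops.yaml`, so the host key must be provisioned out of band. The enclosing `sharedModule` starts and ends outside this hunk.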
|
30
secrets/btrbk.yaml
Normal file
30
secrets/btrbk.yaml
Normal file
|
@ -0,0 +1,30 @@
|
|||
secret_key: ENC[AES256_GCM,data:vOSidp2iECXPceHPcBWqgYlhlMcGfwkVW1KUVDT+UcMfT4yLRlZAAxAbuvjH7ZQizs4FPiNI6yNrkP0DF7OKKvuoYfARg3bATVNtnBzyJbLhJk7lOcrHcGWyGeiVlkHk8IgUm01EHWaJ/01ZLouDoy1yt2/CTh56p8TBYKwlqJC+QIiTvSo+7580DCcvdxUAbo6ZlTJjEsCgbzBHvmW8K0HsjjDfdT7NEs2xk2pUJE3Vgl6J6pDc9wJT9lIljDQN5KgP6/MQ68dOCnb9OUqVX+ebBpF0k9uZxsel4GhqpsCX04aSmnawmDs/eYbFv0Fv/xUspZByU8/xl7XysUZ7kUsX60CXWFkuCSR4sOctTOb8yW17bco1PHUh/800GrrTmDnG5tPKqM53pB/efNI4wi04roOmSj57lPeUBzTnBsf+WjvlRUw/URFyK14rO83fk1HFdiuW4z5SdcnsFB7Cy1HBFFzryZkRPCHivKo8BYe+AwGb5mvVh1C4Z2U/sfNRTK/JpXp85zlSghvZnv3RE+uAS1U18NtI0uRg,iv:2ZYJZy5p8waPfqM9EZrahxwT57I3H0cEr1d0nGlxiAU=,tag:pJytnJgjsX5snwnfcCdDrg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age17yhtwnhqjssghc5qqamt0fqdu27zpqms8d8ghrc0txeevywfp3ssklfy57
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUWVCTVQySVBmcnQ1dGVz
|
||||
dmxMamJOQjU3M3RVY3B4QXBvakVxT0I2clZFCnBnd2l5YndZQTF1c3JZSnppZU5p
|
||||
TzFCczZCRFBBdzY4eXpaYnQwWjNaRUUKLS0tIHhLdkRVdUhjYURTUWw1WDJRMXVy
|
||||
WHlrcEFmZGFKYjZ5dTBqK0RZZkVGOEkK/r90o5fybML6kJxfuOdH80LOBPX49wk8
|
||||
1bZoy2wLvU4w4ZON35PxbL2lIJbfVlc6ORJs2o90fPw3HO4fHbShIw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age145uwrexj6ffaaxy7jg3j29gtchhwy0y0nttw06zeuxkqsy8rnpds7fh7xq
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSEdLWS9KUlY4Q2s2MWk1
|
||||
b2NvUXdGN3piTThoNkUybm1oZE16eWU3eWlrClJCaGtYS0MzTCs4VjFhbUNIdVow
|
||||
WWx3L0xEUHBnN0dGSCtEblZ4SFdGN2sKLS0tIHlCZ1BHeGZoc2VUOFhSdFhKNVRS
|
||||
V1R4YTZKMWpVdzVxN3NMTWlWbFN1Q2cK1Q8YDH612krI2ck1qer6gLrlQbCY3duR
|
||||
e8NcUXci0IDfFTnHP6hFhwkG3QHll81Vr9Hk97vctkOqi6jBXSnuQA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-01-26T03:12:49Z"
|
||||
mac: ENC[AES256_GCM,data:wFwsTgOzcl/29MLOzAc2h0obwQDK7sm8Ti8Ymi1YVm3xQt9kieJwhf3X/ZnaL3NBX7zhKH4EENSNB89lGHmuasKQ6JG2tP8p7ijZVVrT1dR3N2LltnXVFwkFDaYj9V7lROSQjLM1+1WQ69o6wR+5FQ8qAvaMqVaJPlp76w3BWyQ=,iv:4MuHmkUKv7cdjzjF+2xPrjKcnUMdOdfRYaJufK5OS5Q=,tag:Q4ekRkTendfr2fKJCiqwpQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
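--- a/secrets/keyfile.bin
+++ b/secrets/keyfile.bin
@@ -0,0 +1,24 @@
+{
+"data": "ENC[AES256_GCM,data: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,iv:lebZuAWBOZ48uZIs1EB6ejdLxE8+cBQJYZAcENO2/AI=,tag:N+hlG0tqOktcYsUW7kLS5g==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": [
+{
+"recipient": "age17yhtwnhqjssghc5qqamt0fqdu27zpqms8d8ghrc0txeevywfp3ssklfy57",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzK0R5VU1YZEJUanlKc2wv\nQTlJTHRMZHAvZ0MzV0pmU0dtMnZEb1VmV0RVCktHbkdNWUl4SU9QdDEwdU01WDBM\nR0J2YWZ3QVd3REkzdC9zZWNDMkNPWFUKLS0tIDRHekdmdTlTV0FwSXkzNlhjdkZz\nNjRlM2UvY0RobWtTY2dyUEtpNk5ySVkK/syr7zqEAoKXSj3qfdY24lXEZ0WMQkoa\ngA5CSmbZHCalQ/iSL2/JXjuQi48xZsWiYz91HK7zUmLPRg1WZxJK0Q==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age145uwrexj6ffaaxy7jg3j29gtchhwy0y0nttw06zeuxkqsy8rnpds7fh7xq",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTbHpWbXh1U2s4OUlmdnV0\nZTFhSXYyZ0NBRHZpSENoYXkxaHN0cGRiSkZ3CitZb1RMR2FNVGRFUitDZnhsdlJN\nMllqeW9hZ1gwc3BTVFczSDg1MVRsWkUKLS0tIEVESVdGK3MvaFJNT25udzVsak14\nYmZCTkc2VHpJMmEzSnIwS1FLVEVtV1UKUp/MgQsgEFWX7DJxnctFjgvHChCQfjak\nGiZEUlLkcO5YlkgfI7uoUaau8AQl6EpFalnZWWHFVJwUvMFvCr70Mw==\n-----END AGE ENCRYPTED FILE-----\n"
+}
+],
+"lastmodified": "2023-01-26T03:21:21Z",
+"mac": "ENC[AES256_GCM,data:3W+L66vRggBhMIEgRTsS7UNBg38YEOhL/XFaAU8wNB/YbWDo7kqefZS9nOWOxXuMX5iUzm+cvDWp8sEvuOBcaaxrld2CEUbglJ8kfOe1kzpNmnBLWaa/KGDmilsT31JFO+uZgKCTInhVrvbnsfWXLgcWd6AEPIV0oar315+NCR0=,iv:3GvJyF310AUL0mDhzo5Y/vIYqWyOrbpOaiFl3OzdlzE=,tag:u5gs86FsEDH7H2UK1ixfPQ==,type:str]",
+"pgp": null,
+"unencrypted_suffix": "_unencrypted",
+"version": "3.7.3"
+}
+}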