From 5af6da21015162d72ffa469fe9096a84e1464609 Mon Sep 17 00:00:00 2001
From: asonix
Date: Wed, 25 Jan 2023 21:26:30 -0600
Subject: [PATCH] Add secrets
---
 .sops.yaml | 14 ++++++
 flake.lock | 117 ++++++++++++++++++++++++++++++++++----------
 flake.nix | 62 ++++++++++++++---------
 secrets/btrbk.yaml | 30 ++++++++++++
 secrets/keyfile.bin | 24 +++++++++
 5 files changed, 196 insertions(+), 51 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/btrbk.yaml
 create mode 100644 secrets/keyfile.bin
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..3aec0bf
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,14 @@
+keys:
+ - &admin_asonix age17yhtwnhqjssghc5qqamt0fqdu27zpqms8d8ghrc0txeevywfp3ssklfy57
+ - &server_nextcloud2 age145uwrexj6ffaaxy7jg3j29gtchhwy0y0nttw06zeuxkqsy8rnpds7fh7xq
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *admin_asonix
+ - *server_nextcloud2
+ - path_regex: secrets/[^/]+\.bin$
+ key_groups:
+ - age:
+ - *admin_asonix
+ - *server_nextcloud2
diff --git a/flake.lock b/flake.lock
index 1792853..16b9e85 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,7 +3,9 @@
 "deploy-rs": {
 "inputs": {
 "flake-compat": "flake-compat",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
 "utils": "utils"
 },
 "locked": {
@@ -38,14 +40,15 @@
 },
 "image-builder": {
 "inputs": {
- "nixpkgs": "nixpkgs_2"
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
 },
 "locked": {
- "lastModified": 1674613871,
- "narHash": "sha256-ybiVqMvTq0Ke0Zs8KgOSmnTI4I3b7gu8f9uVnXxO56U=",
+ "lastModified": 1674702157,
+ "narHash": "sha256-P7n+tTvL5q/0Oblosv4BQVKWFbqqrmSeSo0/CySnDdU=",
 "ref": "refs/heads/main",
- "rev": "73571dbf09e7ecc417a137cbe3c9dc4e27cf01d5",
- "revCount": 48,
+ "rev": "5137effca1af9cbe644a5b9acd4594703778d6a2",
+ "revCount": 50,
 "type": "git",
 "url": "https://git.asonix.dog/asonix/nixos-aarch64-images"
 },
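Review bot: The two creation_rules differ only in the file extension, so a single rule `- path_regex: secrets/[^/]+\.(yaml|bin)$` over the same key_groups keeps one recipient list that cannot drift when a key is rotated. A short comment above `keys:` would also help readers: both recipients sit in one `age:` group, so either the admin key or the server key alone decrypts every file (a group is a union of recipients, not a threshold), which is presumably intended because the host must decrypt at activation. The same comment should say that editing this file does not re-encrypt existing files; `sops updatekeys secrets/*` has to be run after any recipient change.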
@@ -55,22 +58,6 @@
 }
 },
 "nixpkgs": {
- "locked": {
- "lastModified": 1671417167,
- "narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "nixpkgs-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs_2": {
 "locked": {
 "lastModified": 1674521756,
 "narHash": "sha256-cRrkhBGPO2rKvvEM2FzDBQDsh4DPuR17I+7P4MqxQoM=",
@@ -86,13 +73,45 @@
 "type": "github"
 }
 },
- "nixpkgs_3": {
+ "nixpkgs-stable": {
 "locked": {
- "lastModified": 1674611681,
- "narHash": "sha256-/Wr0pJFtkogjL2DC2SZrilWKOMRZt7cIixMvB0MmDUw=",
+ "lastModified": 1674352297,
+ "narHash": "sha256-OkAnJPrauEcUCrst4/3DKoQfUn2gXKuU6CFvhtMrLgg=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "918b760070bb8f48cb511300fcd7e02e13058a2e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-stable_2": {
+ "locked": {
+ "lastModified": 1674352297,
+ "narHash": "sha256-OkAnJPrauEcUCrst4/3DKoQfUn2gXKuU6CFvhtMrLgg=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "918b760070bb8f48cb511300fcd7e02e13058a2e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1674703351,
+ "narHash": "sha256-n4JueHFyyHL0kDW3+QVJuYBH9Jnu2NUaGB/i38n0pB8=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "e1cf19931b5a526db1ebcfc78c12ccd1233a2ee8",
+ "rev": "efecda51128b079bb9c7d09d2e06681598315260",
 "type": "github"
 },
 "original": {
@@ -106,7 +125,51 @@
 "inputs": {
 "deploy-rs": "deploy-rs",
 "image-builder": "image-builder",
- "nixpkgs": "nixpkgs_3"
+ "nixpkgs": "nixpkgs_2",
+ "sops-nix": "sops-nix_2"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "image-builder",
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1674546403,
+ "narHash": "sha256-vkyNv0xzXuEnu9v52TUtRugNmQWIti8c2RhYnbLG71w=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "b6ab3c61e2ca5e07d1f4eb1b67304e2670ea230c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
+ "sops-nix_2": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable_2"
+ },
+ "locked": {
+ "lastModified": 1674546403,
+ "narHash": "sha256-vkyNv0xzXuEnu9v52TUtRugNmQWIti8c2RhYnbLG71w=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "b6ab3c61e2ca5e07d1f4eb1b67304e2670ea230c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 },
 "utils": {
diff --git a/flake.nix b/flake.nix
index 566d88a..1e749bb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,12 +2,19 @@
 description = "A very basic flake";
 
 inputs = {
- deploy-rs.url = "github:serokell/deploy-rs";
- nixpkgs.url = "github:nixos/nixpkgs/master";
+ deploy-rs = {
+ url = "github:serokell/deploy-rs";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 image-builder.url = "git+https://git.asonix.dog/asonix/nixos-aarch64-images";
+ nixpkgs.url = "github:nixos/nixpkgs/master";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 
- outputs = { self, deploy-rs, image-builder, nixpkgs }:
+ outputs = { self, deploy-rs, image-builder, nixpkgs, sops-nix }:
 let
 pkgs = import nixpkgs {
 system = "aarch64-linux";
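Review bot: `sops-nix` gets `inputs.nixpkgs.follows = "nixpkgs"` but `image-builder` is left on its own `nixpkgs` and its own `sops-nix`, so the lock in this same commit carries two sops-nix entries (`sops-nix`, `sops-nix_2`) and two identical `nixpkgs-stable` entries, each evaluated against a different nixpkgs revision. `image-builder.inputs.sops-nix.follows = "sops-nix";` (and `image-builder.inputs.nixpkgs.follows = "nixpkgs";` if the image builder tolerates master) would dedupe them; I cannot see image-builder's flake, so that compatibility is an assumption to check. Separately, `nixpkgs.url = "github:nixos/nixpkgs/master"` tracks the raw branch rather than a Hydra-tested channel such as `nixos-unstable`, so every `nix flake update` pulls commits that have not passed the channel's test jobs; if that is deliberate, a one-line comment on the input saying why would save the next reader the question.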
@@ -56,7 +63,7 @@ "postgres-cfg" ]; - sharedModule = { extraPackages ? [ ] }: { + sharedModule = ({ config, ... }: { services.openssh.settings.PasswordAuthentication = false; # Use the extlinux boot loader. (NixOS wants to enable GRUB by default) @@ -64,15 +71,6 @@ # Enables the generation of /boot/extlinux/extlinux.conf boot.loader.generic-extlinux-compatible.enable = true; - users.users.asonix = { - isNormalUser = true; - description = "Tavi"; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3+mNUlokSKZQNXJAuGm2LCHelKuElWLJArzIYZQYEPbrFaE+J8VtfNbMMD1qVI21ksfcqvFQW4aiP4+BFDxTOGW0uBmUHWKxkyyU39y2yhnsa+svwwIooc+Iwkxw0atzSMEBb94UaZlq9cKMSnG9RGeRFqfYnW2s49wpU79wk6zEFUuOHCMKn4R7zqkPac7IyjxZeKlspY3fOasNH4zyrkbhEOlvrwEOdRNTRNCWWzDcinIVZjfmErHlSynshx9yLnCGkLBxHSxgI2TVyR3RlQ3aGbHtB3QN5X7/T/dwXJFJ11P1Q2bC3XP3hHCogDqXcPvDTFSQEM/mZuFcKNbsn asonix@asonix-tower" - ]; - }; - fileSystems."/" = { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; @@ -81,7 +79,20 @@ environment.systemPackages = with pkgs; [ btrbk - ] ++ extraPackages; + ]; + + sops = { + age.keyFile = /home/asonix/.config/sops/age/keys.txt; + age.generateKey = true; + secrets.private_key = { + format = "yaml"; + sopsFile = "./secrets/btrbk.yaml"; + }; + secrets.btrfsKeyFile = { + format = "binary"; + sopsFile = "./secrets/keyfile.bin"; + }; + }; services.btrbk = { sshAccess = [ 
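Review bot: `sopsFile = "./secrets/btrbk.yaml"` (and the `.bin` one below it) is a relative string, which Nix does not resolve against the flake and which sops-nix's path-typed option is unlikely to accept; the path literal `./secrets/btrbk.yaml` makes it flake-relative and copies only the encrypted file into the store, which is fine. `age.keyFile = /home/asonix/.config/sops/age/keys.txt` has the opposite problem: an unquoted path literal to a private key, which pure evaluation will refuse to read outside the flake and which, under `--impure`, Nix copies into the world-readable store the moment anything coerces it to a string — write it as the string `"/home/asonix/.config/sops/age/keys.txt"`. That location also keeps the host's decryption key readable by the `asonix` account (presumably a sudo-capable user, since the deployer below logs in as asonix and activates as root), so a root-only path such as `/var/lib/sops-nix/key.txt` would be the safer default; with `age.generateKey = true` a missing file silently yields a fresh key that is not in `.sops.yaml`, so activation would still fail, only later and less obviously. The sharedModule this belongs to starts and ends outside this hunk.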
@@ -101,24 +112,24 @@ archive_preserve_min = "latest"; archive_preserve = "12m 10y"; ssh_user = "btrbk"; - ssh_identity = "/etc/btrbk/ssh/backup-ssh-key"; + ssh_identity = config.sops.secrets.private_key.path; backend_remote = "btrfs-progs-sudo"; }; }; - }; + }); makeDockerConfig = { hostname, volume, baseModule }: nixpkgs.lib.nixosSystem { system = "aarch64-linux"; modules = [ + sops-nix.nixosModules.sops baseModule - (sharedModule - { - extraPackages = with pkgs; [ - docker - docker-compose - ]; - }) + sharedModule { + environment.systemPackages = with pkgs; [ + docker + docker-compose + ]; + networking.hostName = hostname; virtualisation.docker.enable = true; @@ -131,10 +142,13 @@ deployer = { hostname, configuration }: { hostname = hostname; profiles.system = { + sshUser = "asonix"; user = "root"; + magicRollback = false; sshOpts = [ "-i" - "/home/asonix/.ssh/nix-installer" + "/home/asonix/.ssh/kube-rsa" + "-t" ]; path = deploy-rs.lib.aarch64-linux.activate.nixos configuration; }; diff --git a/secrets/btrbk.yaml b/secrets/btrbk.yaml new file mode 100644 index 0000000..254d13c --- /dev/null +++ b/secrets/btrbk.yaml 
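Review bot: `ssh_identity = config.sops.secrets.private_key.path` resolves a secret that sops-nix will look up under the key `private_key` in secrets/btrbk.yaml (the attribute name is the default lookup key), but the YAML file added in this commit has a single top-level key `secret_key`, so sops-install-secrets should fail at activation with a key-not-found error. Either rename the key in the YAML or add `key = "secret_key";` to the `secrets.private_key` declaration so the two agree. The sharedModule body this line belongs to starts before this hunk.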
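Review bot: `magicRollback = false;` removes deploy-rs's only safety net: with it on, a profile that breaks connectivity (this commit also disables `PasswordAuthentication` in sharedModule and switches the deploy identity to `kube-rsa`) is reverted automatically when the deployer cannot reconnect; with it off a bad deploy stays active until someone has console access. If it is off because the forced tty from `-t` (presumably for a sudo password prompt, given `sshUser = "asonix"` with `user = "root"`) interferes with the confirmation step, say so: `magicRollback = false; # confirmation can't run over the forced tty; revert manually if a deploy breaks ssh`. A forced tty also makes the deploy hang rather than fail when run without a terminal, so this profile is interactive-only as written. The closing line of the `deployer` attrset is outside this hunk.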
@@ -0,0 +1,30 @@
+secret_key: ENC[AES256_GCM,data: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,iv:2ZYJZy5p8waPfqM9EZrahxwT57I3H0cEr1d0nGlxiAU=,tag:pJytnJgjsX5snwnfcCdDrg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17yhtwnhqjssghc5qqamt0fqdu27zpqms8d8ghrc0txeevywfp3ssklfy57
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUWVCTVQySVBmcnQ1dGVz
+ dmxMamJOQjU3M3RVY3B4QXBvakVxT0I2clZFCnBnd2l5YndZQTF1c3JZSnppZU5p
+ TzFCczZCRFBBdzY4eXpaYnQwWjNaRUUKLS0tIHhLdkRVdUhjYURTUWw1WDJRMXVy
+ WHlrcEFmZGFKYjZ5dTBqK0RZZkVGOEkK/r90o5fybML6kJxfuOdH80LOBPX49wk8
+ 1bZoy2wLvU4w4ZON35PxbL2lIJbfVlc6ORJs2o90fPw3HO4fHbShIw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age145uwrexj6ffaaxy7jg3j29gtchhwy0y0nttw06zeuxkqsy8rnpds7fh7xq
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSEdLWS9KUlY4Q2s2MWk1
+ b2NvUXdGN3piTThoNkUybm1oZE16eWU3eWlrClJCaGtYS0MzTCs4VjFhbUNIdVow
+ WWx3L0xEUHBnN0dGSCtEblZ4SFdGN2sKLS0tIHlCZ1BHeGZoc2VUOFhSdFhKNVRS
+ V1R4YTZKMWpVdzVxN3NMTWlWbFN1Q2cK1Q8YDH612krI2ck1qer6gLrlQbCY3duR
+ e8NcUXci0IDfFTnHP6hFhwkG3QHll81Vr9Hk97vctkOqi6jBXSnuQA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-01-26T03:12:49Z"
+ mac: ENC[AES256_GCM,data:wFwsTgOzcl/29MLOzAc2h0obwQDK7sm8Ti8Ymi1YVm3xQt9kieJwhf3X/ZnaL3NBX7zhKH4EENSNB89lGHmuasKQ6JG2tP8p7ijZVVrT1dR3N2LltnXVFwkFDaYj9V7lROSQjLM1+1WQ69o6wR+5FQ8qAvaMqVaJPlp76w3BWyQ=,iv:4MuHmkUKv7cdjzjF+2xPrjKcnUMdOdfRYaJufK5OS5Q=,tag:Q4ekRkTendfr2fKJCiqwpQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/secrets/keyfile.bin b/secrets/keyfile.bin
new file mode 100644
index 0000000..0c3ff78
--- /dev/null
+++ b/secrets/keyfile.bin
@@ -0,0 +1,24 @@
+{
+ "data": "ENC[AES256_GCM,data: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,iv:lebZuAWBOZ48uZIs1EB6ejdLxE8+cBQJYZAcENO2/AI=,tag:N+hlG0tqOktcYsUW7kLS5g==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age17yhtwnhqjssghc5qqamt0fqdu27zpqms8d8ghrc0txeevywfp3ssklfy57",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzK0R5VU1YZEJUanlKc2wv\nQTlJTHRMZHAvZ0MzV0pmU0dtMnZEb1VmV0RVCktHbkdNWUl4SU9QdDEwdU01WDBM\nR0J2YWZ3QVd3REkzdC9zZWNDMkNPWFUKLS0tIDRHekdmdTlTV0FwSXkzNlhjdkZz\nNjRlM2UvY0RobWtTY2dyUEtpNk5ySVkK/syr7zqEAoKXSj3qfdY24lXEZ0WMQkoa\ngA5CSmbZHCalQ/iSL2/JXjuQi48xZsWiYz91HK7zUmLPRg1WZxJK0Q==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age145uwrexj6ffaaxy7jg3j29gtchhwy0y0nttw06zeuxkqsy8rnpds7fh7xq",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTbHpWbXh1U2s4OUlmdnV0\nZTFhSXYyZ0NBRHZpSENoYXkxaHN0cGRiSkZ3CitZb1RMR2FNVGRFUitDZnhsdlJN\nMllqeW9hZ1gwc3BTVFczSDg1MVRsWkUKLS0tIEVESVdGK3MvaFJNT25udzVsak14\nYmZCTkc2VHpJMmEzSnIwS1FLVEVtV1UKUp/MgQsgEFWX7DJxnctFjgvHChCQfjak\nGiZEUlLkcO5YlkgfI7uoUaau8AQl6EpFalnZWWHFVJwUvMFvCr70Mw==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2023-01-26T03:21:21Z",
+ "mac": "ENC[AES256_GCM,data:3W+L66vRggBhMIEgRTsS7UNBg38YEOhL/XFaAU8wNB/YbWDo7kqefZS9nOWOxXuMX5iUzm+cvDWp8sEvuOBcaaxrld2CEUbglJ8kfOe1kzpNmnBLWaa/KGDmilsT31JFO+uZgKCTInhVrvbnsfWXLgcWd6AEPIV0oar315+NCR0=,iv:3GvJyF310AUL0mDhzo5Y/vIYqWyOrbpOaiFl3OzdlzE=,tag:u5gs86FsEDH7H2UK1ixfPQ==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file