From 92fae1bed4db8f80731dc87a3a99ec9d0975e4dc Mon Sep 17 00:00:00 2001
From: Jo
Date: Sun, 22 Sep 2024 23:07:08 +0200
Subject: [PATCH] feat: finish sops-nix configuration feat(modules): update traefik service to letsencrypt staging servers various other tweaks
---
 .gitignore | 2 +-
 .sops.yaml | 6 ++--
 modules/nixos/services/traefik/default.nix | 4 +--
 secrets/default.yaml | 36 +++++++++++++++++++
 .../x86_64-linux/absolutesolver/default.nix | 6 ++++
 systems/x86_64-linux/puzzlevision/default.nix | 8 +++++
 6 files changed, 57 insertions(+), 5 deletions(-)
 create mode 100644 secrets/default.yaml
diff --git a/.gitignore b/.gitignore
index 589556f..66356cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 ### Jetbrains
-/.idea
\ No newline at end of file
+/.idea
diff --git a/.sops.yaml b/.sops.yaml
index 60f1f04..3a7a1f8 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,9 @@
 keys:
-  - &jo D94C5D66B93C7C7B855F8FF08FBFDF2DB9BBAAF9
+  - &jo age1gudgza8lv02nwec0pejqpp5t7zu0tzjsfkmvgvy3ckfscr9f4qrq2sl5dv
+  - &server_absolutesolver age1qcjcwh9tq8pzf2yr7m3hm2n3n3y5rlc30fpkr0eytju9w57ucgcsgcy79d
 creation_rules:
   - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
     key_groups:
-      - pgp:
+      - age:
         - *jo
+        - *server_absolutesolver
diff --git a/modules/nixos/services/traefik/default.nix b/modules/nixos/services/traefik/default.nix
index 1ab2c2a..4ce1231 100644
--- a/modules/nixos/services/traefik/default.nix
+++ b/modules/nixos/services/traefik/default.nix
@@ -14,7 +14,8 @@ in {
 
   systemd.services.traefik = {
     environment = {
-      CF_API_EMAIL = "johannesreckers2006@gmail.com";
+      CF_API_EMAIL = config.sops.secrets."cloudflare/api_email".path;
+      CF_API_KEY = config.sops.secrets."cloudflare/api_key".path;
     };
   };
 
@@ -96,6 +97,5 @@ in {
   };
 
   # Todo: continue with "traefik" configuration and test it on a running system
-  # Todo: setup sops-nix for secret management
 };
 }
diff --git a/secrets/default.yaml b/secrets/default.yaml
new file mode 100644
index 0000000..ac5762a
--- /dev/null
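Review bot: The new `&server_absolutesolver` recipient carries no comment saying where it comes from; presumably it is the age conversion of absolutesolver's `/etc/ssh/ssh_host_ed25519_key` (the absolutesolver hunk sets `sops.age.sshKeyPaths`), in which case a reinstall or host-key rotation breaks decryption on that host until the new recipient is added here and `sops updatekeys` is run. A comment on that line such as `# absolutesolver host identity, derived from its ssh_host_ed25519_key; re-add and run sops updatekeys after host key rotation` would record this. Puzzlevision has no recipient in this file, so per the puzzlevision hunk it must hold the `&jo` editing identity on disk; giving it its own host recipient would keep that identity off machines and let a single host be revoked.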
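Review bot: `CF_API_EMAIL` and `CF_API_KEY` are assigned the `.path` of the decrypted secret, so Traefik's ACME provider would receive a file path as the e-mail address and API key rather than the values themselves. Lego reads file-backed credentials when the variable name carries a `_FILE` suffix, so these lines should read `CF_API_EMAIL_FILE = config.sops.secrets."cloudflare/api_email".path;` and `CF_API_KEY_FILE = config.sops.secrets."cloudflare/api_key".path;`. Nothing in this diff declares `sops.secrets."cloudflare/api_email"` or `"cloudflare/api_key"`, and the encrypted file stores them under `services.cloudflare.*`, so each declaration needs a `key = "services/cloudflare/..."` mapping and an `owner`/`group` the traefik unit can read (the sops-nix default is root-only 0400); the same name-versus-key mismatch applies to `user/jo/password_hash` against `users.jo.password_hash` in the puzzlevision hunk. A scoped Cloudflare DNS token via `CF_DNS_API_TOKEN_FILE` would also be narrower than the global API key; the enclosing attribute set starts before this hunk.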
+++ b/secrets/default.yaml 
@@ -0,0 +1,36 @@
+users:
+    jo:
+        password_hash: ENC[AES256_GCM,data:zHiVYdv7vQjW4yYWVyszNaHM40r5pp2CRIbcGRF9CcEoCSJnDF0LRDFoTAFGsnXLMgzpvai7nCNHksSW6NEsVubVeH0D7/ECbw==,iv:g+py8p9KF1Kds1mg7iUjMghoeapAo4738LxMrwXGEgc=,tag:tQsDWtspuWVU77jyEpgNYQ==,type:str]
+services:
+    cloudflare:
+        api_email: ENC[AES256_GCM,data:n32V/74Kz7lSwCVYmwKrbSVdct/oLc9NcIZtvvk=,iv:HOe2unXoP+C+DliK0vGbkTNUWbQJvDwfWpNwqsIJHWM=,tag:sQT1fnjgRihkDUGJH4CnIA==,type:str]
+        api_key: ENC[AES256_GCM,data:uDh6rPtSx2B53x5xd1R1vNJTLyB2Bn5/vCkzIZnX0MSFQhiwSA==,iv:5rzKLF6h3uAFUWyh9oz2JmQFd4FTvQ7KCx6dgCvp2jg=,tag:NYB4oMI47AZDCmOlNH0ZrA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1gudgza8lv02nwec0pejqpp5t7zu0tzjsfkmvgvy3ckfscr9f4qrq2sl5dv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4MGdHQ2V4YzAwSG5ZWXJD
+            ejhVdVpML2J0Q3Z6NzlIanV4anpsSXpXdWw4CkVvTDlYd3k1RldoaVJVV0lSN3JD
+            bUw3ZGxpREpjKzVEZFd4U0NIV0htWXMKLS0tIDBkZFRYN3p4YTNEMm50VGgwcUlN
+            dGRtcmY2VytsbThLdzY1UzByQUZyR00K9bBXCTqpmzo1LNT4pmgGtEwad8cmoxyJ
+            0y3TkHXFZw8KHuyV53sbrDyUreePCXLbjdBChdTSMXCMAZQxews+TQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qcjcwh9tq8pzf2yr7m3hm2n3n3y5rlc30fpkr0eytju9w57ucgcsgcy79d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXanBCY01yTDZiS3N1YUQ2
+            SXFkbXVPT1E0M05xeFAyUVY5bUY3dTlTdWpjCjFIU2FVelpJaUJNWFRmbnB5aHg4
+            bS9LYnU1WFB2KzRjZlZ2SHZKb3B2ZGMKLS0tIGxDcW9uMjF3ZU1pY0g4NlVPcVNu
+            dnk2Z3N0YzU0eG5nbkkvZC8yQXJhWlEKKVGY0IyA9MMqzc+YohmHzKqHaf8z8t6Z
+            ag0TBf2uU2ZDiPfNhhDaUdltGiPrk+AlbHSTmrDwZ8T/+A8hHRyGYA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-22T15:10:16Z"
+    mac: ENC[AES256_GCM,data:BZfsnJDXxawuMzV0N2c4McnKWGq5wZky3vJZL9vMKwvffRqXyGJThaZxM7jGFL8Tv/OYdLD7YuH2TA6yVf4yK2fukXRbWlGMoAjtSVL6iXh6B8dn6jeDPyNwG/QSIDimRVj/dWCWgZWCG7+D72Dilj7lPohAVWNPKJR7C21jETk=,iv:Xbw3dbQfs32/6IDSwlRJU+NN2XzyQAfoijLQj/e4dao=,tag:BZYab9PYYg5CjUtXfBj6wA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0
diff --git a/systems/x86_64-linux/absolutesolver/default.nix b/systems/x86_64-linux/absolutesolver/default.nix
index 952b8ff..de88da8 100644
--- a/systems/x86_64-linux/absolutesolver/default.nix
+++ b/systems/x86_64-linux/absolutesolver/default.nix
@@ -14,6 +14,12 @@
     inputs.hardware.nixosModules.common-pc-laptop-ssd
   ];
 
+  # Setup Sops
+  sops.defaultSopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
   # Set hostname
   # Todo: move to common/networking module
   networking.hostName = "absolutesolver";
diff --git a/systems/x86_64-linux/puzzlevision/default.nix b/systems/x86_64-linux/puzzlevision/default.nix
index 307d5b5..46ba150 100644
--- a/systems/x86_64-linux/puzzlevision/default.nix
+++ b/systems/x86_64-linux/puzzlevision/default.nix
@@ -14,6 +14,13 @@
     inputs.hardware.nixosModules.common-pc-laptop-ssd
   ];
 
+  # Configure Sops
+  sops.defaultSopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt"; # The main AGE key is expected in this location, it is only needed for this system.
+
+  # Sops keys
+  sops.secrets."user/jo/password_hash".neededForUsers = true;
+
   # Set hostname
   # Todo: move to common/networking module
   networking.hostName = "puzzlevision";
@@ -53,6 +60,7 @@
   snowfallorg.users.jo.admin = true;
   users.users.jo.isNormalUser = true;
   users.users.jo.extraGroups = [ "dialout" "docker" ];
+  users.users.jo.hashedPasswordFile = config.sops.secrets."user/jo/password_hash".path;
 
   # Configure home-manager
   home-manager = {
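Review bot: `sops.age.generateKey = true` together with `sops.age.sshKeyPaths` gives this host two age identities, and only one of them (presumably the ssh-host-key-derived `&server_absolutesolver` recipient in `.sops.yaml`) can decrypt anything; the generated `/var/lib/sops-nix/key.txt` is an unused identity unless its recipient is also added to `.sops.yaml`. Either drop `sops.age.keyFile`/`sops.age.generateKey` here, or record the intent in the `# Setup Sops` comment, e.g. `# Decrypts via the host ssh key (recipient server_absolutesolver in .sops.yaml); key.txt is a fallback identity not yet listed there`. Whichever identity is kept, a note next to `sshKeyPaths` that rotating the ssh host key requires re-keying secrets/default.yaml would save the next maintainer a locked-out host.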
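Review bot: The `sops.age.keyFile` comment says the main age key is expected on this host, so the identity that can edit every secret in the repository sits on a laptop; using `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` as absolutesolver does and adding this host's recipient to `.sops.yaml` would keep the editing key off machines and allow revoking one host. The trailing comment on the `keyFile` line is long enough to belong on its own line above the assignment, matching the `# Configure Sops` and `# Sops keys` style. If key.txt is absent when the system activates, the `neededForUsers` secret presumably cannot be decrypted and user setup fails before a login is possible, so a comment stating how key.txt is provisioned onto this host would help.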