mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

feat: implement repository-wide secrets

Browse source
This commit is contained in:
oddlama 2023-03-14 23:55:59 +01:00
parent efa04063e6
commit b03c913349
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
9 changed files with 130 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

1
flake.nix
View file

@ -47,6 +47,7 @@
} @ inputs: } @ inputs:
{ {
hosts = import ./nix/hosts.nix inputs; hosts = import ./nix/hosts.nix inputs;
secrets = import ./nix/secrets.nix inputs;
colmena = import ./nix/colmena.nix inputs; colmena = import ./nix/colmena.nix inputs;
overlays = import ./nix/overlay.nix inputs; overlays = import ./nix/overlay.nix inputs;
homeConfigurations = import ./nix/home-manager.nix inputs; homeConfigurations = import ./nix/home-manager.nix inputs;

1
hosts/zackbiene/default.nix
View file

@ -20,6 +20,7 @@
./mosquitto.nix ./mosquitto.nix
./zigbee2mqtt.nix ./zigbee2mqtt.nix
./esphome.nix ./esphome.nix
./nginx.nix
]; ];
boot.loader.grub.enable = false; boot.loader.grub.enable = false;

43
hosts/zackbiene/nginx.nix Normal file
View file

@ -0,0 +1,43 @@
{
lib,
config,
nodeSecrets,
...
}: {
#security.acme.acceptTerms = true;
#security.acme.defaults.email = "admin+acme@example.com";
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
## SSL config
#ssl_protocols TLSv1.2 TLSv1.3;
#ssl_dhparam /etc/nginx/dhparam.pem;
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
#ssl_ecdh_curve secp384r1;
#ssl_session_timeout 10m;
#ssl_session_cache shared:SSL:10m;
#ssl_session_tickets off;
#
## OCSP stapling
#ssl_stapling on;
#ssl_stapling_verify on;
virtualHosts = {
"${nodeSecrets.zigbee2mqtt.domain}" = {
#forceSSL = true;
#enableACME = true;
locations."/" = {
root = "/var/www";
};
};
};
};
}

11
hosts/zackbiene/secrets/secrets.nix.age Normal file
View file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> X25519 i6aU9NyNgN17pez4P33oV7d/HNDirMTDIDvZQiWyD0U
3TgVPXyYypC+b7c17ZoV1ZbASpqzgskJ0OUVtBgxhFk
-> piv-p256 xqSe8Q A3kpyhwhqEsSqoVD7SB8VK5dU0ZiOrsOdloF+iviN/mq
W315d5mn13I4JWpsut801LKgGieKF8NIuJ6TeF4wCtI
-> Vzkv-grease u
ScmUF1PthzjmA8USzPlx5s5zcTDMGb2zcniHiOHz/ax4cTDKtnDgr8hI6r/6cKXs
5EkFcJHCI4nNFSCK8WHIIaGDpWWB6YrkkicVQU9K7QRa57xhVniotpH1rOnbEcFN
j5M
--- 4rSnr2uChIZoKOe3DDWFK/3JUUPAst1LDOulv1WN1Ek
þÊýÔ´‹âW…b^zËrFç<Zh®šp ʘëöѬzf# & ëÔφÖ\ÑlÝDQÅ wé9º#¢ÕS¢ü0ÜF¢A’/NãŽ%Ûßxÿ�™¸uÄl„

6
modules/core/default.nix
View file

@ -77,12 +77,6 @@ in {
users.mutableUsers = false; users.mutableUsers = false;
# Setup to use Secrets
rekey.forceRekeyOnSystem = "x86_64-linux";
rekey.hostPubkey = ../../secrets/pubkeys + "/${config.networking.hostName}.pub";
rekey.masterIdentities = [../../secrets/yk1-nix-rage.pub];
rekey.extraEncryptionPubkeys = [../../secrets/backup.pub];
home-manager = { home-manager = {
useGlobalPkgs = true; useGlobalPkgs = true;
useUserPackages = true; useUserPackages = true;

4
modules/core/nix.nix
View file

@ -1,4 +1,4 @@
{ {pkgs, ...}: {
nix = { nix = {
settings = { settings = {
auto-optimise-store = true; auto-optimise-store = true;
@ -23,6 +23,8 @@
builders-use-substitutes = true builders-use-substitutes = true
experimental-features = nix-command flakes recursive-nix experimental-features = nix-command flakes recursive-nix
flake-registry = /etc/nix/registry.json flake-registry = /etc/nix/registry.json
plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
extra-builtins-file = ${../../nix/extra-builtins.nix}
''; '';
optimise.automatic = true; optimise.automatic = true;
gc.automatic = true; gc.automatic = true;

12
nix/colmena.nix
View file

@ -24,6 +24,11 @@ with nixpkgs.lib; let
pkgs.flake = nixpkgs; pkgs.flake = nixpkgs;
templates.flake = templates; templates.flake = templates;
}; };
# Setup parameters for Secrets
rekey.forceRekeyOnSystem = "x86_64-linux";
rekey.hostPubkey = ../secrets/pubkeys + "/${config.networking.hostName}.pub";
rekey.masterIdentities = [../secrets/yk1-nix-rage.pub];
rekey.extraEncryptionPubkeys = [../secrets/backup.pub];
} }
(../hosts + "/${hostName}") (../hosts + "/${hostName}")
home-manager.nixosModules.default home-manager.nixosModules.default
@ -39,9 +44,14 @@ in
# Just a required dummy for colmena, overwritten on a per-node basis by nodeNixpkgs below. # Just a required dummy for colmena, overwritten on a per-node basis by nodeNixpkgs below.
nixpkgs = self.pkgs.x86_64-linux; nixpkgs = self.pkgs.x86_64-linux;
nodeNixpkgs = mapAttrs (hostName: {system, ...}: self.pkgs.${system}) nixosHosts; nodeNixpkgs = mapAttrs (hostName: {system, ...}: self.pkgs.${system}) nixosHosts;
#nodeSpecialArgs = mapAttrs (hostName: { system, ... }: {}) nixosHosts; nodeSpecialArgs =
mapAttrs (hostName: _: {
nodeSecrets = self.secrets.nodes.${hostName};
})
nixosHosts;
specialArgs = { specialArgs = {
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
inherit (self) secrets;
nixos-hardware = nixos-hardware.nixosModules; nixos-hardware = nixos-hardware.nixosModules;
#impermanence = impermanence.nixosModules; #impermanence = impermanence.nixosModules;
}; };

29
nix/extra-builtins.nix Normal file
View file

@ -0,0 +1,29 @@
# This file is intended to be used together with pkgs.nix-plugins,
# to provide rage decryption as an additional safe builtin.
#
# Make sure that nix-plugins is installed by adding the following
# statement to your configuration.nix:
#
# ```nix
# {
# nix.extraOptions = ''
# plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
# # Please adjust path accordingly, or leave this out and alternativaly
# # pass `--option extra-builtins-file ./extra-builtins.nix` to each invocation
# extra-builtins-file = ./extra-builtins.nix
# '';
# }
# ```
{exec, ...}: let
assertMsg = pred: msg: pred || builtins.throw msg;
hasSuffix = suffix: content: let
lenContent = builtins.stringLength content;
lenSuffix = builtins.stringLength suffix;
in
lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix;
in {
rageImportDecrypt = identities: nixFile:
assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity.";
assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
exec (["rage" "-d"] ++ (builtins.concatMap (x: ["-i" x]) identities) ++ [nixFile]);
}

31
nix/secrets.nix Normal file
View file

@ -0,0 +1,31 @@
# This file manages access to repository-secrets. Anything that is technically
# not a secret on your hosts, but something you want to keep secret from the public.
# Anything you don't want people to see on GitHub that isn't a password or encrypted
# using agenix.
#
# All of these secrets may (and probably will be) put into the world-readable nix-store
# on the build and target hosts. You'll most likely want to store personally identifiable
# information here, such as:
# - MAC Addreses
# - Static IP addresses
# - Your full name (when configuring e.g. users)
# - Your postal address (when configuring e.g. home-assistant)
# - ...
{
self,
nixpkgs,
...
} @ inputs:
with nixpkgs.lib; let
mergeArray = f: unique (concatLists (mapAttrsToList (_: f) self.nodes));
mergedMasterIdentities = mergeArray (x: x.config.rekey.masterIdentities or []);
# "Imports" an encrypted .nix.age file
importEncrypted = path:
if builtins.pathExists path
then builtins.extraBuiltins.rageImportDecrypt mergedMasterIdentities path
else _: {};
in
(importEncrypted ../secrets/secrets.nix.age inputs)
// {
nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.nodes;
}