Compare commits


15 commits

SHA1  [Author]  Message  Date
977bfa7114  fixed a merge thingy in README  2023-09-25 22:03:19 +02:00
013ef7d979  Merge branch 'nyarlathtop' of ssh://gitea.mathebau.de:3022/Fachschaft/nixConfig into nyarlathtop  2023-09-25 21:58:29 +02:00
12a20c4c52  Merge branch 'nyarlathtop' of ssh://gitea.mathebau.de:3022/dennis/nixConfig into nyarlathtop  2023-09-25 21:57:04 +02:00
8d3731eeb3  added a comment regarding the use of pkgs.nixos  2023-09-25 21:54:47 +02:00
bc8b37f38d  refactored xen_guest.nix  2023-09-25 21:54:46 +02:00
72c98986a0  some documentation I wrote without proofreading at 2 in the morning  2023-09-25 21:54:43 +02:00
53787ba7bb  /var/mail is special OOOPS  2023-09-25 21:50:36 +02:00
cb771c4abb  fixed small error in trusted nix keys handling  2023-09-25 21:50:35 +02:00
ba8862cb0c  first running config (fingers crossed)  2023-09-25 21:50:35 +02:00
0c6bb20db2  updated dependencies  2023-09-25 21:50:35 +02:00
60885b4cb5  added actual hardware identifiers & actual network config  2023-09-25 21:50:07 +02:00
fe7ea8aee1  first working steps on nyarlathotep  2023-09-25 21:48:15 +02:00
a9a95f4ca3  added sensible credentials to nerf user  2023-09-25 21:48:15 +02:00
5e247589dc  [dennis]  Merge pull request '[#5] adding sops support' (#6) from dennis/nixConfig:nerf/sops-nix into main  (Reviewed-on: #6)  2023-09-25 19:23:42 +00:00
cf537f3c7b  [#5] adding sops support  2023-09-25 21:03:23 +02:00
6 changed files with 93 additions and 2 deletions

.sops.yaml (new file, 16 lines added)

@ -0,0 +1,16 @@
keys:
- &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
creation_rules:
- path_regex nixos/machines/nyarlathotep/.*
key_groups:
- age:
*nerf
*nyarlathotep
# this is the catchall clause if nothing above machtes. Encrypt to users but not
# to machines
- key_groups:
- age:
*nerf
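Review bot: the machine rule is missing the colon after the key: `- path_regex nixos/machines/nyarlathotep/.*` is a plain scalar, not a `path_regex:` mapping entry, so sops will either reject the file or never match this rule, and everything would fall through to the catch-all and be encrypted to `nerf` only, never to the machine. It should read `path_regex: nixos/machines/nyarlathotep/.*`. Also `machtes` in the catch-all comment should be `matches`.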


@ -109,3 +109,25 @@ is imported as (`../../roles`) in every machine. Notable are the files `nixos/ro
common admin accounts for these machines and `nixos/roles/nix_keys.nix` which contains the additional trusted
keys for the nix store.
## sops
We are sharing secrets using [`sops`](https://github.com/getsops/sops) and [`sops-nix`](https://github.com/Mic92/sops-nix)
As of right now we use only `age` keys.
The machine keys are derived from their server ssh keys, that they generate at first boot.
User keys are generated by the users.
New keys and machines need entries into the `.sops.yaml` file within the root directory of this repo.
To make a secret available on a given machine you need to do the following. Configure the following keys
```
sops.secrets.example-key = {
sopsFile = "relative path to file in the repo containing the secrets (optional else the sops.defaultSopsFile is used)
path = "optinal path where the secret gets symlinked to, practical if some programm expects a specific path"
owner = user that owns the secret file: config.users.users.nerf.name (for example)
group = same as user just with groups: config.users.users.nerf.group
mode = "premission in usual octet: 0400 (for example)"
```
afterwards the secret should be available in `/run/secrets/example-key`.
If the accessing process is not root it must be member of the group `config.users.groups.keys`
for systemd services this can be archived by setting `serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];`
it the service config.
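Review bot: the example block in the new `## sops` section is not valid Nix and cannot be pasted as-is: the `sopsFile` and `path` strings are never terminated, the descriptions are mixed into the values, and the attribute set is never closed with `};`. Suggest a minimal working example with the explanations moved to comments, along the lines of `sops.secrets.example-key = {` / `  owner = config.users.users.nerf.name; mode = "0400";` / `};`, and note that `mode` is a string while `owner`/`group` are plain expressions. Spelling in the surrounding prose: `optinal`, `programm`, `premission`, `archived` (should be `achieved`) and `it the service config` (should be `in the service config`); the sentence ending in the `sops-nix` link also lacks a full stop.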


@ -120,11 +120,49 @@
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1694908564,
"narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "596611941a74be176b98aeba9328aa9d01b8b322",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-parts": "flake-parts",
"nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1695284550,
"narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"utils": {


@ -10,6 +10,10 @@
nixpkgs.follows = "";
};
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = inputs@{ flake-parts, ... }:
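Review bot: only `inputs.nixpkgs.follows = "nixpkgs";` is set for `sops-nix`; its `nixpkgs-stable` input is left to be locked on its own, which is why the `flake.lock` hunk above pins a second nixpkgs tree (`release-23.05`) just for it. If that extra tree is not wanted, add `inputs.nixpkgs-stable.follows = "nixpkgs";` next to the existing follows line so a single nixpkgs is fetched and evaluated.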


@ -2,6 +2,15 @@
# This automatically searches for nixos configs in ./machines/${name}/configuration.nix
# and exposes them as outputs.nixosConfigurations.${name}
#
# a comment regarding pkgs.nixos vs lib.nixosSystem
# while lib.nixosSystem is the usual enduser way to evaluate nixos configurations
# in flakes, pkgs.nixos sets the package set to the packages it comes from.
# This spares us tracking our potentiell overlays and own package additions, but just
# using the right package set to begin with. Using lib.nixosSystem from the flake we would
# need to specify that again.
{ withSystem, lib, inputs, ... }: {
flake = {
nixosConfigurations = withSystem "x86_64-linux" ({ pkgs, ... }:
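Review bot: the new comment block explaining `pkgs.nixos` vs `lib.nixosSystem` has a spelling slip, `potentiell` should be `potential`, and the sentence `This spares us tracking our potentiell overlays and own package additions, but just using the right package set to begin with` reads better as `... by just using the right package set to begin with`. Since this comment is the rationale future readers will rely on, a proofreading pass before merge is worth it.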
@ -11,7 +20,7 @@
pkgs.nixos {
imports = [
(import (./. + "/machines/${name}/configuration.nix") inputs)
# inputs.secrets.nixosModules.default
inputs.sops-nix.nixosModules.sops
];
};
in lib.genAttrs machines makeSystem);
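Review bot: `# inputs.secrets.nixosModules.default` is dead code left next to the new `inputs.sops-nix.nixosModules.sops` import. If the old secrets module is gone for good now that sops-nix replaces it, drop the commented-out line; if it is meant to return, say so in the comment so nobody has to guess.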


@ -25,6 +25,8 @@ users = {
mutableUsers = false;
};
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
environment = {
systemPackages = builtins.attrValues {
inherit (pkgs)
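Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` ties every secret on this machine to the ed25519 host key, whose age form is the `&nyarlathotep` recipient in `.sops.yaml`. That is the intended design per the README, but a short comment here should note that regenerating or rotating the host key (reinstall, new disk) breaks decryption on this machine until the secrets are re-encrypted to the new public key (`sops updatekeys` after updating `.sops.yaml`).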