Gonne/nixConfig
1
0
Fork 0
forked from Fachschaft/nixConfig
Code Pull requests Activity

Merge pull request 'store signing keys for nodens' (#86) from nerf/nixConfig:nodens-deploy into main

Browse source 
Reviewed-on: Fachschaft/nixConfig#86
Reviewed-by: Gonne <gonne@noreply.localhost>
This commit is contained in:
nerf 2025-06-22 18:39:10 +00:00
commit 375c2a2e4d
5 changed files with 82 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
.sops.yaml
View file

@ -7,6 +7,7 @@ keys:
- &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
- &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
- &nyarlathotep age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
- &nodens age1vzhru3nsv5ttx3scmxvdep7z29qtsacft48wj2pk2rtkrdywdyuswc3lqn
creation_rules:
- path_regex: nixos/machines/nyarlathotep/.*
@ -33,6 +34,14 @@ creation_rules:
- *daniel
- *totallynotadolphin
- *lobon
- path_regex: nixos/machines/nodens/.*
key_groups:
- age:
- *nerf
- *gonne
- *daniel
- *totallynotadolphin
- *nodens
# this is the catchall clause if nothing above machtes. Encrypt to users but not
# to machines
- key_groups:

4
README.md
View file

@ -82,6 +82,10 @@ is exactly the same it was on your machine.
If you have a `nixos-rebuild` available on your system, it can automatize these things with the `--flake` and
`--target-host` parameters. But there are some pitfalls so look at the `nixos-rebuild` documentation beforehand.
### On nodens
You can build the machine on `nodens` the same way you would build it on your local machine. On `nodens` there
is a key trusted by all machines at `/run/secrets/nodens-deploy.key`, to sign your build.
### On the machine
Clone this repository to `/etc/nixos/` and `nixos-rebuild boot` or `nixos-rebuild switch` that will select

7
nixos/machines/nodens/configuration.nix
View file

@ -11,4 +11,11 @@
networking.hostName = "nodens";
system.stateVersion = "24.11";
sops.secrets."nodens-deploy.key" = {
sopsFile = ./deploy.secrets.yaml;
owner = "root";
group = "root";
mode = "0400";
};
}

52
nixos/machines/nodens/deploy.secrets.yaml Normal file
View file

@ -0,0 +1,52 @@
nodens-deploy.key: ENC[AES256_GCM,data:78egSKIl+ecnCoIsw30ytx9wYwtnAHppMObpn4tPBuqSNN20ILWK4IdZUTE7H/QkOAbhi+R565efg/Cxt85OghXZ9jwBNXX+EwTwS7LAiGwp2Kxm7kYGX4jWvrmAnvmd/nqM3Rw+DgfGAA==,iv:+5Hz/Vmluk9icv68rmb1Dyi0g6PkW2JyaOnqluC/TKo=,tag:c7DQRCcKsS+9zJ9agCb0VA==,type:str]
sops:
age:
- recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MWdKbDBpaHoycmdWdlc3
MGltTU1rbUhPQ2VtbERWUXQzdWpvd2ZGdzFjCmV0aW5oTkdGMExUUkV1UFV3UkpZ
dE5kUktrYUlEQ1hNWEIzdlFxeUFKRXcKLS0tIGN6NStxdTl0VkYvcS82QjJCT0xu
eDRtM1BjN0tMVnkwZHF4ajRKUW94aVEKklPazc/5C/g0cTe0xzdwxi+G4vZ3LSbI
utp7vfDLIddT4mKVyt4bD/VffDlB5Afvu91mDMEr/WrQGQsmczqdYg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4S1RZVVB2ancrMERNSUZ1
Nlg4Q3FZNFl1WUN5b2FVM0pYUDA2cXVtendrCm1TWkZNanZqYnM2eEt3eFZpdS9M
SzlpQnZQQzE5OFM1ME5xaXQxOWdGbzQKLS0tIEdXUGFGL3ZOZlZMWTgwY1lNdE5o
MS9WYWtuWkpKdDFnb0huelcyVEgvK2sKzRQ6oxBmOrE+OnCF19Nuaf9SZus4CtHD
l+q/0xqkSnxz+/Vl3ooq0bPUPXiGrHWkSXb/LFH6crRJHxRAuiga3w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVlNZZ05TK3c1TitESEYx
dkpaMjhKaWNTTElld21yTXcyeVorTHBZYlFBCjF3R3BVNFcvZFZFK0xScmJTUEda
TmNySERXVk9jT01JWlFHNGd4MFlwUFkKLS0tIHJQV2dSd1pRbCtqKys3YW1JNVpq
QU5wdlBQODh4WmxrY1Z3aHl3WTE0eUUKTJPqJFelo6bQLfFNVa6K8UnUxCM8N15A
v8FWo1C71bIbMEtMTOq/TotJwxElUk8Oc10ECd3ST0bWZfyKFtkwHQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m7l4x2zdgn7akgg5mkm9quen3u9sm0785tzm7vl000anuqrwwg6s5urenn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTUdtYzJMWk1YSitjNnhi
VVdpU0R4eHJIejZmSTNycWxheTZjcjBJdGlZCmxHdWxpaGdhQnFCT0tMRTVTS29X
Yks5UEw1MG5OMlZyWHVaZHpLb01vTFEKLS0tIHBTcjZrOHE4S2lZVllGNWpBdzV1
ci8xcGo2dzU0NDh2M3RCVEU3VjNDRkUKWZuklDoyHN83M0sfO9lnHP8cfj5ECqbx
3/JbV4wOalQ4+LiSSFmgxYXfADtWe4QpRUDCoVEHPc+sBvA09aCh+g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vzhru3nsv5ttx3scmxvdep7z29qtsacft48wj2pk2rtkrdywdyuswc3lqn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRa09heTBzZ0xtSHlqR092
R3BNQWk3ZXhnd0wwMmI0SVBOSG00cTY2czI4ClZoMHJwdDh0b08xR2lXNStEbVkz
RGFnNkJrRkUrU0hIaTJsNzBOdENpdFEKLS0tIHhlazVXeTgzakpTYW1qUzZSMXNJ
V3JSeDNsdVNOQ2ZLL2MvSDBZdk1wTzgKPzrGAY1xqJ679iTqe+gUXB3UoTuA71Rj
KUTxgml2J6R+3mI61VFL1C5mDApFPoI6FaG/dXk5zgXSO1auVxHlAA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-20T16:36:28Z"
mac: ENC[AES256_GCM,data:2UKbVUVB0WYZBAti4QN6gqsl9bsYjjjy6JOwwHYpLXywsXZOkpj1wptwdAXyjR3s9KT0fpywxZgCPtIqYb6wd8QqXkNzrTcVc6I7OJtDizcHh/tNvNsVvlC4I1+VpbTlIkmw3OxbIf88MrsVUxCFcyin7spIFHLtgIVQVO1xAHI=,iv:v7c/Wa81EE43hnWi6xISlxuzgfDxdpABkfQb/0zF+Kc=,tag:2fDl4Hy59d5QiXF3KZG+EQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

10
nixos/roles/default.nix
View file

@ -30,6 +30,16 @@
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
# additional trusted keys for substituters for every machine
# right now it is only nodens so nodens can build system configs
# and we can deploy them from nodens.
# For security reasons we might want to move this to the vm part, as
# someone who can get control of nodens and get hold of the build process
# can gain control of the other machines. While this is very handy
# and a step towards CI, we might not want this for backups.
# (This is a tradeof between security and convenience)
nix.settings.trusted-public-keys = ["nodens-deploy.key:VHJmEr17pdoEEnWlSfC03TIf4GBbClxGRiInHuWaUvU="];
environment = {
systemPackages = builtins.attrValues {
inherit