Compare commits

..

13 commits

6 changed files with 97 additions and 2 deletions

16
.sops.yaml Normal file
View file

@ -0,0 +1,16 @@
keys:
- &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
- &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
creation_rules:
- path_regex nixos/machines/nyarlathotep/.*
key_groups:
- age:
*nerf
*nyarlathotep
# this is the catchall clause if nothing above machtes. Encrypt to users but not
# to machines
- key_groups:
- age:
*nerf

View file

@ -80,6 +80,10 @@ If you have a `nixos-rebuild` available on your system it can automatize these t
`--target-host` parameters. But there are some pitfalls so look at the `nixos-rebuild` documentation beforehand. `--target-host` parameters. But there are some pitfalls so look at the `nixos-rebuild` documentation beforehand.
### On the machine ### On the machine
<<<<<<< HEAD
=======
>>>>>>> d89313e25d9c66bafdaed10bb11716589472bac3
clone this repo to `/etc/nixos/` and `nixos-rebuild boot` or `nixos-rebuild switch` that will select clone this repo to `/etc/nixos/` and `nixos-rebuild boot` or `nixos-rebuild switch` that will select
the appropriate machine based on hostname. the appropriate machine based on hostname.
@ -109,3 +113,25 @@ is imported as (`../../roles`) in every machine. Notable are the files `nixos/ro
common admin accounts for these machines and `nixos/roles/nix_keys.nix` which contains the additional trusted common admin accounts for these machines and `nixos/roles/nix_keys.nix` which contains the additional trusted
keys for the nix store. keys for the nix store.
## sops
We are sharing secrets using [`sops`](https://github.com/getsops/sops) and [`sops-nix`](https://github.com/Mic92/sops-nix)
As of right now we use only `age` keys.
The machine keys are derived from their server ssh keys, that they generate at first boot.
User keys are generated by the users.
New keys and machines need entries into the `.sops.yaml` file within the root directory of this repo.
To make a secret available on a given machine you need to do the following. Configure the following keys
```
sops.secrets.example-key = {
sopsFile = "relative path to file in the repo containing the secrets (optional else the sops.defaultSopsFile is used)
path = "optinal path where the secret gets symlinked to, practical if some programm expects a specific path"
owner = user that owns the secret file: config.users.users.nerf.name (for example)
group = same as user just with groups: config.users.users.nerf.group
mode = "premission in usual octet: 0400 (for example)"
```
afterwards the secret should be available in `/run/secrets/example-key`.
If the accessing process is not root it must be member of the group `config.users.groups.keys`
for systemd services this can be archived by setting `serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];`
it the service config.

View file

@ -120,11 +120,49 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1694908564,
"narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "596611941a74be176b98aeba9328aa9d01b8b322",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"nixos-mailserver": "nixos-mailserver", "nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1695284550,
"narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
}, },
"utils": { "utils": {

View file

@ -10,6 +10,10 @@
nixpkgs.follows = ""; nixpkgs.follows = "";
}; };
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = inputs@{ flake-parts, ... }: outputs = inputs@{ flake-parts, ... }:

View file

@ -2,6 +2,15 @@
# This automatically searches for nixos configs in ./machines/${name}/configuration.nix # This automatically searches for nixos configs in ./machines/${name}/configuration.nix
# and exposes them as outputs.nixosConfigurations.${name} # and exposes them as outputs.nixosConfigurations.${name}
#
# a comment regarding pkgs.nixos vs lib.nixosSystem
# while lib.nixosSystem is the usual enduser way to evaluate nixos configurations
# in flakes, pkgs.nixos sets the package set to the packages it comes from.
# This spares us tracking our potentiell overlays and own package additions, but just
# using the right package set to begin with. Using lib.nixosSystem from the flake we would
# need to specify that again.
{ withSystem, lib, inputs, ... }: { { withSystem, lib, inputs, ... }: {
flake = { flake = {
nixosConfigurations = withSystem "x86_64-linux" ({ pkgs, ... }: nixosConfigurations = withSystem "x86_64-linux" ({ pkgs, ... }:
@ -11,7 +20,7 @@
pkgs.nixos { pkgs.nixos {
imports = [ imports = [
(import (./. + "/machines/${name}/configuration.nix") inputs) (import (./. + "/machines/${name}/configuration.nix") inputs)
# inputs.secrets.nixosModules.default inputs.sops-nix.nixosModules.sops
]; ];
}; };
in lib.genAttrs machines makeSystem); in lib.genAttrs machines makeSystem);

View file

@ -25,6 +25,8 @@ users = {
mutableUsers = false; mutableUsers = false;
}; };
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
environment = { environment = {
systemPackages = builtins.attrValues { systemPackages = builtins.attrValues {
inherit (pkgs) inherit (pkgs)