From 21fc0ee3182f202101d58548a24baf80001e9f85 Mon Sep 17 00:00:00 2001
From: DACHXY
Date: Tue, 22 Apr 2025 13:20:41 +0800
Subject: [PATCH] Squash merge sops-nix into main
---
 .sops.yaml | 8 ++++
 flake.lock | 37 +++++++++++++-
 flake.nix | 5 ++
 home/config/nvim/lua/plugins/suda.lua | 2 +-
 pkgs/overlays/default.nix | 2 +-
 pkgs/overlays/ferium.nix | 2 +-
 system/dev/dn-server/networking.nix | 3 +-
 system/dev/dn-server/nextcloud.nix | 4 +-
 system/dev/dn-server/secret.yaml | 27 +++++++++++
 system/dev/dn-server/services.nix | 5 +-
 system/dev/dn-server/step-ca.nix | 69 +++++++++++++++++++++++++--
 system/modules/presets/basic.nix | 1 +
 system/modules/presets/minimal.nix | 1 +
 system/modules/sops-nix.nix | 25 ++++++++++
 system/modules/wireguard.nix | 6 +-
 15 files changed, 180 insertions(+), 17 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 system/dev/dn-server/secret.yaml
 create mode 100644 system/modules/sops-nix.nix
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..6adfc19
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,8 @@
+keys:
+ - &dn_server age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw
+
+creation_rules:
+ - path_regex: system/dev/dn-server/secret.yaml
+ key_groups:
+ - age:
+ - *dn_server
diff --git a/flake.lock b/flake.lock
index 675ce07..3e23921 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1106,6 +1106,22 @@
 }
 },
 "nixpkgs_5": {
+ "locked": {
+ "lastModified": 1744502386,
+ "narHash": "sha256-QAd1L37eU7ktL2WeLLLTmI6P9moz9+a/ONO8qNBYJgM=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "f6db44a8daa59c40ae41ba6e5823ec77fe0d2124",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_6": {
 "locked": {
 "lastModified": 1737003892,
 "narHash": "sha256-RCzJE9wKByLCXmRBp+z8LK9EgdW+K+W/DXnJS4S/NVo=",
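Review bot: `key_groups` in the new .sops.yaml lists a single recipient, the dn-server host key `*dn_server`, so the only private key that can decrypt or re-encrypt system/dev/dn-server/secret.yaml is the one the host keeps at /var/lib/sops-nix/key.txt; if that file is lost the secrets are unrecoverable, and every edit has to be made with the host's identity key. Add an operator key as a second recipient, e.g. `- &admin <operator-age-public-key placeholder>` under `keys:` and `- *admin` beside `- *dn_server`, so the host key only ever needs to decrypt. `path_regex` is also unanchored; `^system/dev/dn-server/secret\.yaml$` keeps the rule from matching any other path that merely contains that substring.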
@@ -1187,6 +1203,7 @@
 "nix-index-database": "nix-index-database",
 "nix-minecraft": "nix-minecraft",
 "nixpkgs": "nixpkgs_4",
+ "sops-nix": "sops-nix",
 "yazi": "yazi"
 }
 },
@@ -1232,6 +1249,24 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_5"
+ },
+ "locked": {
+ "lastModified": 1744669848,
+ "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "61154300d945f0b147b30d24ddcafa159148026a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1689347949,
@@ -1402,7 +1437,7 @@
 "yazi": {
 "inputs": {
 "flake-utils": "flake-utils_4",
- "nixpkgs": "nixpkgs_5",
+ "nixpkgs": "nixpkgs_6",
 "rust-overlay": "rust-overlay_2"
 },
 "locked": {
diff --git a/flake.nix b/flake.nix
index 3acae07..fbe5450 100644
--- a/flake.nix
+++ b/flake.nix
@@ -68,6 +68,10 @@
 nix-minecraft = {
 url = "github:Infinidoge/nix-minecraft";
 };
+
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ };
 };
 outputs =
@@ -87,6 +91,7 @@
 modules = [
 home-manager.nixosModules.default
 nix-index-database.nixosModules.nix-index
+ inputs.sops-nix.nixosModules.sops
 ];
 args = {
 inherit
diff --git a/home/config/nvim/lua/plugins/suda.lua b/home/config/nvim/lua/plugins/suda.lua
index 55b593e..e08666d 100644
--- a/home/config/nvim/lua/plugins/suda.lua
+++ b/home/config/nvim/lua/plugins/suda.lua
@@ -1,7 +1,7 @@
 return {
 {
 "lambdalisue/vim-suda",
- cmd = "SudaWrite",
+ cmd = { "SudaWrite", "SudaRead" },
 keys = { { "bs", "SudaWrite", desc = "Save Buffer as Root" } },
 },
 }
diff --git a/pkgs/overlays/default.nix b/pkgs/overlays/default.nix
index 006e8b8..c5d9b09 100644
--- a/pkgs/overlays/default.nix
+++ b/pkgs/overlays/default.nix
@@ -1,4 +1,4 @@
 [
- (import ./ferium.nix)
+ # (import ./ferium.nix)
 (import ./vesktop.nix)
 ]
diff --git a/pkgs/overlays/ferium.nix b/pkgs/overlays/ferium.nix
index 63d43d2..6a6e015 100644
--- a/pkgs/overlays/ferium.nix
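Review bot: The new `sops-nix` input in the first flake.nix hunk declares no `inputs.nixpkgs.follows`, which is why the flake.lock hunks in this same commit add a separate `nixpkgs_5` just for it; adding `inputs.nixpkgs.follows = "nixpkgs";` inside `sops-nix = { … };` keeps one nixpkgs evaluation and one set of pins. In the second hunk the module is added as `inputs.sops-nix.nixosModules.sops` while the neighbouring entries use bare input names (`home-manager.nixosModules.default`); if `sops-nix` is bound in the outputs arguments like the others, `sops-nix.nixosModules.sops` keeps the list uniform. The outputs signature itself is outside the hunk.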
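Review bot: `# (import ./ferium.nix)` in pkgs/overlays/default.nix leaves the overlay as commented-out code in the list while the same commit fixes ferium.nix's argument order, so that fix ships disabled. Either delete the line (git history keeps it) or leave the overlay active; if it must stay off, record why in place, e.g. `# ferium overlay disabled: <reason placeholder>`, since a silently disabled overlay is otherwise indistinguishable from a leftover.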
+++ b/pkgs/overlays/ferium.nix
@@ -1,4 +1,4 @@
-prev: final: {
+final: prev: {
 ferium = prev.ferium.overrideAttrs (
 final: prev: rec {
 cargoHash = "sha256-yedl4KQCpT7Ai1EPvwD5kzhkHesIjGVAcxKjp5k2jmI=";
diff --git a/system/dev/dn-server/networking.nix b/system/dev/dn-server/networking.nix
index 3c425bd..e7cd237 100644
--- a/system/dev/dn-server/networking.nix
+++ b/system/dev/dn-server/networking.nix
@@ -1,5 +1,4 @@
-{ config, pkgs, ... }:
-
+{ ... }:
 {
 networking = {
 networkmanager.enable = true;
diff --git a/system/dev/dn-server/nextcloud.nix b/system/dev/dn-server/nextcloud.nix
index 7f8d8d5..36521fc 100644
--- a/system/dev/dn-server/nextcloud.nix
+++ b/system/dev/dn-server/nextcloud.nix
@@ -64,7 +64,7 @@
 tar -xf passwords.tar.gz
 mv passwords/* ./
 rm passwords.tar.gz
- rm -rpasswords
+ rm -r passwords
 '';
 });
 };
@@ -72,7 +72,7 @@
 database.createLocally = true;
 config = {
- adminpassFile = "/run/keys/nextcloud-admin-password.key";
+ adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
 dbtype = "pgsql";
 };
diff --git a/system/dev/dn-server/secret.yaml b/system/dev/dn-server/secret.yaml
new file mode 100644
index 0000000..64ed46a
--- /dev/null
+++ b/system/dev/dn-server/secret.yaml
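Review bot: The swap to `final: prev: {` fixes the overlay's argument order, but the `overrideAttrs` callback on the following context line re-binds the same names, `final: prev: rec {`, shadowing the overlay's `final`/`prev` inside the override body. Renaming the inner pair to `finalAttrs: prevAttrs: rec {` makes it obvious which `prev` each reference resolves to. The rest of the override body is outside the hunk.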
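Review bot: In the second nextcloud.nix hunk `adminpassFile` is pointed at `config.sops.secrets."nextcloud/adminPassword".path`, but the matching declaration in system/modules/sops-nix.nix is `"nextcloud/adminPassword" = { };`, which takes sops-nix's defaults of owner root and mode 0400; as far as I recall the nextcloud-setup unit runs as the `nextcloud` user and aborts when it cannot read `adminpassFile`. Declare it as `"nextcloud/adminPassword" = { owner = "nextcloud"; };` in that module, and apply the same check to any other secret a non-root service reads directly. The enclosing `config = { … }` set continues outside the hunk.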
@@ -0,0 +1,27 @@
+wireguard:
+ privateKey: ENC[AES256_GCM,data:0lryTtUwLxr7d+EKdu618HwVAl9kSDkDfkpTrX5cMGJATXMmEnaMEVGPYnY=,iv:XG107Tnt/Md56q9vK/Eh5uyzvFT+JrcD0UAUdqky+EA=,tag:RAQIkl6zRQzFuzorg2aeew==,type:str]
+ conf: ""
+nextcloud:
+ adminPassword: ENC[AES256_GCM,data:O2rK18+riVrvloqqLsMUXw==,iv:OosiF0g4l1mrgndbwUOvO2YUqxWVk1hvAZY0rHU9GPE=,tag:yh1ccDmthARLND0NwpLTCA==,type:str]
+step_ca:
+ password: ENC[AES256_GCM,data:3EWxpk/ktZHJreqnR9ln5pfdPjgigoCC4lyoRWugHas=,iv:q9cWW8xTxYQnRYohBxnPIsbVSpvkZYVpYLRVeZgmsRM=,tag:UHZagnLvorZUrPq43YU+Gw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuKzJObXlPVUJzUkEyZXlV
+ Q0tEbzBPTy9kUXIwVmJkckUyWklUMzhCcTE0Ckh3bXIwRkpESTJYeTBPMGhQYk9y
+ L2NQTWFuMWVqYzJHZGhTaHpDRE5CRGMKLS0tIEsybHdPMk9JeEM2cXFwdlpOeXRj
+ Qm0wbmNGZDZwZlNTOVl0WVh5RXNxK2cK1Fwbgl5kKAFyrIIhBP+X4ZKFS4Xl39QY
+ 11qkglNgro/JBFJ/W7Hj5wtEd8QToiJM1RW0lQaI25sneQ2v6L5pDA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-04-21T12:56:08Z"
+ mac: ENC[AES256_GCM,data:b1e1MemL+HHD1pl5X8gnSpczuM7bR+tmkwZJgdZclwkJwi0yBCq14Fy4VE9LklpU2k+WtD1RLqpSZtgz95skpYQog/3phaQNSPLZKXCRfnmTtDxUxWC52cBkhv/RIe99ROzIoG9hBvoPptnCZDlv70vL21xBFyhgzyo1guQUC6w=,iv:VNFKWZMNO+wkrC4NCsmFUrQa09FibMlu+yQOhzqduO0=,tag:imZRSLg4NBF1zaDTmIAPvA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
diff --git a/system/dev/dn-server/services.nix b/system/dev/dn-server/services.nix
index c582569..a340a80 100644
--- a/system/dev/dn-server/services.nix
+++ b/system/dev/dn-server/services.nix
@@ -1,5 +1,6 @@
 {
 settings,
+ config,
 pkgs,
 lib,
 ...
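Review bot: `wireguard.conf` is the empty string (`conf: ""`, which sops appears to have left as-is rather than encrypting), yet system/modules/wireguard.nix in this same commit makes that secret wg-quick's `configFile` for wg0, so any host that imports that module with this secrets file gets an empty interface configuration and the wg-quick unit will fail. Either populate the value before committing or drop the `"wireguard/conf" = { };` declaration from system/modules/sops-nix.nix until it is. Which hosts import wireguard.nix is not visible here.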
@@ -303,7 +304,7 @@ in
 ${personal.interface} = {
 ips = [ personal.ip ];
 listenPort = personal.port;
- privateKeyFile = "/etc/wireguard/privatekey";
+ privateKeyFile = config.sops.secrets."wireguard/privateKey".path;
 peers = builtins.map (r: {
 publicKey = r.publicKey;
 allowedIPs = r.allowedIPs;
@@ -313,7 +314,7 @@ in
 ${kube.interface} = {
 ips = [ kube.ip ];
 listenPort = kube.port;
- privateKeyFile = "/etc/wireguard/privatekey";
+ privateKeyFile = config.sops.secrets."wireguard/privateKey".path;
 peers = [ ];
 };
 };
diff --git a/system/dev/dn-server/step-ca.nix b/system/dev/dn-server/step-ca.nix
index e034207..341abd9 100644
--- a/system/dev/dn-server/step-ca.nix
+++ b/system/dev/dn-server/step-ca.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
 environment.systemPackages = with pkgs; [ step-cli ];
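Review bot: Both `${personal.interface}` and `${kube.interface}` now read the same `wireguard/privateKey` secret (the hunks at old lines 303 and 313; the previous `/etc/wireguard/privatekey` was shared the same way), so the two tunnels present one identity to two different peer sets and cannot be rotated independently. With the secrets file in place anyway, a second entry such as `wireguard/kubePrivateKey` for the kube interface gives each tunnel its own key at no extra cost. Both interface definitions continue outside their hunks.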
@@ -12,9 +12,72 @@
 services.step-ca = {
 enable = true;
 address = "0.0.0.0";
- settings = builtins.fromJSON (builtins.readFile /var/lib/step-ca/config/ca.json);
+ settings = {
+ address = ":443";
+ authority = {
+ provisioners = [
+ {
+ encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiUTZYbDJOdkFabGZZSTZ5QnBrZWp6dyJ9.z
+Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB1ezz4NvpSDe9GIweBlTLH4DpZ7As65QftJf-32vFeSjw_8So8ugpS2BmfWaMcL6rHxJG369zf-Ninecy3yg4AvQ0WvzUWCYnR2m5-B2YYFJ0SlTv-FXOf_412ZaGdIK9FQo
+8LszKMGzw0e3YkBuAAfEsqYaCTd27trDDPUelTVnC20zblVDEkBlusvoNeYEiy7nphjqy2OPW6bxLKdQMg-b9zVgZqkImRqojBBqnV85sBHaSyQWA9rP2PPJM8AVjVBtrVLG3YIVObbjiLAa21WMaFe1bW4LK7BNj7KwQ2JJzlBfkDkdmo3gZvYag--9AarieKeIumQ.Vxj5NwzSurT
+47yHhoiCOug";
+ key = {
+ alg = "ES256";
+ crv = "P-256";
+ kid = "ywqnDBi0j1wjIx4i8xOBhqd6sCqsI_Z7aGQ6QifKFtM";
+ kty = "EC";
+ use = "sig";
+ x = "o-Srd0v3IY7zU9U2COE9BOsjyIPjBvNT2WKPTo8ePZI";
+ y = "y5OFjciRMVg8ePaEsjSPWbKp_
+NjQ6U4CtbplRx7z3Bw";
+ };
+ name = "danny@smallstep.net.dn";
+ type = "JWK";
+ }
+ {
+ claims = {
+ maxTLSCertDuration = "8760h";
+ };
+ name = "acme";
+ options = {
+ enableRenewal = true;
+ };
+ type = "ACME";
+ }
+ ];
+ };
+ crt = "/var/lib/s
+tep-ca/certs/intermediate_ca.crt";
+ db = {
+ badgerFileLoadingMode = "";
+ dataSource = "/var/lib/step-ca/db";
+ type = "badgerv2";
+ };
+ dnsNames = [
+ "10.0.0.1"
+ "ca.net.dn"
+ ];
+ federatedRoots = null;
+ insecureAddress = "";
+ key = "/var/lib/step-ca/secrets/intermediate_ca_key";
+ logger = {
+ format = "text";
+ };
+ root = "/var/lib/step-ca/certs/root_ca.crt";
+ tls = {
+ cipherSuites = [
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+ "TLS_EC
+DHE_ECDSA_WITH_AES_128_GCM_SHA256"
+ ];
+ maxVersion = 1.3;
+ minVersion = 1.2;
+ renegotiation = false;
+ };
+
+ };
 port = 8443;
 openFirewall = true;
- intermediatePasswordFile = "/run/keys/step-password";
+ intermediatePasswordFile =
config.sops.secrets."step_ca/password".path;
 };
 }
diff --git a/system/modules/presets/basic.nix b/system/modules/presets/basic.nix
index 5bc0d3c..5dcb33b 100644
--- a/system/modules/presets/basic.nix
+++ b/system/modules/presets/basic.nix
@@ -26,5 +26,6 @@
 ../tmux.nix
 ../users.nix
 ../ca.nix
+ ../sops-nix.nix
 ];
 }
diff --git a/system/modules/presets/minimal.nix b/system/modules/presets/minimal.nix
index e78d9d7..677efc6 100644
--- a/system/modules/presets/minimal.nix
+++ b/system/modules/presets/minimal.nix
@@ -16,5 +16,6 @@
 ../users.nix
 ../tmux.nix
 ../ca.nix
+ ../sops-nix.nix
 ];
 }
diff --git a/system/modules/sops-nix.nix b/system/modules/sops-nix.nix
new file mode 100644
index 0000000..6f8c6b5
--- /dev/null
+++ b/system/modules/sops-nix.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+let
+ defaultSopsFile = ../.. + "/system/dev/${config.networking.hostName}/secret.yaml";
+ ageKeyFile = "/var/lib/sops-nix/key.txt";
+in
+{
+ sops = {
+ defaultSopsFile = defaultSopsFile;
+
+ age = {
+ keyFile = ageKeyFile;
+ };
+
+ secrets = {
+ "wireguard/privateKey" = { };
+ "wireguard/conf" = { };
+ "nextcloud/adminPassword" = { };
+ "step_ca/password" = { };
+ };
+ };
+
+ environment.variables = {
+ SOPS_AGE_KEY_FILE = ageKeyFile;
+ };
+}
diff --git a/system/modules/wireguard.nix b/system/modules/wireguard.nix
index 5deb8f7..54dde02 100644
--- a/system/modules/wireguard.nix
+++ b/system/modules/wireguard.nix
@@ -1,14 +1,12 @@
 {
+ config,
 ...
 }:
-let
- configPath = "/etc/wireguard/wg0.conf";
-in
 {
 networking = {
 firewall = {
 allowedUDPPorts = [ 51820 ];
 };
- wg-quick.interfaces.wg0.configFile = configPath;
+ wg-quick.interfaces.wg0.configFile = config.sops.secrets."wireguard/conf".path;
 };
 }
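Review bot: Several strings in the new step-ca `settings` set are split across diff lines — the `encryptedKey` value (four `+` lines), `y = "y5OF…Kp_` / `+NjQ6…"`, `crt = "/var/lib/s` / `+tep-ca/certs/intermediate_ca.crt"` and `"TLS_EC` / `+DHE_ECDSA_WITH_AES_128_GCM_SHA256"` — and the hunk count `+12,72` only adds up if those breaks are real lines, which means the file contains literal newlines inside those values and step-ca will be handed a wrong intermediate certificate path, a malformed provisioner key and an unknown cipher suite; re-join each of them onto one line. `settings.address = ":443"` also disagrees with the module-level `address = "0.0.0.0"` and `port = 8443` kept below it (and `openFirewall = true` only opens the module's port); as far as I recall the NixOS module derives `settings.address` from those two options, so one of the two definitions should go. Finally, the JWK provisioner's `encryptedKey` now lives in the repository as well as in the world-readable Nix store, where its only protection is the PBES2 password — the previous `builtins.readFile` already put it in the store, but committing it to git widens the exposure, so that password has to be treated as a secret of the same strength as the CA key.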
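Review bot: system/modules/sops-nix.nix is imported by both presets (basic.nix and minimal.nix in this commit), so every host built from them needs `system/dev/<hostName>/secret.yaml` containing all four declared keys, yet `nextcloud/adminPassword` and `step_ca/password` belong to dn-server's services only; any other host on these presets would fail at build time on the missing entries (sops-nix checks declared secrets against the file) — only dn-server's file is in this commit, so this is inferred. Keep the shared declarations here and move service-specific ones next to their consumer, e.g. `sops.secrets."step_ca/password" = { };` in system/dev/dn-server/step-ca.nix. `environment.variables.SOPS_AGE_KEY_FILE = ageKeyFile;` also advertises the host identity key path to every user's environment; it only matters for root running sops interactively, and editing secrets with the host key instead of an operator key is what makes that key a single point of failure, so consider dropping the variable or setting it for the admin shell only.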