feat(x1): add secrets management and configuration
Introduce encrypted secrets and SOPS configuration for the x1 system. Update SSH and related services to utilize these secrets and modify flake.lock to align with the latest dependencies.
This commit is contained in:
parent
600245fe27
commit
8a7ac30acf
41
.secrets/x1/files.yaml
Normal file
41
.secrets/x1/files.yaml
Normal file
|
|
@ -0,0 +1,41 @@
|
|||
hello: ENC[AES256_GCM,data:fXNDiacuFhmqmbo9FiGmoBKeOk7KvuVw3ytzcEzj/VxkqoDCGtJ2YX/TaVQfsQ==,iv:bHP2CYXZth3DX6OIeqdzv3zmFVWdRaNBvLuZx0FSyf8=,tag:bn1w5QcyyQ5EcXyoFnc1Zw==,type:str]
|
||||
example_key: ENC[AES256_GCM,data:lumROh5JwNpCJrNzxg==,iv:FLmpmVtzMUzPV9Y0nLTKXzisUqCZKonv44LviQTMsfU=,tag:Hp2N7AG7lGNQstt27Ty8pw==,type:str]
|
||||
#ENC[AES256_GCM,data:KrggG2yc0mFi3zoZ+WLd7w==,iv:GQZPZZH4xGxFcP5BLiwUIVQkCi7Bsmalsz/myNBbdoI=,tag:fzmEQLnWjfVc+iywEFwp9Q==,type:comment]
|
||||
example_array:
|
||||
- ENC[AES256_GCM,data:7go3euwMIP7BDuq96vo=,iv:P8hx+DSSbkhrw0SOKLMtcc4/TZBODnQnQFRUxv49oio=,tag:Xi5JbLc+xvcOOv10pY1ydw==,type:str]
|
||||
- ENC[AES256_GCM,data:WVgP3/Hak8ha5yaPmTU=,iv:2DwnOLze1a0vXfOey2xv4qOVE1PhOMq3e+GR/3RiOPU=,tag:TftAtYcHRQctTV5sBHPKFw==,type:str]
|
||||
example_number: ENC[AES256_GCM,data:fOprnAAZ/267JQ==,iv:5jvsM3i5iHcpSJWqcryqQJQZCrEP72jcAkyc7qVVirk=,tag:nxecWgcSZOyzuwvOlFawyw==,type:float]
|
||||
example_booleans:
|
||||
- ENC[AES256_GCM,data:iCUmxA==,iv:On6DiKbzithmRq+smOW4pEq3tod0zWWT7dyW9ArolLY=,tag:yoD9ODLYSZkuP0qkUrkR3w==,type:bool]
|
||||
- ENC[AES256_GCM,data:dAYxptk=,iv:JAm9mvA5EH581cZkaNK8yYkV8U8o2gWR2jAh+mUMxt0=,tag:W5sHPszsOzUDZ6mQgIcq+w==,type:bool]
|
||||
hosts: ENC[AES256_GCM,data:/28ojxFukz4ThwSjQGURtf+h5Ic5WJN6P8nC75zQWan6LANOVc1zk5tVh7qmSLXcGvGW/2IE0dpz2ysY+z7ujYdKSDA2neFy8+NoBXc3REG60nF/QdNiHMg2rlLfq9n7eQAqXGBSpED/41Y/YO2nuV8ehL4GtsDOuFZnxujnLbu+Q6u30yf+/IVqlk3VnWm5C+Fy6bdX2bYOUyM5ce313i4u5slBEBs0l1lQjX1vE4KK5F6t3d410NdGHShB+RXkOhaBujKX/hKEXWQku/nnjgOiP+JURB/qA/SZzxO/yoV7htNvCE/JcfmTk85SVPAmp7uy4egyK4FveKRXtT5Gla1Vnrg1v9NAVCuYgQECqhE3IYEjtUlxul0h+OI4JmnP6y90nLz8RozxGw4qIc8yJgOZmVORqr2PqbFbtdj8MKid9Df0ciU=,iv:YhMTYHV3kc3LQrAGaPgkek5ZrEYYcZxNOPyKUSbgsC8=,tag:Axx5CIPWdDb8hukM7H4sxg==,type:str]
|
||||
wg: ENC[AES256_GCM,data:HjvSsKAkH2yIpuPPteNz/7guP46OrRvH2eKIQPxMSf/kiWXHTRUZDUmGakbOryirkakkgQF1fwxRXehiFULvfaPb9WNx6kR7X7orNWmSR5CRmNWBCB5y7CRsSlO3frL8iKR1JLFjew7omktHiXBew63q38YvsvOeXI2zoLumuGuXl6JH5D9hK2AvEBUehMSkBzrLFgZNeNjsxnFatQEic9e6namjJ2TqcT4F1z4u/5yptkmUCpn4isLjV23zFOALOXcjjyy/9ztcKMGiGE+ULQM3fm+7c3ryux/PmREr2Aj0IDQMDXgJCPvdiHhXvC7K/oGwJPDJeP0v,iv:Lnz5RyUi9D3dClgzFmm4EeD6SZGuFFbs6JBIZevUIdo=,tag:EjheBu/a392lcAgQVVtIuw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1z87u2na6vts0sqg6sc73p9ym6e5g9a0gf3hp9e7ha47e83zy4efqcjhk0y
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRXJtL2lpZlR1TDBRalZr
|
||||
dmdpdmRrVGF0TnJFZHExQ3BuSS96Z0E5aENNCjNHbmJCRzdUVG9GOEdMaERRNzY2
|
||||
aStWNTR2UHkwL3MvNGJnZGFhTXFaencKLS0tIFNlTDZWQVRpbWxJb2JlenRFRDJY
|
||||
SFVUUHE0emZ6MS9VR0FWcytyQy90elUK3g0fuPB45+JnrRxgD+7Iijz6yUVVXct2
|
||||
w5T1UPZElKZQM6VL0QMozD8/piu5sk15cubMnmLjxESztpMRxrgPnw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1dwcz3fmp29ju4svy0t0wz4ylhpwlqa8xpw4l7t4gmgqr0ev37qrsfn840l
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYTdLcm9yTmRRaU5Qdlpy
|
||||
M2dsalNReWhpZTZtNW9xL3pNbVUzOEZuMkJRCmpXcHpCZkt3NEZJYXBNMXc0Q3BY
|
||||
ZlVBZ2hCenViSW5jRTc1cXFWVEJRZ2cKLS0tIGVROVBxaUFMNXVjdkcwNEE2VzJl
|
||||
blhTd3BhbmgvZHQ4dkF3TTJMcERRN2sKoPKAYvJzRm72V5WEee+vNqjw+mRL66ir
|
||||
DQRas5WfwqOIxHcPHpXHLu9zhmwlNKS+vt4GcG81l4eQLFDFmBol5w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-04-04T11:23:03Z"
|
||||
mac: ENC[AES256_GCM,data:l/WirVeSYQLuaZEjAPyX+5DJu3hfqiw1ZzPUNAbNKFQ1vUQf5Zxo3tfM7ROO+x95T9jGE271TIchTJAVu0C2XFTSPv7fJ9+WWyUr3JeFN1kFXt/k8Q5aLGdffAInhN2exsw/KKP0IXta5t4g2QfFsBZTDKCqLaj+WUeGBEJfjoc=,iv:J+6OIcE6i0Nt1Nb4m+aBBYeCj1iLNFigrRWYyYbY5GU=,tag:XTBvtWFNgRzuVyT7sWkGlg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.4
|
||||
|
|
@ -2,6 +2,7 @@ keys:
|
|||
- &server_hetzner age1qur4kh3gay9ryk3jh2snvjp6x9eq94zdrmgkrfcv4fzsu7l6lumq4tr3uy
|
||||
- &server_sgx age149fqcw5jze00vd7jauylrp4j5xyv7amlu57jjfuzghkqtzlnxajs704uz3
|
||||
- &server_t15 age1f2yu0cc826ej7hs4g865y29zy9uqfy0yp32f2m80typpk2pxqp7sfcffj4
|
||||
- &server_x1 age1z87u2na6vts0sqg6sc73p9ym6e5g9a0gf3hp9e7ha47e83zy4efqcjhk0y
|
||||
- &harald age1dwcz3fmp29ju4svy0t0wz4ylhpwlqa8xpw4l7t4gmgqr0ev37qrsfn840l
|
||||
creation_rules:
|
||||
- path_regex: .secrets/hetzner/[^/]+\.(yaml|json|env|ini)$
|
||||
|
|
@ -19,3 +20,8 @@ creation_rules:
|
|||
- age:
|
||||
- *server_t15
|
||||
- *harald
|
||||
- path_regex: .secrets/x1/[^/]+\.(yaml|json|env|ini)$
|
||||
key_groups:
|
||||
- age:
|
||||
- *server_x1
|
||||
- *harald
|
||||
|
|
|
|||
18
flake.lock
18
flake.lock
|
|
@ -388,11 +388,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1742655702,
|
||||
"narHash": "sha256-jbqlw4sPArFtNtA1s3kLg7/A4fzP4GLk9bGbtUJg0JQ=",
|
||||
"lastModified": 1743387206,
|
||||
"narHash": "sha256-24N3NAuZZbYqZ39NgToZgHUw6M7xHrtrAm18kv0+2Wo=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "0948aeedc296f964140d9429223c7e4a0702a1ff",
|
||||
"rev": "15c5f9d04fabd176f30286c8f52bbdb2c853a146",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -799,11 +799,11 @@
|
|||
},
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1742751704,
|
||||
"narHash": "sha256-rBfc+H1dDBUQ2mgVITMGBPI1PGuCznf9rcWX/XIULyE=",
|
||||
"lastModified": 1743576891,
|
||||
"narHash": "sha256-vXiKURtntURybE6FMNFAVpRPr8+e8KoLPrYs9TGuAKc=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "f0946fa5f1fb876a9dc2e1850d9d3a4e3f914092",
|
||||
"rev": "44a69ed688786e98a101f02b712c313f1ade37ab",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -2818,11 +2818,11 @@
|
|||
},
|
||||
"unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1742669843,
|
||||
"narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
|
||||
"lastModified": 1743583204,
|
||||
"narHash": "sha256-F7n4+KOIfWrwoQjXrL2wD9RhFYLs2/GGe/MQY1sSdlE=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "1e5b653dff12029333a6546c11e108ede13052eb",
|
||||
"rev": "2c8d3f48d33929642c1c12cd243df4cc7d2ce434",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, lib, ... }:
|
||||
{ pkgs, lib, config, ... }:
|
||||
with lib;
|
||||
with lib.metacfg;
|
||||
{
|
||||
|
|
@ -7,6 +7,30 @@ with lib.metacfg;
|
|||
# ./ipu.nix
|
||||
];
|
||||
|
||||
sops.age.sshKeyPaths = [ "/var/lib/secrets/ssh_host_ed25519_key" ];
|
||||
sops.secrets."wg".sopsFile = ../../../.secrets/x1/files.yaml;
|
||||
sops.secrets."wg".mode = "0444";
|
||||
sops.secrets."hosts".sopsFile = ../../../.secrets/x1/files.yaml;
|
||||
sops.secrets."hosts".mode = "0444";
|
||||
|
||||
environment.etc."wg0.backup.conf".source = config.sops.secrets."wg".path;
|
||||
environment.etc."hosts.backup".source = config.sops.secrets."hosts".path;
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
hostKeys = [
|
||||
{
|
||||
path = "/var/lib/secrets/ssh_host_ed25519_key";
|
||||
type = "ed25519";
|
||||
}
|
||||
{
|
||||
path = "/var/lib/secrets/ssh_host_rsa_key";
|
||||
type = "rsa";
|
||||
bits = 4096;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
hardware.bluetooth.input.General.ClassicBondedOnly = false;
|
||||
services.udev.extraRules = ''
|
||||
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="342d", ATTRS{idProduct}=="e4c5", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
|
||||
|
|
|
|||
Loading…
Reference in a new issue