From 4bb0dd620381d365d98bd7efc9556614d623cd5d Mon Sep 17 00:00:00 2001
From: klarkc
Date: Wed, 20 Dec 2023 01:16:33 -0300
Subject: [PATCH] feat(cache): add secrets and host-keys
---
 .gitignore | 5 +++
 flake.lock | 84 ++++++++++++++++++++++++++++++++++-----
 flake.nix | 3 ++
 secrets/env.age | Bin 0 -> 418 bytes
 secrets/klarkc.pub | 1 +
 secrets/secrets.nix | 4 ++
 setups/cache/default.nix | 22 ++++++----
 7 files changed, 103 insertions(+), 16 deletions(-)
 create mode 100644 secrets/env.age
 create mode 100644 secrets/klarkc.pub
 create mode 100644 secrets/secrets.nix
diff --git a/.gitignore b/.gitignore
index f3b12c3..5ff76a3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,7 @@
 /result
 /*.img
+/*.qcow2
+/secrets/*
+!/secrets/*.nix
+!/secrets/*.age
+!/secrets/*.pub
diff --git a/flake.lock b/flake.lock
index 6ac85d5..1b54dff 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,27 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "home-manager": "home-manager",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1701216516,
+ "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "attic": {
 "inputs": {
 "crane": "crane",
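Review bot: The three `!/secrets/*.…` negations re-include any file with a `.nix`, `.age` or `.pub` extension regardless of its content, so the rule keeps cleartext out of the repository only as long as it is never saved under one of those names; the ordering is right, because `/secrets/*` ignores the entries rather than the directory itself, which is what allows the `!` lines to take effect. A one-line comment above the block would make that contract explicit for the next editor, e.g. `# secrets/: only age-encrypted files, public keys and nix expressions are tracked; anything else stays local`. Remember that an ignore rule is a convenience, not a control — `git add -f` bypasses it.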
@@ -45,13 +67,35 @@
 "type": "github"
 }
 },
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1673295039,
+ "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
 "everyday": {
 "locked": {
- "lastModified": 1695765897,
- "narHash": "sha256-nibcP9tkDodJFII7dSuIQxgsok4KeFE5lgviptvGZ50=",
+ "lastModified": 1703045794,
+ "narHash": "sha256-WRBSS0VoyvOBlZOQSE3mKS07zU6YjMUp1xnDrjUIAg8=",
 "owner": "klarkc",
 "repo": "nixos-everyday",
- "rev": "09a010169fe741508e0ed5040c2977955630a1b7",
+ "rev": "b55f5ea474ebf269b14129d1e052831ca84c28e4",
 "type": "github"
 },
 "original": {
@@ -99,11 +143,11 @@
 ]
 },
 "locked": {
- "lastModified": 1687183443,
- "narHash": "sha256-foX4pkph2AwUdJL3JURa7IHog+YRIheZ54vwHwxqwhU=",
+ "lastModified": 1701689616,
+ "narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "09140f23f5ffce828db4ef040070bdd9595b1f3a",
+ "rev": "246219bc21b943c6f6812bb7744218ba0df08600",
 "type": "github"
 },
 "original": {
@@ -112,13 +156,34 @@
 "type": "github"
 }
 },
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1682203081,
+ "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
 "nixlib": {
 "locked": {
- "lastModified": 1687049841,
- "narHash": "sha256-FBNZQfWtA7bb/rwk92mfiWc85x4hXta2OAouDqO5W8w=",
+ "lastModified": 1693701915,
+ "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "908af6d1fa3643c5818ea45aa92b21d6385fbbe5",
+ "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
 "type": "github"
 },
 "original": {
@@ -161,6 +226,7 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "attic": "attic",
 "everyday": "everyday",
 "generators": "generators",
diff --git a/flake.nix b/flake.nix
index 9fbc667..ee689de 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,11 +2,13 @@
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 generators.url = "github:nix-community/nixos-generators";
+ agenix.url = "github:ryantm/agenix";
 attic.url = "github:zhaofengli/attic";
 everyday.url = "github:klarkc/nixos-everyday";
 # optimizations
 generators.inputs.nixpkgs.follows = "nixpkgs";
 attic.inputs.nixpkgs.follows = "nixpkgs";
+ agenix.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs = { self, ... }@inputs:
@@ -17,6 +19,7 @@
 system = "${platform}-${os}";
 pkgs = import inputs.nixpkgs { inherit system; };
 lib = {
+ secrets = ./secrets;
 mkSystem = options:
 let
 inherit (inputs.nixpkgs.lib) nixosSystem;
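Review bot: In the first flake.nix hunk, `agenix.inputs.nixpkgs.follows = "nixpkgs";` pins only nixpkgs, while flake.lock in this same commit shows agenix also pulling in `darwin` (lnl7/nix-darwin tracked at `master`) and `home-manager`, neither of which the diff uses. Dropping them with `agenix.inputs.darwin.follows = "";` and `agenix.inputs.home-manager.follows = "";` beside the existing follows line keeps the lock, and the set of third-party sources that can influence a build, to what this configuration actually consumes. If a module elsewhere in the repository does rely on those inputs, disregard this.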
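Review bot: `secrets = ./secrets;` in the second flake.nix hunk exports a Nix path, and any consumer that interpolates it into a string (setups/cache/default.nix does so with `"${secrets}/env.age"`) copies the whole directory into the Nix store, which is world-readable on the host that evaluates it. That is acceptable for the `.age` and `.pub` files .gitignore keeps tracked, but the constraint is invisible at this line; a comment would prevent someone from dropping an unencrypted file there later, e.g. `# path: lands in the world-readable store, so only age-encrypted files and public keys may live here`. The `lib` attribute set continues past the end of the hunk.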
diff --git a/secrets/env.age b/secrets/env.age
new file mode 100644
index 0000000000000000000000000000000000000000..3915511990ae3cfac512d2d77163a2e3690fc5f4
GIT binary patch
literal 418
zcmV;T0bTxKXJsvAZewzJaCB*JZZ2tNG(uEOY;i+GO*uJpZZ9!0IdcjvJ|JKsU@|U5NiAn`Wnpt= zAVqs7W+r(cB0?s4AW&aEASOLtX(S3rc|%NOOfqh7c1=riGgvrcP-$&gNpf*>Ib$(4 zMp;B_OHoh?EiEk|Vp=yePGmthXKivTR4`9uFhNjpD_TizXjOA@QBE*UFK97WMp8*x zRCG8Bfn%KxSiTy><2FyUZTtNacdvu-vxVK4zy7^$2^CGu!(ez$=?9U5hFk1A@fyg+)=IsOfRgg^1sBX0eT4Ng0b5t|HJEO Mhxstqf{J+L{A&57-2eap
literal 0
HcmV?d00001
diff --git a/secrets/klarkc.pub b/secrets/klarkc.pub
new file mode 100644
index 0000000..61746df
--- /dev/null
+++ b/secrets/klarkc.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYlM/N+ZY5j5ddzyWWoEsYwnhhDiTGlmprZscFapgWt klarkc@ssdinarch
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..7ac6380
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,4 @@
+let klarkc = builtins.readFile ./klarkc.pub; in
+{
+ "env.age".publicKeys = [ klarkc ];
+}
diff --git a/setups/cache/default.nix b/setups/cache/default.nix
index dc4e683..f0e68e8 100644
--- a/setups/cache/default.nix
+++ b/setups/cache/default.nix
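Review bot: In secrets.nix, `env.age` is encrypted to exactly one recipient, the `klarkc.pub` user key, so the atticd HS256 secret is recoverable only through that single private key; if it is lost, the token secret has to be regenerated and every client token signed with the old one stops verifying. A second recipient — a dedicated key for the cache host and/or an offline recovery key — is two lines, e.g. `cacheHost = builtins.readFile ./cache-host.pub;` (constructed name) and `"env.age".publicKeys = [ klarkc cacheHost ];`, followed by an `agenix --rekey`. Which identity the VM will actually use to decrypt at activation is not decided in this file; that question belongs with `host-keys.source` in setups/cache/default.nix.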
@@ -1,20 +1,28 @@
 { system, pkgs, flake, ... }:
 let
- inherit (flake.inputs.everyday.nixosModules) logger;
+ inherit (flake.inputs.generators.nixosModules) vm-nogui;
+ inherit (flake.inputs.everyday.nixosModules) logger host-keys;
 inherit (flake.inputs.attic.nixosModules) atticd;
- inherit (flake.outputs.lib) mkSystem;
+ inherit (flake.outputs.lib) mkSystem secrets;
+ agenix = flake.inputs.agenix.nixosModules.default;
 domain = "cache.klarkc.is-a.dev";
+ home = "/home/klarkc";
 cache-module = { config, ... }: {
+ imports = [ logger atticd vm-nogui agenix host-keys ];
+ # cd secrets
+ # echo -n 'ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="' > env
+ # openssl rand 64 | base64 -w0 >> env
+ # echo -n '"' >> env
+ # cat env | nix run github:ryantm/agenix -- -e env.age -i ~/.ssh/id_ed25519
+ # cp ~/.ssh/id_ed25519.pub klarkc.pub
+ age.secrets.env.file = "${secrets}/env.age";
+ services.atticd.credentialsFile = config.age.secrets.env.path;
+ host-keys.source = "${home}/.ssh";
 system.stateVersion = config.system.nixos.version;
- imports = [ logger atticd ];
 fileSystems."/".device = "none";
 boot.loader.grub.device = "nodev";
 services.atticd = {
 enable = true;
- # echo -n 'ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="' > /tmp/atticd.env
- # openssl rand 64 | base64 -w0 >> /tmp/atticd.env
- # echo -n '"' >> /tmp/atticd.env
- credentialsFile = "/tmp/atticd.env";
 settings = {
 listen = "[::]:8080";
 chunking = {
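Review bot: `host-keys.source = "${home}/.ssh";` points the host-key module at the maintainer's personal SSH directory, and the `cp ~/.ssh/id_ed25519.pub klarkc.pub` step beside it suggests that personal key is doubling as the VM's host identity so that agenix can decrypt `env.age` at activation; what the module does with that path (copy it into the image, or expose it at run time) is not visible in this diff and should be confirmed, because a directory-level copy would also carry any other private keys and `known_hosts` stored there. A keypair generated once for the cache VM, kept outside both `~/.ssh` and `secrets/` (the latter is copied into the world-readable store) and listed in secrets/secrets.nix as a recipient, keeps the login identity and the server identity separate, e.g. `host-keys.source = "/abs/path/to/cache-host-keys"; # placeholder: dedicated host keypair`. Independently, the documented procedure leaves a plaintext `env` next to `env.age` with only .gitignore standing between it and the repository; append `# rm env` after the agenix line so the cleartext does not outlive the encryption step. `cache-module` continues past the end of the hunk.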