From 49fa2325f342e1d4c30c52ae0bb5fe50ca029229 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Wed, 19 Apr 2023 20:08:45 +0200
Subject: [PATCH] sops-nix proof of concept

this is currently deployed and appears to be working. please everyone have a look at it & then decide if we want to use this for the other secrets as well.
---
 .sops.yaml | 19 +++++++++
 flake.lock | 34 +++++----------
 flake.nix | 7 ++-
 hosts/parsons/configuration.nix | 3 ++
 secrets.yaml | 76 +++++++++++++++++++++++++++++++++
 services/hedgedoc-hacc.nix | 8 +++-
 6 files changed, 122 insertions(+), 25 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..cae8e7b
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,19 @@
+keys:
+ - &parsons age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
+ - &hexchen-backup age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
+ - &stuebinm-ilex age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
+ - &stuebinm-surltesh-echer age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
+ - &stuebinm-abbenay age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
+ - &moira-2022-06 age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
+ - &moira-openpgp age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
+creation_rules:
+ - path_regex: secrets.yaml
+ key_groups:
+ - age:
+ - *parsons
+ - *hexchen-backup
+ - *stuebinm-ilex
+ - *stuebinm-surltesh-echer
+ - *stuebinm-abbenay
+ - *moira-2022-06
+ - *moira-openpgp
diff --git a/flake.lock b/flake.lock
index 3aaad66..217eb7f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -511,7 +511,9 @@ "nixpkgs": [ "nixpkgs-unstable" ], - "sops-nix": "sops-nix", + "sops-nix": [ + "sops-nix" + ], "waybar-iceportal": "waybar-iceportal" }, "locked": {
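Review bot: The creation rule `path_regex: secrets.yaml` in the new .sops.yaml is an unanchored regular expression, so it also matches any file whose path merely contains that substring (a constructed example: `old-secrets.yaml` or `foo/secrets.yaml`), and the unescaped dot matches any character; sops would then encrypt such a file to the same seven recipients without anyone noticing. Anchoring and escaping it, `path_regex: ^secrets\.yaml$`, limits the rule to the one file this commit actually adds. It would also help a reader to note, next to `&parsons`, that this recipient is the host's own key (the commit derives it from the ssh host key in hosts/parsons/configuration.nix), since it is the only entry here that is not a person; a comment such as `# parsons: age key derived from the host's ssh_host_ed25519_key` keeps that visible when keys are added or rotated. Since all recipients sit in one key group, any single listed key suffices to decrypt the file, which is fine for this use but worth stating in a comment for whoever extends the rule to other secrets.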
@@ -601,22 +603,6 @@ "type": "indirect" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1677560965, - "narHash": "sha256-Tqwt5alTtMnbYUPKCYRYZqlfbjprLgDWqjMhXpFMQ6k=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "40968a3aa489191cf4b7ba85cf2a54d8a75c8daa", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-22.11", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-unstable": { "locked": { "lastModified": 1678843226, @@ -753,6 +739,7 @@ "nixos-mailserver": "nixos-mailserver", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix", "tracktrain": "tracktrain" } }, @@ -791,17 +778,18 @@ "sops-nix": { "inputs": { "nixpkgs": [ - "nix-hexchen", - "nixpkgs" + "nixpkgs-unstable" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": [ + "nixpkgs" + ] }, "locked": { - "lastModified": 1677833841, - "narHash": "sha256-yHZFGe7dhBE43FFWKiWc29NuveH+nfyTT6oKyFDEMys=", + "lastModified": 1681821695, + "narHash": "sha256-uwyBGo/9IALi97AfMuzkJroQQhV6hkybaZVdw6pRNG4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "128e9b29ddd88ceb634a28f7dbbfee7b895f005f", + "rev": "5698b06b0731a2c15ff8c2351644427f8ad33993", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index a3b0702..d910ee2 100644 --- a/flake.nix +++ b/flake.nix @@ -16,6 +16,9 @@ deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable"; + sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs"; # these exist mostly to make the flake.lock somewhat more human-friendly # note that in theory doing this might break things, but it seems fairly unlikely 
@@ -26,6 +29,7 @@ doom-emacs.follows = "nix-hexchen/nix-doom-emacs/doom-emacs"; emacs-overlay.follows = "nix-hexchen/nix-doom-emacs/emacs-overlay"; flake-utils.follows = "/deploy-rs/utils"; + sops-nix.follows = "sops-nix"; }; nixos-mailserver.inputs = { "nixpkgs-22_05".follows = "nixpkgs"; @@ -33,7 +37,7 @@ }; }; - outputs = { self, nixpkgs, nix-hexchen, deploy-rs, ... }@inputs: + outputs = { self, nixpkgs, nix-hexchen, deploy-rs, sops-nix, ... }@inputs: let modules = nix-hexchen.nixosModules; profiles = nix-hexchen.nixosModules.profiles // { container = import ./modules/container-profile.nix; @@ -61,6 +65,7 @@ system = "x86_64-linux"; modules = [ ./hosts/parsons/configuration.nix + sops-nix.nixosModules.sops { nixpkgs.pkgs = pkgs; } { environment.etc."haccfiles".source = self.outPath; } ]; diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index cd62e67..6f6dd7e 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -37,6 +37,9 @@ networkDrivers = [ "igb" ]; }; + sops.defaultSopsFile = ../../secrets.yaml; + sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ]; + boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ]; diff --git a/secrets.yaml b/secrets.yaml new file mode 100644 index 0000000..97ab582 --- /dev/null +++ b/secrets.yaml 
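Review bot: The two new `sops.*` lines in hosts/parsons/configuration.nix carry no comment tying `/persist/ssh/ssh_host_ed25519_key` to the `&parsons` age recipient listed in .sops.yaml, so a future host-key rotation would silently leave parsons unable to decrypt secrets.yaml at activation until the file is re-keyed. I'd add above `sops.age.sshKeyPaths`: `# the "parsons" age recipient in .sops.yaml is derived from this host key; re-key secrets.yaml (sops updatekeys) if it is ever rotated`. The explicit /persist path presumably reflects host keys living outside the root filesystem; if so, a short note that decryption happens at activation and therefore needs /persist mounted by then would spare the next reader the same inference.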
@@ -0,0 +1,76 @@ +hedgedoc-hacc: + env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByREd2cmhXSUhNMWxEa3FB + em5WZ0lkaVVka2c5RUdidC9UQ2F5N2FXWGhBCmY2dUlHUmtpZkFZTitlaTVxMS8y + RFM0cHQwOFBwZFpSS0JWRXFVbUxMbTQKLS0tIFBNU2YxYUM4Y0U1NSt4Lzg1SnRF + N2Z1ZUpxKzBwV3Q0T0ppQis3UFJmT3cKRa4o6e0hNCSqZibQ8yjUMntXDaZxrmMc + tKAr9uGbSWQMbfjK26JKiOFt7QgF0olNvv7MxVD/kFScJBr1AerBQg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNlQyeGtWeUx2R25oVFFr + ckh0UlRCTkt5aEg5MUREOEpIUzN4aWovVFFnCjIxREF0RTBHUStBS3hFSUtUVC9y + ZXVyVlUwSlJKRTMyOG5CS0d6amFjU3cKLS0tIDZFdisyM0xEbHl1LzhJL2VwNVhR + d2RWMHdTS2hDNUpDOHFxNmNQVDZmNFEKgo3vmIWXFYsYSohZxh1eGhuq6kh3j/n1 + R5kN1Rs46/Id0lkFkySXUfuAzOqCWlnJYYgMtqOmxVI3UQhJAtWXOg== + -----END AGE ENCRYPTED FILE----- + - recipient: age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUi8zQ2lPZS9nZHByQVBl + eU05WDRaUjlCVzZlbDI4K0ZhMkFNVFg5UlQwCkNuakpJTStvZFpTZkQ5UWFoWHVH + RzRqTzlpNjNlMHlGbEFheFRTV1ByencKLS0tIDNHWEE4SENqRWZwNVpHcHN0TzY5 + NkpFTXFoLzUrcjEvbVBNSzdINzZHQ2MKb3knCvuJ1ivuGMZ+0bmLJoi5nUXMRNVf + l50GRm4JVZ210wwQq0vqf86HLIUE0hwaXiWsb7Sn3VvdsgE4x7wEmQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNUY4c25EN3BBSTFTMEU0 + 
Vjg3RjFkS1FzZ2NXTUlZZHJNR3pTa0MzNVRNCkZhS1FMY2RlNGlCN3hoSm9yN0RL + UHAwNlFQNWN5UWp0TUJybjVhMjY1TW8KLS0tIEJ3VGFQOEkrU01lbWYvQnRYdkx1 + VzFDbm9zMk4rVWlMQm5Sdk9uMEF1OTgK1d0syR0MY4DNA059QApJess94MZTulNQ + THZ2S/BmEJGPoyvjKot5clX0Lm6s7LyNoYDjBypo+6OI8Cvjo5Qjgg== + -----END AGE ENCRYPTED FILE----- + - recipient: age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCK0luUmtzZXdGOTY4bU51 + V016dTFaRkxyNksyMXJiUmY5QkJjcXdoSXd3CnpoQVVXVTNZWnZmajUzMlNJN2Fz + dDN1NThmS0IyREIvQSt2SlJKYmgwR1kKLS0tIFU5dHJYNzdydDkwT3FyQzRCRlFh + VUpXYTFRK3FTRlJYd1B3Qm5HMEQzMWMK5IqzmCIdUphR2W6y6UtZLo2cPRW2L0d4 + X0qmWnDxa4ghD1CMlIi2spIS/0mE2+tu+XmxYnWYtfMggCtJpZen6g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNEUvL2ZQbEo4SytWYnRJ + a1ZMdS9FR1JsUUpsMlZTdXRzOGtDeTdIcFI4ClhxaFN0dXVmR3RhOHVpdFNxNEVE + UzBxYStNMGZjNFJmTllxdlg2R1RIRm8KLS0tIFRJYzVrdE9mTGJZeXdpWnBUSkll + QmZtNmtabkVYQVNNZFRtWnE3LzR3Z3cKKOUqRmH5OzXSLNJAwCylXDMxoHJFT4Dn + 5iuRwydc9VvI/XKLmK/rR2XXeXzxESWu1OJVXPV87VIFh1jF71lCbQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZ3VRd1lNYVZpRHNsRWti + eEM5NjlOaEc4L29yRlA1eVdEZzFWbThXR2xFCngwN0YzWXdpTk4rY0h6VDBzQWtM + TGhPYk8wRWRqd0ttRm5zSTBMbVAzNWcKLS0tIFBsQnQ3TTJqQUZXQVlVZTcxWXJG + bVFISHFrRnZHVE9YbGVlakxJSFE1aTgKsddkeIFwHckApYhK53/qzG8bUYm3JXiI + amI6nq+0nNoU2bzOTO4FLW7gYssxWFxdSVV153BWGJHSNh/JItvDHg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-19T14:56:57Z" + mac: 
ENC[AES256_GCM,data:Mw5SUPLqVhq3bEjYj7v7qZO2RqEKDzC6u+lzLsFXdnJ+pLSUslulzGgIerkKbe9wXM3m7LgPIEeCdRhmRfjuDbqdvE8RifuE3UpJ1F0497RmGPAVsxZeUh8YaHzKe/fij3QGgGAaahLYs413WUZNvGPrnJSIISlRdJ2JNlTQw8c=,iv:2vEUSrdr30gEZh/wqSDDuakK3W+ZY6iJS5BgUpYKkk8=,tag:p8X8exlJoutmUW3WaP68Tw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/services/hedgedoc-hacc.nix b/services/hedgedoc-hacc.nix index 1a3740d..bb09cd0 100644 --- a/services/hedgedoc-hacc.nix +++ b/services/hedgedoc-hacc.nix @@ -1,6 +1,11 @@ { config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: { + + sops.secrets = { + "hedgedoc-hacc/env" = {}; + }; + containers.pad-hacc = { privateNetwork = true; hostAddress = "192.168.100.1"; @@ -11,6 +16,7 @@ hostPath = "/persist/containers/pad-hacc"; isReadOnly = false; }; + "/secrets".hostPath = "/run/secrets/hedgedoc-hacc"; }; path = evalConfig ({ config, lib, pkgs, profiles, ... }: { imports = [ profiles.nopersist profiles.container ]; @@ -43,7 +49,7 @@ clientSecret = "lol nope"; }; }; - environmentFile = "/persist/secrets.env"; + environmentFile = "/secrets/env"; }; systemd.services.hedgedoc.environment = { "CMD_LOGLEVEL" = "warn";
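Review bot: The new `sops.secrets."hedgedoc-hacc/env" = {}` in services/hedgedoc-hacc.nix sets no `restartUnits`, so a re-encrypted secret deployed later does not reach the running service: the second hunk bind-mounts `/run/secrets/hedgedoc-hacc` when the container starts, and as far as I recall sops-nix publishes each generation under a new /run/secrets.d directory and repoints the /run/secrets symlink, so the mount goes stale until the container is restarted. `"hedgedoc-hacc/env" = { restartUnits = [ "container@pad-hacc.service" ]; };` closes that gap. The new `"/secrets".hostPath` mount in the second hunk relies on the default `isReadOnly = true`; spelling it out, as the mount just above it does for `false`, makes the intent visible to whoever copies this pattern for the other secrets. The third hunk only drops the reference to `/persist/secrets.env`, so the plaintext file itself presumably stays on the host; it should be removed once this cutover is confirmed working.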