diff --git a/README.md b/README.md index beed349..e92cfb9 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,27 @@ configurations are grouped within a directory specific to each user. As of now, this is just `jrpotter`. The `flake.nix` file links the system and user configurations together. +## Secrets + +Secrets are managed via [sops-nix](https://github.com/Mic92/sops-nix) containing +keys generated by [age](https://github.com/FiloSottile/age) from a pre-existing +ed25519 SSH key. If you do not have an ed25519 key already, generate one via: +```bash +$ ssh-keygen -t ed25519 -C "" +``` +You can generate an `age` secret key from this SSH key like so: +```bash +$ mkdir -p ~/.config/sops/age +$ nix-shell -p ssh-to-age --run \ + "ssh-to-age -private-key -i > ~/.config/sops/age/keys.txt" +``` +And find the corresponding public key (to be included in `.sops.yaml`) like so: +```bash +$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub" +``` +and include in the root `.sop.yaml` file to be used when creating new secret +files. + ## Remotes Remote machines are hosted on [DigitalOcean](https://www.digitalocean.com/). @@ -22,6 +43,8 @@ The custom image used by each droplet can be built using the top-level A droplet running this image will automatically pull in any enabled SSH keys from your DigitalOcean account at creation time. +Each machine must be registered using + Deployment is managed using [colmena](https://github.com/zhaofengli/colmena). To deploy, run the following: ```bash 
@@ -29,10 +52,10 @@ $ cd infra $ nix flake update # If any machine changes were made. $ colmena apply ``` -Note that colmena requires non-interactivity. If you haven't done so already, -you'll likely need to add the private SSH key corresponding to the public one -uploaded to DigitalOcean to your SSH agent. Do so by running: +Note that `colmena` requires non-interactivity. If you haven't done so already, +you'll likely need to add the private Ed25519 SSH key corresponding to the +public one uploaded to DigitalOcean to your SSH agent. Do so by running: ```bash $ eval $(ssh-agent -s) -$ ssh-add +$ ssh-add ~/.ssh/id_ed25519 ``` diff --git a/desktop/flake.nix b/desktop/flake.nix index d92422f..db78abe 100644 --- a/desktop/flake.nix +++ b/desktop/flake.nix @@ -3,7 +3,6 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05"; - bootstrap = { url = "github:jrpotter/bootstrap/v0.1.2"; inputs.nixpkgs.follows = "nixpkgs"; @@ -12,13 +11,9 @@ url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; }; - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; - outputs = { nixpkgs, bootstrap, home-manager, sops-nix, ... }: + outputs = { nixpkgs, bootstrap, home-manager, ... }: let system = "x86_64-linux"; in @@ -28,7 +23,6 @@ modules = [ ./configuration.nix - sops-nix.nixosModules.sops home-manager.nixosModules.home-manager { home-manager = { diff --git a/infra/.sops.yaml b/infra/.sops.yaml new file mode 100644 index 0000000..25be703 --- /dev/null +++ b/infra/.sops.yaml @@ -0,0 +1,13 @@ +keys: + - &admin_jrpotter age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62 + - &server_phobos age1lmx6334s0y2ecfpve00vcjemyechycda2g8c5nnpzs5py2qay9pqx8m3vs +creation_rules: + - path_regex: phobos/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: + - *admin_jrpotter + - *server_phobos + - path_regex: .* + key_groups: + - age: + - *admin_jrpotter 
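Review bot: The `path_regex` of the first creation rule in `.sops.yaml` is unanchored, so sops also applies the server-shared rule to any file whose relative path merely contains `phobos/` (for example `other/phobos/x.yaml`), not only files directly under `infra/phobos/`; anchoring it, `path_regex: ^phobos/[^/]+\.(yaml|json|env|ini)$`, keeps the `server_phobos` key scoped to that one directory. The catch-all `.*` rule falling back to the admin key alone is the right least-privilege default and needs no change. Creation rules are consulted only when a file is first encrypted, so after changing recipients here an existing file such as `phobos/secrets.yaml` must be refreshed with `sops updatekeys` or it keeps its old recipient set; a short comment to that effect above `creation_rules` would save the next operator a surprise.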
diff --git a/infra/flake.lock b/infra/flake.lock index b2daaba..0bba99f 100644 --- a/infra/flake.lock +++ b/infra/flake.lock @@ -72,16 +72,49 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1701568804, + "narHash": "sha256-iwr1fjOCvlirVL/xNvOTwY9kg3L/F3TC/7yh/QszaPI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dc01248a9c946953ad4d438b0a626f5c987a93e4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1701568804, + "narHash": "sha256-iwr1fjOCvlirVL/xNvOTwY9kg3L/F3TC/7yh/QszaPI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dc01248a9c946953ad4d438b0a626f5c987a93e4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "phobos": { "inputs": { "boardwise": "boardwise", "nixpkgs": [ "nixpkgs" - ] + ], + "sops-nix": "sops-nix" }, "locked": { "lastModified": 1, - "narHash": "sha256-BcLR2La75qG8EVXabtZ0KXq+OYXtBVY8opTxS2qHdrg=", + "narHash": "sha256-eJcRqFATORPXB3PXPLiR+5lAJDNiEK+SbpdBkBcS3G8=", "path": "./phobos", "type": "path" }, 
@@ -93,7 +126,51 @@ "root": { "inputs": { "nixpkgs": "nixpkgs", - "phobos": "phobos" + "phobos": "phobos", + "sops-nix": "sops-nix_2" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "phobos", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1701728052, + "narHash": "sha256-7lOMc3PtW5a55vFReBJLLLOnopsoi1W7MkjJ93jPV4E=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "e91ece6d2cf5a0ae729796b8f0dedceab5107c3d", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "sops-nix_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1701728052, + "narHash": "sha256-7lOMc3PtW5a55vFReBJLLLOnopsoi1W7MkjJ93jPV4E=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "e91ece6d2cf5a0ae729796b8f0dedceab5107c3d", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } }, "systems": { diff --git a/infra/flake.nix b/infra/flake.nix index 8ba8e64..4557137 100644 --- a/infra/flake.nix +++ b/infra/flake.nix @@ -2,14 +2,18 @@ description = "Configuration of all remote NixOS machines."; inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; phobos = { url = "path:./phobos"; inputs.nixpkgs.follows = "nixpkgs"; }; - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { nixpkgs, phobos, ... }: + outputs = { nixpkgs, phobos, sops-nix, ... }: let system = "x86_64-linux"; in diff --git a/infra/phobos/flake.nix b/infra/phobos/flake.nix index 94f55df..8727e23 100644 --- a/infra/phobos/flake.nix +++ b/infra/phobos/flake.nix 
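Review bot: The new `sops-nix` input in `infra/flake.nix` is declared unpinned (`github:Mic92/sops-nix`, no ref or rev) while `phobos` declares its own copy, so the lock in this commit records two independent entries (`sops-nix` and `sops-nix_2`) that will drift apart on the next `nix flake update`; adding `inputs.sops-nix.follows = "sops-nix";` under `phobos`, mirroring the existing `inputs.nixpkgs.follows`, makes one pinned revision govern both. Pinning the root input to a tag or commit would also turn the lock's `e91ece6d` revision into an explicit, reviewable choice rather than whatever upstream held on update day. Whether the `sops-nix` argument added to `outputs` is actually used cannot be seen here, since the function body continues past the end of the hunk.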
@@ -7,14 +7,23 @@ url = "github:boardwise-gg/website/v0.1.0"; inputs.nixpkgs.follows = "nixpkgs"; }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { boardwise, ... }: { + outputs = { boardwise, sops-nix, ... }: { nixosModules.default = { modulesPath, pkgs, lib, system, ... }: { imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [ (modulesPath + "/virtualisation/digital-ocean-config.nix") + sops-nix.nixosModules.sops ]; + sops.defaultSopsFile = ./secrets.yaml; + sops.secrets.example-key = {}; + sops.secrets."myservice/my_subdir/my_secret" = {}; + deployment = { targetHost = "146.190.127.180"; }; diff --git a/infra/phobos/secrets.yaml b/infra/phobos/secrets.yaml new file mode 100644 index 0000000..2ade98a --- /dev/null +++ b/infra/phobos/secrets.yaml 
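Review bot: `sops.secrets.example-key` and `sops.secrets."myservice/my_subdir/my_secret"` appear to be placeholder names (they match the sops-nix README example) with no consumer in this hunk, yet declaring them makes every deploy decrypt them into `/run/secrets` at activation, so any mismatch between the `server_phobos` recipient in `.sops.yaml` and the key actually present on the droplet will fail the whole deployment; either drop them until a service reads them or mark them with a comment such as `# placeholder entries exercising the sops pipeline; replace with real secrets`. The hunk also leaves implicit where the host's age identity comes from: sops-nix, as far as I recall, derives it by default from the SSH host ed25519 key, and a DigitalOcean droplet presumably generates that key at first boot, so a recreated droplet would silently lose access to `secrets.yaml`; setting `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` explicitly and documenting how `server_phobos` was exported (the README's "Each machine must be registered using" sentence in this commit is left unfinished) would make that dependency visible. The `nixosModules.default` body continues past the end of the hunk.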
@@ -0,0 +1,36 @@ +#ENC[AES256_GCM,data:pkTmy1WX4sI6CHkuiMO/873FBuGKjtDyDuqGIY69b7LYXAyOeKU=,iv:CjqG2mlzIieeTJqrwAGklZQ1l7upH4dXTT0aoqKWQFY=,tag:25gMrm0gi21DhgnIdrki4A==,type:comment] +example-key: ENC[AES256_GCM,data:1ywkHMSLq1aAiZl9JA==,iv:1ip/LHeptLnpYq3O29xjNeDIUZr77xiAdGFmPPKIy3c=,tag:Q5BeX1XS6ySIqKcLv86yrg==,type:str] +#ENC[AES256_GCM,data:t4SrnsLqfNlxLqoEwuDtameoUYBZ4TpUDYQ2nQ133vEig6MuNgsKVQPs+3J3K3jXSqJHu8TvV9k=,iv:IDhuYa6LnPLREq3TFUBdkkdbFoxWxRuDw4rNYX+Q294=,tag:H+1n+P4NN4/4MHyXjDsOEg==,type:comment] +#ENC[AES256_GCM,data:DHudM+N5MDuM/tRKFcUNHn1pkSdSzJRgg4ROkAxOlWQy03x6up3MtTCbuZ1gW2aLAA8sHxB3ki1WOLQ6jeU67Hk6DMsP+sOS,iv:p9ry0MmeUXXdtmZYKlqs4dJ9uopHD4Z9YVf25PVKjIc=,tag:3WmKGQyrIpL2Aw+b2ANIxA==,type:comment] +myservice: + my_subdir: + my_secret: ENC[AES256_GCM,data:uZOzai2mhtkM,iv:Uo+RuNxwaaMPr56pcNfN7stZXterbvfbhbwr3gyH+PI=,tag:kzQav/0gDRELwdmOMJjn7g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyN0d4VDcvZ085Sm9SL2ZE + MW5rUlpNQWdLV3UrVHlkMDFQazRuaGZLUlVVClo4a0ZreVU3MGV4MUovZXZVWm10 + dTZ3OEc4ZlJqQ21TYmJEc2FJNDAyazAKLS0tIEZxVzk4ZEo3MjFHMVZDV0JTWmRo + YzRDWjZ2ZFlQdEw5N2N5SG9oVDdPMFkKHPz6J4TL6lPSH1a806iVBrgJUnV297uh + 1sacjMW5ncEktozngq7gqQnrKEfapYqq3rAVpxGLY3C6mxwPDTgT5g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lmx6334s0y2ecfpve00vcjemyechycda2g8c5nnpzs5py2qay9pqx8m3vs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNYmtQcWF5Rm50MWxQYjRB + bHBYK25BMThvN3Ivd1JxSTJKOThxS0N6TEZFCnVvS2RKZEQ3WEpCN1V6ekd3Sjhv + N0UwbUJTck9PSXhDcGI3aDNUYmNPVVEKLS0tIDBuc2xmdEpYZVZpbGczQ2RlRS9U + YXV1UEl0Q3RTZSt0ak1sU3BkcFIwdWcKwfNMcaDdud0Ve+ibJq5bRc63hiDgaTp9 + 5GKaIaU4TOkB2K3/N8DIU3KW0scl+5foWTaQbrVSMy9x31H0jTdlgQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-08T18:51:48Z" + mac: 
ENC[AES256_GCM,data:/pnQDn4ADDkyYNRYAMzOnxc6HkyJ94izk8Em+v6oY3oKEw8m0I51ClS1glaXTL+FFocYnKAu/TuuX49QI8mnY3qhHrg1s2ruGtjRhDJGEvsCCgK6BcuclktTS7r046rRa7S0kahotI9C9ZHKilRoc5tTGNVKnGg+Xq+zG2ch6Cc=,iv:muBqr7RR0taT9VYwZoBMJn76kc5Zk0h6d8vcZJOxwT8=,tag:wF/6Q6fkDzyJ+XtEB9Vzog==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3