From a1ee5c63a1004986a1cbddfec729c80f1fb86ec5 Mon Sep 17 00:00:00 2001
From: FReenen
Date: Thu, 2 May 2024 18:13:43 +0200
Subject: [PATCH] test for using sops

---
 .sops.yaml | 7 +++++++
 configuration.nix | 11 +----------
 flake.nix | 4 +++-
 secrets.nix | 10 ++++++++++
 software.nix | 3 ++-
 sshkeys.secret.yaml | 25 +++++++++++++++++++++++++
 userPasswords.secret.yaml | 24 ++++++++++++++++++++++++
 users.nix | 14 ++++++++++++++
 8 files changed, 86 insertions(+), 12 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets.nix
 create mode 100644 sshkeys.secret.yaml
 create mode 100644 userPasswords.secret.yaml
 create mode 100644 users.nix

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..8649c4d
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &freenen_pgp 659E789F50DBF29C559A20D31A49C544894DAA60
+creation_rules:
+ - path_regex: \.secret\.(yaml|json|env|ini)$
+ key_groups:
+ - pgp:
+ - *freenen_pgp
diff --git a/configuration.nix b/configuration.nix
index c3106a6..ce3875e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -11,6 +11,7 @@
 ./locals.nix
 ./services.nix
 ./software.nix
+ ./secrets.nix
 ];
 
 # Bootloader.
@@ -63,16 +64,6 @@
 # Enable touchpad support (enabled default in most desktopManager).
 # services.xserver.libinput.enable = true;
 
- # Define a user account. Don't forget to set a password with ‘passwd’.
- users.users.freenen = {
- isNormalUser = true;
- description = "Finley";
- extraGroups = [ "networkmanager" "wheel" ];
- packages = with pkgs; [
- # thunderbird
- ];
- };
-
 # Some programs need SUID wrappers, can be configured further or are
 # started in user sessions.
 # programs.mtr.enable = true;
diff --git a/flake.nix b/flake.nix
index 09d8af3..4ce52d0 100644
--- a/flake.nix
+++ b/flake.nix
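Review bot: The only recipient in `creation_rules` is the personal PGP fingerprint, so both `*.secret.yaml` files can be edited with that key, but nothing in this patch identifies a key the machine itself holds; sops-nix decrypts at activation (and, for `neededForUsers`, early in boot) with the host's own key by default, so unless that fingerprint's private half lives on the host the files cannot be decrypted where they are consumed. Adding the host key as a second anchor under `keys:` and listing it in the `pgp:` group, e.g. `- &frdesktop_host <host key fingerprint, placeholder>` and `- *frdesktop_host`, lets the machine decrypt and also gives a second key for recovery if the personal key is lost. The two existing secret files need re-encrypting with `sops updatekeys` once the rule changes.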
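Review bot: The first configuration.nix hunk adds only `./secrets.nix` to the imports list, while the second hunk removes the `users.users.freenen` block (the only `wheel` member visible here) and nothing in this patch imports `users.nix`, which carries its replacement; unless that file is imported from somewhere outside the diff, a rebuild would leave the system with no freenen account and no sudo-capable user. Adding `./users.nix` beside `./secrets.nix` in the imports list closes that gap. The imports list and the enclosing module continue outside both hunks.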
@@ -2,12 +2,14 @@
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
 nix-flatpak.url = "github:gmodena/nix-flatpak/?ref=v0.4.1";
+ sops-nix.url = "github:Mic92/sops-nix";
 };
 
- outputs = { nixpkgs, nix-flatpak, ... }: {
+ outputs = { nixpkgs, nix-flatpak, sops-nix, ... }: {
 nixosConfigurations.frdesktop = nixpkgs.lib.nixosSystem {
 modules = [
 nix-flatpak.nixosModules.nix-flatpak
+ sops-nix.nixosModules.sops
 ./configuration.nix
 ];
 
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..ff047ef
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,10 @@
+{
+ imports = [ ];
+ sops.defaultSopsFile = ./sshkeys.secret.yaml;
+
+ sops.secrets.userPasswords = {
+ neededForUsers = true;
+ sopsFile = ./userPasswords.secret.yaml;
+ };
+ sops.secrets.sshKeys.sopsFile = ./sshkeys.secret.yaml;
+}
diff --git a/software.nix b/software.nix
index c199776..c322a35 100644
--- a/software.nix
+++ b/software.nix
@@ -8,10 +8,11 @@ environment.systemPackages = with pkgs; [ vim wget git ncdu btop gcc cmake valgrind clang-tools + texliveFull + vscodium gnome.nautilus libsForQt5.kalgebra - texliveFull ]; services.flatpak.enable = true;
diff --git a/sshkeys.secret.yaml b/sshkeys.secret.yaml
new file mode 100644
index 0000000..6dab096
--- /dev/null
+++ b/sshkeys.secret.yaml
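Review bot: `sops-nix.url = "github:Mic92/sops-nix";` is the only input without a ref, whereas nixpkgs and nix-flatpak are pinned to `nixos-23.11` and `v0.4.1`; the lock file will fix a revision, but `flake.lock` is not in this commit's diffstat, so the pin is either untracked or landing separately. The input also brings its own nixpkgs; adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` beside the url keeps the sops module evaluated against the same 23.11 tree as the rest of the system. The `outputs` attribute set continues past the end of the hunk.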
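Review bot: `sops.secrets.userPasswords` with `sopsFile = ./userPasswords.secret.yaml;` looks up a key named `userPasswords` in that file, but the file added in this patch has a single top-level key, `freenen`, so the secret would not resolve at activation; add `key = "freenen";` inside the attribute set (or name the secret `freenen`). Likewise `sops.secrets.sshKeys` addresses the top-level `sshKeys` map in `sshkeys.secret.yaml` rather than the string beneath it; sops-nix addresses nested values with a slash, `sops.secrets."sshKeys/mainRSA".sopsFile = ./sshkeys.secret.yaml;`, and I expect a map-valued secret to be rejected, though I have not run it. If that key is meant for freenen's own ssh client it also needs `owner = "freenen";`, since sops-nix installs secrets root-owned with mode 0400 by default. `imports = [ ];` and the explicit `sopsFile` on `sshKeys` duplicate `defaultSopsFile` and could be dropped.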
@@ -0,0 +1,25 @@
+sshKeys:
+ mainRSA: ENC[AES256_GCM,data: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,iv:OTAzULAPMvKR0STRcTBX3niYwXO0qnp1e+EL4qbbYqc=,tag:p4VWErm4a2L6zrZx9WyT9g==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-05-02T15:04:39Z"
+ mac: ENC[AES256_GCM,data:J4WvM1rQQ3tkbmf+cXh6HnoDvRFqECzwz8EoO1mdtT8oLPd/0wq544qYy12WrGzRM/TLFKvqi874JxB1uBT9fiTkIPgTtQd0juzUO1mAFXO1sMjxj7xZqlet9TZuvh7pqWmaDMcyqSjDnHqKuPTbVOPsagc8twP97b2i9gUDbp4=,iv:qNBP03Y28s2MOMaIpz2lw89FIB8lrGt+q4YJ6HkCHDY=,tag:3VMIaoRzL8CuuW5I953zOA==,type:str]
+ pgp:
+ - created_at: "2024-05-02T14:45:56Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DNs2dC5MoGHESAQdAMAANtGTepileo5+JlKQjUN5WQMizJod4Btc+nIttk2Aw
+ CiQfHb0PXS3hMmPvEE5r4ncbLP5j4GbJQIWlvcuMzpHOtcXN33U7yQlNWQ7+yl9/
+ 1GYBCQIQ2SOLTJEuOOadtdFNR6IqhcZZMmGab5WPRBsG1Ez0TsVm6D2gpxYL8Mwt
+ l5963ZKae6/DEWQaTdwLEke03coNeMh+ayviARZdHqw5722/hG2bt7mV+YEhhX+S
+ 83mxH0/aVvc=
+ =B3Ks
+ -----END PGP MESSAGE-----
+ fp: 659E789F50DBF29C559A20D31A49C544894DAA60
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/userPasswords.secret.yaml b/userPasswords.secret.yaml
new file mode 100644
index 0000000..7bc1a4a
--- /dev/null
+++ b/userPasswords.secret.yaml
@@ -0,0 +1,24 @@
+freenen: ENC[AES256_GCM,data:YiJ1EKxEHq8jS/yhuemgzcAX2Hx5idxCXi3VJZoWCxY2EWAxErIJEYfTPm1PunHQ+OyqailvIDMzXpZ0DF9COLRVAksgcFJonA==,iv:aCbuapg9W6QsZzebP0aGsXtNIuuNIarUCjvG0URRcnU=,tag:bq91mG4xVrfbLr+F4mZ5rA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-05-02T15:21:54Z"
+ mac: ENC[AES256_GCM,data:DxuNe6mAIbIbQg64ABAJKEBu00L+0SGkNAsBsfZtqVOFZAendLgHeSpRPM54ofpJq7O6WosEDCcvEHCmhO14Rba9HbsWtlkEpZXvAnWcNc012aaulJ6rDmsN1MozDxHMSfd/8a4iyxoj6jTKnHJl7XmRrbcy/3Gz8ZJ3PAceElY=,iv:ZQEx7axOaRlRMkVqe9HerDADAavob3veFDcdu+8ot8c=,tag:aqQ/Ci17z7hPPYY9PwJ6SQ==,type:str]
+ pgp:
+ - created_at: "2024-05-02T15:20:40Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DNs2dC5MoGHESAQdAS8J1hu2Vrl81vWurRGN+f9orvzmsvGtIlkZujVe5sUAw
+ RumSi34DsECwn0yWti6jKqrDXnxz9FP3s2IAAqF/sSdjdMqoHQxKAjJhc5icHLkb
+ 1GgBCQIQa7dTBhih0hOnQzv1kzTi1OH0MpFw//HBJ/h5C/6g6T0RCfZH54vEp7Dt
+ oiSr7QHZbGhR28LEHq4tAQmqA8W/cvEexcT8DcdWQHCbWbL5yhoKuKltMJ747ay/
+ cDZT+hML31L5ow==
+ =Ev2q
+ -----END PGP MESSAGE-----
+ fp: 659E789F50DBF29C559A20D31A49C544894DAA60
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/users.nix b/users.nix
new file mode 100644
index 0000000..b7ec9aa
--- /dev/null
+++ b/users.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }: {
+ users.mutableUsers = false; # make users unmutable
+
+ users.users.freenen = {
+ isNormalUser = true;
+ home = "/home/freenen";
+ description = "Finley van Reenen";
+ extraGroups = [ "networkmanager" "wheel" ];
+ hashedPassword = config.sops.secrets.preUser.freenen;
+
+ # openssh.authorizedKeys.keys = [];
+ # packages = with pkgs; [ ];
+ };
+}
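Review bot: `hashedPassword = config.sops.secrets.preUser.freenen;` references a secret named `preUser` that nothing in this patch declares (`secrets.nix` declares `userPasswords` and `sshKeys`), and `config.sops.secrets.<name>` evaluates to the secret's option set rather than the hash string, so I expect evaluation to fail; even if it resolved, `hashedPassword` copies the value into the world-readable Nix store. The sops-nix pattern for a `neededForUsers` secret is `hashedPasswordFile = config.sops.secrets.userPasswords.path;`, which reads the decrypted file at activation instead. With `users.mutableUsers = false`, a broken password source and the commented-out `openssh.authorizedKeys.keys` leave no way into the only `wheel` account, so it is worth confirming that the decrypted value is a crypt-style hash (e.g. from `mkpasswd`) rather than a plaintext password before rebuilding. `pkgs` in the module arguments is unused.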