WIP: Drop sops-nix in favor of agenix

Servers: Remove RSA SSH keys
2024-12-10 17:55:29 +01:00 · 2024-12-10 17:35:30 +01:00
21 changed files with 227 additions and 73 deletions
--- a/configurations/camelot/default.nix
+++ b/configurations/camelot/default.nix
@ -31,22 +31,20 @@
  ];

  # System secrets
-  sops = {
-    gnupg.sshKeyPaths = [ ];
-    age = {
-      sshKeyPaths = [ ];
-      keyFile = "/var/lib/sops-nix/key.txt";
+  age.secrets = {
+    wg0Private.file = ../../secrets/camelot-wg0.age;
+    wg1Private.file = ../../secrets/camelot-wg1.age;
+
+    nextcloudAdminPassword = {
+      file = ../../secrets/nextcloud-admin.age;
+      owner = config.users.users.nextcloud.name;
+      group = config.users.users.nextcloud.group;
    };
-    defaultSopsFile = ./secrets/secrets.yaml;
-    secrets = {
-      wg0_private = { };
-      wg1_private = { };
-      nextcloud_admin_pw = {
-        owner = config.users.users.nextcloud.name;
-      };
-      gotosocial_env = {
-        owner = config.users.users.gotosocial.name;
-      };
+
+    gtsEnv = {
+      file = ../../secrets/gts-env.age;
+      owner = config.users.users.gotosocial.name;
+      group = config.users.users.gotosocial.group;
    };
  };

--- a/configurations/camelot/gotosocial.nix
+++ b/configurations/camelot/gotosocial.nix
@ -12,7 +12,7 @@ in
    enable = true;
    openFirewall = false;
    setupPostgresqlDB = true;
-    environmentFile = config.sops.secrets.gotosocial_env.path;
+    environmentFile = config.age.secrets.gtsEnv.path;
    settings = {
      application-name = "Dala's personnal instance";
      landing-page-user = "dala";
--- a/configurations/camelot/nextcloud.nix
+++ b/configurations/camelot/nextcloud.nix
@ -39,7 +39,7 @@
      dbtype = "pgsql";

      adminuser = "dala";
-      adminpassFile = config.sops.secrets.nextcloud_admin_pw.path;
+      adminpassFile = config.age.secrets.nextcloudAdminPassword.path;
    };

    caching = {
--- a/configurations/camelot/wireguard.nix
+++ b/configurations/camelot/wireguard.nix
@ -1,6 +1,5 @@
 {
  config,
-  pkgs,
  extraInfo,
  ...
 }:
@ -12,7 +11,7 @@
    ips = [ "10.100.0.6/8" ];

    listenPort = 51820;
-    privateKeyFile = config.sops.secrets.wg0_private.path;
+    privateKeyFile = config.age.secrets.wg0Private.path;

    peers = [
      # Rock Pro 64
@ -46,7 +45,7 @@
  networking.wireguard.interfaces.wg1 = {
    ips = [ extraInfo.wireguard.VPNAddress ];
    listenPort = 51821;
-    privateKeyFile = config.sops.secrets.wg1_private.path;
+    privateKeyFile = config.age.secrets.wg1Private.path;
    interfaceNamespace = "wg1ns";

    preSetup = ''
--- a/configurations/fuyuki/default.nix
+++ b/configurations/fuyuki/default.nix
@ -16,14 +16,8 @@

  console.keyMap = "us";

-  sops = {
-    gnupg.sshKeyPaths = [ ];
-    age = {
-      sshKeyPaths = [ ];
-      keyFile = "/var/lib/sops-nix/key.txt";
-    };
-    defaultSopsFile = ./secrets/secrets.yaml;
-    secrets.wg0_private = { };
+  age.secrets = {
+     wg0Private.file = ../../secrets/fuyuki-wg0.age;
  };

  my.users = {
--- a/configurations/fuyuki/wireguard.nix
+++ b/configurations/fuyuki/wireguard.nix
@ -3,7 +3,7 @@
  networking.wg-quick.interfaces.wg0 = {
    address = [ "10.100.0.3/24" ];
    listenPort = 51820;
-    privateKeyFile = config.sops.secrets.wg0_private.path;
+    privateKeyFile = config.age.secrets.wg0Private.path;

    dns = [ "10.100.0.1" ];

--- a/configurations/london/default.nix
+++ b/configurations/london/default.nix
@ -20,15 +20,8 @@
  # Nix
  nixpkgs.config.allowUnfree = true;

-  # System secrets
-  sops = {
-    gnupg.sshKeyPaths = [ ];
-    age = {
-      sshKeyPaths = [ ];
-      keyFile = "/var/lib/sops-nix/key.txt";
-    };
-    defaultSopsFile = ./secrets/secrets.yaml;
-    secrets.wg0_private = { };
+  age.secrets = {
+    wg0Private.file = ../../secrets/london-wg0.age;
  };

  # Wireguard
@ -37,7 +30,7 @@
    dns = [ "10.100.0.1" ];

    listenPort = 51820;
-    privateKeyFile = config.sops.secrets.wg0_private.path;
+    privateKeyFile = config.age.secrets.wg0Private.path;

    peers = [
      {
--- a/configurations/okeanos/default.nix
+++ b/configurations/okeanos/default.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ pkgs, ... }:

 {

@ -23,16 +23,8 @@
    };
  };

-  sops = {
-    gnupg.sshKeyPaths = [ ];
-    age = {
-      sshKeyPaths = [ ];
-      keyFile = "/var/lib/sops-nix/key.txt";
-    };
-    defaultSopsFile = ./secrets/secrets.yaml;
-    secrets = {
-      wg0_private = { };
-    };
+  age.secrets = {
+    wg0Private.file = ../../secrets/okeanos-wg0.age;
  };

 }
--- a/configurations/okeanos/wireguard.nix
+++ b/configurations/okeanos/wireguard.nix
@ -12,7 +12,7 @@
    address = [ "10.100.0.1/8" ];

    listenPort = 51820;
-    privateKeyFile = config.sops.secrets.wg0_private.path;
+    privateKeyFile = config.age.secrets.wg0Private.path;

    peers = [
      {
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,26 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1723293904,
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "crane": {
      "inputs": {
        "nixpkgs": [
@ -34,6 +55,28 @@
        "url": "https://git.dalaran.fr/dala/dalaran.fr/archive/main.tar.gz"
      }
    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "extra-config": {
      "locked": {
        "lastModified": 1733060531,
@ -88,7 +131,7 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1731533236,
@ -106,7 +149,7 @@
    },
    "flake-utils_2": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1710146030,
@ -124,7 +167,7 @@
    },
    "flake-utils_3": {
      "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1726560853,
@ -178,6 +221,27 @@
      }
    },
    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs-unstable"
@ -203,7 +267,7 @@
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
        "flake-utils": "flake-utils_2",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
        "rust-overlay": "rust-overlay"
      },
@ -227,7 +291,7 @@
        "flake-utils": "flake-utils_3",
        "flakey-profile": "flakey-profile",
        "lix": "lix_2",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
        "lastModified": 1732605668,
@ -257,16 +321,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1717794163,
-        "narHash": "sha256-Ch6ZpFPVvi7Bb6gmmuufpTEFkXqa43pC94XMfU5FEt0=",
+        "lastModified": 1703013332,
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "121f68ed7c6c32de5a8ce91a08ef25713d1c4755",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -320,6 +384,22 @@
      }
    },
    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1717794163,
+        "narHash": "sha256-Ch6ZpFPVvi7Bb6gmmuufpTEFkXqa43pC94XMfU5FEt0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "121f68ed7c6c32de5a8ce91a08ef25713d1c4755",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
      "locked": {
        "lastModified": 1729070438,
        "narHash": "sha256-KOTTUfPkugH52avUvXGxvWy8ibKKj4genodIYUED+Kc=",
@ -364,10 +444,11 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "dalaran-fr": "dalaran-fr",
        "extra-config": "extra-config",
        "flake-utils": "flake-utils",
-        "home-manager": "home-manager",
+        "home-manager": "home-manager_2",
        "lanzaboote": "lanzaboote",
        "lix": "lix",
        "nixpkgs-stable": "nixpkgs-stable_2",
@ -464,6 +545,21 @@
        "repo": "default",
        "type": "github"
      }
+    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -20,6 +20,8 @@
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };

+    agenix.url = "github:ryantm/agenix";
+
    # Use Lix instead of Nix
    lix.url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz";

@ -37,6 +39,7 @@
      nixpkgs-stable,
      home-manager,
      sops-nix,
+      agenix,
      flake-utils,
      extra-config,
      lix,
@ -105,6 +108,7 @@
          {
            imports = [
              sops-nix.nixosModules.sops
+              agenix.nixosModules.default
              my.modules
            ];
          };
@ -139,6 +143,7 @@
                nixfmt-rfc-style
                nil
                sops
+                agenix.packages.${system}.default
              ];
            };
          }
--- a/modules/common/network.nix
+++ b/modules/common/network.nix
@ -1,9 +1,29 @@
-{ lib, config, ... }:
+{ lib, ... }:
 with lib;
 {
  config = {
    networking.networkmanager.enable = true;
    networking.useDHCP = mkDefault true;
    networking.firewall.enable = true;
+
+    services.openssh = {
+      enable = true;
+      settings = {
+        StrictModes = true;
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitEmptyPasswords = "no";
+      };
+
+      openFirewall = true;
+
+      hostKeys = [
+        {
+          comment = "Main key";
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
+    };
  };
 }
--- a/modules/server/network.nix
+++ b/modules/server/network.nix
@ -2,20 +2,9 @@
 with lib;
 {
  config = {
-    services.openssh = {
-      enable = true;
-      settings = {
-        StrictModes = true;
-        PasswordAuthentication = false;
-        KbdInteractiveAuthentication = false;
-        PermitEmptyPasswords = "no";
-      };
-    };
-
    networking.firewall.allowedTCPPorts = [
      (mkIf config.services.nginx.enable 80)
      (mkIf config.services.nginx.enable 443)
-      (mkIf config.services.openssh.enable 22)
    ];
  };
 }
--- a/secrets/camelot-wg0.age
+++ b/secrets/camelot-wg0.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 1urzmQ QthE6va7QOa3TotoElF7lw9lklt/WudjJiuEVEh5mE8
+zvaMQzZ5D7wcDqps+20Km6pXlSXdC5QfKRrOc6M2fc8
+--- f0jLtwHZf8IWMRG6aQaXKU2hUvbFhNkj+EuMDMsqOHo
+ý‘z*?.áTæ‚¹><3E>=ÖTý¹ÀY×šà.„q\ç7×dÔRˆÕ¨‹ÝëjõÞ¡žfœ<0F>©–>²#0Í£M
+æ¸¼xDV
--- a/secrets/camelot-wg1.age
+++ b/secrets/camelot-wg1.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 1urzmQ u6Xho2ZF6cQ3obQwFuYIhGCBPNxhPDTtYpLdnd05hW0
+uGC2qqRo7t5Tyy0nXVsvLa2gfXOFLOdrv4xZHZHehqg
+--- U7qkawxldhLzGtCwTXGX90SQfTpEDPzTKmg/qmwGibE
+±ŽØ?„I¦ÖòL)¨mÔ
+¢‰Ý¥ºó~Çð,)f¬~¢QŽó×¶Ñívl—žæk™ µ<C2A0>„7…ù;sHg‡aëú, Á†&„B®•}i½
--- a/secrets/fuyuki-wg0.age
+++ b/secrets/fuyuki-wg0.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 BEMung w3V9FJbVq8i6hKQmaJPebuxASKjgrv3kbQMFoTnp3UM
+DVDePl8yU0bzcI+OPfZr7ze2w6ZoJ9VtCfgzPCA6U6k
+--- cwriaHYf/jbCHTYY8jBVGB7dsH1f4exGr89YIAaKt2s
+`›aØ”$Eèz-<2D>xÖÒ§íº«7f¼ ¿ï>+Àï|œáÖg„á§”ŸƒÁöš0P·@,¹H‚‰?RPé‹u}A<>ÞÓYI×wWI»òˆ
--- a/secrets/gts-env.age
+++ b/secrets/gts-env.age
--- a/secrets/london-wg0.age
+++ b/secrets/london-wg0.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 bPPSlQ voAyDlYMndTWZk80+6xQYeoIYzAa/kypg6v9voEOugY
+zr7g75QDnu3PmULHGryMtSay9sUiV614mLXZFncNqHk
+--- MBUtMmttC/UFM3Up+u5mET67REUsx+A0K9JpgH+Ht1U
+'ylæå>K¤9€†„	œ
+$˜ËÒdð~ëZ>Ä¤¸àÞ÷Åº8ò^yŒwîU“7iÂ<69>Ç™ž›Wv¹ôz"¸a.ŽT›ÖÖ}9à
--- a/secrets/nextcloud-admin.age
+++ b/secrets/nextcloud-admin.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 1urzmQ YHdUBNma4ZfV36fP9rJvqcHE7sEMM1zvKxvYK/bmExU
+So+8X/NvzLo0z8DRJq86KsF1+LHvkgA0P+KoAxZ2igI
+--- k50nE6+yjQfLmzfHTINtqgtmlNSfz8qdpA5Gw1LfB6g
+×xC#l™¶mcUk,/[íq'ÃH®°ÁZÏ{¬"úÖtÓâìqPJÍz±•}dRóŠ$
--- a/secrets/okeanos-wg0.age
+++ b/secrets/okeanos-wg0.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 wYGtoA 3Snoa8hj+D2tDbcZ+tW/PNxs780ssLlfZRXFNPzopTE
+s7X+La4LSerexc1EEdiWz/ZPImPTtixXJ+FWTW+TTjg
+--- azHMnyhbBw/3pwRwQNSUXvFnQCRSnMeX1CLWOyJ/t0s
+ÐÁ¼<C381>¸<EFBFBD>âvejý5§ªØ¶h´ãÊŠØ[^X½&œu} ¯0·Œ×¸·ïÍ‚m!L<aFx3³C…Rà×_ÞE-¿ñ‚¯<M7ñ¨BBw
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,35 @@
+let
+  camelot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5rcgH4REOPtxC1ewvQgqzhWSB90/F6thtPVavToUbL";
+  okeanos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0xGPXVpx4xpTiRews/Pd4kLz2HHVPJg0Ew/Ufu4LEY";
+  london = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFc0slhy7YWLN1/XcIUgARZmc6mZfYfstO5/VZbjMDRM";
+  fuyuki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWvC35PgMJTdeaD2mH+17yu5tBAI6j3ml2mDtC0OXgn";
+in
+{
+  "camelot-wg0.age".publicKeys = [
+    camelot
+  ];
+
+  "camelot-wg1.age".publicKeys = [
+    camelot
+  ];
+
+  "nextcloud-admin.age".publicKeys = [
+    camelot
+  ];
+
+  "gts-env.age".publicKeys = [
+    camelot
+  ];
+
+  "okeanos-wg0.age".publicKeys = [
+    okeanos
+  ];
+
+  "london-wg0.age".publicKeys = [
+    london
+  ];
+
+  "fuyuki-wg0.age".publicKeys = [
+    fuyuki
+  ];
+}
Author	SHA1	Message	Date
Victor Mignot	3577ead028	WIP: Drop sops-nix in favor of agenix	2024-12-10 17:55:29 +01:00
Victor Mignot	4cca387389	Servers: Remove RSA SSH keys	2024-12-10 17:35:30 +01:00