From e9133714add1c5fbcb80bb1d7f61755c9f2dea7b Mon Sep 17 00:00:00 2001 From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Sat, 16 Mar 2024 23:46:36 +1100 Subject: [PATCH] fix: setting up sops --- .sops.yaml | 2 + .vscode/extensions.json | 7 ++- flake.nix | 7 ++- nixos/hosts/common/optional/chrony.nix | 6 +-- .../common/optional/cloudflare.ddns.sops.yaml | 1 - .../hosts/common/optional/dnscrypt-proxy2.nix | 53 +++++++++---------- .../common/optional/dnscrypt-proxy2.sops.yaml | 33 ++++++++++++ nixos/hosts/common/optional/sops-nix.nix | 7 +++ nixos/hosts/nixosvm/default.nix | 5 +- 9 files changed, 81 insertions(+), 40 deletions(-) delete mode 100644 nixos/hosts/common/optional/cloudflare.ddns.sops.yaml create mode 100644 nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml create mode 100644 nixos/hosts/common/optional/sops-nix.nix diff --git a/.sops.yaml b/.sops.yaml index 0f48904..7f92eee 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,9 +1,11 @@ --- keys: - &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn + - &nixosvm2 age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz creation_rules: - path_regex: .*\.sops\.yaml$ key_groups: - age: - *nixosvm + - *nixosvm2 diff --git a/.vscode/extensions.json b/.vscode/extensions.json index 0b04a3b..622c6ae 100644 --- a/.vscode/extensions.json +++ b/.vscode/extensions.json @@ -1,3 +1,8 @@ { - "recommendations": ["jnoortheen.nix-ide"] + "recommendations": [ + "jnoortheen.nix-ide", + "shipitsmarter.sops-edit", + "ionutvmi.path-autocomplete", + "redhat.vscode-yaml" + ] } diff --git a/flake.nix b/flake.nix index 36ad97b..d2b216e 100644 --- a/flake.nix +++ b/flake.nix @@ -18,7 +18,6 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - }; outputs = { self, nixpkgs, sops-nix, ... }@inputs: with inputs; 
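Review bot: The two anchors are both named after one host (`nixosvm`, `nixosvm2`) and nothing records which machine or which SSH host key each age recipient was derived from, which is exactly what you need when one of them has to be revoked or the file re-keyed. Annotate each recipient line, e.g. `- &nixosvm age1d3q… # ssh-to-age of nixosvm /etc/ssh/ssh_host_ed25519_key` and the same form for `nixosvm2`, naming the host it belongs to. If `nixosvm2` is a rotated key rather than a second machine, say so in the comment and drop the stale one once every `*.sops.yaml` has been re-encrypted, since every recipient listed here can decrypt every secret matched by the rule.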
@@ -27,7 +26,7 @@ # Use nixpkgs-fmt for 'nix fmt' formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; - # Each subdirectory in ./machines is a host. Add them all to + # Each subdirectory in ./machines is a host. Add them all to # nixosConfigurations. Host configurations need a file called # configuration.nix that will be read first nixosConfigurations = builtins.listToAttrs (map @@ -50,5 +49,5 @@ }; }) (builtins.attrNames (builtins.readDir ./nixos/hosts))); -}; -} \ No newline at end of file + }; +} diff --git a/nixos/hosts/common/optional/chrony.nix b/nixos/hosts/common/optional/chrony.nix index 27af2a9..a6f961d 100644 --- a/nixos/hosts/common/optional/chrony.nix +++ b/nixos/hosts/common/optional/chrony.nix @@ -1,7 +1,7 @@ { inputs, outputs, config, ... }: { -# Time - networking.timeServers = ["10.8.10.1"]; + # Time + networking.timeServers = [ "10.8.10.1" ]; services.chrony = { enable = true; }; -} \ No newline at end of file +} diff --git a/nixos/hosts/common/optional/cloudflare.ddns.sops.yaml b/nixos/hosts/common/optional/cloudflare.ddns.sops.yaml deleted file mode 100644 index 61c78a8..0000000 --- a/nixos/hosts/common/optional/cloudflare.ddns.sops.yaml +++ /dev/null @@ -1 +0,0 @@ -forward-address: hi diff --git a/nixos/hosts/common/optional/dnscrypt-proxy2.nix b/nixos/hosts/common/optional/dnscrypt-proxy2.nix index f1d63cc..ac4049f 100644 --- a/nixos/hosts/common/optional/dnscrypt-proxy2.nix +++ b/nixos/hosts/common/optional/dnscrypt-proxy2.nix 
@@ -3,42 +3,37 @@ { inputs, outputs, pkgs, config, ... }: { # Disable resolvd to ensure it doesnt re-write /etc/resolv.conf - services.resolved.enable = false; - - # Fix this devices DNS resolv.conf - networking = { - nameservers = [ "10.8.10.1" ]; - + config.services.resolved.enable = false; + + # Fix this devices DNS resolv.conf else resolvd will point it to dnscrypt + # causing a risk of no dns if service fails. + config.networking = { + nameservers = [ "10.8.10.1" ]; # TODO make varible IP + dhcpcd.extraConfig = "nohook resolv.conf"; }; - services.dnscrypt-proxy2 = { + # configure secret for forwarding rules + config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml; + config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0440"; + + # Restart dnscrypt when secret changes + config.sops.secrets.monitoring_token.restartUnits = [ "dnscrypt-proxy2" ]; + + config.services.dnscrypt-proxy2 = { enable = true; settings = { - require_dnssec = true; + require_dnssec = true; - forwarding_rules = pkgs.writeText "forwarding-rules.txt" '' - natallan.com 10.8.10.1 - sonarr.trux.dev 10.8.20.11 - radarr.trux.dev 10.8.20.11 - lidarr.trux.dev 10.8.20.11 - qbittorrent.trux.dev 10.8.20.11 - qbittorrent-lidarr.trux.dev 10.8.20.11 - syncthing.trux.dev 10.8.20.11 - qbittorrent-readarr.trux.dev 10.8.20.11 - filebrowser.trux.dev 10.8.20.11 - minio.trux.dev 10.8.20.11 - sabnzbd.trux.dev 10.8.20.11 - trux.dev 10.8.20.203 - ''; - - server_names = ["NextDNS-f6fe35"]; - - static = { - "NextDNS-f6fe35" = { - stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ"; - }; + forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path; + + server_names = [ "NextDNS-f6fe35" ]; + + static = { + "NextDNS-f6fe35" = { + stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ"; }; + }; }; }; } 
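Review bot: The restart hook is attached to `config.sops.secrets.monitoring_token`, a secret that this hunk never declares and that is unrelated to the forwarding rules, so editing `dnscrypt-proxy2.sops.yaml` will not restart the service, and declaring `monitoring_token` here makes sops-nix look it up in a default sops file that this module does not set (likely an activation-time failure — verify). Move the hook to the secret actually used: `config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2.service" ];` and delete the `monitoring_token` line. The secret is also set to `mode = "0440"` with no `owner`/`group`, so it is readable only by root; if the upstream dnscrypt-proxy2 unit runs as a dynamic/non-root user (I believe it does — verify), it cannot open the path it is handed in `forwarding_rules`, so either set `owner`/`group` to match the service or, given the file only maps internal names to RFC1918 addresses, consider `mode = "0444"` and question whether it needs to be a secret at all. Worth a comment next to `nameservers = [ "10.8.10.1" ]`: this host's own lookups go in plaintext to the router and bypass `require_dnssec`/the encrypted upstream; only clients pointed at dnscrypt-proxy get that protection, which the comment above it already accepts as a trade-off for availability.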
diff --git a/nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml b/nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml new file mode 100644 index 0000000..1fabbbd --- /dev/null +++ b/nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml 
@@ -0,0 +1,33 @@ +system: + networking: + dnscrypt-proxy2: + forwarding-rules: ENC[AES256_GCM,data:l4Sq/FCZ3WskAm9vjE1S95AX6ljcULOuc1jjuraJ4ZogEyBe4zlyrFv7LxTFX8myTewWlM0987B3o04ls3WU5nSA9wU54aTEQiFvXDJogCqLZ6SpMHqHMsStUTt6xcF1NXmnHbuneh9UAVeiWjqOprkh/Ndix0ksjYjZF+gjvxq7sLBidn77pNLuaEY+B7wCUUEnYXcJbhGAuWXYnaxdYoc8rv018e4gWjgG1gbpCXq47osjCHQ+jUzU0quMdw418nOGDUVigAaXExeQE4BTDXPCfEL4eGVYWcD7pBfsTPDDIK8OqTNjku41tLdCNmCUk/yS+jFmbfeq/nS2EEy0FRk2O4zikUArdmGKmq9Gsb4cuCL2274NqZ7zIr9YKMqYFbDFN5eh4qcCPPsiLooYdNMIuScWIpDdvHN3o8CyosmiweeqNan48juze9X5pW0zpVPFfBHuEdysAt1mDJok3rE=,iv:T4gfKOShNUT7NOBrnbJf9UCmbiQF3JFqLdFaG+1zhcw=,tag:Po4hhwgxy097ULi4KPpztQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCVnZ2SmJxeURPc3Q2UWla + eHBXTWdlSGtGTFR6b25TWU9YZy9rMlhHU1NnClhQOE5Qc0hxbERoeUdhUGhtaTVM + d283LzYvZ1lKVXRjYi94bzVaNmo5WlUKLS0tIEhQbGtvS094d1M2cUlPWXF6Y3o4 + dUdkcHRsQ095V3hUc0hjdFUzNUtOa2sKenpNvjeoouaOG41aHfMtU6GVQ7CQ4h6h + y8DoqXGNLUfPxK1Rlrt1G3zyeOq++Ea+tJErD9pxasYNbXE7ZsAuMQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaXBDRFcwbld0MnlvYm9W + Vlkxa1FFRmZLZmtlS0hLSWpjZ0U1eGtHT2x3CmMwWFFkTjZKTDk2NXE3MGpYL2xP + dWN6VWF2ZDZGYUFmTC9UYlh6bUR6UDAKLS0tIEtHV3l0TWQ3Z01oWUt5clVMbFJl + OTZyeCtKbHRCMXZpcGNlcjNzWDFlNjgKZOL4fRxqefBVIkGgh6ToaxR/oNNxKXGB + 7pCsMJDc9B5A8tg2FOCD30biec3HeXmvBlFQgwAWvSNa1TYmZpT3KA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-16T12:22:42Z" + mac: 
ENC[AES256_GCM,data:hjTjQ2U3b9vvo3hXBv5HUn/zyqwgiMjMWop/cG7jklG6wRjZ4fpFGKW4YJqkSYJYlJIkQtLXE28Nw8rLRbgu77Uw6yaAiTEH8hYYTFvFqiXyQKR4ORMOp7OcvpT9K+sdoKkNmwkxJZzwzgmv7ua2LWlY9hnUZow+2rJWm0z+zOk=,iv:2vMwU3CwqZGfA0MbwxbMSHrsHKHlSf84Jwxw+zjcf1o=,tag:viLrQGbAKTeWRbHQujc7SQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/hosts/common/optional/sops-nix.nix b/nixos/hosts/common/optional/sops-nix.nix new file mode 100644 index 0000000..278907d --- /dev/null +++ b/nixos/hosts/common/optional/sops-nix.nix @@ -0,0 +1,7 @@ +{ inputs, outputs, config, ... }: { + # SOPS settings + # https://github.com/Mic92/sops-nix + + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + +} diff --git a/nixos/hosts/nixosvm/default.nix b/nixos/hosts/nixosvm/default.nix index da60414..e062ff2 100644 --- a/nixos/hosts/nixosvm/default.nix +++ b/nixos/hosts/nixosvm/default.nix @@ -6,7 +6,7 @@ { imports = - [ + [ # Host-specific ./hardware-configuration.nix @@ -20,6 +20,7 @@ ../common/optional/gnome.nix ../common/optional/editors/vscode ../common/optional/firefox.nix + ../common/optional/sops-nix.nix ]; @@ -48,7 +49,7 @@ # services.xserver.enable = true; - + # Configure keymap in X11 # services.xserver.xkb.layout = "us";
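Review bot: The age identity is derived from `/etc/ssh/ssh_host_ed25519_key`, so the recipients in `.sops.yaml` must be the ssh-to-age conversion of that exact key and any rotation or reinstall that regenerates the host key silently breaks secret decryption at activation; nothing in the file says this. Add a comment above the option, e.g. `# age identity is derived from the SSH host key (ssh-to-age); rotating that key means re-keying every *.sops.yaml with the new recipient`. This path is also the sops-nix default when openssh is enabled (I believe — verify), so the explicit setting is harmless, but the comment is the part a future maintainer needs.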