fix: setting up sops
This commit is contained in:
parent
80924b0c91
commit
e9133714ad
9 changed files with 81 additions and 40 deletions
@ -1,9 +1,11 @@
---
---
keys:
keys:
- &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
- &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
- &nixosvm2 age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
creation_rules:
creation_rules:
- path_regex: .*\.sops\.yaml$
- path_regex: .*\.sops\.yaml$
key_groups:
key_groups:
- age:
- age:
- *nixosvm
- *nixosvm
- *nixosvm2
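Review bot: The new `nixosvm2` anchor carries no indication of which host it belongs to or where the age key came from, and the same is true of the existing `nixosvm` entry; since `sops-nix.nix` in this commit configures `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]`, each recipient here has to be the age conversion of that host's `ssh_host_ed25519_key.pub` or decryption on the host will fail silently at activation. A one-line comment per anchor, e.g. `# <hostname>: derived from /etc/ssh/ssh_host_ed25519_key.pub via ssh-to-age`, would let the next person re-key correctly when a host is rebuilt. The file header of this section is not shown on the page.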
7
.vscode/extensions.json
vendored
7
.vscode/extensions.json
vendored
@ -1,3 +1,8 @@
{
{
"recommendations": ["jnoortheen.nix-ide"]
"recommendations": [
"jnoortheen.nix-ide",
"shipitsmarter.sops-edit",
"ionutvmi.path-autocomplete",
"redhat.vscode-yaml"
]
}
}
@ -18,7 +18,6 @@
inputs.nixpkgs.follows = "nixpkgs";
inputs.nixpkgs.follows = "nixpkgs";
};
};
};
};
outputs = { self, nixpkgs, sops-nix, ... }@inputs:
outputs = { self, nixpkgs, sops-nix, ... }@inputs:
with inputs;
with inputs;
@ -27,7 +26,7 @@
# Use nixpkgs-fmt for 'nix fmt'
# Use nixpkgs-fmt for 'nix fmt'
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
# Each subdirectory in ./machines is a host. Add them all to
# Each subdirectory in ./machines is a host. Add them all to
# nixosConfigurations. Host configurations need a file called
# nixosConfigurations. Host configurations need a file called
# configuration.nix that will be read first
# configuration.nix that will be read first
nixosConfigurations = builtins.listToAttrs (map
nixosConfigurations = builtins.listToAttrs (map
@ -50,5 +49,5 @@
};
};
})
})
(builtins.attrNames (builtins.readDir ./nixos/hosts)));
(builtins.attrNames (builtins.readDir ./nixos/hosts)));
};
};
}
}
@ -1,7 +1,7 @@
{ inputs, outputs, config, ... }: {
{ inputs, outputs, config, ... }: {
# Time
# Time
networking.timeServers = ["10.8.10.1"];
networking.timeServers = [ "10.8.10.1" ];
services.chrony = {
services.chrony = {
enable = true;
enable = true;
};
};
}
}
@ -1 +0,0 @@
forward-address: hi
@ -3,42 +3,37 @@
{ inputs, outputs, pkgs, config, ... }: {
{ inputs, outputs, pkgs, config, ... }: {
# Disable resolvd to ensure it doesnt re-write /etc/resolv.conf
# Disable resolvd to ensure it doesnt re-write /etc/resolv.conf
services.resolved.enable = false;
config.services.resolved.enable = false;
# Fix this devices DNS resolv.conf
# Fix this devices DNS resolv.conf else resolvd will point it to dnscrypt
networking = {
# causing a risk of no dns if service fails.
nameservers = [ "10.8.10.1" ];
config.networking = {
nameservers = [ "10.8.10.1" ]; # TODO make varible IP
dhcpcd.extraConfig = "nohook resolv.conf";
dhcpcd.extraConfig = "nohook resolv.conf";
};
};
services.dnscrypt-proxy2 = {
# configure secret for forwarding rules
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0440";
# Restart dnscrypt when secret changes
config.sops.secrets.monitoring_token.restartUnits = [ "dnscrypt-proxy2" ];
config.services.dnscrypt-proxy2 = {
enable = true;
enable = true;
settings = {
settings = {
require_dnssec = true;
require_dnssec = true;
forwarding_rules = pkgs.writeText "forwarding-rules.txt" ''
forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;
natallan.com 10.8.10.1
sonarr.trux.dev 10.8.20.11
server_names = [ "NextDNS-f6fe35" ];
radarr.trux.dev 10.8.20.11
lidarr.trux.dev 10.8.20.11
static = {
qbittorrent.trux.dev 10.8.20.11
"NextDNS-f6fe35" = {
qbittorrent-lidarr.trux.dev 10.8.20.11
stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
syncthing.trux.dev 10.8.20.11
qbittorrent-readarr.trux.dev 10.8.20.11
filebrowser.trux.dev 10.8.20.11
minio.trux.dev 10.8.20.11
sabnzbd.trux.dev 10.8.20.11
trux.dev 10.8.20.203
'';
server_names = ["NextDNS-f6fe35"];
static = {
"NextDNS-f6fe35" = {
stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
};
};
};
};
};
};
};
};
}
}
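Review bot: `config.sops.secrets.monitoring_token.restartUnits = [ "dnscrypt-proxy2" ];` attaches the restart to a secret named `monitoring_token`, which nothing in this hunk declares or reads, while the forwarding-rules secret that `forwarding_rules` actually points at gets no `restartUnits`, so the comment "Restart dnscrypt when secret changes" does not describe what the code does; the line should read `config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];`. Declaring `monitoring_token` here also makes sops-nix look that key up in whatever default sops file is configured (not visible in this commit), which is likely to fail evaluation or activation until the key exists. Separately, `mode = "0440"` combined with sops-nix's default owner leaves the decrypted file readable only by root and root's group; if the dnscrypt-proxy2 unit runs as an unprivileged or dynamic user (I believe the NixOS module does), it will be unable to open `forwarding_rules`, so set `owner`/`group` to match the service or verify the service can read the path. Note that the rules removed from this file remain in cleartext in the repository history; moving them into the encrypted file does not retire them.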
33
nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml
Normal file
33
nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml
Normal file
@ -0,0 +1,33 @@
system:
networking:
dnscrypt-proxy2:
forwarding-rules: ENC[AES256_GCM,data:l4Sq/FCZ3WskAm9vjE1S95AX6ljcULOuc1jjuraJ4ZogEyBe4zlyrFv7LxTFX8myTewWlM0987B3o04ls3WU5nSA9wU54aTEQiFvXDJogCqLZ6SpMHqHMsStUTt6xcF1NXmnHbuneh9UAVeiWjqOprkh/Ndix0ksjYjZF+gjvxq7sLBidn77pNLuaEY+B7wCUUEnYXcJbhGAuWXYnaxdYoc8rv018e4gWjgG1gbpCXq47osjCHQ+jUzU0quMdw418nOGDUVigAaXExeQE4BTDXPCfEL4eGVYWcD7pBfsTPDDIK8OqTNjku41tLdCNmCUk/yS+jFmbfeq/nS2EEy0FRk2O4zikUArdmGKmq9Gsb4cuCL2274NqZ7zIr9YKMqYFbDFN5eh4qcCPPsiLooYdNMIuScWIpDdvHN3o8CyosmiweeqNan48juze9X5pW0zpVPFfBHuEdysAt1mDJok3rE=,iv:T4gfKOShNUT7NOBrnbJf9UCmbiQF3JFqLdFaG+1zhcw=,tag:Po4hhwgxy097ULi4KPpztQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCVnZ2SmJxeURPc3Q2UWla
eHBXTWdlSGtGTFR6b25TWU9YZy9rMlhHU1NnClhQOE5Qc0hxbERoeUdhUGhtaTVM
d283LzYvZ1lKVXRjYi94bzVaNmo5WlUKLS0tIEhQbGtvS094d1M2cUlPWXF6Y3o4
dUdkcHRsQ095V3hUc0hjdFUzNUtOa2sKenpNvjeoouaOG41aHfMtU6GVQ7CQ4h6h
y8DoqXGNLUfPxK1Rlrt1G3zyeOq++Ea+tJErD9pxasYNbXE7ZsAuMQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaXBDRFcwbld0MnlvYm9W
Vlkxa1FFRmZLZmtlS0hLSWpjZ0U1eGtHT2x3CmMwWFFkTjZKTDk2NXE3MGpYL2xP
dWN6VWF2ZDZGYUFmTC9UYlh6bUR6UDAKLS0tIEtHV3l0TWQ3Z01oWUt5clVMbFJl
OTZyeCtKbHRCMXZpcGNlcjNzWDFlNjgKZOL4fRxqefBVIkGgh6ToaxR/oNNxKXGB
7pCsMJDc9B5A8tg2FOCD30biec3HeXmvBlFQgwAWvSNa1TYmZpT3KA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-16T12:22:42Z"
mac: ENC[AES256_GCM,data:hjTjQ2U3b9vvo3hXBv5HUn/zyqwgiMjMWop/cG7jklG6wRjZ4fpFGKW4YJqkSYJYlJIkQtLXE28Nw8rLRbgu77Uw6yaAiTEH8hYYTFvFqiXyQKR4ORMOp7OcvpT9K+sdoKkNmwkxJZzwzgmv7ua2LWlY9hnUZow+2rJWm0z+zOk=,iv:2vMwU3CwqZGfA0MbwxbMSHrsHKHlSf84Jwxw+zjcf1o=,tag:viLrQGbAKTeWRbHQujc7SQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
7
nixos/hosts/common/optional/sops-nix.nix
Normal file
7
nixos/hosts/common/optional/sops-nix.nix
Normal file
@ -0,0 +1,7 @@
{ inputs, outputs, config, ... }: {
# SOPS settings
# https://github.com/Mic92/sops-nix
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}
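Review bot: This module sets `sops.age.sshKeyPaths` but I cannot see where the sops-nix NixOS module itself is imported; `flake.nix` in this commit takes `sops-nix` as an input, yet no `sops-nix.nixosModules.sops` appears in the visible `nixosConfigurations` hunk or in the host's import list, and without it the `sops` option set does not exist and evaluation fails. If it is not imported elsewhere, adding `imports = [ inputs.sops-nix.nixosModules.sops ];` here would keep the secrets setup self-contained. A short comment noting that every recipient in `.sops.yaml` must be the age conversion of the host's `/etc/ssh/ssh_host_ed25519_key.pub` would also help whoever adds the next host, since a mismatch only shows up as a decryption failure at activation. The `inputs` and `outputs` arguments are currently unused in this file.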
@ -6,7 +6,7 @@
{
{
imports =
imports =
[
[
# Host-specific
# Host-specific
./hardware-configuration.nix
./hardware-configuration.nix
@ -20,6 +20,7 @@
../common/optional/gnome.nix
../common/optional/gnome.nix
../common/optional/editors/vscode
../common/optional/editors/vscode
../common/optional/firefox.nix
../common/optional/firefox.nix
../common/optional/sops-nix.nix
];
];
@ -48,7 +49,7 @@
# services.xserver.enable = true;
# services.xserver.enable = true;
# Configure keymap in X11
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.layout = "us";