fix: setting up sops

This commit is contained in:
truxnell 2024-03-16 23:46:36 +11:00
parent 80924b0c91
commit e9133714ad
9 changed files with 81 additions and 40 deletions


@ -1,9 +1,11 @@
--- ---
keys: keys:
- &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn - &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
- &nixosvm2 age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
creation_rules: creation_rules:
- path_regex: .*\.sops\.yaml$ - path_regex: .*\.sops\.yaml$
key_groups: key_groups:
- age: - age:
- *nixosvm - *nixosvm
- *nixosvm2
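Review bot: The added recipient `&nixosvm2` does not say which host or operator key it is, and because both anchors sit in the same `age:` list of a single key group, either key alone decrypts every file matching `.*\.sops\.yaml$`; that is presumably intended for a second host, but the file should say so. A comment on the new key line such as `# <hostname> host key, public key via ssh-to-age` (hostname to be filled in) would make the recipient list auditable. As written, a later reader cannot tell whether this is a second machine or a personal key, which matters when a key has to be rotated or removed.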


@ -1,3 +1,8 @@
{ {
"recommendations": ["jnoortheen.nix-ide"] "recommendations": [
"jnoortheen.nix-ide",
"shipitsmarter.sops-edit",
"ionutvmi.path-autocomplete",
"redhat.vscode-yaml"
]
} }


@ -18,7 +18,6 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };
outputs = { self, nixpkgs, sops-nix, ... }@inputs: outputs = { self, nixpkgs, sops-nix, ... }@inputs:
with inputs; with inputs;
@ -27,7 +26,7 @@
# Use nixpkgs-fmt for 'nix fmt' # Use nixpkgs-fmt for 'nix fmt'
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
# Each subdirectory in ./machines is a host. Add them all to # Each subdirectory in ./machines is a host. Add them all to
# nixosConfigurations. Host configurations need a file called # nixosConfigurations. Host configurations need a file called
# configuration.nix that will be read first # configuration.nix that will be read first
nixosConfigurations = builtins.listToAttrs (map nixosConfigurations = builtins.listToAttrs (map
@ -50,5 +49,5 @@
}; };
}) })
(builtins.attrNames (builtins.readDir ./nixos/hosts))); (builtins.attrNames (builtins.readDir ./nixos/hosts)));
}; };
} }


@ -1,7 +1,7 @@
{ inputs, outputs, config, ... }: { { inputs, outputs, config, ... }: {
# Time # Time
networking.timeServers = ["10.8.10.1"]; networking.timeServers = [ "10.8.10.1" ];
services.chrony = { services.chrony = {
enable = true; enable = true;
}; };
} }


@ -1 +0,0 @@
forward-address: hi


@ -3,42 +3,37 @@
{ inputs, outputs, pkgs, config, ... }: { { inputs, outputs, pkgs, config, ... }: {
# Disable resolvd to ensure it doesnt re-write /etc/resolv.conf # Disable resolvd to ensure it doesnt re-write /etc/resolv.conf
services.resolved.enable = false; config.services.resolved.enable = false;
# Fix this devices DNS resolv.conf # Fix this devices DNS resolv.conf else resolvd will point it to dnscrypt
networking = { # causing a risk of no dns if service fails.
nameservers = [ "10.8.10.1" ]; config.networking = {
nameservers = [ "10.8.10.1" ]; # TODO make varible IP
dhcpcd.extraConfig = "nohook resolv.conf"; dhcpcd.extraConfig = "nohook resolv.conf";
}; };
services.dnscrypt-proxy2 = { # configure secret for forwarding rules
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0440";
# Restart dnscrypt when secret changes
config.sops.secrets.monitoring_token.restartUnits = [ "dnscrypt-proxy2" ];
config.services.dnscrypt-proxy2 = {
enable = true; enable = true;
settings = { settings = {
require_dnssec = true; require_dnssec = true;
forwarding_rules = pkgs.writeText "forwarding-rules.txt" '' forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;
natallan.com 10.8.10.1
sonarr.trux.dev 10.8.20.11 server_names = [ "NextDNS-f6fe35" ];
radarr.trux.dev 10.8.20.11
lidarr.trux.dev 10.8.20.11 static = {
qbittorrent.trux.dev 10.8.20.11 "NextDNS-f6fe35" = {
qbittorrent-lidarr.trux.dev 10.8.20.11 stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
syncthing.trux.dev 10.8.20.11
qbittorrent-readarr.trux.dev 10.8.20.11
filebrowser.trux.dev 10.8.20.11
minio.trux.dev 10.8.20.11
sabnzbd.trux.dev 10.8.20.11
trux.dev 10.8.20.203
'';
server_names = ["NextDNS-f6fe35"];
static = {
"NextDNS-f6fe35" = {
stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
};
}; };
};
}; };
}; };
} }
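Review bot: The `restartUnits` on the new side is attached to `config.sops.secrets.monitoring_token`, a secret this module never declares, so the forwarding-rules secret beside it gets no restart hook and sops-nix will either fail evaluation (no `sopsFile` and no visible `defaultSopsFile`) or try to provision an undefined `monitoring_token`; the line should read `config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2.service" ];` (the `.service` suffix is what the sops-nix examples use, worth confirming whether the bare name is accepted). The secret is also given `mode = "0440"` while keeping sops-nix's default root:root ownership; if the NixOS dnscrypt-proxy2 service runs as a non-root `DynamicUser`, as I believe it does, it cannot open the path assigned to `forwarding_rules` and name resolution for the listed domains silently falls through to the upstream resolver, so either set `owner`/`group` to the service's user or confirm the service actually runs as root. The comment `# Restart dnscrypt when secret changes` is correct in intent and should stay on the corrected line.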


@ -0,0 +1,33 @@
system:
networking:
dnscrypt-proxy2:
forwarding-rules: ENC[AES256_GCM,data:l4Sq/FCZ3WskAm9vjE1S95AX6ljcULOuc1jjuraJ4ZogEyBe4zlyrFv7LxTFX8myTewWlM0987B3o04ls3WU5nSA9wU54aTEQiFvXDJogCqLZ6SpMHqHMsStUTt6xcF1NXmnHbuneh9UAVeiWjqOprkh/Ndix0ksjYjZF+gjvxq7sLBidn77pNLuaEY+B7wCUUEnYXcJbhGAuWXYnaxdYoc8rv018e4gWjgG1gbpCXq47osjCHQ+jUzU0quMdw418nOGDUVigAaXExeQE4BTDXPCfEL4eGVYWcD7pBfsTPDDIK8OqTNjku41tLdCNmCUk/yS+jFmbfeq/nS2EEy0FRk2O4zikUArdmGKmq9Gsb4cuCL2274NqZ7zIr9YKMqYFbDFN5eh4qcCPPsiLooYdNMIuScWIpDdvHN3o8CyosmiweeqNan48juze9X5pW0zpVPFfBHuEdysAt1mDJok3rE=,iv:T4gfKOShNUT7NOBrnbJf9UCmbiQF3JFqLdFaG+1zhcw=,tag:Po4hhwgxy097ULi4KPpztQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCVnZ2SmJxeURPc3Q2UWla
eHBXTWdlSGtGTFR6b25TWU9YZy9rMlhHU1NnClhQOE5Qc0hxbERoeUdhUGhtaTVM
d283LzYvZ1lKVXRjYi94bzVaNmo5WlUKLS0tIEhQbGtvS094d1M2cUlPWXF6Y3o4
dUdkcHRsQ095V3hUc0hjdFUzNUtOa2sKenpNvjeoouaOG41aHfMtU6GVQ7CQ4h6h
y8DoqXGNLUfPxK1Rlrt1G3zyeOq++Ea+tJErD9pxasYNbXE7ZsAuMQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaXBDRFcwbld0MnlvYm9W
Vlkxa1FFRmZLZmtlS0hLSWpjZ0U1eGtHT2x3CmMwWFFkTjZKTDk2NXE3MGpYL2xP
dWN6VWF2ZDZGYUFmTC9UYlh6bUR6UDAKLS0tIEtHV3l0TWQ3Z01oWUt5clVMbFJl
OTZyeCtKbHRCMXZpcGNlcjNzWDFlNjgKZOL4fRxqefBVIkGgh6ToaxR/oNNxKXGB
7pCsMJDc9B5A8tg2FOCD30biec3HeXmvBlFQgwAWvSNa1TYmZpT3KA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-16T12:22:42Z"
mac: ENC[AES256_GCM,data:hjTjQ2U3b9vvo3hXBv5HUn/zyqwgiMjMWop/cG7jklG6wRjZ4fpFGKW4YJqkSYJYlJIkQtLXE28Nw8rLRbgu77Uw6yaAiTEH8hYYTFvFqiXyQKR4ORMOp7OcvpT9K+sdoKkNmwkxJZzwzgmv7ua2LWlY9hnUZow+2rJWm0z+zOk=,iv:2vMwU3CwqZGfA0MbwxbMSHrsHKHlSf84Jwxw+zjcf1o=,tag:viLrQGbAKTeWRbHQujc7SQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,7 @@
{ inputs, outputs, config, ... }: {
# SOPS settings
# https://github.com/Mic92/sops-nix
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}
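Review bot: The new module sets only `sops.age.sshKeyPaths`, and the contract that makes it work is left implicit: the host's ed25519 SSH key is turned into an age identity at activation, so the recipient in `.sops.yaml` must be the age public key derived from that same host key, otherwise every secret fails to decrypt at activation time. A comment above the option such as `# Decrypt with the host's ed25519 SSH key (converted to age); its ssh-to-age public key must be listed as a recipient in .sops.yaml` would make that dependency explicit. No `sops.defaultSopsFile` is set here, so each `sops.secrets.<name>` declaration must carry its own `sopsFile` — the dnscrypt module does, but the requirement is worth stating in the same comment. The `inputs, outputs, config` arguments are unused in this file.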


@ -6,7 +6,7 @@
{ {
imports = imports =
[ [
# Host-specific # Host-specific
./hardware-configuration.nix ./hardware-configuration.nix
@ -20,6 +20,7 @@
../common/optional/gnome.nix ../common/optional/gnome.nix
../common/optional/editors/vscode ../common/optional/editors/vscode
../common/optional/firefox.nix ../common/optional/firefox.nix
../common/optional/sops-nix.nix
]; ];
@ -48,7 +49,7 @@
# services.xserver.enable = true; # services.xserver.enable = true;
# Configure keymap in X11 # Configure keymap in X11
# services.xserver.xkb.layout = "us"; # services.xserver.xkb.layout = "us";