fix: setting up sops
This commit is contained in:
parent
80924b0c91
commit
e9133714ad
9 changed files with 81 additions and 40 deletions
|
@ -1,9 +1,11 @@
|
|||
---
|
||||
keys:
|
||||
- &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
|
||||
- &nixosvm2 age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
|
||||
|
||||
creation_rules:
|
||||
- path_regex: .*\.sops\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *nixosvm
|
||||
- *nixosvm2
|
||||
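Review bot: The single creation rule grants both `*nixosvm` and `*nixosvm2` to every file matching `.*\.sops\.yaml$`, so every secret in the repository is decryptable by either host's key. That is fine if the two hosts are meant to share all secrets, but a compromise of one host key then exposes everything; per-host rules (a `path_regex` scoped to each host's directory, listing only that host's recipient) would keep host-specific secrets readable by the host that needs them. The file header for this section is not visible, so I am assuming this is the repository's `.sops.yaml`; the `age1…` values are public recipient keys and are fine to commit.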
|
|
7
.vscode/extensions.json
vendored
7
.vscode/extensions.json
vendored
|
@ -1,3 +1,8 @@
|
|||
{
|
||||
"recommendations": ["jnoortheen.nix-ide"]
|
||||
"recommendations": [
|
||||
"jnoortheen.nix-ide",
|
||||
"shipitsmarter.sops-edit",
|
||||
"ionutvmi.path-autocomplete",
|
||||
"redhat.vscode-yaml"
|
||||
]
|
||||
}
|
||||
|
|
|
@ -18,7 +18,6 @@
|
|||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
outputs = { self, nixpkgs, sops-nix, ... }@inputs:
|
||||
with inputs;
|
||||
|
@ -27,7 +26,7 @@
|
|||
# Use nixpkgs-fmt for 'nix fmt'
|
||||
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
|
||||
|
||||
# Each subdirectory in ./machines is a host. Add them all to
|
||||
# Each subdirectory in ./machines is a host. Add them all to
|
||||
# nixosConfigurations. Host configurations need a file called
|
||||
# configuration.nix that will be read first
|
||||
nixosConfigurations = builtins.listToAttrs (map
|
||||
|
@ -50,5 +49,5 @@
|
|||
};
|
||||
})
|
||||
(builtins.attrNames (builtins.readDir ./nixos/hosts)));
|
||||
};
|
||||
}
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ inputs, outputs, config, ... }: {
|
||||
# Time
|
||||
networking.timeServers = ["10.8.10.1"];
|
||||
# Time
|
||||
networking.timeServers = [ "10.8.10.1" ];
|
||||
services.chrony = {
|
||||
enable = true;
|
||||
};
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
forward-address: hi
|
|
@ -3,42 +3,37 @@
|
|||
{ inputs, outputs, pkgs, config, ... }: {
|
||||
|
||||
# Disable resolvd to ensure it doesnt re-write /etc/resolv.conf
|
||||
services.resolved.enable = false;
|
||||
|
||||
# Fix this devices DNS resolv.conf
|
||||
networking = {
|
||||
nameservers = [ "10.8.10.1" ];
|
||||
|
||||
config.services.resolved.enable = false;
|
||||
|
||||
# Fix this devices DNS resolv.conf else resolvd will point it to dnscrypt
|
||||
# causing a risk of no dns if service fails.
|
||||
config.networking = {
|
||||
nameservers = [ "10.8.10.1" ]; # TODO make varible IP
|
||||
|
||||
dhcpcd.extraConfig = "nohook resolv.conf";
|
||||
};
|
||||
|
||||
services.dnscrypt-proxy2 = {
|
||||
# configure secret for forwarding rules
|
||||
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
|
||||
config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0440";
|
||||
|
||||
# Restart dnscrypt when secret changes
|
||||
config.sops.secrets.monitoring_token.restartUnits = [ "dnscrypt-proxy2" ];
|
||||
|
||||
config.services.dnscrypt-proxy2 = {
|
||||
enable = true;
|
||||
settings = {
|
||||
require_dnssec = true;
|
||||
require_dnssec = true;
|
||||
|
||||
forwarding_rules = pkgs.writeText "forwarding-rules.txt" ''
|
||||
natallan.com 10.8.10.1
|
||||
sonarr.trux.dev 10.8.20.11
|
||||
radarr.trux.dev 10.8.20.11
|
||||
lidarr.trux.dev 10.8.20.11
|
||||
qbittorrent.trux.dev 10.8.20.11
|
||||
qbittorrent-lidarr.trux.dev 10.8.20.11
|
||||
syncthing.trux.dev 10.8.20.11
|
||||
qbittorrent-readarr.trux.dev 10.8.20.11
|
||||
filebrowser.trux.dev 10.8.20.11
|
||||
minio.trux.dev 10.8.20.11
|
||||
sabnzbd.trux.dev 10.8.20.11
|
||||
trux.dev 10.8.20.203
|
||||
'';
|
||||
|
||||
server_names = ["NextDNS-f6fe35"];
|
||||
|
||||
static = {
|
||||
"NextDNS-f6fe35" = {
|
||||
stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
|
||||
};
|
||||
forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path;
|
||||
|
||||
server_names = [ "NextDNS-f6fe35" ];
|
||||
|
||||
static = {
|
||||
"NextDNS-f6fe35" = {
|
||||
stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
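Review bot: The restart hook `config.sops.secrets.monitoring_token.restartUnits = [ "dnscrypt-proxy2" ];` is attached to a secret this file never declares, while the comment above it says it should fire when the forwarding-rules secret changes; it should read `config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2.service" ];` (sops-nix examples use the `.service` suffix, though systemctl also accepts the bare name). The same secret gets `mode = "0440"` with no `owner`/`group`, so at sops-nix's defaults it is readable only by root and the root group; unless the dnscrypt-proxy2 service runs as root, which I would not expect, the `forwarding_rules` path handed to it will be unreadable, so set `owner`/`group` to the daemon's user or confirm against the NixOS module what user it runs as. Separately, the plaintext rules this commit removes from `forwarding_rules` remain in git history with this commit, so moving them into the sops file does not retract anything that has already been pushed.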
|
|
33
nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml
Normal file
33
nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml
Normal file
|
@ -0,0 +1,33 @@
|
|||
system:
|
||||
networking:
|
||||
dnscrypt-proxy2:
|
||||
forwarding-rules: ENC[AES256_GCM,data:l4Sq/FCZ3WskAm9vjE1S95AX6ljcULOuc1jjuraJ4ZogEyBe4zlyrFv7LxTFX8myTewWlM0987B3o04ls3WU5nSA9wU54aTEQiFvXDJogCqLZ6SpMHqHMsStUTt6xcF1NXmnHbuneh9UAVeiWjqOprkh/Ndix0ksjYjZF+gjvxq7sLBidn77pNLuaEY+B7wCUUEnYXcJbhGAuWXYnaxdYoc8rv018e4gWjgG1gbpCXq47osjCHQ+jUzU0quMdw418nOGDUVigAaXExeQE4BTDXPCfEL4eGVYWcD7pBfsTPDDIK8OqTNjku41tLdCNmCUk/yS+jFmbfeq/nS2EEy0FRk2O4zikUArdmGKmq9Gsb4cuCL2274NqZ7zIr9YKMqYFbDFN5eh4qcCPPsiLooYdNMIuScWIpDdvHN3o8CyosmiweeqNan48juze9X5pW0zpVPFfBHuEdysAt1mDJok3rE=,iv:T4gfKOShNUT7NOBrnbJf9UCmbiQF3JFqLdFaG+1zhcw=,tag:Po4hhwgxy097ULi4KPpztQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCVnZ2SmJxeURPc3Q2UWla
|
||||
eHBXTWdlSGtGTFR6b25TWU9YZy9rMlhHU1NnClhQOE5Qc0hxbERoeUdhUGhtaTVM
|
||||
d283LzYvZ1lKVXRjYi94bzVaNmo5WlUKLS0tIEhQbGtvS094d1M2cUlPWXF6Y3o4
|
||||
dUdkcHRsQ095V3hUc0hjdFUzNUtOa2sKenpNvjeoouaOG41aHfMtU6GVQ7CQ4h6h
|
||||
y8DoqXGNLUfPxK1Rlrt1G3zyeOq++Ea+tJErD9pxasYNbXE7ZsAuMQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaXBDRFcwbld0MnlvYm9W
|
||||
Vlkxa1FFRmZLZmtlS0hLSWpjZ0U1eGtHT2x3CmMwWFFkTjZKTDk2NXE3MGpYL2xP
|
||||
dWN6VWF2ZDZGYUFmTC9UYlh6bUR6UDAKLS0tIEtHV3l0TWQ3Z01oWUt5clVMbFJl
|
||||
OTZyeCtKbHRCMXZpcGNlcjNzWDFlNjgKZOL4fRxqefBVIkGgh6ToaxR/oNNxKXGB
|
||||
7pCsMJDc9B5A8tg2FOCD30biec3HeXmvBlFQgwAWvSNa1TYmZpT3KA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-03-16T12:22:42Z"
|
||||
mac: ENC[AES256_GCM,data:hjTjQ2U3b9vvo3hXBv5HUn/zyqwgiMjMWop/cG7jklG6wRjZ4fpFGKW4YJqkSYJYlJIkQtLXE28Nw8rLRbgu77Uw6yaAiTEH8hYYTFvFqiXyQKR4ORMOp7OcvpT9K+sdoKkNmwkxJZzwzgmv7ua2LWlY9hnUZow+2rJWm0z+zOk=,iv:2vMwU3CwqZGfA0MbwxbMSHrsHKHlSf84Jwxw+zjcf1o=,tag:viLrQGbAKTeWRbHQujc7SQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
7
nixos/hosts/common/optional/sops-nix.nix
Normal file
7
nixos/hosts/common/optional/sops-nix.nix
Normal file
|
@ -0,0 +1,7 @@
|
|||
{ inputs, outputs, config, ... }: {
|
||||
# SOPS settings
|
||||
# https://github.com/Mic92/sops-nix
|
||||
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
}
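Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` only takes effect if the sops-nix NixOS module itself is in the host's module list, and nothing in this commit shows `sops-nix.nixosModules.sops` being added: the visible flake.nix hunks touch formatting and the `outputs` signature, and the host's `configuration.nix` hunk adds this file to `imports` but not the module. If it is wired up somewhere outside these hunks this is fine; otherwise evaluation fails on an undefined `sops` option. The comment block could also say where the age recipients in `.sops.yaml` come from, e.g. `# The host decrypts with an age identity derived from its SSH host key; each recipient in .sops.yaml must be the ssh-to-age conversion of that host's ssh_host_ed25519_key.pub`. As a style point, `inputs`, `outputs` and `config` are bound in the signature but unused, so `{ ... }: {` would do.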
|
|
@ -6,7 +6,7 @@
|
|||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
[
|
||||
# Host-specific
|
||||
./hardware-configuration.nix
|
||||
|
||||
|
@ -20,6 +20,7 @@
|
|||
../common/optional/gnome.nix
|
||||
../common/optional/editors/vscode
|
||||
../common/optional/firefox.nix
|
||||
../common/optional/sops-nix.nix
|
||||
|
||||
];
|
||||
|
||||
|
@ -48,7 +49,7 @@
|
|||
# services.xserver.enable = true;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# Configure keymap in X11
|
||||
# services.xserver.xkb.layout = "us";
|
||||
|
|