Compare commits
3 commits
60b72e5595
...
c9902bebc2
Author | SHA1 | Date | |
---|---|---|---|
c9902bebc2 | |||
67e83e764c | |||
f16e385288 |
5 changed files with 89 additions and 2 deletions
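--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,12 @@
+keys:
+- users:
+- &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+- hosts:
+- &telperion age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg
+
+creation_rules:
+- path_regex: secrets.yaml$
+key_groups:
+- age:
+- *jahanson
+- *telperion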
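Review bot: `path_regex: secrets.yaml$` is not anchored at the start and its `.` is unescaped, so the rule also matches any path that merely ends in `secrets.yaml`; `^secrets\.yaml$` pins it to the one file this commit adds. It would also help the next maintainer to record where the host recipient came from, e.g. `# telperion: ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub` above the `&telperion` anchor, since that recipient is tied to the host's SSH identity rather than to a user-managed age key. Both recipients sit in a single key group, so either the user key or the host key alone can decrypt every matching file; that looks intended, but any new host or key rotation then needs `sops updatekeys secrets.yaml` to re-wrap the data key, which is worth a comment next to `creation_rules`.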
|
@ -1,7 +1,28 @@
|
||||||
{ pkgs, ... }:
|
{ inputs, pkgs, ... }:
|
||||||
{
|
{
|
||||||
|
|
||||||
imports = [ ../cachix.nix ];
|
imports = [
|
||||||
|
../cachix.nix
|
||||||
|
inputs.sops-nix.nixosModules.sops
|
||||||
|
];
|
||||||
|
|
||||||
|
sops = {
|
||||||
|
defaultSopsFile = ../secrets.yaml;
|
||||||
|
validateSopsFiles = false;
|
||||||
|
|
||||||
|
age = {
|
||||||
|
# Derives sops private key from host ssh private key and places it at /var/lib/sops-nix/key.txt.
|
||||||
|
sshKeyPath = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
keyFile = "/var/lib/sops-nix/key.txt";
|
||||||
|
generateKey = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
# # Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
|
||||||
|
# secrets = {
|
||||||
|
# rndc_keys = {};
|
||||||
|
# };
|
||||||
|
};
|
||||||
|
|
||||||
# Bootloader.
|
# Bootloader.
|
||||||
boot = {
|
boot = {
|
||||||
loader = {
|
loader = {
|
||||||
|
@ -161,6 +182,7 @@
|
||||||
|
|
||||||
# nix tools
|
# nix tools
|
||||||
nvd
|
nvd
|
||||||
|
nix-inspect
|
||||||
|
|
||||||
];
|
];
|
||||||
# my traceroute
|
# my traceroute
|
||||||
|
|
|
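Review bot: `validateSopsFiles = false;` at the top of the new `sops` block switches off the evaluation-time check that `defaultSopsFile` exists and is a well-formed sops file, so a missing or corrupt `../secrets.yaml` only surfaces when the host activates; because the file is referenced by a repo-relative path it is copied to the store anyway, so the default should work — either drop the line or add a comment stating why it is off. The `age.sshKeyPath` setup makes `/etc/ssh/ssh_host_ed25519_key` the decryption identity for every secret, so the comment above it should also say that this key must already exist when the activation script runs (on a fresh install it is normally generated by sshd, which may run later — to confirm) and that anyone who can read that file can decrypt the secrets. The commented-out `secrets` block here duplicates what a later hunk on this page configures per host; removing it keeps one source of truth. The enclosing attribute set continues past the end of the hunk.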
@ -128,4 +128,11 @@
|
||||||
};
|
};
|
||||||
wantedBy = [ "default.target" ];
|
wantedBy = [ "default.target" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Enable the OpenSSH daemon.
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
settings.PasswordAuthentication = false;
|
||||||
|
settings.KbdInteractiveAuthentication = false;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
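Review bot: the new `services.openssh` block disables password and keyboard-interactive logins but leaves `PermitRootLogin` at the module default; given that another hunk on this page makes the host SSH key the decryption identity for all sops secrets, state the root policy explicitly with `settings.PermitRootLogin = "prohibit-password";` (or `"no"` if root is never reached over SSH), so the intent is reviewable rather than inherited. Enabling the daemon also opens its port in the firewall under the NixOS defaults, as far as I recall — if that is not wanted on this host, add `openFirewall = false;`. The enclosing attribute set and the systemd unit ending in `wantedBy = [ "default.target" ]` start outside the hunk.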
@ -10,6 +10,15 @@
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
sops = {
|
||||||
|
# Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
|
||||||
|
secrets = {
|
||||||
|
"rndc_keys" = {
|
||||||
|
# owner = config.users.users
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# Use the systemd-boot EFI boot loader.
|
# Use the systemd-boot EFI boot loader.
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
@ -41,6 +50,11 @@
|
||||||
wget
|
wget
|
||||||
];
|
];
|
||||||
|
|
||||||
|
services.bind = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
# Some programs need SUID wrappers, can be configured further or are
|
# Some programs need SUID wrappers, can be configured further or are
|
||||||
# started in user sessions.
|
# started in user sessions.
|
||||||
programs.mtr.enable = true;
|
programs.mtr.enable = true;
|
||||||
|
|
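Review bot: `sops.secrets."rndc_keys" = { ... }` leaves the decrypted file at the module defaults, which the comment above it describes as root-only, while the `services.bind` daemon enabled in the second hunk runs under its own service account; unless bind reads the key through a root-side include at start-up, set `owner` to bind's user (the commented `# owner = config.users.users` hints at this, and using `config` would also require it in the module's argument list, which the hunk does not show). In `secrets.yaml` on this page `rndc_keys` is a map with `main` and `externaldns` beneath it rather than a leaf value, so the secret name likely needs to address a leaf (sops-nix accepts `/`-separated paths such as `"rndc_keys/main"`) or each key should get its own `sops.secrets` entry. `services.bind = { enable = true; }` never references the decrypted path, so as committed the key is decrypted but not wired into bind (e.g. via an `include` in `extraConfig`), and the daemon starts with the module defaults for listen addresses and permitted networks — worth a comment if that is intentional for this step.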
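--- a/secrets.yaml
+++ b/secrets.yaml
@@ -0,0 +1,32 @@
+rndc_keys:
+main: ENC[AES256_GCM,data:ohxkgif+L3sinvm8lJXrcFIdabkO/VgH8i/Ewca5XAI9QP+2LQudDQ5V2xwEQAjy0MCDzqNdwhQwKGGotr8KshxBJZZZ4sy7ZF57FJzIM+ySUb6n5faKz9PpGFFxu8pNhQkthjEF,iv:SpUGmPT2mBOIDWzBZTAk7Mr86OakbW4CPP7hY3DLJUw=,tag:3xaQxRSZrXSgg3x/hu+Y/Q==,type:str]
+externaldns: ENC[AES256_GCM,data:eMLZ9+vfkdtH2nxgZMB0FyCHc7+94lXLLfsyTvRVRCMKA+SKnzHQ1ep2pTGHRe8z9qdE9fzXNQAx8VyqxvQroadqFx8OA8yyfP5+A/a3GMQ3o+/dF9Nh8ysoLEZYvLk/qQYRSA0o/K39,iv:9wv4ySiQKWu4j7528aKdsX5XM/U+3BC05d/EgzK3gws=,tag:5XhYhSGETKP/exE2Zd6raA==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNzRsKytjQ25NN2xsU0hI
+MWZuRTZjRWNibnhnWkJsYklScmt5UFl2T2pBCnU4L2ZWVnRMclJaN2QyWHQwMVF2
+Z1hTZUEwMXAwamxRWXgyQ0VQMUY3UVkKLS0tIHVVUXljMzh1MEExTURPSkFoV09u
+MFB0VDhVUmxCc2JBaTlLV1BVTGJhVkEK2DtRNL6KBkBS23ywub66hpUcRn/Jea6k
++oXXU8kcQ30WqSupI6kUUK0Dd+at0vrV1tV/IkvfW0Qs5OzjgtPo5w==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoT3RINjA2SUVsT21EWFpm
+a2V2YytIMktRbSsrNkhlOGI4c2dRS2ZpakFZCmFTNGs5aXA4SW1PQnhSSHlQM0hL
+cFZvZzlXdGtXbjg2WDNDYytqQkpwYmsKLS0tIFAyUEkrVXJEYkhSNktQR2pQOWFz
+SHZmN3JDL1ExVHZ5K2txM2h6MzRKWE0KbS3kO9teIcRDY4hnb54LgWzcRQu7aGGf
+TjnTJzqKqmRRMLOs5be6wbrxBiRe9p5nCN/WJ9nqhr7rfNNMUiZePw==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-04-29T13:34:02Z"
+mac: ENC[AES256_GCM,data:mrsov4+aHrhdtbZAwGoSSYpRNzzOHlSasGerHmS3tkY3CNskFCpgKNsdGMRsPJdO5JQmccFIRM5FOjdhxA2df+o64HJBWqVR41GzSAczz6m8jcRonsezC/53z684sLttRozR2mLVqU13dnUTNi+IfynJU8FsdwqgUhT6Kb7IvSI=,iv:bTgYT5nczrVmpF6cSLFipvr+5vu00yAi0JkJkBLYQdQ=,tag:qQcqON806EmFy4rpla0NOA==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1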