diff --git a/common/default.nix b/common/default.nix
index 57fac8e..8bdfa2b 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -1,6 +1,7 @@
-{ var, ... }:
+{ var, inputs, ... }:
 {
 imports = [
+ inputs.agenix.nixosModules.default
 ../mod
 ../desktop
 ./boot.nix
diff --git a/common/users.nix b/common/users.nix
index 48a8b29..df339df 100644
--- a/common/users.nix
+++ b/common/users.nix
@@ -1,11 +1,17 @@
 {
- pkgs,
+ config,
 lib,
 options,
+ pkgs,
+ secrets,
 var,
 ...
 }:
 {
+ age.secrets.hd-password = {
+ file = secrets."hd-password.age";
+ };
+
 users = {
 mutableUsers = false;
 users."hd" = {
@@ -16,12 +22,12 @@
 extraGroups = [ "wheel" ];
 shell = pkgs.fish;
 packages = [ ];
- openssh.authorizedKeys.keys = var.ssh-keys.unprivileged;
- hashedPassword = "$y$jDT$dhvO.xqs8mopz.sFFul.q/$ud5642o7CnVetU6QEu0ctiVMFh7ngZznDf0wp4cXos8";
+ openssh.authorizedKeys.keys = var.ssh-keys.hd;
+ hashedPasswordFile = config.age.secrets.hd-password.path;
 };
 users.root = {
 hashedPassword = "!";
- openssh.authorizedKeys.keys = var.ssh-keys.priviliged;
+ openssh.authorizedKeys.keys = var.ssh-keys.root;
 };
 };
 }
diff --git a/flake.lock b/flake.lock
index de0a509..ded27f0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,28 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": [],
+ "home-manager": "home-manager",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1750173260,
+ "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "colmena": {
 "inputs": {
 "flake-compat": "flake-compat",
@@ -55,7 +78,7 @@
 },
 "flake-utils_2": {
 "inputs": {
- "systems": "systems"
+ "systems": "systems_2"
 },
 "locked": {
 "lastModified": 1731533236,
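Review bot: The yescrypt hash on the removed `hashedPassword` line stays recoverable from git history, so the switch to `hashedPasswordFile = config.age.secrets.hd-password.path;` only removes the exposure if the password is rotated and `secrets/hd-password.age` holds a hash of the new one; that should be stated in the commit message or tracked as a follow-up. The `age.secrets.hd-password` block added in the first hunk of this file sets no `mode`/`owner`, which is presumably fine because the activation step that creates users runs as root, but a one-line comment such as `# consumed at activation by the users step; root-only access is intended` would make the omission read as deliberate rather than forgotten.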
@@ -72,6 +95,27 @@
 }
 },
 "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1745494811,
+ "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "home-manager_2": {
 "inputs": {
 "nixpkgs": [
 "nixpkgs"
@@ -182,9 +226,10 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "colmena": "colmena",
 "flake-utils": "flake-utils_2",
- "home-manager": "home-manager",
+ "home-manager": "home-manager_2",
 "nixos-config-hidden": "nixos-config-hidden",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs_2"
@@ -220,6 +265,21 @@
 "repo": "default",
 "type": "github"
 }
+ },
+ "systems_2": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index 763b553..9c2d307 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,11 +12,17 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 flake-utils.url = "github:numtide/flake-utils";
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ inputs.darwin.follows = "";
+ };
 };
 outputs =
 {
 self,
+ agenix,
 colmena,
 flake-utils,
 home-manager,
@@ -31,6 +37,7 @@
 specialArgs = rec {
 inherit inputs lib';
 var = (lib'.walk-dir ./var)._map (f: import f { inherit lib var; });
+ secrets = lib'.walk-dir ./secrets;
 };
 overlays = _: {
 nixpkgs.overlays = [ colmena.overlay ];
@@ -91,8 +98,11 @@
 pkgs = import nixpkgs { inherit system; };
 in
 {
- devShells.withColmena = pkgs.mkShell {
- buildInputs = [ colmena.packages.${system}.colmena ];
+ devShells.default = pkgs.mkShell {
+ buildInputs = [
+ colmena.packages.${system}.colmena
+ agenix.packages.${system}.default
+ ];
 };
 formatter = pkgs.nixfmt-tree;
 }
diff --git a/host/c2/default.nix b/host/c2/default.nix
index 28a2e68..2e0b2a5 100644
--- a/host/c2/default.nix
+++ b/host/c2/default.nix
@@ -2,6 +2,10 @@
 {
 networking.hostName = "c2";
+ age.identityPaths = [
+ "/root/.ssh/id_ed25519"
+ ];
+
 imports = with inputs.nixos-hardware.nixosModules; [
 ./hardware-configuration.nix
 common-cpu-intel
diff --git a/host/roam/backup.nix b/host/roam/backup.nix
new file mode 100644
index 0000000..22a7191
--- /dev/null
+++ b/host/roam/backup.nix
@@ -0,0 +1,41 @@
+{
+ config,
+ pkgs,
+ secrets,
+ var,
+ ...
+}:
+{
+ age.secrets.roam-rclone-conf = {
+ file = secrets.roam."rclone-conf.age";
+ mode = "440";
+ owner = "root";
+ group = "root";
+ };
+
+ systemd = {
+ timers."backup-rclone" = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = true;
+ Unit = "backup-rclone.service";
+ };
+ };
+ services."backup-rclone" =
+ let
+ conf = config.age.secrets.roam-rclone-conf.path;
+ in
+ {
+ script = ''
+ ${pkgs.rclone}/bin/rclone --config ${conf} copy /home/hd/Documents odc:Documents
+ ${pkgs.rclone}/bin/rclone --config ${conf} copy /git odc:git
+ '';
+ path = [ pkgs.rclone ];
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ };
+ };
+ };
+}
diff --git a/host/roam/default.nix b/host/roam/default.nix
index 0cd2475..2e3e990 100644
--- a/host/roam/default.nix
+++ b/host/roam/default.nix
@@ -2,7 +2,12 @@
 {
 networking.hostName = "roam";
+ age.identityPaths = [
+ "/root/.ssh/id_ed25519"
+ ];
+
 imports = [
+ ./backup.nix
 ./git.nix
 ./hardware-configuration.nix
 ./networking.nix
diff --git a/host/roam/git.nix b/host/roam/git.nix
index c10f3bf..5d56b6a 100644
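Review bot: `age.identityPaths = [ "/root/.ssh/id_ed25519" ];` makes root's SSH client key the decryption identity, and the key set that secrets.nix encrypts to (`k.root`, i.e. `root-by-host` in var/ssh-keys.nix) is the same one common/users.nix puts in `users.root.openssh.authorizedKeys.keys`, so — assuming those public keys are the halves of these identity files, which decryption requires — one private key per host now grants both root SSH to every host and every secret in the repo. The same lines are added for roam and solo in this commit. Unless there is a reason to reuse the login key, the agenix default of the host keys under /etc/ssh keeps the two roles apart: encrypt to each host's `ssh_host_ed25519_key.pub` in secrets.nix and drop this block on all three hosts. If `/root/.ssh/id_ed25519` is kept, nothing in the configuration creates it, so a comment such as `# generated out of band; must exist before the first agenix activation` would record that dependency.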
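Review bot: `backup-rclone` runs as root (`User = "root";`) although both rclone commands only read /home/hd/Documents and /git, so some `serviceConfig` sandboxing — `ProtectSystem = "strict"; ProtectHome = "read-only"; PrivateTmp = true;` — would keep a misbehaving rclone from writing anywhere locally while still reaching the secret path (rclone's own state under $HOME may then need a `CacheDirectory`; verify on a manual run). Separately, the config is served from a `mode = "440"` secret path, so if the `odc:` remote is an OAuth-token remote that rclone refreshes, the refreshed token cannot be written back to `${conf}`; whether that matters depends on the remote type, which this hunk does not show, and a comment on the `conf` binding such as `# read-only; token lifetime is handled outside this file` would record the decision either way. The secret is also encrypted to all three hosts' keys by secrets.nix although only this file reads it; narrowing the recipient list to roam is a separate one-line change there.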
--- a/host/roam/git.nix
+++ b/host/roam/git.nix
@@ -8,6 +8,6 @@
 createHome = true;
 group = "git";
 shell = "${pkgs.git}/bin/git-shell";
- openssh.authorizedKeys.keys = var.ssh-keys.unprivileged;
+ openssh.authorizedKeys.keys = var.ssh-keys.hd;
 };
 }
diff --git a/host/roam/services.nix b/host/roam/services.nix
index b1b7fda..d6ad204 100644
--- a/host/roam/services.nix
+++ b/host/roam/services.nix
@@ -1,7 +1,5 @@
 {
 var,
- config,
- pkgs,
 ...
 }:
 {
@@ -36,26 +34,4 @@
 443
 ];
 };
-
- systemd = {
- timers."backup-rclone" = {
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnCalendar = "daily";
- Persistent = true;
- Unit = "backup-rclone.service";
- };
- };
- services."backup-rclone" = {
- script = ''
- ${pkgs.rclone}/bin/rclone copy /home/hd/Documents odc:Documents
- ${pkgs.rclone}/bin/rclone copy /git odc:git
- '';
- path = [ pkgs.rclone ];
- serviceConfig = {
- Type = "oneshot";
- User = "root";
- };
- };
- };
 }
diff --git a/host/solo/default.nix b/host/solo/default.nix
index 0752652..63db5a0 100644
--- a/host/solo/default.nix
+++ b/host/solo/default.nix
@@ -2,6 +2,10 @@
 {
 networking.hostName = "solo";
+ age.identityPaths = [
+ "/root/.ssh/id_ed25519"
+ ];
+
 imports = [
 ./hardware-configuration.nix
 ./keyboard.nix
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..a2160e3
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,12 @@
+let
+ keys =
+ let
+ k = (import ./var/ssh-keys.nix { });
+ in
+ k.root; # ++ k.hd;
+ secrets = [
+ "roam/rclone-conf"
+ "hd-password"
+ ];
+in
+builtins.foldl' (acc: x: acc // { "secrets/${x}.age".publicKeys = keys; }) { } secrets
diff --git a/secrets/hd-password.age b/secrets/hd-password.age
new file mode 100644
index 0000000..a6d79af
--- /dev/null
+++ b/secrets/hd-password.age
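Review bot: The single `keys` list is applied to every entry in the `builtins.foldl'` line, so `secrets/roam/rclone-conf.age` is encrypted to the root keys of solo and c2 as well as roam, although only host/roam/backup.nix reads it; a compromise of either other host therefore also yields the rclone credentials. `hd-password` genuinely needs every host, since the `hd` user is declared in common/users.nix, but the recipient list should be per secret rather than global, and the `k.root; # ++ k.hd;` leftover should become a real decision or be removed. Changing recipients means re-encrypting the existing files (`agenix -r`). A per-secret shape that keeps the file short:
```nix
let
  k = import ./var/ssh-keys.nix { };
  # recipients per secret: only the hosts that must be able to decrypt it
  recipients = {
    "roam/rclone-conf" = [ k.root-by-host."roam" ];
    "hd-password" = k.root; # hd is declared in common/users.nix, i.e. on every host
  };
in
builtins.listToAttrs (
  map (name: {
    name = "secrets/${name}.age";
    value.publicKeys = recipients.${name};
  }) (builtins.attrNames recipients)
)
```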
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 ydxpSQ M0sDsl0um+whNdnXrl5RMp8BAXdVe1n8K41L6HXizG4
+hIV5u4+ZPujJsNwet9UC2wnAFgpFe+b4BGtsNhah/34
+-> ssh-ed25519 gbs8eg lNj3bYYZXf28MzvjOJ052zOg7xOROf3MjUWR35ZJfWw
+Pxqa+IqRVAhoJdV/Muzt74rfoYBxE4YLh7y8KWwHaG0
+-> ssh-ed25519 FTMbvw 7deJR8NLmOWT/RKUa+JbdZ7KYcLNqYxuYS9y/eOYoE8
+haM8XoJVYTUVEEEuMbCdQxuOeZZT8ILtaGWG/uRDo+0
+--- MKr7VcEMTYpu+gNelWf7vIZvU/TpyH/N61shLABcitA
+Ϻa̓UJm!yaُΌnxE8Kw * Z%MV:ò A֚K;&
+~G;jyJ[6zK/4Ҳ?
\ No newline at end of file
diff --git a/secrets/roam/rclone-conf.age b/secrets/roam/rclone-conf.age
new file mode 100644
index 0000000..2c67c31
Binary files /dev/null and b/secrets/roam/rclone-conf.age differ
diff --git a/var/ssh-keys.nix b/var/ssh-keys.nix
index 36cd86f..51c08b0 100644
--- a/var/ssh-keys.nix
+++ b/var/ssh-keys.nix
@@ -1,14 +1,16 @@
 _: rec {
 # this is only used for forcing password entry on colmena apply
- priviliged-by-host = {
+ root-by-host = {
 "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
 "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAZaswaiA+oQ9NviADYFf7BJQHNlmdxQuocIdoJmv3o";
+ "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID++uLcQOx/to3sEo5Nk97CenGf0Y6/dMsBbLouVTgIQ";
 };
- priviliged = builtins.attrValues priviliged-by-host;
+ root = builtins.attrValues root-by-host;
- unprivileged-by-host = {
+ hd-by-host = {
 "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
 "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
+ "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDlh8hY01wwmNtfa1eK3mVBIcytdh4n/kV05gP9z1Lc";
 };
- unprivileged = builtins.attrValues unprivileged-by-host;
+ hd = builtins.attrValues hd-by-host;
 }
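Review bot: The context comment `# this is only used for forcing password entry on colmena apply` above the renamed `root-by-host` is now stale: after this commit the same set feeds `users.root.openssh.authorizedKeys.keys` in common/users.nix and, via `k.root`, the agenix recipient list in secrets.nix, so it is a fleet-wide root credential and decryption identity, not a colmena convenience. Replace it with something like `# per-host public keys of root's SSH identity; authorized for root login on every host and used as agenix recipients in secrets.nix` so the next reader understands what adding a key to this set grants. The `roam` entries added in both maps are consistent with the other hosts and need nothing further.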