mirror of
https://github.com/Swarsel/.dotfiles.git
synced 2025-12-06 09:07:21 +01:00
feat: repo-local secrets implemented for yubikey
This commit is contained in:
Leon Schwarzäugl
parent
609bb1597f
commit
85cbd5e1f6
GPG key ID:
26A54C31F2A4FD84
11 changed files with 230 additions and 60 deletions
|
|
@ -3990,6 +3990,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
|
|||
network = lib.mkDefault true;
|
||||
time = lib.mkDefault true;
|
||||
commonSops = lib.mkDefault true;
|
||||
pii = lib.mkDefault true;
|
||||
stylix = lib.mkDefault true;
|
||||
programs = lib.mkDefault true;
|
||||
zsh = lib.mkDefault true;
|
||||
|
|
@ -4249,6 +4250,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
|
|||
modules = {
|
||||
general = lib.mkDefault true;
|
||||
nix-ld = lib.mkDefault true;
|
||||
pii = lib.mkDefault true;
|
||||
home-manager = lib.mkDefault true;
|
||||
home-managerExtra = lib.mkDefault true;
|
||||
xserver = lib.mkDefault true;
|
||||
|
|
@ -4297,6 +4299,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
|
|||
modules = {
|
||||
general = lib.mkDefault true;
|
||||
nix-ld = lib.mkDefault true;
|
||||
pii = lib.mkDefault true;
|
||||
home-manager = lib.mkDefault true;
|
||||
home-managerExtra = lib.mkDefault true;
|
||||
xserver = lib.mkDefault true;
|
||||
|
|
@ -4753,8 +4756,8 @@ in
|
|||
nixFile:
|
||||
assert assertMsg (builtins.isPath nixFile)
|
||||
"The file to decrypt must be given as a path to prevent impurity.";
|
||||
assert assertMsg (hasSuffix ".nix.age" nixFile)
|
||||
"The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
|
||||
assert assertMsg (hasSuffix ".nix.enc" nixFile)
|
||||
"The content of the decrypted file must be a nix expression and should therefore end in .nix.enc";
|
||||
exec [
|
||||
./sops-decrypt-and-cache.sh
|
||||
nixFile
|
||||
|
|
@ -4778,7 +4781,7 @@ in
|
|||
file="$1"
|
||||
shift
|
||||
|
||||
basename="$file"
|
||||
basename="${file%".enc"}"
|
||||
# store path prefix or ./ if applicable
|
||||
[[ $file == "/nix/store/"* ]] && basename="${basename#*"-"}"
|
||||
[[ $file == "./"* ]] && basename="${basename#"./"}"
|
||||
|
|
@ -5684,6 +5687,20 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte
|
|||
}
|
||||
#+end_src
|
||||
|
||||
**** Meta options
|
||||
|
||||
|
||||
#+begin_src nix :tangle modules/nixos/common/meta.nix
|
||||
{ lib, ... }:
|
||||
{
|
||||
options.node.secretsDir = lib.mkOption {
|
||||
description = "Path to the secrets directory for this node.";
|
||||
type = lib.types.path;
|
||||
default = ./.;
|
||||
};
|
||||
}
|
||||
#+end_src
|
||||
|
||||
**** sops
|
||||
:PROPERTIES:
|
||||
:CUSTOM_ID: h:d87d80fd-2ac7-4f29-b338-0518d06b4deb
|
||||
|
|
@ -5753,6 +5770,84 @@ I use sops-nix to handle secrets that I want to have available on my machines at
|
|||
}
|
||||
#+end_src
|
||||
|
||||
**** PII management
|
||||
|
||||
#+begin_src nix :tangle modules/nixos/common/pii.nix
|
||||
{ config, inputs, lib, ... }:
|
||||
let
|
||||
|
||||
# If the given expression is a bare set, it will be wrapped in a function,
|
||||
# so that the imported file can always be applied to the inputs, similar to
|
||||
# how modules can be functions or sets.
|
||||
constSet = x: if builtins.isAttrs x then (_: x) else x;
|
||||
|
||||
# Try to access the extra builtin we loaded via nix-plugins.
|
||||
# Throw an error if that doesn't exist.
|
||||
sopsImportEncrypted =
|
||||
assert lib.assertMsg (builtins ? extraBuiltins.sopsImportEncrypted)
|
||||
"The extra builtin 'sopsImportEncrypted' is not available, so repo.secrets cannot be decrypted. Did you forget to add nix-plugins and point it to `<flakeRoot>/nix/extra-builtins.nix` ?";
|
||||
builtins.extraBuiltins.sopsImportEncrypted;
|
||||
|
||||
# This "imports" an encrypted .nix.age file by evaluating the decrypted content.
|
||||
importEncrypted =
|
||||
path:
|
||||
constSet (
|
||||
if builtins.pathExists path then
|
||||
sopsImportEncrypted path
|
||||
else
|
||||
{ }
|
||||
);
|
||||
in
|
||||
{
|
||||
options = {
|
||||
repo = {
|
||||
secretFiles = lib.mkOption {
|
||||
default = { };
|
||||
type = lib.types.attrsOf lib.types.path;
|
||||
example = lib.literalExpression "{ local = ./pii.nix.enc; }";
|
||||
description = ''
|
||||
This file manages the origin for this machine's repository-secrets. Anything that is
|
||||
technically not a secret in the classical sense (i.e. that it has to be protected
|
||||
after it has been deployed), but something you want to keep secret from the public;
|
||||
Anything that you wouldn't want people to see on GitHub, but that can live unencrypted
|
||||
on your own devices. Consider it a more ergonomic nix alternative to using git-crypt.
|
||||
|
||||
All of these secrets may (and probably will be) put into the world-readable nix-store
|
||||
on the build and target hosts. You'll most likely want to store personally identifiable
|
||||
information here, such as:
|
||||
- MAC Addreses
|
||||
- Static IP addresses
|
||||
- Your full name (when configuring your users)
|
||||
- Your postal address (when configuring e.g. home-assistant)
|
||||
- ...
|
||||
|
||||
Each path given here must be an sops-encrypted .nix file. For each attribute `<name>`,
|
||||
the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.<name>`.
|
||||
'';
|
||||
};
|
||||
|
||||
secrets = lib.mkOption {
|
||||
readOnly = true;
|
||||
default = lib.mapAttrs (_: x: importEncrypted x inputs) config.repo.secretFiles;
|
||||
type = lib.types.unspecified;
|
||||
description = "Exposes the loaded repo secrets. This option is read-only.";
|
||||
};
|
||||
};
|
||||
swarselsystems.modules.pii = lib.mkEnableOption "enable pii management";
|
||||
};
|
||||
config = lib.mkIf config.swarselsystems.modules.pii {
|
||||
repo.secretFiles =
|
||||
let
|
||||
local = config.node.secretsDir + "/pii.nix.enc";
|
||||
in
|
||||
(lib.optionalAttrs (lib.pathExists local) { inherit local; }) // {
|
||||
common = ../../../secrets/repo/pii.nix.enc;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
#+end_src
|
||||
|
||||
**** Theme (stylix)
|
||||
:PROPERTIES:
|
||||
:CUSTOM_ID: h:e6e44705-94af-49fe-9ca0-0629d0f7d932
|
||||
|
|
@ -10459,19 +10554,15 @@ I use sops-nix to handle secrets that I want to have available on my machines at
|
|||
:END:
|
||||
|
||||
#+begin_src nix :tangle modules/home/common/yubikey.nix
|
||||
{ lib, config, nix-secrets, ... }:
|
||||
let
|
||||
secretsDirectory = builtins.toString nix-secrets;
|
||||
yubikey1 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey1";
|
||||
yubikey2 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey2";
|
||||
in
|
||||
{ lib, config, nixosConfig, ... }:
|
||||
{
|
||||
options.swarselsystems.modules.yubikey = lib.mkEnableOption "yubikey settings";
|
||||
|
||||
config = lib.mkIf config.swarselsystems.modules.yubikey {
|
||||
pam.yubico.authorizedYubiKeys = {
|
||||
ids = [
|
||||
"${yubikey1}"
|
||||
"${yubikey2}"
|
||||
nixosConfig.repo.secrets.common.yubikeys.dev1
|
||||
nixosConfig.repo.secrets.common.yubikeys.dev2
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue