setup secrets with sops-nix

huwaireb · huwaireb · commit 7700799b0d39 · 2024-09-25T14:08:24.000+04:00
primarily for use with tailscale and for the 
matrix server.

i've also refactored the host to a "server"
module.
diff --git a/.sops.yaml b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+  - &user_rmu age1jekavujwuvcqd76tl06nq4um3gd0sgdek2y3xquh3xuqxkyucyxqyjturt
+  - &server_uaq age19g4qp9033celgp5m8ffv35rlua2eved5pshqvnsw3kl3ya22k9vsmaungh
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *user_rmu
+      - *server_uaq
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -11,10 +11,12 @@
       flake.nixosConfigurations.uaq = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         specialArgs = {inherit inputs self;};
-        modules = [./hosts/uaq ./users/rmu.nix];
+        modules = [./hosts/uaq];
       };
 
       flake.nixosModules = {
+        server = ./modules/server;
+
         roles-matrix-bridge = ./modules/roles/matrix-bridge.nix;
         roles-matrix-homeserver = ./modules/roles/matrix-homeserver.nix;
       };
@@ -28,5 +30,7 @@
 
     disko.url = "github:nix-community/disko";
     srvos.url = "github:nix-community/srvos/63ea710b10c88f2158251d49eec7cc286cefbd68";
+
+    sops-nix.url = "github:Mic92/sops-nix";
   };
 }
diff --git a/hosts/uaq/default.nix b/hosts/uaq/default.nix
@@ -2,22 +2,18 @@
   lib,
   self,
   config,
-  inputs,
   ...
 }: {
-  time.timeZone = "Asia/Dubai";
-  networking.hostName = "uaq";
-
   imports = [
-    inputs.srvos.nixosModules.server
-
-    inputs.srvos.nixosModules.mixins-terminfo
-    inputs.srvos.nixosModules.mixins-systemd-boot
+    self.nixosModules.server
 
     # self.nixosModules.roles-matrix-bridge
     # self.nixosModules.roles-matrix-homeserver
   ];
 
+  time.timeZone = "Asia/Dubai";
+
+  networking.hostName = "uaq";
   networking.useNetworkd = true;
   networking.useDHCP = false;
 
diff --git a/modules/secrets.nix b/modules/secrets.nix
@@ -0,0 +1,11 @@
+{inputs, ...}: {
+  imports = [inputs.sops-nix.nixosModules.sops];
+
+  sops = {
+    defaultSopsFile = ../secrets/server.yaml;
+    age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+    secrets."tailscale/authKey" = {};
+  };
+
+  services.tailscale.authKeyFile = "/run/secrets/tailscale/authKey";
+}
diff --git a/modules/server/default.nix b/modules/server/default.nix
@@ -0,0 +1,28 @@
+{
+  inputs,
+  lib,
+  ...
+}: {
+  imports = [
+    ../secrets.nix
+
+    ../../users/rmu.nix
+    ../../users/shaher.nix
+    ../../users/gaurav.nix
+
+    inputs.srvos.nixosModules.server
+
+    inputs.srvos.nixosModules.mixins-terminfo
+    inputs.srvos.nixosModules.mixins-systemd-boot
+  ];
+
+  programs.fish.enable = true;
+
+  services.openssh.settings = {
+    MaxSessions = lib.mkDefault 4;
+    PasswordAuthentication = false;
+  };
+
+  services.tailscale.enable = true;
+  services.tailscale.extraUpFlags = ["--ssh"];
+}
diff --git a/secrets/server.yaml b/secrets/server.yaml
@@ -0,0 +1,31 @@
+tailscale:
+    authKey: ENC[AES256_GCM,data:UqYlhwxGqPqHWespWKEV+JVrP+tn0pAJ2Klj/3hemtEqZ0ANIJE/t6WsSFLKfthbyTQjurI48/vXExx+BBQ=,iv:MAR7Mk5XjFlswRfFWs+2USo7g2WcOWsLxPUVdpUzyag=,tag:gJjS8R5SB4jIGe6ygcv2Vw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1jekavujwuvcqd76tl06nq4um3gd0sgdek2y3xquh3xuqxkyucyxqyjturt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiVzQzdzh3aWVWYXBqazJI
+            LzgxTTYzbjdkWWxvYTBKTXY3a21FYk04SlQ4CjkvOXI2QmtWSTN1aWwyRXNkbGpt
+            VjdyYnM2K0d3SU9XalpwdG5aNGl4VDgKLS0tIEt5bGllM3ArbzlmSzVxaW5IZ2dm
+            emZWNHlPZ3BDMElMekVoajV1MTBFdE0KkXAa2Yfy4rFvvlrM92H9OVwOCjw2FfQH
+            Ku2tIUokxRgFKMu+CC2ICP9izxN+cffXLRqWECpCyv3Z6monDY2ZGg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19g4qp9033celgp5m8ffv35rlua2eved5pshqvnsw3kl3ya22k9vsmaungh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTmhMRFd4LzdsY2RPazBx
+            QU5XU0ZQalArQllLSFI2czZCeTFJTkxHTFFZCmxRdmJla3cvZVdEVm0wOGd2eHVR
+            YzlJd3c5VVJ4OUZLaFhaeEJQWm9TOVUKLS0tIHdVUXJQcThKai9ncDBsKzZFdHFZ
+            d0hBMEVrWExwdFB3dUZjSm5YUDJzU1kKVGKKYyG3h2FQuU7K74+O7q0WlzIl1vAF
+            pir2NWOKR8C1FG1czAR2nytPH/bgndp1aL+7vGNg6Z+QEIlsY2WYEQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-25T09:59:04Z"
+    mac: ENC[AES256_GCM,data:/uejUEt4so86IWJuC2JHF3cVE9shFRgTMUzvg8+/DYGHPloOa43x3DOvnyafZ081hOYnBN0sXz5fPu+vn6F3em1ptMIF+K1TsazmTfO1DSaNtsfCr72HFBIEBPrMsybYvOPk4vTbn+SGLCfJLvzpYqt5KhIRwsSxdiZiK9hB/0Q=,iv:k2MJSiX45to3H51ZClJYfEV/Ms9pr3Tgll0gAMkw5z0=,tag:lCJKchBIrjlo/xCArUjiwQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0
diff --git a/users/default.nix b/users/default.nix
diff --git a/users/rmu.nix b/users/rmu.nix
@@ -1,9 +1,11 @@
-{
+{pkgs, ...}: {
   users.users.rmu = {
     isNormalUser = true;
     description = "Rashid Almheiri";
     extraGroups = ["wheel"];
 
+    shell = pkgs.fish;
+
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEIniejxbTn4cW/0iTk2eLin7ZTQfpCIP3hiNP318kS8 uaq"
     ];
