ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

more secrets

Browse source
This commit is contained in:
RingOfStorms (Josh) 2024-05-07 01:02:42 -05:00
parent fa0974cb63
commit 5fd3d3a40a
8 changed files with 119 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

6
flake.lock generated
View file

@ -230,11 +230,11 @@
"nvim_plugin-declancm/cinnamon.nvim": "nvim_plugin-declancm/cinnamon.nvim"
},
"locked": {
"lastModified": 1714780617,
"narHash": "sha256-63lH3uFa7Mdq6z8oKQPTDH+hXC57bIr3XG7rRz+2x4U=",
"lastModified": 1715021116,
"narHash": "sha256-90rB0FN9XodUTSw8fHJSGm8qbqkQOOryQUHt7v53KPQ=",
"owner": "RingOfStorms",
"repo": "nvim",
"rev": "eb7f522795c3a2b597acb576c80b23214ff9eedb",
"rev": "d3212044572caeaaf969c06c66f779de96ef37ce",
"type": "github"
},
"original": {

18
hosts/_common/ragenix.nix
View file

@ -1,8 +1,14 @@
# TODO check out the by host way this person does: https://github.com/hlissner/dotfiles/blob/089f1a9da9018df9e5fc200c2d7bef70f4546026/modules/agenix.nix
{ settings, lib, ragenix, ... }:
{
settings,
lib,
ragenix,
...
}:
let
# secretsFile = (settings.secretsDir + /secrets.nix);
in
# TODO auto import secret files here
# secretsFile = (settings.secretsDir + /secrets.nix);
{
imports = [ ragenix.nixosModules.age ];
environment.systemPackages = [ ragenix.packages.${settings.system.system}.default ];
@ -24,6 +30,14 @@ in
file = /${settings.secretsDir}/nix2bitbucket.age;
owner = settings.user.username;
};
nix2h001 = {
file = /${settings.secretsDir}/nix2h001.age;
owner = settings.user.username;
};
nix2t = {
file = /${settings.secretsDir}/nix2t.age;
owner = settings.user.username;
};
};
};
}

26
secrets/nix2h001.age Normal file
View file

@ -0,0 +1,26 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USB0bkd0
ek9VaTN6ZDhFSjJWazd1RlhBbTNWTDFjWThGdnA0SGdFNjRORGtJCmRubXpJWmRy
eGdOejhPMi9sRUlXeWNyZ1lBOFhhb2xKM0JsbWFHVmdMUzQKLT4gc3NoLWVkMjU1
MTkgSmh2TCtRIFBuK0tEalBONVVHN1RiMDRxa0xrTjJJZGk4Nzd5RmR1bFhXVGtz
TkdYMVUKSTFtbW5xd0E4UkhVM2c5YlMxcUxYRXl5YXUvVzV5K0wweFdqSzFiSWo4
bwotPiBzc2gtZWQyNTUxOSBTcENqQlEgWVdmalZrZ0pxVDAzNE1jMnN1Qi9vSTlB
emlBbFhaYzZPN1BiZWVjK3F4NApad1RQVVRBODVaQUVHT1hzbThQQUVDSG13bTRD
OXZTWC92ZVlpcVpoYlo4Ci0+IHNzaC1lZDI1NTE5IEJZS0crdyA2MU5CRmpIWHh6
VFEyV2F0S2dyd2xQRXJKNldMcHgwcUhiQkZqNGxhZnlZCitiMmVWUUxwVzdwdVVx
TEo0R05ZRWlPaTJzOUhxYVZyYW42anNlRVFPY1kKLT4gc3NoLWVkMjU1MTkgWHpm
bWFRIGgzcXJpSjMveEw4TzVzZHZlK05ycDJ1TERPQ0p6QUdZVmVxQjF3T3d6U2sK
eVZnVk5TM01BemtzSW1BWTJoRGFNS0wvWlBXQjJ4OEdSUmZ5cktEa1dlRQotPiBA
Nz8sLWByLWdyZWFzZQpIU0VJZm4vbWZyRkVGMjJWYXFmTDlCVTBaaElyRXIvaGk0
Y2RVa1lxMGU1bWY3aXhmMTFNeVEKLS0tIGNVMkVLTG0rT2lWR3F1am1yRFFzaEls
NEdFbXhTcmM3a2Q3VWRDZnNXVkkK9jNOfezOTfWyuWm99ZopI+EgwtmShWQXa5Zl
dT2vrAihJImzohEzDckxMFnsrspD6eUEjBejY+518ZC6kyGSRbDZB5sX+70lDoNK
rZuKxtXvhMkZXTOKIjqIIewaiCVzQH3BFnxdL2Vw6huAYzWdmPSZNttJBNbcVuOO
6O/GnNoGoFvY0lIXXtubdacNzHEvvLG01SyyuLV45SCOnku5s5JXPAj2A1hmczJo
0TpVaigtzVXRhsYiv3IeCv278JaMLstRtjdNipFLUGmwOzTQGJmajpCUfPTldWUK
oZfsswqWbAMyKALDoXuOfGCR4YCL8k2xaRP8bUkwLTj68bZ1Lgyd2iwbgCMcXkxC
7sNrY7XTV2+/ONe9fPfPG8xRjvsIvlR7Zl13bACSIyEHgYPlYszMSS+VZnV16V5X
KwU2dCQuuETiLr1VvqplqDVOJdM3slAhFPrE3Khcb7qAmmB5pUCohHHmBXODV0cg
l82X6PL+IO3LMOJNACi59HMF+Ze2jqh3XR0+rrK1C7TU31YzCL3qMCAglQvTnVMz
3nTtpaMs16qpXMmU8KmvtxOn6nE=
-----END AGE ENCRYPTED FILE-----

26
secrets/nix2t.age Normal file
View file

@ -0,0 +1,26 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USAxOTZK
VytkWVFIK2ZxUmxOUmc0dkVFMTFVeGtnMlRxTDRRbjQzWUZIbDJnCjd4Ulp6bElk
VVQ5QTNJb2RzUzdwZDdhL1BVcjhDaXUwUXpTRXJiZjlDR2MKLT4gc3NoLWVkMjU1
MTkgSmh2TCtRIFpiaFpDMlpFWWloMFhTTUxMYnZUaW1YT0l4NW5zMDdrWFplc3lw
V3JGVFEKOFFzT0xuQ1dhckUzQjY1RTJnMDk1WWRaNERycXVnRzJhUytJYUFNTUsz
OAotPiBzc2gtZWQyNTUxOSBTcENqQlEgMnhnNXdtMk4relo5NmVOS0NFUXBYRU9F
QWRvaWVuZ2lCNHN1Qmp0S0hGYwo1Z3hxUlZPVDFLcnJQN1I0S3dEbjhPeVhBc0tL
Q1JvN3o4STczTmp0SndRCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBUSzhNUXVlRkFV
RCtxcXo5SG5oOUsxSm5BSDlyeXo0K3RMdFlKdUg5aFI0Ckhpd2dIR0lmNXFaV3Vi
d0t3emxBWGxIZFRUa1dpRjhoQk15UVhrWmtibFUKLT4gc3NoLWVkMjU1MTkgWHpm
bWFRIDRYWGJlTEtjTFMyYU5qaWNPMk0rMHhyU1o0Y0dXOC9HSXFnWGgwY0ZaZ28K
ZkIvRDYvaGY1L2JWUTlsbkJ0ZkZmVTVYVWVUbmxzWDB4R05IdHBHeFBwMAotPiBV
LnEtZ3JlYXNlIHFidHlfIFAjQAppYUdMNlhUK1JXYXNXNVp0MlQ5ZkF0Vy9wb2NW
L3FhK2JZTFBFN25DVUtwNTlnaUVRV1Zqc1lzT0dkOGxSNWRVClBGUXhtMGF0Ci0t
LSBxaTRGd2o5eERVekRIalJhT2UzK0JZUURUaUN1UmR6VkRleU9NMCtSNGNRCg06
9QgOf/700c1qw3NHhg6xIMMT9ze9QCV9rSsFKBG8Fp5ZsFccvVeODVe+vENrcQs/
6PfMLBcg6OLBvQ0k0mwN/TlFB9aRRP2vFIFRoSjD/VlDUxl2yV4AgXaqjLt4PG38
T9/lU3e6IKTR+ReC0z+F1G+ctwy+F9xmq1EHx41KZ+4c/D5ktctPQn8EdIRqFX6O
OQAcQmNTqgfM9AWkbS1LE8RPmKlpia2iNrlhkppdwDstnfjeIshl4fyUKCL0k5qQ
7DRf7CxpwQSWRLyoBreR3lwmYLNtjr3nVe1Ae9RPA0O8sQc/lNejtb18yRGwMuYP
1pN/qGR4fOVy3tzKylZ/PWUTiIzPu3jN67GqkLk/zC6qgemTk8cgWt1bJyB4siiy
9fPfMJE9nrVXr2U7w+f/j0ZW3V4pfNDVsj96ZssMg55mOO7f4qrR2nhwnEgtarEL
OiEOU1d5nDoxgOy79hlwUGfwH7bAwMFiPoDz508CKBKySHFi0kv5oeHMysmsS+2U
zjSEjfmsgI+oiwcbUZGkik2mC+82wwwuFN86ip+H+cWm
-----END AGE ENCRYPTED FILE-----

18
secrets/secrets.nix
View file

@ -16,7 +16,19 @@ let
];
in
{
# TODO come up with a rotate method/encrypt the device keys bette. This isn't very secure feeling to me the way I am doing this now. If anyone gains access to any one of my devices, then my secrets are no longer secret. This is not a good model.
"nix2github.age" = { inherit publicKeys; };
"nix2bitbucket.age" = { inherit publicKeys; };
## Too make a new secret: `ragenix --editor=vi -v -e FILE.age` add file below and in the ragenix.nix file
#
# TODO come up with a rotate method/encrypt the device keys better. This isn't very secure feeling to me the way I am doing this now. If anyone gains access to any one of my devices, then my secrets are no longer secret. This is not a good model.
"nix2github.age" = {
inherit publicKeys;
};
"nix2bitbucket.age" = {
inherit publicKeys;
};
"nix2h001.age" = {
inherit publicKeys;
};
"nix2t.age" = {
inherit publicKeys;
};
}

24
users/_common/home_manager/ssh.nix
View file

@ -9,7 +9,29 @@
"bitbucket.org" = {
identityFile = age.secrets.nix2bitbucket.path;
};
"h001" = {
identityFile = age.secrets.nix2h001.path;
# TODO come back to these 10.12.14.## addrs and change them to intranet IP's instead of local network.
hostname = "10.12.14.2";
user = "root";
};
"t" = {
identityFile = age.secrets.nix2t.path;
hostname = "10.12.14.103";
user = "joshua.bell";
localForwards = [
{
bind.port = 3000;
host.port = 3000;
host.address = "localhost";
}
{
bind.port = 3002;
host.port = 3002;
host.address = "localhost";
}
];
};
};
};
}

4
users/_common/nix_modules/ssh-key.nix
View file

@ -10,14 +10,14 @@
};
script = ''
#!/run/current-system/sw/bin/bash
if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519bbb ]; then
if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519]; then
if [ -v DRY_RUN ]; then
echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
else
echo "Generating SSH key for ${settings.user.username}."
mkdir -p /home/${settings.user.username}/.ssh
chmod 700 /home/${settings.user.username}/.ssh
/run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519bbb -N ""
/run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519-N ""
fi
else
echo "SSH key already exists for ${settings.user.username}."

10
users/root/configuration.nix
View file

@ -1,10 +1,17 @@
{ config, lib, pkgs, settings, ... } @ args:
{
config,
lib,
pkgs,
settings,
...
}@args:
{
users.users.root = {
initialPassword = "password1";
};
system.activationScripts.sshConfig = {
# TODO revisit this, this is stupid and ugly what am I doing here...
text = ''
mkdir -p /root/.ssh
ln -snf ${config.age.secrets.nix2github.path} /root/.ssh/nix2github
@ -12,4 +19,3 @@
'';
};
}