From 5fd3d3a40a804c393f6d305006d1e48d49418ab4 Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Josh)"
Date: Tue, 7 May 2024 01:02:42 -0500
Subject: [PATCH] more secrets
---
 flake.lock | 6 +++---
 hosts/_common/ragenix.nix | 18 ++++++++++++++++--
 secrets/nix2h001.age | 26 ++++++++++++++++++++++++++
 secrets/nix2t.age | 26 ++++++++++++++++++++++++++
 secrets/secrets.nix | 18 +++++++++++++++---
 users/_common/home_manager/ssh.nix | 24 +++++++++++++++++++++++-
 users/_common/nix_modules/ssh-key.nix | 4 ++--
 users/root/configuration.nix | 10 ++++++++--
 8 files changed, 119 insertions(+), 13 deletions(-)
 create mode 100644 secrets/nix2h001.age
 create mode 100644 secrets/nix2t.age
diff --git a/flake.lock b/flake.lock
index 9494caf..a0f4c68 100644
--- a/flake.lock
+++ b/flake.lock
@@ -230,11 +230,11 @@
 "nvim_plugin-declancm/cinnamon.nvim": "nvim_plugin-declancm/cinnamon.nvim"
 },
 "locked": {
- "lastModified": 1714780617,
- "narHash": "sha256-63lH3uFa7Mdq6z8oKQPTDH+hXC57bIr3XG7rRz+2x4U=",
+ "lastModified": 1715021116,
+ "narHash": "sha256-90rB0FN9XodUTSw8fHJSGm8qbqkQOOryQUHt7v53KPQ=",
 "owner": "RingOfStorms",
 "repo": "nvim",
- "rev": "eb7f522795c3a2b597acb576c80b23214ff9eedb",
+ "rev": "d3212044572caeaaf969c06c66f779de96ef37ce",
 "type": "github"
 },
 "original": {
diff --git a/hosts/_common/ragenix.nix b/hosts/_common/ragenix.nix
index 9da2932..9a70e36 100644
--- a/hosts/_common/ragenix.nix
+++ b/hosts/_common/ragenix.nix
@@ -1,8 +1,14 @@
 # TODO check out the by host way this person does: https://github.com/hlissner/dotfiles/blob/089f1a9da9018df9e5fc200c2d7bef70f4546026/modules/agenix.nix
-{ settings, lib, ragenix, ... }:
+{
+ settings,
+ lib,
+ ragenix,
+ ...
+}:
 let
- # secretsFile = (settings.secretsDir + /secrets.nix);
 in
+# TODO auto import secret files here
+# secretsFile = (settings.secretsDir + /secrets.nix);
 {
 imports = [ ragenix.nixosModules.age ];
 environment.systemPackages = [ ragenix.packages.${settings.system.system}.default ];
@@ -24,6 +30,14 @@ in
 file = /${settings.secretsDir}/nix2bitbucket.age;
 owner = settings.user.username;
 };
+ nix2h001 = {
+ file = /${settings.secretsDir}/nix2h001.age;
+ owner = settings.user.username;
+ };
+ nix2t = {
+ file = /${settings.secretsDir}/nix2t.age;
+ owner = settings.user.username;
+ };
 };
 };
 }
diff --git a/secrets/nix2h001.age b/secrets/nix2h001.age
new file mode 100644
index 0000000..1bda379
--- /dev/null
+++ b/secrets/nix2h001.age
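Review bot: The two new entries make `nix2h001` and `nix2t` look exactly like the forge deploy keys above them — owned by `settings.user.username` and, since this module sits under `hosts/_common`, presumably decrypted on every host that imports it. For a key whose only visible use is `root` login to h001 (the ssh config in this commit), that means a compromise of any one host hands out root on h001; the per-host layout linked in the TODO at the top of this file would let each of these be declared only on the client that actually needs it. A one-line comment per entry naming its purpose, e.g. `# client key for root@h001 (used by home_manager/ssh.nix)`, would also make future rotation less guesswork. Leaving `mode` unset is fine here: ragenix's default is owner-read-only, which is what ssh requires of an identity file.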
@@ -0,0 +1,26 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USB0bkd0
+ek9VaTN6ZDhFSjJWazd1RlhBbTNWTDFjWThGdnA0SGdFNjRORGtJCmRubXpJWmRy
+eGdOejhPMi9sRUlXeWNyZ1lBOFhhb2xKM0JsbWFHVmdMUzQKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIFBuK0tEalBONVVHN1RiMDRxa0xrTjJJZGk4Nzd5RmR1bFhXVGtz
+TkdYMVUKSTFtbW5xd0E4UkhVM2c5YlMxcUxYRXl5YXUvVzV5K0wweFdqSzFiSWo4
+bwotPiBzc2gtZWQyNTUxOSBTcENqQlEgWVdmalZrZ0pxVDAzNE1jMnN1Qi9vSTlB
+emlBbFhaYzZPN1BiZWVjK3F4NApad1RQVVRBODVaQUVHT1hzbThQQUVDSG13bTRD
+OXZTWC92ZVlpcVpoYlo4Ci0+IHNzaC1lZDI1NTE5IEJZS0crdyA2MU5CRmpIWHh6
+VFEyV2F0S2dyd2xQRXJKNldMcHgwcUhiQkZqNGxhZnlZCitiMmVWUUxwVzdwdVVx
+TEo0R05ZRWlPaTJzOUhxYVZyYW42anNlRVFPY1kKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIGgzcXJpSjMveEw4TzVzZHZlK05ycDJ1TERPQ0p6QUdZVmVxQjF3T3d6U2sK
+eVZnVk5TM01BemtzSW1BWTJoRGFNS0wvWlBXQjJ4OEdSUmZ5cktEa1dlRQotPiBA
+Nz8sLWByLWdyZWFzZQpIU0VJZm4vbWZyRkVGMjJWYXFmTDlCVTBaaElyRXIvaGk0
+Y2RVa1lxMGU1bWY3aXhmMTFNeVEKLS0tIGNVMkVLTG0rT2lWR3F1am1yRFFzaEls
+NEdFbXhTcmM3a2Q3VWRDZnNXVkkK9jNOfezOTfWyuWm99ZopI+EgwtmShWQXa5Zl
+dT2vrAihJImzohEzDckxMFnsrspD6eUEjBejY+518ZC6kyGSRbDZB5sX+70lDoNK
+rZuKxtXvhMkZXTOKIjqIIewaiCVzQH3BFnxdL2Vw6huAYzWdmPSZNttJBNbcVuOO
+6O/GnNoGoFvY0lIXXtubdacNzHEvvLG01SyyuLV45SCOnku5s5JXPAj2A1hmczJo
+0TpVaigtzVXRhsYiv3IeCv278JaMLstRtjdNipFLUGmwOzTQGJmajpCUfPTldWUK
+oZfsswqWbAMyKALDoXuOfGCR4YCL8k2xaRP8bUkwLTj68bZ1Lgyd2iwbgCMcXkxC
+7sNrY7XTV2+/ONe9fPfPG8xRjvsIvlR7Zl13bACSIyEHgYPlYszMSS+VZnV16V5X
+KwU2dCQuuETiLr1VvqplqDVOJdM3slAhFPrE3Khcb7qAmmB5pUCohHHmBXODV0cg
+l82X6PL+IO3LMOJNACi59HMF+Ze2jqh3XR0+rrK1C7TU31YzCL3qMCAglQvTnVMz
+3nTtpaMs16qpXMmU8KmvtxOn6nE=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/nix2t.age b/secrets/nix2t.age
new file mode 100644
index 0000000..f04bb68
--- /dev/null
+++ b/secrets/nix2t.age
@@ -0,0 +1,26 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USAxOTZK
+VytkWVFIK2ZxUmxOUmc0dkVFMTFVeGtnMlRxTDRRbjQzWUZIbDJnCjd4Ulp6bElk
+VVQ5QTNJb2RzUzdwZDdhL1BVcjhDaXUwUXpTRXJiZjlDR2MKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIFpiaFpDMlpFWWloMFhTTUxMYnZUaW1YT0l4NW5zMDdrWFplc3lw
+V3JGVFEKOFFzT0xuQ1dhckUzQjY1RTJnMDk1WWRaNERycXVnRzJhUytJYUFNTUsz
+OAotPiBzc2gtZWQyNTUxOSBTcENqQlEgMnhnNXdtMk4relo5NmVOS0NFUXBYRU9F
+QWRvaWVuZ2lCNHN1Qmp0S0hGYwo1Z3hxUlZPVDFLcnJQN1I0S3dEbjhPeVhBc0tL
+Q1JvN3o4STczTmp0SndRCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBUSzhNUXVlRkFV
+RCtxcXo5SG5oOUsxSm5BSDlyeXo0K3RMdFlKdUg5aFI0Ckhpd2dIR0lmNXFaV3Vi
+d0t3emxBWGxIZFRUa1dpRjhoQk15UVhrWmtibFUKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIDRYWGJlTEtjTFMyYU5qaWNPMk0rMHhyU1o0Y0dXOC9HSXFnWGgwY0ZaZ28K
+ZkIvRDYvaGY1L2JWUTlsbkJ0ZkZmVTVYVWVUbmxzWDB4R05IdHBHeFBwMAotPiBV
+LnEtZ3JlYXNlIHFidHlfIFAjQAppYUdMNlhUK1JXYXNXNVp0MlQ5ZkF0Vy9wb2NW
+L3FhK2JZTFBFN25DVUtwNTlnaUVRV1Zqc1lzT0dkOGxSNWRVClBGUXhtMGF0Ci0t
+LSBxaTRGd2o5eERVekRIalJhT2UzK0JZUURUaUN1UmR6VkRleU9NMCtSNGNRCg06
+9QgOf/700c1qw3NHhg6xIMMT9ze9QCV9rSsFKBG8Fp5ZsFccvVeODVe+vENrcQs/
+6PfMLBcg6OLBvQ0k0mwN/TlFB9aRRP2vFIFRoSjD/VlDUxl2yV4AgXaqjLt4PG38
+T9/lU3e6IKTR+ReC0z+F1G+ctwy+F9xmq1EHx41KZ+4c/D5ktctPQn8EdIRqFX6O
+OQAcQmNTqgfM9AWkbS1LE8RPmKlpia2iNrlhkppdwDstnfjeIshl4fyUKCL0k5qQ
+7DRf7CxpwQSWRLyoBreR3lwmYLNtjr3nVe1Ae9RPA0O8sQc/lNejtb18yRGwMuYP
+1pN/qGR4fOVy3tzKylZ/PWUTiIzPu3jN67GqkLk/zC6qgemTk8cgWt1bJyB4siiy
+9fPfMJE9nrVXr2U7w+f/j0ZW3V4pfNDVsj96ZssMg55mOO7f4qrR2nhwnEgtarEL
+OiEOU1d5nDoxgOy79hlwUGfwH7bAwMFiPoDz508CKBKySHFi0kv5oeHMysmsS+2U
+zjSEjfmsgI+oiwcbUZGkik2mC+82wwwuFN86ip+H+cWm
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f766a8f..93a477b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -16,7 +19,19 @@ let
 ];
 in
 {
- # TODO come up with a rotate method/encrypt the device keys bette. This isn't very secure feeling to me the way I am doing this now. If anyone gains access to any one of my devices, then my secrets are no longer secret. This is not a good model.
- "nix2github.age" = { inherit publicKeys; };
- "nix2bitbucket.age" = { inherit publicKeys; };
+ ## Too make a new secret: `ragenix --editor=vi -v -e FILE.age` add file below and in the ragenix.nix file
+ #
+ # TODO come up with a rotate method/encrypt the device keys better. This isn't very secure feeling to me the way I am doing this now. If anyone gains access to any one of my devices, then my secrets are no longer secret. This is not a good model.
+ "nix2github.age" = {
+ inherit publicKeys;
+ };
+ "nix2bitbucket.age" = {
+ inherit publicKeys;
+ };
+ "nix2h001.age" = {
+ inherit publicKeys;
+ };
+ "nix2t.age" = {
+ inherit publicKeys;
+ };
 }
diff --git a/users/_common/home_manager/ssh.nix b/users/_common/home_manager/ssh.nix
index bb28163..f409172 100644
--- a/users/_common/home_manager/ssh.nix
+++ b/users/_common/home_manager/ssh.nix
@@ -9,7 +9,29 @@
 "bitbucket.org" = {
 identityFile = age.secrets.nix2bitbucket.path;
 };
+ "h001" = {
+ identityFile = age.secrets.nix2h001.path;
+ # TODO come back to these 10.12.14.## addrs and change them to intranet IP's instead of local network.
+ hostname = "10.12.14.2";
+ user = "root";
+ };
+ "t" = {
+ identityFile = age.secrets.nix2t.path;
+ hostname = "10.12.14.103";
+ user = "joshua.bell";
+ localForwards = [
+ {
+ bind.port = 3000;
+ host.port = 3000;
+ host.address = "localhost";
+ }
+ {
+ bind.port = 3002;
+ host.port = 3002;
+ host.address = "localhost";
+ }
+ ];
+ };
 };
 };
 }
-
diff --git a/users/_common/nix_modules/ssh-key.nix b/users/_common/nix_modules/ssh-key.nix
index 311084a..3acebb6 100644
--- a/users/_common/nix_modules/ssh-key.nix
+++ b/users/_common/nix_modules/ssh-key.nix
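Review bot: Every new `.age` entry does `inherit publicKeys`, so `nix2h001.age` — which this commit uses as a root login key for h001 — is decryptable by every device key in that list, which is exactly the exposure the TODO a few lines above describes, and the commit widens it from forge deploy keys to interactive root access. Scoping recipients per secret, e.g. `"nix2h001.age".publicKeys = [ <only the client that logs in> ];`, cuts the blast radius without waiting for a rotation scheme. The new usage comment has a typo and is missing a step: `## Too make a new secret:` should read `## To make a new secret:`, and it should add that after changing `publicKeys` the existing files must be re-encrypted with ragenix's `--rekey` or the new recipient will not be able to decrypt them.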
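Review bot: Neither new match block sets `identitiesOnly = true`, so ssh will offer every key loaded in the agent before the `identityFile` named here; that leaks the other identities' public keys to the server and can exhaust `MaxAuthTries` on a hardened sshd — add `identitiesOnly = true;` to both `"h001"` and `"t"`. `"h001"` logs in directly as `user = "root"`, which turns the key in `nix2h001.age` into an instant root credential; if h001's sshd permits it, a non-root account with sudo is the safer target. The `localForwards` entries omit `bind.address`, which OpenSSH defaults to loopback, so the 3000/3002 listeners are not reachable from the LAN; writing `bind.address = "127.0.0.1";` makes that intent explicit rather than relying on the default.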
@@ -10,14 +10,14 @@
 };
 script = ''
 #!/run/current-system/sw/bin/bash
- if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519bbb ]; then
+ if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519]; then
 if [ -v DRY_RUN ]; then
 echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
 else
 echo "Generating SSH key for ${settings.user.username}."
 mkdir -p /home/${settings.user.username}/.ssh
 chmod 700 /home/${settings.user.username}/.ssh
- /run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519bbb -N ""
+ /run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519-N ""
 fi
 else
 echo "SSH key already exists for ${settings.user.username}."
diff --git a/users/root/configuration.nix b/users/root/configuration.nix
index 59935d2..721d513 100644
--- a/users/root/configuration.nix
+++ b/users/root/configuration.nix
@@ -1,10 +1,17 @@
-{ config, lib, pkgs, settings, ... } @ args:
+{
+ config,
+ lib,
+ pkgs,
+ settings,
+ ...
+}@args:
 {
 users.users.root = {
 initialPassword = "password1";
 };
 
 system.activationScripts.sshConfig = {
+ # TODO revisit this, this is stupid and ugly what am I doing here...
 text = ''
 mkdir -p /root/.ssh
 ln -snf ${config.age.secrets.nix2github.path} /root/.ssh/nix2github
@@ -12,4 +19,3 @@
 '';
 };
 }
-
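Review bot: Both changed lines are broken by a dropped space. In `[ ! -f /home/.../.ssh/id_ed25519]; then` the `]` is glued to the path, so `[` never sees its closing bracket, reports a missing `]`, and returns non-zero — the script always falls into the `else` branch and never generates a key. In the `ssh-keygen` call, `id_ed25519-N ""` makes `-f`'s argument `id_ed25519-N` and leaves `""` as a stray positional argument, which ssh-keygen will most likely reject as too many arguments, so even when reached it would not write the intended passphrase-less key. The fixes are `if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519 ]; then` and `... -f /home/${settings.user.username}/.ssh/id_ed25519 -N ""`. It would also help to add a comment above the keygen line stating why an unencrypted private key generated non-interactively is acceptable on these hosts; the script's closing `''` lies outside the hunk.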
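Review bot: Not introduced by this commit but in plain view in the hunk's context: `initialPassword = "password1"` is a guessable root password, and since `initialPassword` is only applied when the account is first created it quietly persists on every host built from this file. Given the commit's theme of moving credentials into age, root's password belongs there too — `hashedPasswordFile = config.age.secrets.<name>.path;` in place of the plaintext literal, with `users.mutableUsers = false` if the declarative password is meant to stick. On the new TODO asking what the activation script is for: it symlinks the decrypted age paths into `/root/.ssh` under fixed names so ssh can find them; pointing an `IdentityFile` in root's ssh config straight at `config.age.secrets.nix2github.path` would remove the symlink dance entirely. The activation script text continues past the end of the hunk.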