more secrets

flake.lock

@@ -230,11 +230,11 @@
         "nvim_plugin-declancm/cinnamon.nvim": "nvim_plugin-declancm/cinnamon.nvim"
       },
       "locked": {
-        "lastModified": 1714780617,
+        "lastModified": 1715021116,
-        "narHash": "sha256-63lH3uFa7Mdq6z8oKQPTDH+hXC57bIr3XG7rRz+2x4U=",
+        "narHash": "sha256-90rB0FN9XodUTSw8fHJSGm8qbqkQOOryQUHt7v53KPQ=",
         "owner": "RingOfStorms",
         "repo": "nvim",
-        "rev": "eb7f522795c3a2b597acb576c80b23214ff9eedb",
+        "rev": "d3212044572caeaaf969c06c66f779de96ef37ce",
         "type": "github"
       },
       "original": {

hosts/_common/ragenix.nix

@@ -1,8 +1,14 @@
 # TODO check out the by host way this person does: https://github.com/hlissner/dotfiles/blob/089f1a9da9018df9e5fc200c2d7bef70f4546026/modules/agenix.nix
-{ settings, lib, ragenix, ... }:
+{
+  settings,
+  lib,
+  ragenix,
+  ...
+}:
 let
-  # secretsFile = (settings.secretsDir + /secrets.nix);
 in
+# TODO auto import secret files here
+# secretsFile = (settings.secretsDir + /secrets.nix);
 {
   imports = [ ragenix.nixosModules.age ];
   environment.systemPackages = [ ragenix.packages.${settings.system.system}.default ];
@@ -24,6 +30,14 @@ in
           file = /${settings.secretsDir}/nix2bitbucket.age;
           owner = settings.user.username;
         };
+        nix2h001 = {
+          file = /${settings.secretsDir}/nix2h001.age;
+          owner = settings.user.username;
+        };
+        nix2t = {
+          file = /${settings.secretsDir}/nix2t.age;
+          owner = settings.user.username;
+        };
       };
   };
 }

secrets/nix2h001.age

@@ -0,0 +1,26 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USB0bkd0
+ek9VaTN6ZDhFSjJWazd1RlhBbTNWTDFjWThGdnA0SGdFNjRORGtJCmRubXpJWmRy
+eGdOejhPMi9sRUlXeWNyZ1lBOFhhb2xKM0JsbWFHVmdMUzQKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIFBuK0tEalBONVVHN1RiMDRxa0xrTjJJZGk4Nzd5RmR1bFhXVGtz
+TkdYMVUKSTFtbW5xd0E4UkhVM2c5YlMxcUxYRXl5YXUvVzV5K0wweFdqSzFiSWo4
+bwotPiBzc2gtZWQyNTUxOSBTcENqQlEgWVdmalZrZ0pxVDAzNE1jMnN1Qi9vSTlB
+emlBbFhaYzZPN1BiZWVjK3F4NApad1RQVVRBODVaQUVHT1hzbThQQUVDSG13bTRD
+OXZTWC92ZVlpcVpoYlo4Ci0+IHNzaC1lZDI1NTE5IEJZS0crdyA2MU5CRmpIWHh6
+VFEyV2F0S2dyd2xQRXJKNldMcHgwcUhiQkZqNGxhZnlZCitiMmVWUUxwVzdwdVVx
+TEo0R05ZRWlPaTJzOUhxYVZyYW42anNlRVFPY1kKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIGgzcXJpSjMveEw4TzVzZHZlK05ycDJ1TERPQ0p6QUdZVmVxQjF3T3d6U2sK
+eVZnVk5TM01BemtzSW1BWTJoRGFNS0wvWlBXQjJ4OEdSUmZ5cktEa1dlRQotPiBA
+Nz8sLWByLWdyZWFzZQpIU0VJZm4vbWZyRkVGMjJWYXFmTDlCVTBaaElyRXIvaGk0
+Y2RVa1lxMGU1bWY3aXhmMTFNeVEKLS0tIGNVMkVLTG0rT2lWR3F1am1yRFFzaEls
+NEdFbXhTcmM3a2Q3VWRDZnNXVkkK9jNOfezOTfWyuWm99ZopI+EgwtmShWQXa5Zl
+dT2vrAihJImzohEzDckxMFnsrspD6eUEjBejY+518ZC6kyGSRbDZB5sX+70lDoNK
+rZuKxtXvhMkZXTOKIjqIIewaiCVzQH3BFnxdL2Vw6huAYzWdmPSZNttJBNbcVuOO
+6O/GnNoGoFvY0lIXXtubdacNzHEvvLG01SyyuLV45SCOnku5s5JXPAj2A1hmczJo
+0TpVaigtzVXRhsYiv3IeCv278JaMLstRtjdNipFLUGmwOzTQGJmajpCUfPTldWUK
+oZfsswqWbAMyKALDoXuOfGCR4YCL8k2xaRP8bUkwLTj68bZ1Lgyd2iwbgCMcXkxC
+7sNrY7XTV2+/ONe9fPfPG8xRjvsIvlR7Zl13bACSIyEHgYPlYszMSS+VZnV16V5X
+KwU2dCQuuETiLr1VvqplqDVOJdM3slAhFPrE3Khcb7qAmmB5pUCohHHmBXODV0cg
+l82X6PL+IO3LMOJNACi59HMF+Ze2jqh3XR0+rrK1C7TU31YzCL3qMCAglQvTnVMz
+3nTtpaMs16qpXMmU8KmvtxOn6nE=
+-----END AGE ENCRYPTED FILE-----

secrets/nix2t.age

@@ -0,0 +1,26 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USAxOTZK
+VytkWVFIK2ZxUmxOUmc0dkVFMTFVeGtnMlRxTDRRbjQzWUZIbDJnCjd4Ulp6bElk
+VVQ5QTNJb2RzUzdwZDdhL1BVcjhDaXUwUXpTRXJiZjlDR2MKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIFpiaFpDMlpFWWloMFhTTUxMYnZUaW1YT0l4NW5zMDdrWFplc3lw
+V3JGVFEKOFFzT0xuQ1dhckUzQjY1RTJnMDk1WWRaNERycXVnRzJhUytJYUFNTUsz
+OAotPiBzc2gtZWQyNTUxOSBTcENqQlEgMnhnNXdtMk4relo5NmVOS0NFUXBYRU9F
+QWRvaWVuZ2lCNHN1Qmp0S0hGYwo1Z3hxUlZPVDFLcnJQN1I0S3dEbjhPeVhBc0tL
+Q1JvN3o4STczTmp0SndRCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBUSzhNUXVlRkFV
+RCtxcXo5SG5oOUsxSm5BSDlyeXo0K3RMdFlKdUg5aFI0Ckhpd2dIR0lmNXFaV3Vi
+d0t3emxBWGxIZFRUa1dpRjhoQk15UVhrWmtibFUKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIDRYWGJlTEtjTFMyYU5qaWNPMk0rMHhyU1o0Y0dXOC9HSXFnWGgwY0ZaZ28K
+ZkIvRDYvaGY1L2JWUTlsbkJ0ZkZmVTVYVWVUbmxzWDB4R05IdHBHeFBwMAotPiBV
+LnEtZ3JlYXNlIHFidHlfIFAjQAppYUdMNlhUK1JXYXNXNVp0MlQ5ZkF0Vy9wb2NW
+L3FhK2JZTFBFN25DVUtwNTlnaUVRV1Zqc1lzT0dkOGxSNWRVClBGUXhtMGF0Ci0t
+LSBxaTRGd2o5eERVekRIalJhT2UzK0JZUURUaUN1UmR6VkRleU9NMCtSNGNRCg06
+9QgOf/700c1qw3NHhg6xIMMT9ze9QCV9rSsFKBG8Fp5ZsFccvVeODVe+vENrcQs/
+6PfMLBcg6OLBvQ0k0mwN/TlFB9aRRP2vFIFRoSjD/VlDUxl2yV4AgXaqjLt4PG38
+T9/lU3e6IKTR+ReC0z+F1G+ctwy+F9xmq1EHx41KZ+4c/D5ktctPQn8EdIRqFX6O
+OQAcQmNTqgfM9AWkbS1LE8RPmKlpia2iNrlhkppdwDstnfjeIshl4fyUKCL0k5qQ
+7DRf7CxpwQSWRLyoBreR3lwmYLNtjr3nVe1Ae9RPA0O8sQc/lNejtb18yRGwMuYP
+1pN/qGR4fOVy3tzKylZ/PWUTiIzPu3jN67GqkLk/zC6qgemTk8cgWt1bJyB4siiy
+9fPfMJE9nrVXr2U7w+f/j0ZW3V4pfNDVsj96ZssMg55mOO7f4qrR2nhwnEgtarEL
+OiEOU1d5nDoxgOy79hlwUGfwH7bAwMFiPoDz508CKBKySHFi0kv5oeHMysmsS+2U
+zjSEjfmsgI+oiwcbUZGkik2mC+82wwwuFN86ip+H+cWm
+-----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -16,7 +16,19 @@ let
   ];
 in
 {
-  # TODO come up with a rotate method/encrypt the device keys bette. This isn't very secure feeling to me the way I am doing this now. If anyone gains access to any one of my devices, then my secrets are no longer secret. This is not a good model.
+  ## Too make a new secret: `ragenix --editor=vi -v -e FILE.age` add file below and in the ragenix.nix file
-  "nix2github.age" = { inherit publicKeys; };
+  # 
-  "nix2bitbucket.age" = { inherit publicKeys; };
+  # TODO come up with a rotate method/encrypt the device keys better. This isn't very secure feeling to me the way I am doing this now. If anyone gains access to any one of my devices, then my secrets are no longer secret. This is not a good model.
+  "nix2github.age" = {
+    inherit publicKeys;
+  };
+  "nix2bitbucket.age" = {
+    inherit publicKeys;
+  };
+  "nix2h001.age" = {
+    inherit publicKeys;
+  };
+  "nix2t.age" = {
+    inherit publicKeys;
+  };
 }

users/_common/home_manager/ssh.nix

@@ -9,7 +9,29 @@
       "bitbucket.org" = {
         identityFile = age.secrets.nix2bitbucket.path;
       };
+      "h001" = {
+        identityFile = age.secrets.nix2h001.path;
+        # TODO come back to these 10.12.14.## addrs and change them to intranet IP's instead of local network.
+        hostname = "10.12.14.2";
+        user = "root";
+      };
+      "t" = {
+        identityFile = age.secrets.nix2t.path;
+        hostname = "10.12.14.103";
+        user = "joshua.bell";
+        localForwards = [
+          {
+            bind.port = 3000;
+            host.port = 3000;
+            host.address = "localhost";
+          }
+          {
+            bind.port = 3002;
+            host.port = 3002;
+            host.address = "localhost";
+          }
+        ];
+      };
     };
   };
 }
-

users/_common/nix_modules/ssh-key.nix

@@ -10,14 +10,14 @@
     };
     script = ''
       #!/run/current-system/sw/bin/bash
-      if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519bbb ]; then
+      if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519]; then
         if [ -v DRY_RUN ]; then
           echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
         else
           echo "Generating SSH key for ${settings.user.username}."
           mkdir -p /home/${settings.user.username}/.ssh
           chmod 700 /home/${settings.user.username}/.ssh
-          /run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519bbb -N ""
+          /run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519-N ""
         fi
       else
         echo "SSH key already exists for ${settings.user.username}."

users/root/configuration.nix

@@ -1,10 +1,17 @@
-{ config, lib, pkgs, settings, ... } @ args:
+{
+  config,
+  lib,
+  pkgs,
+  settings,
+  ...
+}@args:
 {
   users.users.root = {
     initialPassword = "password1";
   };
 
   system.activationScripts.sshConfig = {
+    # TODO revisit this, this is stupid and ugly what am I doing here...
     text = ''
       mkdir -p /root/.ssh
       ln -snf ${config.age.secrets.nix2github.path} /root/.ssh/nix2github
@@ -12,4 +19,3 @@
     '';
   };
 }
-