diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..fd14552
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &tlater 535B61015823443941C744DD12264F6BBDFABA89
+
+creation_rules:
+ - key_groups:
+ - pgp:
+ - *tlater
diff --git a/configuration/default.nix b/configuration/default.nix
index 8600070..cae99d1 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -34,6 +34,16 @@
 time.timeZone = "Europe/London";
+ sops = {
+ gnupg = {
+ home = "/var/lib/sops";
+ sshKeyPaths = [ ];
+ };
+
+ defaultSopsFile = "/etc/sops/secrets.yaml";
+ validateSopsFiles = false;
+ };
+
 users.users.tlater = {
 isNormalUser = true;
 extraGroups = [ "wheel" ];
diff --git a/flake.lock b/flake.lock
index 11de3e3..983023a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -73,6 +73,7 @@
 "flake-utils": "flake-utils",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix",
 "tlaternet-templates": "tlaternet-templates",
 "tlaternet-webserver": "tlaternet-webserver"
 }
@@ -102,6 +103,26 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1641374494,
+ "narHash": "sha256-a56G6Um43+0+n+yNYhRCh/mSvDdRVzQHSKcFaDEB9/8=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "7edb4b080023ef12f39262a3aa7aab31015a7a0e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "tlaternet-templates": {
 "inputs": {
 "flake-utils": [
diff --git a/flake.nix b/flake.nix
index bc1859a..d2473f7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,6 +5,10 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11";
 nixos-hardware.url = "github:nixos/nixos-hardware/master";
 flake-utils.url = "github:numtide/flake-utils";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 tlaternet-webserver = {
 url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git";
 inputs = {
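Review bot: The single `creation_rules` entry encrypts to one PGP key only (the `tlater` anchor), while `configuration/default.nix` in this same commit tells the host to decrypt with a GnuPG keyring under `/var/lib/sops` — unless that keyring holds this exact private key, the host cannot decrypt anything encrypted under this rule. The dev shell's `sopsPGPKeyDirs` references a `./keys/hosts/` directory, so a host fingerprint is presumably meant to be listed here as well, e.g. a second anchor under `keys:` and a matching `- *host` entry under `pgp:`. The rule also has no `path_regex`, so it governs every file sops is pointed at in this repository; scoping it to the intended secrets file (e.g. `path_regex: secrets\.yaml$`) avoids accidentally encrypting unrelated files to this key set. A one-line comment recording whose key each fingerprint is and how it was verified would help the next person rotating keys.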
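Review bot: `validateSopsFiles = false` combined with an absolute `defaultSopsFile = "/etc/sops/secrets.yaml"` means the encrypted secrets live outside the Nix store and are never checked at build time, and nothing in this commit provisions either that file or the `/var/lib/sops` keyring to the host, so a missing file or a file encrypted to the wrong key only surfaces as a failure during activation. If the secrets file can be committed to the repository (it is encrypted, which is the point of sops), `defaultSopsFile = ./secrets.yaml;` keeps validation on and makes the closure self-contained; otherwise a comment documenting the out-of-band deployment of both paths is warranted, e.g. `# /etc/sops/secrets.yaml and the /var/lib/sops keyring are provisioned manually (root-only) — see <runbook>`. `sshKeyPaths = [ ]` explicitly disables deriving the decryption key from the host SSH key, which is fine, but the reason should be stated since the SSH-key path is the lower-maintenance default. The enclosing module attribute set starts and ends outside this hunk.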
@@ -21,8 +25,8 @@
 };
 };
- outputs = { self, nixpkgs, nixos-hardware, flake-utils, tlaternet-webserver
- , tlaternet-templates, ... }@inputs:
+ outputs = { self, nixpkgs, nixos-hardware, flake-utils, sops-nix
+ , tlaternet-webserver, tlaternet-templates, ... }@inputs:
 let
 overlays = [
 (final: prev: {
@@ -35,6 +39,7 @@
 local-lib = self.lib.${prev.system};
 };
 })
+ sops-nix.overlay
 ];
 in {
@@ -44,6 +49,8 @@
 inherit system;
 modules = [
+ sops-nix.nixosModules.sops
+
 ({ modulesPath, ... }: {
 imports = [ (modulesPath + "/profiles/headless.nix") ];
 nixpkgs.overlays = overlays;
@@ -61,6 +68,8 @@
 inherit system;
 modules = [
+ sops-nix.nixosModule
+
 ({ modulesPath, ... }: {
 imports = [ (modulesPath + "/profiles/headless.nix") ];
 nixpkgs.overlays = overlays;
@@ -78,6 +87,13 @@
 # can easily test locally with the VM.
 services.nginx.domain = lib.mkOverride 99 "localhost";
+ # Use a default password for the grafana instance for
+ # easy testing.
+ services.grafana.security = {
+ adminPassword = "insecure";
+ adminPasswordFile = lib.mkOverride 99 null;
+ };
+
 # # Set up VM settings to match real VPS
 # virtualisation.memorySize = 3941;
 # virtualisation.cores = 2;
@@ -94,6 +110,8 @@
 nixfmt
 git-lfs
+ sops-init-gpg-key
+
 # For the minecraft mod update script
 (python3.withPackages (pypkgs:
 with pypkgs; [
@@ -107,6 +125,10 @@
 # pyls-mypy
 ]))
 ];
+
+ # nativeBuildInputs = [ sops-import-keys-hook ]; Breaks the shellHook somehow
+ sopsPGPKeyDirs = [ "./keys/hosts/" "./keys/users/" ];
+
 shellHook = ''
 export QEMU_OPTS="-m 3941 -smp 2 -curses"
 export QEMU_NET_OPTS="hostfwd=::3022-:2222,hostfwd=::3080-:80,hostfwd=::3443-:443,hostfwd=::3021-:2221,hostfwd=::25565-:25565"
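Review bot: The second configuration imports `sops-nix.nixosModule` while the first (previous hunk) imports `sops-nix.nixosModules.sops`; the singular form is presumably an alias for the same module, but mixing the two reads like two different things are being imported. Using `sops-nix.nixosModules.sops` in both places keeps the two `modules` lists parallel and avoids depending on the alias. The enclosing `nixosConfigurations` attribute and its `modules` list start and end outside this hunk.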
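Review bot: `adminPassword = "insecure"` is set at default priority while `adminPasswordFile` is forced with `lib.mkOverride 99`, so if any other module also defines `adminPassword` the evaluation fails with a conflicting-definition error instead of this VM override winning; `adminPassword = lib.mkOverride 99 "insecure";` makes the two overrides symmetric. A literal password in a NixOS module ends up in the world-readable store, which is acceptable only because this block appears to be the VM-only configuration (the adjacent `services.nginx.domain` override to `localhost` suggests so) — extend the comment to say that explicitly, e.g. `# VM-only: plaintext password is in the store; never import this module into the VPS config.` The enclosing module starts and ends outside this hunk.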
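Review bot: `sopsPGPKeyDirs` is, as far as I know, only consumed by sops-nix's `sops-import-keys-hook`, which the line above leaves commented out, so the new option currently does nothing — the dev shell neither imports the keys under `./keys/` nor gets an isolated `GNUPGHOME`, and `sops-init-gpg-key` added in the previous hunk will write into whatever keyring the user's environment points at. Either resolve the conflict the comment alludes to (the hook presumably sets up its own `GNUPGHOME` in a setup hook, and the custom `shellHook` should still run after it; the actual failure is worth capturing rather than "somehow") or drop the dead option until it is wired up. At minimum replace the commented-out line with a tracked note, e.g. `# TODO: sops-import-keys-hook breaks the custom shellHook (<error>); sopsPGPKeyDirs is inert until it is re-enabled.` The enclosing `devShell`/`mkShell` call starts outside this hunk.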