From e9c9dbfa41dc517d47e85cdbe531139bf2c1aba5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Tue, 18 Jan 2022 18:59:50 +0000
Subject: [PATCH] WIP: Add sops

---
 .sops.yaml                |  7 +++++++
 configuration/default.nix | 10 ++++++++++
 flake.lock                | 21 +++++++++++++++++++++
 flake.nix                 | 26 ++++++++++++++++++++++++--
 4 files changed, 62 insertions(+), 2 deletions(-)
 create mode 100644 .sops.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..fd14552
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+  - &tlater 535B61015823443941C744DD12264F6BBDFABA89
+
+creation_rules:
+  - key_groups:
+      - pgp:
+          - *tlater
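Review bot: The only recipient in `creation_rules` is the single personal PGP key `535B…BA89`, and there is no host key beside it, so every secret encrypted under this rule is decryptable by that key alone — and, given `sops.gnupg.home = "/var/lib/sops"` in configuration/default.nix, that same private key has to sit on the server. A personal identity that can also decrypt all deployed secrets is more exposure than deployment needs; adding a second, host-owned recipient to the same `key_groups` entry (which the `keys/hosts/` directory referenced in flake.nix appears intended to hold) lets the server decrypt without holding the personal key. The rule also has no `path_regex`, so it applies to every file sops is invoked on; acceptable for one secrets file, but worth recording as `# no path_regex: this rule applies to every file; add one before a second secrets file is introduced`.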
diff --git a/configuration/default.nix b/configuration/default.nix
index 8600070..cae99d1 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -34,6 +34,16 @@
 
   time.timeZone = "Europe/London";
 
+  sops = {
+    gnupg = {
+      home = "/var/lib/sops";
+      sshKeyPaths = [ ];
+    };
+
+    defaultSopsFile = "/etc/sops/secrets.yaml";
+    validateSopsFiles = false;
+  };
+
   users.users.tlater = {
     isNormalUser = true;
     extraGroups = [ "wheel" ];
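Review bot: `validateSopsFiles = false;` switches off sops-nix's evaluation-time check of the secrets file and the hunk does not say why; the reason is visible but unstated — `defaultSopsFile` is the runtime path `/etc/sops/secrets.yaml`, which is not in the Nix store and so apparently cannot be inspected at build time. Add a why-comment next to the option, e.g. `# secrets.yaml is provisioned out-of-band at runtime rather than from the store, so it cannot be validated at evaluation time`. With `sshKeyPaths = [ ];` no SSH host key is imported, so `/var/lib/sops` must already contain a private key matching the recipient in .sops.yaml; note in the same comment how that directory is populated and with what permissions, because a mismatch only surfaces at activation, not at build.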
diff --git a/flake.lock b/flake.lock
index 11de3e3..983023a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -73,6 +73,7 @@
         "flake-utils": "flake-utils",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix",
         "tlaternet-templates": "tlaternet-templates",
         "tlaternet-webserver": "tlaternet-webserver"
       }
@@ -102,6 +103,26 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1641374494,
+        "narHash": "sha256-a56G6Um43+0+n+yNYhRCh/mSvDdRVzQHSKcFaDEB9/8=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "7edb4b080023ef12f39262a3aa7aab31015a7a0e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "tlaternet-templates": {
       "inputs": {
         "flake-utils": [
diff --git a/flake.nix b/flake.nix
index bc1859a..d2473f7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,6 +5,10 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11";
     nixos-hardware.url = "github:nixos/nixos-hardware/master";
     flake-utils.url = "github:numtide/flake-utils";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     tlaternet-webserver = {
       url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git";
       inputs = {
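Review bot: The new `sops-nix` input at `url = "github:Mic92/sops-nix";` carries no branch, tag or rev, unlike `nixpkgs`, which is pinned to `nixos-21.11`; flake.lock pins a revision today, but any `nix flake update` will silently pull whatever the default branch holds into the module that decrypts the host's secrets. Pin it to a reviewed ref — `url = "github:Mic92/sops-nix?rev=7edb4b080023ef12f39262a3aa7aab31015a7a0e";` or a release tag — or add a comment stating that updates to this input are reviewed by hand, matching how nixpkgs is treated.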
@@ -21,8 +25,8 @@
     };
   };
 
-  outputs = { self, nixpkgs, nixos-hardware, flake-utils, tlaternet-webserver
-    , tlaternet-templates, ... }@inputs:
+  outputs = { self, nixpkgs, nixos-hardware, flake-utils, sops-nix
+    , tlaternet-webserver, tlaternet-templates, ... }@inputs:
     let
       overlays = [
         (final: prev: {
@@ -35,6 +39,7 @@
             local-lib = self.lib.${prev.system};
           };
         })
+        sops-nix.overlay
       ];
 
     in {
@@ -44,6 +49,8 @@
           inherit system;
 
           modules = [
+            sops-nix.nixosModules.sops
+
             ({ modulesPath, ... }: {
               imports = [ (modulesPath + "/profiles/headless.nix") ];
               nixpkgs.overlays = overlays;
@@ -61,6 +68,8 @@
           inherit system;
 
           modules = [
+            sops-nix.nixosModule
+
             ({ modulesPath, ... }: {
               imports = [ (modulesPath + "/profiles/headless.nix") ];
               nixpkgs.overlays = overlays;
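Review bot: This configuration imports `sops-nix.nixosModule` while the configuration in the previous hunk imports `sops-nix.nixosModules.sops`; both names presumably resolve to the same module at the locked revision, but spelling one module two ways invites the two builds to diverge if either alias is dropped upstream. Use `sops-nix.nixosModules.sops` in both places. The enclosing `modules` list and the module it belongs to continue past the hunk.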
@@ -78,6 +87,13 @@
               # can easily test locally with the VM.
               services.nginx.domain = lib.mkOverride 99 "localhost";
 
+              # Use a default password for the grafana instance for
+              # easy testing.
+              services.grafana.security = {
+                adminPassword = "insecure";
+                adminPasswordFile = lib.mkOverride 99 null;
+              };
+
               # # Set up VM settings to match real VPS
               # virtualisation.memorySize = 3941;
               # virtualisation.cores = 2;
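Review bot: `adminPassword = "insecure";` is set at normal priority while its sibling `adminPasswordFile` is forced with `lib.mkOverride 99`; if the shared module also defines `adminPassword`, this evaluation fails with a conflicting-definitions error rather than overriding it. Give both attributes the same priority — `adminPassword = lib.mkOverride 99 "insecure";` — and extend the comment to state that the literal lands in the Nix store and the generated grafana config, which is acceptable only because this module is the localhost VM; the enclosing module starts before the hunk, so confirm it is not also applied to the VPS build.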
@@ -94,6 +110,8 @@
               nixfmt
               git-lfs
 
+              sops-init-gpg-key
+
               # For the minecraft mod update script
               (python3.withPackages (pypkgs:
                 with pypkgs; [
@@ -107,6 +125,10 @@
                   # pyls-mypy
                 ]))
             ];
+
+            # nativeBuildInputs = [ sops-import-keys-hook ]; Breaks the shellHook somehow
+            sopsPGPKeyDirs = [ "./keys/hosts/" "./keys/users/" ];
+
             shellHook = ''
               export QEMU_OPTS="-m 3941 -smp 2 -curses"
               export QEMU_NET_OPTS="hostfwd=::3022-:2222,hostfwd=::3080-:80,hostfwd=::3443-:443,hostfwd=::3021-:2221,hostfwd=::25565-:25565"
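Review bot: `sopsPGPKeyDirs = [ "./keys/hosts/" "./keys/users/" ];` is only read by `sops-import-keys-hook`, and the line that would add that hook to `nativeBuildInputs` is commented out with `Breaks the shellHook somehow`, so as committed the attribute is inert and no keys are imported into the shell; either drop it until the hook works or make the comment a `TODO` that records what actually breaks. The paths are relative to the directory the shell is entered from, so a working hook will look in the wrong place when `nix develop` is run outside the flake root. `.sops.yaml` in this patch lists one user key and no host keys, so `keys/hosts/` appears planned but nothing here populates it. The enclosing `shellHook` string continues past the hunk.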