pub-solar/os
5
0
Fork 2
Code Issues 4 Pull requests Packages Projects 1 Releases Wiki Activity

secrets via agenix

Browse source
This commit is contained in:
Benjamin Bädorf 2021-10-23 13:24:22 +02:00
parent cd5e19b10e
commit 87a9d94d0a
No known key found for this signature in database
GPG key ID: 4406E80E13CD656C
6 changed files with 38 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
hosts/chocolatebar/base.nix
View file

@ -11,7 +11,7 @@ in
];
config = {
pub-solar.x-os.keyfile = "/etc/nixos/hosts/chocolatebar/secrets/keyfile.bin";
pub-solar.x-os.keyfile = "keyfile-chocolatebar.bin";
pub-solar.virtualisation.isolateGPU = "rx550x";

1
modules/devops/default.nix
View file

@ -12,6 +12,7 @@ in
config = mkIf cfg.enable {
home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
home.packages = [
croc
drone-cli
nmap
python38Packages.ansible

5
modules/x-os/boot.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, self, ... }:
let
cfg = config.pub-solar.x-os;
@ -17,8 +17,9 @@ with lib; {
# Use Keyfile to unlock the root partition to avoid keying in twice.
# Allow fstrim to work on it.
age.secrets.luksKeyFile.file = "${self}/secrets/${cfg.keyfile}";
boot.initrd = {
secrets = { "/keyfile.bin" = cfg.keyfile; };
secrets = { "/keyfile.bin" = "/run/secrets/${cfg.keyfile}"; };
luks.devices."cryptroot" = {
keyFile = "/keyfile.bin";
allowDiscards = true;

BIN
secrets/keyfile-biolimo.bin Normal file
View file

Binary file not shown.

BIN
secrets/keyfile-chocolatebar.bin Normal file
View file

Binary file not shown.

37
secrets/secrets.nix
View file

@ -1,9 +1,38 @@
let
# set ssh public keys here for your system and user
system = "";
user = "";
allKeys = [ system user ];
bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw== hello@benjaminbaedorf.com";
biolimo-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZzg8pfVtFonx/IvO2MKG5uVF/sMJAOt1Ifm9Vds2eA root@biolimo";
biolimo-user = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDoYNvXWunQYFORRjcYH1F98+zr20U79ROh+gmaC7AY/x3yf4y8uyMayF56VgQLVNwgEchT5t4dNb9qo2+1oUnjiKrKAVfQMN6WMMMEr4F4WT784uvBx5Uo6vmhgAa+xoo62c4TV2Uf49ZiPd+zAApBHW1F/whPtunPF28Wfr9g+ozSidhnAr+3nkfJh331tz9s+wgQ39AFzFWftQ60Guulpfj8SaVyxyv/yZZAuFpXNzN0Cz4fWBIWFOsib6Z8y+SlUCzSzOguZ7FygHjwlvOxoISsASAuf0OfUKHxVshiL5F5AX1ddmUgXbUKUTp/3Iunr74pfOQC8TXzZHqhrlFzYDmK5J9E6eADSpgx++bCCaHycl73BWeertCBZSHBXeb3Db9HX+mxwpfP3alVAt4ZqQb3YD/VB7XGDvHbmLn+wSfecO2qA9PxiA0yX7e2BZLN9r3G3bRNSk0GpnYM0i84FE9IipiKKnWVjj7J0UPQmz7rzAn2Lki1CnX9PDdxZneqTxgpBomHJt4H+vXMw13scA4xxEDBvfS5KkjbEJqWLbfklCoER6nV3NPLZ6CBl0Xe/VQBSkqEuUEIXih/oa8emDOGUODNF75ck5NJmKiGg6AFZoeiDa7PZMIxhhOq4vsR2Ty43rztUJ0CMX7iSIk3Eql7kqNdvrJaJ7z0GBsiw== ben@biolimo";
chocolatebar-host = "";
chocolatebar-user = "";
allKeys = [
bbcom
biolimo-host
biolimo-user
chocolatebar-host
chocolatebar-user
];
biolimoKeys = [
bbcom
biolimo-host
biolimo-user
];
chocolatebarKeys = [
bbcom
chocolatebar-host
chocolatebar-user
];
in
{
"secret.age".publicKeys = allKeys;
"keyfile-biolimo.bin".publicKeys = biolimoKeys;
"keyfile-chocolatebar.bin".publicKeys = biolimoKeys;
}