From f1e46521481b40d61010ae36ffa19a335bac72e3 Mon Sep 17 00:00:00 2001 From: Erwin Boskma Date: Fri, 26 Nov 2021 22:21:16 +0100 Subject: [PATCH] Secrets with sops --- .envrc | 4 +- .gitignore | 1 + .sops.yaml | 9 +++++ flake.lock | 43 ++++++++++++++------ flake.nix | 12 +++++- home-manager/modules/waybar/default.nix | 9 ++--- machines/loki/configuration.nix | 8 +++- machines/loki/secrets.yaml | 52 +++++++++++++++++++++++++ modules/desktop/default.nix | 2 +- 9 files changed, 118 insertions(+), 22 deletions(-) create mode 100644 .sops.yaml create mode 100644 machines/loki/secrets.yaml diff --git a/.envrc b/.envrc index 1867f14..3550a30 100644 --- a/.envrc +++ b/.envrc @@ -1,3 +1 @@ -PASSWORD_STORE_DIR=${PWD}/secrets - -export PASSWORD_STORE_DIR +use flake diff --git a/.gitignore b/.gitignore index 03c0084..9421db7 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ /backup /result /secrets.nix +/.direnv diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..94f51fb --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,9 @@ +keys: + - &erwin b785a9688947edabb9ec8933ee7adefe1d943c7b + - &loki a6e31f5ab2bf34ca3f614d81ed9d6ae54dbcb9f7 +creation_rules: + - path_regex: machines/loki/[^/]+\.yaml$ + key_groups: + - pgp: + - *erwin + - *loki diff --git a/flake.lock b/flake.lock index 7124058..9d9b057 100644 --- a/flake.lock +++ b/flake.lock @@ -28,11 +28,11 @@ ] }, "locked": { - "lastModified": 1637673792, - "narHash": "sha256-4hbA3vng5ARWu/rg62h73bwSJeKeIYOLcTvZ2gxazhk=", + "lastModified": 1637880148, + "narHash": "sha256-L2h6t3u6SjDNGF+X3i8Cm7ivqej0xVmqX4Z6fX5p0AE=", "ref": "main", - "rev": "dd2894089ae666bdd7fabacf5b7de4dc24ecc7cb", - "revCount": 8, + "rev": "1cc03904328e4c9414fa67d99370a338cba55219", + "revCount": 11, "type": "git", "url": "ssh://git@git.datarift.nl/erwin/ha-now-playing.git" }, 
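Review bot: The creation rule's `path_regex: machines/loki/[^/]+\.yaml$` is anchored only at the end, so it also matches any deeper path that happens to contain `machines/loki/` (sops tests the regex against the path relative to this `.sops.yaml`, as far as I recall); `path_regex: ^machines/loki/[^/]+\.yaml$` makes the rule precise. The two bare fingerprints would also benefit from a comment saying what each key is — the `loki` entry is presumably the host's SSH key converted with `ssh-to-pgp` (the devShell ships that tool), which is worth stating so nobody rotates the host key without re-encrypting, e.g. `# loki: host SSH RSA key via ssh-to-pgp; run 'sops updatekeys' on the secrets files after rotating it`. Note that creation rules only apply when a file is created; existing files keep their recipient list until `sops updatekeys` is run.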
@@ -49,11 +49,11 @@ ] }, "locked": { - "lastModified": 1637721183, - "narHash": "sha256-4CAKKxrt9l0Hbl57Uypo7ol93Ko+5Yn+7xWWCMUyHQ8=", + "lastModified": 1637875789, + "narHash": "sha256-kwW26kGhqNsWpTz+prw/pAfqz673GojbxZuB0boc1eM=", "owner": "nix-community", "repo": "home-manager", - "rev": "df931a59a5864d6ff0c5d83598135816f8593647", + "rev": "579f2e8bebb954a103a96b905c27b10f15ef38c7", "type": "github" }, "original": { @@ -84,11 +84,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1637595801, - "narHash": "sha256-LkIMwVFKCuEqidaUdg8uxwpESAXjsPo4oCz3eJ7RaRw=", + "lastModified": 1637841632, + "narHash": "sha256-QYqiKHdda0EOnLGQCHE+GluD/Lq2EJj4hVTooPM55Ic=", "owner": "nixos", "repo": "nixpkgs", - "rev": "263ef4cc4146c9fab808085487438c625d4426a9", + "rev": "73369f8d0864854d1acfa7f1e6217f7d6b6e3fa1", "type": "github" }, "original": { @@ -132,7 +132,28 @@ "home-manager": "home-manager", "naersk": "naersk", "nixpkgs": "nixpkgs", - "pamedia": "pamedia" + "pamedia": "pamedia", + "sops": "sops" + } + }, + "sops": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1637735079, + "narHash": "sha256-VC6FEfYHkNMrCd9+0nATtUQAtkWOrkH4gzwGHNG4TTQ=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "871408582627f43d0ecc5e4595dcf20cfe2ee227", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 7b8d536..6c531b3 100644 --- a/flake.nix +++ b/flake.nix @@ -16,6 +16,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + sops = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + ha-now-playing = { url = "git+ssh://git@git.datarift.nl/erwin/ha-now-playing.git?ref=main"; inputs.nixpkgs.follows = "nixpkgs"; @@ -31,7 +36,7 @@ }; }; - outputs = { self, ha-now-playing, pamedia, ... }@inputs: + outputs = { self, sops, ha-now-playing, pamedia, ... }@inputs: with inputs; let 
@@ -62,6 +67,7 @@ system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev; nix.registry.nixpkgs.flake = nixpkgs; }) + sops.nixosModules.sops ]; }; @@ -128,6 +134,10 @@ rofi-wayland = flake-utils.lib.mkApp { drv = packages.rofi-wayland; }; nix-plugins = flake-utils.lib.mkApp { drv = packages.nix-plugins; }; }; + + devShell = with pkgs; mkShell { + nativeBuildInputs = [ sops ssh-to-pgp ]; + }; } ); } diff --git a/home-manager/modules/waybar/default.nix b/home-manager/modules/waybar/default.nix index 6c3c678..c203184 100644 --- a/home-manager/modules/waybar/default.nix +++ b/home-manager/modules/waybar/default.nix @@ -2,7 +2,6 @@ with lib; let cfg = config.eboskma.programs.waybar; - token = ""; in { options.eboskma.programs.waybar.enable = mkEnableOption "Enable waybar"; 
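Review bot: In the new `devShell`, the `sops` inside `with pkgs;` resolves to the flake input bound by `outputs = { self, sops, ... }`, not to `pkgs.sops`, because lexically bound names take precedence over names brought in by `with`. As far as I can tell that puts the sops-nix source tree (coerced through its `outPath`) into `nativeBuildInputs` instead of the sops CLI, so the shell this commit sets up for editing `secrets.yaml` would lack its main tool, silently. `nativeBuildInputs = [ pkgs.sops pkgs.ssh-to-pgp ];` removes the ambiguity; the `outputs` function that contains this attribute starts outside the hunk.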
@@ -91,12 +90,12 @@ in # TODO: package as nix thingy "custom/now_playing" = { - exec = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token ${token}"; + exec = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token-file /run/secrets/ha_now_playing_token"; format = " ♪ {}"; interval = 2; - on-click = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token ${token} play-pause"; - on-scroll-down = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token ${token} volume-up"; - on-scroll-up = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token ${token} volume-down"; + on-click = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token-file /run/secrets/ha_now_playing_token play-pause"; + on-scroll-down = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token-file /run/secrets/ha_now_playing_token volume-up"; + on-scroll-up = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token-file /run/secrets/ha_now_playing_token volume-down"; }; "sway/window" = { diff --git a/machines/loki/configuration.nix b/machines/loki/configuration.nix index bc6817c..5805526 100644 --- a/machines/loki/configuration.nix +++ b/machines/loki/configuration.nix @@ -1,6 +1,6 @@ { self, ... }: { - imports = [ ./hardware-configuration.nix ]; + imports = [ ./hardware-configuration.nix ../../users/erwin.nix ../../users/root.nix ]; eboskma = { base = { 
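Review bot: The full `ha-now-playing` invocation, including the secret path `/run/secrets/ha_now_playing_token`, is now repeated four times in `custom/now_playing`; a local `let` on that attribute keeps the path in one place and gives it a comment explaining where it comes from (it appears to be the sops-nix default path for `sops.secrets.ha_now_playing_token` declared in `machines/loki/configuration.nix`, and is readable by waybar only because that secret is owned by this user — worth confirming on other hosts that enable this module without the secret). The `--token-file` flag is assumed to exist in the bumped `ha-now-playing` revision; I cannot see it here.
```nix
"custom/now_playing" = let
  # Token is provisioned by sops-nix (sops.secrets.ha_now_playing_token in
  # machines/loki/configuration.nix); hosts without it will fail at runtime.
  haNowPlaying = "${pkgs.ha-now-playing}/bin/ha-now-playing --host home.datarift.nl --entity media_player.sonos_woonkamer --token-file /run/secrets/ha_now_playing_token";
in {
  exec = haNowPlaying;
  format = " ♪ {}";
  interval = 2;
  on-click = "${haNowPlaying} play-pause";
  on-scroll-down = "${haNowPlaying} volume-up";
  on-scroll-up = "${haNowPlaying} volume-down";
};
```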
@@ -44,6 +44,12 @@ # }; services.openssh.enable = true; + + sops.defaultSopsFile = ./secrets.yaml; + sops.secrets.ha_now_playing_token = { + owner = "erwin"; + }; + # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/machines/loki/secrets.yaml b/machines/loki/secrets.yaml new file mode 100644 index 0000000..b2efffb --- /dev/null +++ b/machines/loki/secrets.yaml 
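Review bot: `sops.secrets.ha_now_playing_token` sets only `owner`, so the file mode, the `/run/secrets/ha_now_playing_token` path, and the decryption key are all implicit sops-nix defaults, and the home-manager waybar module depends on exactly those defaults. A comment here records the contract, e.g. `# Consumed by home-manager/modules/waybar via --token-file; sops-nix default path /run/secrets/<name>, mode 0400, hence the owner.` Decryption presumably uses this host's SSH RSA key (the `loki` fingerprint in `.sops.yaml`, with `services.openssh.enable` above providing the key) — that is an assumption from the diff rather than something it shows, so stating it in a comment, or pinning `sops.gnupg.sshKeyPaths` explicitly, would make the dependency visible.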
@@ -0,0 +1,52 @@ +ha_now_playing_token: ENC[AES256_GCM,data:2NKdfEn0tQx+DTE6HBVo79Ico8+afqJ2XFaBVOgIikaL4eMa34CqHwhX91T64VVdmWyjvhaC1kRzxsALoJvw1ZHEnSG2va6lX0vN36j/n8R3ulcX23ZJetMHYQQE6ss7A+gvnBHTnTBG+F9XyrPFT7xnfQ363lWHQ3nRFiGAZJjj6eYqLxSuG7KMWHtfSozy5gSy2JKoxyV4KnqpDs39PhBmNA7OSh3FRYZPIaq+i4qhdCfHRET+,iv:Znl6IW36aqhL/KBr0cRgPBPtqkhuc1GtoqCQEQJ/cXI=,tag:ubvLck9m9qiutU2zcQtdDw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2021-11-25T22:00:28Z" + mac: ENC[AES256_GCM,data:yhO2fjE5BwdAF9Hj69k2tTgxr/gOVTZrkWNCJD/bkSX6rZLuMWQ4XqUSPiZ1/lRTliUnvnpOWqm3Fnvh7Nbhydyd6wyzwI799mSczLu4OUAImpCAfF6X95RGJ50lXQE+e/rO6+YwuWqS8FaRdgjWRBT3fvqoSYhqypiTRxVw0ew=,iv:+XxbiT49RnC+lqrbnLvzkH1nljNindQjYiCZ2cPyHDE=,tag:k3WIVby2WjSpDrv4SjYoRQ==,type:str] + pgp: + - created_at: "2021-11-25T22:00:17Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA6BoiFpcAxNSAQ//R7e0KvxQrF+UBrs2TA7vP5LvPHAB+Isnn1VueHDxLj5j + UcLi1ts4rDquDiWdkJVN+A53hOee3IvOe+m0BkVJyetEbocEaFgwpRmzhSIhTFvX + jQI3C+Mn+WtYmq6vUcC7mhLiBgvGFRueQNcroYEAZFwLSYKLUM7nT01Njn4ADSIi + EJj1Ogssgt/jptB71jA3DD56+yMayCKsB+5XtaooZn7uEPPxZKyhcGcmx8a7anBr + V8bil0FLGqx3QaRGgXqj23kL8NOOCuJGdyQFeNfRVXyXjK3FQixCXfYKv/li3hOZ + Ge+gh3o3aiQexmfxh5Yi0u+KiyF5jlG/FVN9VSGi2sDrnjNUW3KX/eS2Rkd553EA + XhnVMoMztKpQ0DhZmvcTT9ynKTJrG28OXsWkWRe4zfrwHgBnfyEnP4TXRlAgO3TS + 6giORbtWTdTVedYW+tbwK1XLxrqDfkMsSBVYgL+x96A1RQMYZfRvpA8kKsefN54p + stKeOySSo9ypquxzA0mdogyvhhIa5Cg0fSCzOE+Y7P4GRUe+OGqP0rMpIBzZsfyF + lefXRxBGL+1wtaE/zNqI1Rf0jxzFlF0DExfAcqveIaElCQJbTWvhalTGSD+O+oVj + Q1HDpa/iu0BqlzBMEKGxUhwqtsl/prpYMSKxLTgjqfCOecwNyVEpKTRFnFlP12/S + XgHa43zpA5RYfcp4hcB/3XeAt69AKwnJKD+C0Pv5l2rTveD8/jgZnt1NfJohTm58 + chz6V0qSeGro41CjP3HEdzD+iIez+Dyv8BWahLvznTNeHROCHat5SLeEf9FNm9E= + =onPc + -----END PGP MESSAGE----- + fp: b785a9688947edabb9ec8933ee7adefe1d943c7b + - created_at: "2021-11-25T22:00:17Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA+2dauVNvLn3ARAAmQgafR035XrvwMSOaGq+N5VbSC0FhQ0dJbNkew8ixQqT + 
iR3AIHKDv8Uvdi3XlMtupVD5YIlazc+NoOKJk1xzrvYGO4bouH1k0KinXbea3Wm2 + 5NHSPWwzkRkA+S1GawsTgBx3IrWlDagsCADZ7B4TGuEuZt/i6J/C56JikG7aIpM4 + qgm+KZBTbyW8IHcVjoDqTTtEdhU+1IN3MtgzQeI362nKTn27LnoLsLxhXg2mHQcM + 8zu3D246mRriwPgfXAyADwx57k7G06t63JwSCXzzY20H2m3DFc0Woxcbo8zrkLLp + NZKirM/LS3wLELg+e+NYk7dZG/s1tR3ZL000wss97jZlTbRUr9aEj6YVklG4kxiW + v0IsovsFqqE+IgYEuMacYqteBpaKduixxooPsRYTvsqJubhAPWD7oe5bGgojF0i3 + elTT1nUY9w9JMfutzUSzYBV+1ld2hpMXDGKZ1uNUionfk3+8NBXql/NE90mvlVhv + FDmnpVF/DsuS68tkb5FvZ+gI1prjz6D0TBX9CKbQTGNef6mm2Jshx7zzRGx1w90X + M9sN/KGEkeYI+htxw9zC5ulsuKZTf00omsl6mKX7cPOr0tQgRCN+TMpGwGbRjP2d + 31uXUPJMyMDQpO3qFq5Ak0iVHBp0C9FyRyLFD1E2AJGnOVTKXFDgPZCViAWIGdHS + UAHR6gC+bPX66ZEOjMFqDl0IsWyz/tphkdIbVce2j+/KcMbntqNxUI0uP5sWySmp + Wke3WX8EENOQUbjr9KHNg+n4Er5NRyJ3czSU6jtydo87 + =Cpa9 + -----END PGP MESSAGE----- + fp: a6e31f5ab2bf34ca3f614d81ed9d6ae54dbcb9f7 + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/modules/desktop/default.nix b/modules/desktop/default.nix index c205847..1c3b5c4 100644 --- a/modules/desktop/default.nix +++ b/modules/desktop/default.nix @@ -5,7 +5,7 @@ let bt = config.eboskma.bluetooth; in { - imports = [ ../../users/erwin.nix ../../users/root.nix ]; + # imports = [ ../../users/erwin.nix ../../users/root.nix ]; options.eboskma.desktop = { enable = mkEnableOption "Enable default desktop configuration";
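Review bot: The old `imports` line is commented out rather than removed; git keeps the history, so `# imports = [ ../../users/erwin.nix ../../users/root.nix ];` should simply be deleted. Moving the user imports into `machines/loki/configuration.nix` also means any other host that enables `eboskma.desktop` no longer gets the `erwin`/`root` definitions from this module — no other machine is visible in this diff, so that is worth checking. If the relocation is intentional, a one-line comment in place of the dead code, `# User accounts are imported per machine, not by the desktop module.`, records the decision.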