diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 19ed1549..00000000 --- a/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ - - -.smb_credentials \ No newline at end of file diff --git a/Makefile b/Makefile index 32d15e33..7e98dff0 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,9 @@ deploy: sudo nixos-rebuild switch --flake . +debug: + sudo nixos-rebuild switch --flake . --show-trace --verbose + update: nix flake update diff --git a/README.md b/README.md index 2f82846e..8986c444 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,6 @@ This repository is home to the nix code that builds my systems. ## TODO -- [sops-nix](https://github.com/Mic92/sops-nix): secret management - make fcitx5-rime work in vscode/chrome on wayland - adjust the structure of this repo, make it more flexible, and can easily switch between i3, sway and hyprland. - migrate my private tools & wireguard configurations into nixos, make it a private flake(private github repo), and used it as flake inputs in this repo. @@ -33,8 +32,13 @@ sudo nixos-rebuild switch --flake .#nixos-test # deploy my PC's configuration sudo nixos-rebuild switch --flake .#msi-rtx4090 -``` +# or just deploy with hostname +sudo nixos-rebuild switch + +# we can also deploy using make, which is defined in Makefile +make deploy +``` ## Install Apps from Flatpak diff --git a/flake.lock b/flake.lock index f122fe8e..3b101118 100644 --- a/flake.lock +++ b/flake.lock 
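Review bot: The new `debug` target, like the existing `deploy` and `update`, names no output file, so a stray file called `debug` (or `deploy`) in the repo root would make `make` consider the target up to date and silently skip the rebuild; declare them phony with `.PHONY: deploy debug update` at the top of the Makefile. The `--show-trace --verbose` flags themselves are fine for a diagnostic target, though the trace output of a failed evaluation can be long, so a one-line comment `# same as deploy, but print the full evaluation trace on error` above `debug:` would help the next reader.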
@@ -1,10 +1,53 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1684153753, + "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=", + "owner": "ryantm", + "repo": "agenix", + "rev": "db5637d10f797bb251b94ef9040b237f4702cde3", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "rev": "db5637d10f797bb251b94ef9040b237f4702cde3", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1684343812, + "narHash": "sha256-ZTEjiC8PDKeP8JRchuwcFXUNlMcyQ4U+DpyVZ3pB6Q4=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "dfbdabbb3e797334172094d4f6c0ffca8c791281", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "devenv": { "inputs": { "flake-compat": "flake-compat", "nix": "nix", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "pre-commit-hooks": "pre-commit-hooks" }, "locked": { @@ -131,6 +174,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1684596126, + "narHash": "sha256-4RZZmygeEXpuBqEXGs38ZAcWjWKGwu13Iqbxub6wuJk=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "27ef11f0218d9018ebb2948d40133df2b1de622d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -153,7 +217,7 @@ "hyprland": { "inputs": { "hyprland-protocols": "hyprland-protocols", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "wlroots": "wlroots", "xdph": "xdph" }, @@ -255,7 +319,7 @@ "nix-eval-jobs": { "inputs": { "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1682480188, 
@@ -273,16 +337,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1677534593, - "narHash": "sha256-PuZSAHeq4/9pP/uYH1FcagQ3nLm/DrDrvKi/xC9glvw=", + "lastModified": 1684570954, + "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3ad64d9e2d5bf80c877286102355b1625891ae9a", + "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -355,14 +419,14 @@ "flake-compat": "flake-compat_2", "lib-aggregate": "lib-aggregate", "nix-eval-jobs": "nix-eval-jobs", - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1684578926, - "narHash": "sha256-gOC+D019uldIP0hdhr2uHn6scZJFWioETOvZy8mkX3Q=", + "lastModified": 1684592015, + "narHash": "sha256-6gFt1LE/stVQFeGI263pU6O5EAeY1TPTGee1vvbkwZo=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "17eb467ccf21704e9d079eafc0083597e84020e5", + "rev": "aeb1b88206756e867e398d18e2856b60fc803e12", "type": "github" }, "original": { @@ -372,6 +436,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1677534593, + "narHash": "sha256-PuZSAHeq4/9pP/uYH1FcagQ3nLm/DrDrvKi/xC9glvw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3ad64d9e2d5bf80c877286102355b1625891ae9a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1683014792, "narHash": "sha256-6Va9iVtmmsw4raBc3QKvQT2KT/NGRWlvUlJj46zN8B8=", @@ -387,7 +467,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1684570954, "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=", @@ -403,7 +483,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1681347147, "narHash": "sha256-B+hTioRc3Jdf4SJyeCiO0fW5ShIznJk2OTiW2vOV+mc=", 
@@ -419,13 +499,13 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { - "lastModified": 1684528365, - "narHash": "sha256-2b5IfkV6WPZ3S9SgIajbftinfGlBnwUwOcmLiyCck+w=", + "lastModified": 1684570954, + "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5ae23a806c7cb16e2ade63400d0c6e5aa8e54797", + "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3", "type": "github" }, "original": { @@ -480,10 +560,11 @@ }, "root": { "inputs": { + "agenix": "agenix", "devenv": "devenv", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "hyprland": "hyprland", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nixpkgs-stable": "nixpkgs-stable_2", "nixpkgs-wayland": "nixpkgs-wayland", "nur": "nur" diff --git a/flake.nix b/flake.nix index 25681bd4..9c3899fb 100644 --- a/flake.nix +++ b/flake.nix @@ -54,6 +54,9 @@ # use devenv to manage my development environment devenv.url = "github:cachix/devenv/v0.6.2"; + + # secrets management, lock with git commit at 2023/5/15 + agenix.url = "github:ryantm/agenix/db5637d10f797bb251b94ef9040b237f4702cde3"; }; # outputs 的参数都是 inputs 中定义的依赖项,可以通过它们的名称来引用。 diff --git a/hosts/msi-rtx4090/cifs-mount.nix b/hosts/msi-rtx4090/cifs-mount.nix index f9078648..520c2e0d 100644 --- a/hosts/msi-rtx4090/cifs-mount.nix +++ b/hosts/msi-rtx4090/cifs-mount.nix @@ -5,7 +5,9 @@ fileSystems."/home/ryan/SMB-Downloads" = { device = "//192.168.5.194/Downloads"; fsType = "cifs"; - options = ["vers=3.0,uid=1000,gid=100,dir_mode=0755,file_mode=0755,mfsymlinks,credentials=/etc/nixos/.smb_credentials,nofail"]; + options = [ + "vers=3.0,uid=1000,gid=100,dir_mode=0755,file_mode=0755,mfsymlinks,credentials=${config.age.secrets.smb-credentials.path},nofail" + ]; }; } diff --git a/hosts/msi-rtx4090/default.nix b/hosts/msi-rtx4090/default.nix index 5017df3c..eb201159 100644 --- a/hosts/msi-rtx4090/default.nix +++ b/hosts/msi-rtx4090/default.nix 
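Review bot: The agenix input is added without any `follows`, and the lockfile shows the cost: a second `nixpkgs` node plus separate `darwin` and `home-manager` trees pulled in solely for agenix, which is more third-party code to audit and keep updated. Pinning to a full commit hash is the right call for a secrets tool; keep it, and add `agenix.inputs.nixpkgs.follows = "nixpkgs";` and `agenix.inputs.home-manager.follows = "home-manager";` next to the url, plus `agenix.inputs.darwin.follows = "";` if no macOS host consumes this flake, then re-run `nix flake lock`. The `inputs` attrset continues outside the hunk.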
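Review bot: The rewritten option string still carries `file_mode=0755`, so every file on the share is presented as executable by every user of this host; unless programs are meant to be run straight from the share, `file_mode=0644` (keeping `dir_mode=0755`) is the least-privilege setting, and putting one option per list element (e.g. `"credentials=${config.age.secrets.smb-credentials.path}"` on its own line) makes such changes easier to review. Since `vers=3.0` is already required, adding `seal` requests SMB3 encryption on the wire to 192.168.5.194, which is cheap hardening for a credentials-protected share. Now that the credentials come from agenix, the old plaintext `/etc/nixos/.smb_credentials` (whose `.gitignore` entry this commit also deletes) should be shredded on the host rather than left behind.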
@@ -21,17 +21,19 @@ # Use `config.nur.repos..` in NixOS Module for packages from the NUR. nur.nixosModules.nur - ./cifs-mount.nix - ../../modules/system.nix - ../../modules/hyprland.nix - #../../modules/i3.nix - ../../modules/fcitx5 - ../../modules/nur-packages.nix - ../../modules/fhs-fonts.nix - # Include the results of the hardware scan. ./hardware-configuration.nix + + ../../modules/fcitx5 + ../../modules/fhs-fonts.nix + ../../modules/hyprland.nix + #../../modules/i3.nix + ../../modules/nur-packages.nix + ../../modules/system.nix + ../../modules/user_group.nix + + ../../secrets ]; # Bootloader. diff --git a/hosts/nixos-test/default.nix b/hosts/nixos-test/default.nix index e0dd5042..d733eca5 100644 --- a/hosts/nixos-test/default.nix +++ b/hosts/nixos-test/default.nix @@ -20,16 +20,18 @@ # Use `config.nur.repos..` in NixOS Module for packages from the NUR. nur.nixosModules.nur - - ../../modules/system.nix - ../../modules/hyprland.nix - #../../modules/i3.nix - ../../modules/fcitx5 - ../../modules/nur-packages.nix - ../../modules/fhs-fonts.nix - # Include the results of the hardware scan. ./hardware-configuration.nix + + ../../modules/fcitx5 + ../../modules/fhs-fonts.nix + ../../modules/hyprland.nix + #../../modules/i3.nix + ../../modules/nur-packages.nix + ../../modules/system.nix + ../../modules/user_group.nix + + ../../secrets ]; # Bootloader. diff --git a/modules/system.nix b/modules/system.nix index 7f254cb9..3766472c 100644 --- a/modules/system.nix +++ b/modules/system.nix 
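Review bot: `./cifs-mount.nix` is removed from this import list and never re-added, so the credentials migration made in `hosts/msi-rtx4090/cifs-mount.nix` (and the `age.secrets."smb-credentials"` it now references) is dead configuration on this host after the commit; either re-add `./cifs-mount.nix` after `./hardware-configuration.nix` or add a comment stating why the mount is being disabled. Moving `./hardware-configuration.nix` ahead of the shared modules is fine. The `imports` list starts outside the hunk.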
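Review bot: This host now imports `../../secrets`, but `secrets/secrets.nix` encrypts both `.age` files only to `ryan`'s user key and the `msi-rtx4090` host key, so the agenix activation step on nixos-test has no matching identity in its host SSH keys and decryption of `wg-business.conf` and `smb-credentials` is expected to fail there. Either add nixos-test's `/etc/ssh/ssh_host_ed25519_key.pub` to `systems` in `secrets.nix` and re-key with `agenix -r`, or keep `../../secrets` out of the test host's imports until it has its own key. The `imports` list starts outside the hunk.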
@@ -214,19 +214,4 @@
 # android development tools, this will install adb/fastboot and other android tools and udev rules
 # see https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/programs/adb.nix
 programs.adb.enable = true;
-
-
- # users.groups = {
- # docker = {};
- # wireshark = {};
- # };
- # Define a user account. Don't forget to set a password with ‘passwd’.
- users.users.ryan = {
- isNormalUser = true;
- description = "ryan";
- extraGroups = [ "users" "networkmanager" "wheel" "docker" "wireshark" "adbusers" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj admin@ryan-MBP"
- ];
- };
 }
\ No newline at end of file
diff --git a/modules/user_group.nix b/modules/user_group.nix
new file mode 100644
index 00000000..1aaebb86
--- /dev/null
+++ b/modules/user_group.nix
@@ -0,0 +1,18 @@
+{config, pkgs, ...}:
+
+{
+ users.groups = {
+ ryan = {};
+ docker = {};
+ wireshark = {};
+ };
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.ryan = {
+ isNormalUser = true;
+ description = "ryan";
+ extraGroups = [ "ryan" "users" "networkmanager" "wheel" "docker" "wireshark" "adbusers" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj"
+ ];
+ };
+}
\ No newline at end of file
diff --git a/secrets/REAME.md b/secrets/REAME.md
new file mode 100644
index 00000000..11d98110
--- /dev/null
+++ b/secrets/REAME.md
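Review bot: `extraGroups` grants `ryan` both `wheel` and `docker`, and `docker` membership is root-equivalent (the daemon socket lets a member bind-mount the host filesystem into a container), so the list deserves a comment such as `# NOTE: docker group is root-equivalent; keep this list minimal` above `extraGroups`. The module takes `config` and `pkgs` but uses neither; `{ ... }:` is sufficient. Since this commit introduces agenix, the imperative "set a password with passwd" step in the comment could later be made declarative by pointing the user's `passwordFile` (renamed `hashedPasswordFile` in newer NixOS) at an agenix secret, which would also be the only reason to keep the `config` argument.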
@@ -0,0 +1,87 @@ +# secrets management + +This directory contains my secret files, encrypt by agenix: + +- my wireguard configuration files, which is used by `wg-quick` +- github token, used by nix flakes to query and downloads flakes from github + - without this, you may reach out github api rate limit. +- ssh key pairs for my homelab and other servers +- ... + +## Add or Update Secrets + +This job is done by `agenix` CLI tool with the `./secrets.nix` file. + +Pretend you want to add a new secret file `xxx.age`, then: + +1. `cd` to this directory +1. edit `secrets.nix`, add a new entry for `xxx.age`, which defines the + encryption keys and the secret file path, e.g. + ```nix + # This file is not imported into your NixOS configuration. It is only used for the agenix CLI. + # agenix use the public keys defined in this file to encrypt the secrets. + # and users can decrypt the secrets by any of the corresponding private keys. + + let + # get user's ssh public key by command: + # cat ~/.ssh/id_ed25519.pub + # if you do not have one, you can generate it by command: + # ssh-keygen -t ed25519 + ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj"; + users = [ ryan ]; + + # get system's ssh public key by command: + # cat /etc/ssh/ssh_host_ed25519_key.pub + msi-rtx4090 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@msi-rtx4090"; + systems = [ msi-rtx4090 ]; + in + { + "./encrypt/xxx.age".publicKeys = users ++ systems; + } + ``` +2. create and edit the secret file `xxx.age` interactively by command: + ```shell + agenix -e ./encrypt/xxx.age + ``` +3. or you can also encrypt an existing file to `xxx.age` by command: + ```shell + agenix -e ./encrypt/xxx.age < /path/to/xxx + ``` + + +## Deploy Secrets + +This job is done by `nixos-rebuild` with the `./default.nix` file. + +An nixos module exmaple(need to set agenix as flake inputs first...): + +```nix +{ config, pkgs, agenix, ... 
}: + +{ + imports = [ + agenix.nixosModules.default + ]; + + environment.systemPackages = [ + agenix.packages."${pkgs.system}".default + ]; + + age.secrets."xxx" = { + # wether secrets are symlinked to age.secrets..path + symlink = true; + # target path for decrypted file + path = "/etc/xxx/"; + # encrypted file path + file = ./encrypt/xxx.age; + mode = "0400"; + owner = "root"; + group = "root"; + }; +} +``` + +`nixos-rebuild` will decrypt the secrets using the private keys defined by argument `age.identityPaths`, +And then symlink the secrets to the path defined by argument `age.secrets..path`, it defaults to `/etc/secrets`. + +NOTE: `age.identityPaths` it defaults to `~/.ssh/id_ed25519` and `~/.ssh/id_rsa`, so you should put your decrypt keys there. if you're deploying to the same machine as you're encrypting from, it should work out of the box. diff --git a/secrets/default.nix b/secrets/default.nix new file mode 100644 index 00000000..f4a26805 --- /dev/null +++ b/secrets/default.nix @@ -0,0 +1,32 @@ +{ config, pkgs, agenix, ... }: + +{ + imports = [ + agenix.nixosModules.default + ]; + + environment.systemPackages = [ + agenix.packages."${pkgs.system}".default + ]; + + # # wireguard config used with `wg-quick up wg-business` + age.secrets."wg-business.conf" = { + # wether secrets are symlinked to age.secrets..path + symlink = true; + # target path for decrypted file + path = "/etc/wireguard/"; + # encrypted file path + file = ./encrypt/wg-business.conf.age; + mode = "0400"; + owner = "root"; + group = "root"; + }; + + # smb-credentials is referenced in /etc/fstab, by ../hosts/msi-rtx4090/cifs-mount.nix + age.secrets."smb-credentials" = { + # wether secrets are symlinked to age.secrets..path + symlink = true; + # encrypted file path + file = ./encrypt/smb-credentials.age; + }; +} \ No newline at end of file diff --git a/secrets/encrypt/smb-credentials.age b/secrets/encrypt/smb-credentials.age new file mode 100644 index 00000000..140d25ed --- /dev/null 
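Review bot: `age.secrets."wg-business.conf".path` is set to the directory `"/etc/wireguard/"`, but `path` is the file at which the decrypted secret is installed (symlinked), so with a trailing slash the link agenix creates either fails when `/etc/wireguard` is absent or lands inside that directory depending on host state; use `path = "/etc/wireguard/wg-business.conf";` so `wg-quick up wg-business` finds it deterministically. The `smb-credentials` entry relies on the module defaults for `mode`/`owner` (documented as 0400 and root, which is what `mount.cifs` running as root needs); a comment `# defaults: mode 0400, owner root — read by mount.cifs at boot` would make that intent explicit. `age.identityPaths` is left at its default, which in the agenix NixOS module is the host's SSH host keys rather than `~/.ssh/id_ed25519` as the accompanying README claims; the default is the right choice here since `secrets.nix` encrypts to the `msi-rtx4090` host key, so the README sentence should be corrected instead. Minor: the `# # wireguard config` comment has a doubled `#`, and `wether` should read `whether` in both entries.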
+++ b/secrets/encrypt/smb-credentials.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 YVM6Sg vO0DYm8iol7IBG6rscZq/LQpRHh54+DdOFUR01b6yR0 +gqEePw0Fvo2uDAcwEObd7PLjA2vU6e6JhGGVoGULazA +-> ssh-ed25519 Q4ARMQ fyGN9P+rvYJ8Qk5Iiyjn++Ml/XiVMvk62EshD9JOvDA +ikPmvDRZwhkHAZ2U8R10QgpJlTTynHI5Vm50xxQiKT8 +-> b[1(F-grease 23C oS"65TE ~50zBiB +eMwvm36CT7qLNS6gXVezB3m8pCKyTbKfuCq3vgi/D4DQXfDq4IdAANp0o6DKuaTX +gQOZK5zIELG4bHS9SQRW4H7eAjJBUgA +--- 1p8fRawaLk8WpQHYAE7sD016F6bo4agn2UxDuUtZzmI +ggs=k+nN"oá/=^Z<~ӎki Gw3є=( Am  +U# \ No newline at end of file diff --git a/secrets/encrypt/wg-business.conf.age b/secrets/encrypt/wg-business.conf.age new file mode 100644 index 00000000..76829f37 Binary files /dev/null and b/secrets/encrypt/wg-business.conf.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 00000000..eaa72db6 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,20 @@ +# This file is not imported into your NixOS configuration. It is only used for the agenix CLI. + +let + # get user's ssh public key by command: + # cat ~/.ssh/id_ed25519.pub + # if you do not have one, you can generate it by command: + # ssh-keygen -t ed25519 + ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj"; + users = [ ryan ]; + + # get system's ssh public key by command: + # cat /etc/ssh/ssh_host_ed25519_key.pub + msi-rtx4090 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@msi-rtx4090"; + systems = [ msi-rtx4090 ]; +in +{ + "./encrypt/wg-business.conf.age".publicKeys = users ++ systems; + "./encrypt/smb-credentials.age".publicKeys = users ++ systems; + # "./encrypt/secret123.age".publicKeys = [ user1 system1 ]; +} \ No newline at end of file
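Review bot: `smb-credentials.age` was committed as a text blob (git only flagged `wg-business.conf.age` as binary), so autocrlf or editor normalisation on another checkout can silently corrupt the age payload; add a `.gitattributes` containing `*.age binary` next to this file, especially now that the old `.gitignore` is gone. Every secret here is encrypted to `ryan`'s personal key as well as the host key, meaning the laptop's `~/.ssh/id_ed25519` can decrypt all host secrets — reasonable for a personal setup, but worth stating above `users = [ ryan ];` with `# personal key can decrypt every secret; re-key with 'agenix -r' if it is rotated`. Adding or removing an entry in `users`/`systems` does not re-encrypt existing files, so a comment on the attrset saying `# after changing recipients run: agenix -r` would save the next edit from a decryption failure at activation.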