starred/nix-config-ryan4yin
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-01-11 22:30:25 +01:00
Code Issues Packages Projects Releases 10 Wiki Activity

fix: bypass router

Browse Source
This commit is contained in:
Ryan Yin
2024-02-16 11:41:37 +08:00
parent 7cbff9ef3b
commit ae238d401d
28 changed files with 891 additions and 439 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
secrets/darwin.nix
View File

@@ -20,7 +20,6 @@
"/etc/ssh/ssh_host_ed25519_key" # macOS, using the host key for decryption
];
# owner = root
age.secrets = let
noaccess = {
mode = "0000";

276
secrets/nixos.nix
View File

@@ -1,137 +1,175 @@
{
lib,
config,
pkgs,
agenix,
mysecrets,
username,
...
}: {
}:
with lib; let
cfg = config.modules.secrets;
noaccess = {
mode = "0000";
owner = "root";
};
high_security = {
mode = "0500";
owner = "root";
};
user_readable = {
mode = "0500";
owner = username;
};
in {
imports = [
agenix.nixosModules.default
];
environment.systemPackages = [
agenix.packages."${pkgs.system}".default
];
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths = [
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
];
# owner = root
age.secrets = let
noaccess = {
mode = "0000";
owner = "root";
};
high_security = {
mode = "0500";
owner = "root";
};
user_readable = {
mode = "0500";
owner = username;
};
in {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" =
{
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
}
// noaccess;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# alias-for-work
"alias-for-work.nushell" =
{
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
"alias-for-work.bash" =
{
file = "${mysecrets}/alias-for-work.bash.age";
}
// user_readable;
options.modules.secrets = {
desktop.enable = mkEnableOption "NixOS Secrets for Desktops";
server.enable = mkEnableOption "NixOS Secrets for Servers";
impermanence.enable = mkEnableOption "Wether use impermanence and ephemeral root file sytem";
};
# place secrets in /etc/
environment.etc = {
# wireguard config used with `wg-quick up wg-business`
"wireguard/wg-business.conf" = {
source = config.age.secrets."wg-business.conf".path;
};
config = mkIf (cfg.server.enable || cfg.desktop.enable) (mkMerge [
{
environment.systemPackages = [
agenix.packages."${pkgs.system}".default
];
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths =
if cfg.impermanence.enable
then [
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
]
else [
"/etc/ssh/ssh_host_ed25519_key"
];
"agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path;
mode = "0600";
user = username;
};
assertions = [
{
# this expression should be true to pass the assertion
assertion = !(cfg.server.enable && cfg.desktop.enable);
message = "Enable either desktop or server's secrets, not both!";
}
];
}
"agenix/ryan4yin-gpg-subkeys.priv.age" = {
source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
mode = "0000";
};
(mkIf cfg.desktop.enable {
age.secrets = {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
# The following secrets are used by home-manager modules
# So we need to make then readable by the user
"agenix/alias-for-work.nushell" = {
source = config.age.secrets."alias-for-work.nushell".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
"agenix/alias-for-work.bash" = {
source = config.age.secrets."alias-for-work.bash".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
};
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" =
{
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
}
// noaccess;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# alias-for-work
"alias-for-work.nushell" =
{
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
"alias-for-work.bash" =
{
file = "${mysecrets}/alias-for-work.bash.age";
}
// user_readable;
};
# place secrets in /etc/
environment.etc = {
# wireguard config used with `wg-quick up wg-business`
"wireguard/wg-business.conf" = {
source = config.age.secrets."wg-business.conf".path;
};
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
"agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path;
mode = "0600";
user = username;
};
"agenix/ryan4yin-gpg-subkeys.priv.age" = {
source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
mode = "0000";
};
# The following secrets are used by home-manager modules
# So we need to make then readable by the user
"agenix/alias-for-work.nushell" = {
source = config.age.secrets."alias-for-work.nushell".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
"agenix/alias-for-work.bash" = {
source = config.age.secrets."alias-for-work.bash".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
};
})
(mkIf cfg.server.enable {
age.secrets = {
"dae-subscription.dae" =
{
file = "${mysecrets}/server/dae-subscription.dae.age";
}
// high_security;
};
})
]);
}