starred/nix-config
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-01-11 20:40:24 +01:00
Code Issues Packages Projects Releases 10 Wiki Activity

fix(secrets/nixos): assertion

Browse Source
This commit is contained in:
Ryan Yin
2024-11-17 21:31:31 +08:00
parent 2eb37b34ea
commit 4503964146
1 changed files with 214 additions and 220 deletions
Download Patch File Download Diff File Expand all files Collapse all files

434
secrets/nixos.nix
View File

@@ -10,6 +10,14 @@
with lib; let
cfg = config.modules.secrets;
enabledServerSecrets =
cfg.server.application.enable
|| cfg.server.network.enable
|| cfg.server.operation.enable
|| cfg.server.kubernetes.enable
|| cfg.server.webserver.enable
|| cfg.server.storage.enable;
noaccess = {
mode = "0000";
owner = "root";
@@ -40,244 +48,230 @@ in {
impermanence.enable = mkEnableOption "whether use impermanence and ephemeral root file system";
};
config =
mkIf (
cfg.desktop.enable
|| cfg.server.application.enable
|| cfg.server.network.enable
|| cfg.server.operation.enable
|| cfg.server.kubernetes.enable
) (mkMerge [
{
environment.systemPackages = [
agenix.packages."${pkgs.system}".default
config = mkIf (cfg.desktop.enable || enabledServerSecrets) (mkMerge [
{
environment.systemPackages = [
agenix.packages."${pkgs.system}".default
];
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths =
if cfg.impermanence.enable
then [
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
]
else [
"/etc/ssh/ssh_host_ed25519_key"
];
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths =
if cfg.impermanence.enable
then [
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
]
else [
"/etc/ssh/ssh_host_ed25519_key"
];
assertions = [
{
# This expression should be true to pass the assertion
assertion = !(cfg.desktop.enable && enabledServerSecrets);
message = "Enable either desktop or server's secrets, not both!";
}
];
}
assertions = [
(mkIf cfg.desktop.enable {
age.secrets = {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" =
{
# This expression should be true to pass the assertion
assertion =
!(cfg.desktop.enable
&& (
cfg.server.application.enable
|| cfg.server.network.enable
|| cfg.server.operation.enable
|| cfg.server.kubernetes.enable
));
message = "Enable either desktop or server's secrets, not both!";
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
}
];
}
// noaccess;
(mkIf cfg.desktop.enable {
age.secrets = {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" =
{
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
}
// noaccess;
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
# alias-for-work
"alias-for-work.nushell" =
{
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
"alias-for-work.bash" =
{
file = "${mysecrets}/alias-for-work.bash.age";
}
// user_readable;
};
# alias-for-work
"alias-for-work.nushell" =
{
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
"alias-for-work.bash" =
{
file = "${mysecrets}/alias-for-work.bash.age";
}
// user_readable;
# place secrets in /etc/
environment.etc = {
# wireguard config used with `wg-quick up wg-business`
"wireguard/wg-business.conf" = {
source = config.age.secrets."wg-business.conf".path;
};
# place secrets in /etc/
environment.etc = {
# wireguard config used with `wg-quick up wg-business`
"wireguard/wg-business.conf" = {
source = config.age.secrets."wg-business.conf".path;
};
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
"agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path;
mode = "0600";
user = myvars.username;
};
"agenix/ryan4yin-gpg-subkeys.priv.age" = {
source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
mode = "0000";
};
# The following secrets are used by home-manager modules
# So we need to make then readable by the user
"agenix/alias-for-work.nushell" = {
source = config.age.secrets."alias-for-work.nushell".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
"agenix/alias-for-work.bash" = {
source = config.age.secrets."alias-for-work.bash".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
};
})
(mkIf cfg.server.network.enable {
age.secrets = {
"dae-subscription.dae" =
{
file = "${mysecrets}/server/dae-subscription.dae.age";
}
// high_security;
};
})
(mkIf cfg.server.application.enable {
age.secrets = {
"transmission-credentials.json" =
{
file = "${mysecrets}/server/transmission-credentials.json.age";
}
// high_security;
"sftpgo.env" = {
file = "${mysecrets}/server/sftpgo.env.age";
mode = "0400";
owner = "sftpgo";
};
"minio.env" = {
file = "${mysecrets}/server/minio.env.age";
mode = "0400";
owner = "minio";
};
};
})
(mkIf cfg.server.operation.enable {
age.secrets = {
"grafana-admin-password" = {
file = "${mysecrets}/server/grafana-admin-password.age";
mode = "0400";
owner = "grafana";
};
"alertmanager.env" =
{
file = "${mysecrets}/server/alertmanager.env.age";
}
// high_security;
};
})
(mkIf cfg.server.kubernetes.enable {
age.secrets = {
"k3s-prod-1-token" =
{
file = "${mysecrets}/server/k3s-prod-1-token.age";
}
// high_security;
"k3s-test-1-token" =
{
file = "${mysecrets}/server/k3s-test-1-token.age";
}
// high_security;
};
})
(mkIf cfg.server.webserver.enable {
age.secrets = {
"caddy-ecc-server.key" = {
file = "${mysecrets}/certs/ecc-server.key.age";
mode = "0400";
owner = "caddy";
};
"postgres-ecc-server.key" = {
file = "${mysecrets}/certs/ecc-server.key.age";
mode = "0400";
owner = "postgres";
};
};
})
(mkIf cfg.server.storage.enable {
age.secrets = {
"hdd-luks-crypt-key" = {
file = "${mysecrets}/hdd-luks-crypt-key.age";
mode = "0400";
owner = "root";
};
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
# place secrets in /etc/
environment.etc = {
"agenix/hdd-luks-crypt-key" = {
source = config.age.secrets."hdd-luks-crypt-key".path;
mode = "0400";
user = "root";
};
"agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path;
mode = "0600";
user = myvars.username;
};
})
]);
"agenix/ryan4yin-gpg-subkeys.priv.age" = {
source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
mode = "0000";
};
# The following secrets are used by home-manager modules
# So we need to make then readable by the user
"agenix/alias-for-work.nushell" = {
source = config.age.secrets."alias-for-work.nushell".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
"agenix/alias-for-work.bash" = {
source = config.age.secrets."alias-for-work.bash".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
};
})
(mkIf cfg.server.network.enable {
age.secrets = {
"dae-subscription.dae" =
{
file = "${mysecrets}/server/dae-subscription.dae.age";
}
// high_security;
};
})
(mkIf cfg.server.application.enable {
age.secrets = {
"transmission-credentials.json" =
{
file = "${mysecrets}/server/transmission-credentials.json.age";
}
// high_security;
"sftpgo.env" = {
file = "${mysecrets}/server/sftpgo.env.age";
mode = "0400";
owner = "sftpgo";
};
"minio.env" = {
file = "${mysecrets}/server/minio.env.age";
mode = "0400";
owner = "minio";
};
};
})
(mkIf cfg.server.operation.enable {
age.secrets = {
"grafana-admin-password" = {
file = "${mysecrets}/server/grafana-admin-password.age";
mode = "0400";
owner = "grafana";
};
"alertmanager.env" =
{
file = "${mysecrets}/server/alertmanager.env.age";
}
// high_security;
};
})
(mkIf cfg.server.kubernetes.enable {
age.secrets = {
"k3s-prod-1-token" =
{
file = "${mysecrets}/server/k3s-prod-1-token.age";
}
// high_security;
"k3s-test-1-token" =
{
file = "${mysecrets}/server/k3s-test-1-token.age";
}
// high_security;
};
})
(mkIf cfg.server.webserver.enable {
age.secrets = {
"caddy-ecc-server.key" = {
file = "${mysecrets}/certs/ecc-server.key.age";
mode = "0400";
owner = "caddy";
};
"postgres-ecc-server.key" = {
file = "${mysecrets}/certs/ecc-server.key.age";
mode = "0400";
owner = "postgres";
};
};
})
(mkIf cfg.server.storage.enable {
age.secrets = {
"hdd-luks-crypt-key" = {
file = "${mysecrets}/hdd-luks-crypt-key.age";
mode = "0400";
owner = "root";
};
};
# place secrets in /etc/
environment.etc = {
"agenix/hdd-luks-crypt-key" = {
source = config.age.secrets."hdd-luks-crypt-key".path;
mode = "0400";
user = "root";
};
};
})
]);
}