fix(secrets/nixos): assertion

Ryan Yin
2024-11-17 21:31:31 +08:00
parent 2eb37b34ea
commit 4503964146


@@ -10,6 +10,14 @@
with lib; let with lib; let
cfg = config.modules.secrets; cfg = config.modules.secrets;
enabledServerSecrets =
cfg.server.application.enable
|| cfg.server.network.enable
|| cfg.server.operation.enable
|| cfg.server.kubernetes.enable
|| cfg.server.webserver.enable
|| cfg.server.storage.enable;
noaccess = { noaccess = {
mode = "0000"; mode = "0000";
owner = "root"; owner = "root";
@@ -40,244 +48,230 @@ in {
impermanence.enable = mkEnableOption "whether use impermanence and ephemeral root file system"; impermanence.enable = mkEnableOption "whether use impermanence and ephemeral root file system";
}; };
config = config = mkIf (cfg.desktop.enable || enabledServerSecrets) (mkMerge [
mkIf ( {
cfg.desktop.enable environment.systemPackages = [
|| cfg.server.application.enable agenix.packages."${pkgs.system}".default
|| cfg.server.network.enable ];
|| cfg.server.operation.enable
|| cfg.server.kubernetes.enable # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
) (mkMerge [ age.identityPaths =
{ if cfg.impermanence.enable
environment.systemPackages = [ then [
agenix.packages."${pkgs.system}".default # To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
]
else [
"/etc/ssh/ssh_host_ed25519_key"
]; ];
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents! assertions = [
age.identityPaths = {
if cfg.impermanence.enable # This expression should be true to pass the assertion
then [ assertion = !(cfg.desktop.enable && enabledServerSecrets);
# To decrypt secrets on boot, this key should exists when the system is booting, message = "Enable either desktop or server's secrets, not both!";
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence. }
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux ];
] }
else [
"/etc/ssh/ssh_host_ed25519_key"
];
assertions = [ (mkIf cfg.desktop.enable {
age.secrets = {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" =
{ {
# This expression should be true to pass the assertion file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
assertion =
!(cfg.desktop.enable
&& (
cfg.server.application.enable
|| cfg.server.network.enable
|| cfg.server.operation.enable
|| cfg.server.kubernetes.enable
));
message = "Enable either desktop or server's secrets, not both!";
} }
]; // noaccess;
}
(mkIf cfg.desktop.enable { # ---------------------------------------------
age.secrets = { # only root can read this file.
# --------------------------------------------- # ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
# .age means the decrypted file is still encrypted by age(via a passphrase) "wg-business.conf" =
"ryan4yin-gpg-subkeys.priv.age" = {
{ file = "${mysecrets}/wg-business.conf.age";
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age"; }
} // high_security;
// noaccess;
# --------------------------------------------- # Used only by NixOS Modules
# only root can read this file. # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
# --------------------------------------------- "smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"wg-business.conf" = "rclone.conf" =
{ {
file = "${mysecrets}/wg-business.conf.age"; file = "${mysecrets}/rclone.conf.age";
} }
// high_security; // high_security;
# Used only by NixOS Modules "nix-access-tokens" =
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix {
"smb-credentials" = file = "${mysecrets}/nix-access-tokens.age";
{ }
file = "${mysecrets}/smb-credentials.age"; // high_security;
}
// high_security;
"rclone.conf" = # ---------------------------------------------
{ # user can read this file.
file = "${mysecrets}/rclone.conf.age"; # ---------------------------------------------
}
// high_security;
"nix-access-tokens" = "ssh-key-romantic" =
{ {
file = "${mysecrets}/nix-access-tokens.age"; file = "${mysecrets}/ssh-key-romantic.age";
} }
// high_security; // user_readable;
# --------------------------------------------- # alias-for-work
# user can read this file. "alias-for-work.nushell" =
# --------------------------------------------- {
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
"ssh-key-romantic" = "alias-for-work.bash" =
{ {
file = "${mysecrets}/ssh-key-romantic.age"; file = "${mysecrets}/alias-for-work.bash.age";
} }
// user_readable; // user_readable;
};
# alias-for-work # place secrets in /etc/
"alias-for-work.nushell" = environment.etc = {
{ # wireguard config used with `wg-quick up wg-business`
file = "${mysecrets}/alias-for-work.nushell.age"; "wireguard/wg-business.conf" = {
} source = config.age.secrets."wg-business.conf".path;
// user_readable;
"alias-for-work.bash" =
{
file = "${mysecrets}/alias-for-work.bash.age";
}
// user_readable;
}; };
# place secrets in /etc/ "agenix/rclone.conf" = {
environment.etc = { source = config.age.secrets."rclone.conf".path;
# wireguard config used with `wg-quick up wg-business`
"wireguard/wg-business.conf" = {
source = config.age.secrets."wg-business.conf".path;
};
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
"agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path;
mode = "0600";
user = myvars.username;
};
"agenix/ryan4yin-gpg-subkeys.priv.age" = {
source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
mode = "0000";
};
# The following secrets are used by home-manager modules
# So we need to make then readable by the user
"agenix/alias-for-work.nushell" = {
source = config.age.secrets."alias-for-work.nushell".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
"agenix/alias-for-work.bash" = {
source = config.age.secrets."alias-for-work.bash".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
};
})
(mkIf cfg.server.network.enable {
age.secrets = {
"dae-subscription.dae" =
{
file = "${mysecrets}/server/dae-subscription.dae.age";
}
// high_security;
};
})
(mkIf cfg.server.application.enable {
age.secrets = {
"transmission-credentials.json" =
{
file = "${mysecrets}/server/transmission-credentials.json.age";
}
// high_security;
"sftpgo.env" = {
file = "${mysecrets}/server/sftpgo.env.age";
mode = "0400";
owner = "sftpgo";
};
"minio.env" = {
file = "${mysecrets}/server/minio.env.age";
mode = "0400";
owner = "minio";
};
};
})
(mkIf cfg.server.operation.enable {
age.secrets = {
"grafana-admin-password" = {
file = "${mysecrets}/server/grafana-admin-password.age";
mode = "0400";
owner = "grafana";
};
"alertmanager.env" =
{
file = "${mysecrets}/server/alertmanager.env.age";
}
// high_security;
};
})
(mkIf cfg.server.kubernetes.enable {
age.secrets = {
"k3s-prod-1-token" =
{
file = "${mysecrets}/server/k3s-prod-1-token.age";
}
// high_security;
"k3s-test-1-token" =
{
file = "${mysecrets}/server/k3s-test-1-token.age";
}
// high_security;
};
})
(mkIf cfg.server.webserver.enable {
age.secrets = {
"caddy-ecc-server.key" = {
file = "${mysecrets}/certs/ecc-server.key.age";
mode = "0400";
owner = "caddy";
};
"postgres-ecc-server.key" = {
file = "${mysecrets}/certs/ecc-server.key.age";
mode = "0400";
owner = "postgres";
};
};
})
(mkIf cfg.server.storage.enable {
age.secrets = {
"hdd-luks-crypt-key" = {
file = "${mysecrets}/hdd-luks-crypt-key.age";
mode = "0400";
owner = "root";
};
}; };
# place secrets in /etc/ "agenix/ssh-key-romantic" = {
environment.etc = { source = config.age.secrets."ssh-key-romantic".path;
"agenix/hdd-luks-crypt-key" = { mode = "0600";
source = config.age.secrets."hdd-luks-crypt-key".path; user = myvars.username;
mode = "0400";
user = "root";
};
}; };
})
]); "agenix/ryan4yin-gpg-subkeys.priv.age" = {
source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
mode = "0000";
};
# The following secrets are used by home-manager modules
# So we need to make then readable by the user
"agenix/alias-for-work.nushell" = {
source = config.age.secrets."alias-for-work.nushell".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
"agenix/alias-for-work.bash" = {
source = config.age.secrets."alias-for-work.bash".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
};
})
(mkIf cfg.server.network.enable {
age.secrets = {
"dae-subscription.dae" =
{
file = "${mysecrets}/server/dae-subscription.dae.age";
}
// high_security;
};
})
(mkIf cfg.server.application.enable {
age.secrets = {
"transmission-credentials.json" =
{
file = "${mysecrets}/server/transmission-credentials.json.age";
}
// high_security;
"sftpgo.env" = {
file = "${mysecrets}/server/sftpgo.env.age";
mode = "0400";
owner = "sftpgo";
};
"minio.env" = {
file = "${mysecrets}/server/minio.env.age";
mode = "0400";
owner = "minio";
};
};
})
(mkIf cfg.server.operation.enable {
age.secrets = {
"grafana-admin-password" = {
file = "${mysecrets}/server/grafana-admin-password.age";
mode = "0400";
owner = "grafana";
};
"alertmanager.env" =
{
file = "${mysecrets}/server/alertmanager.env.age";
}
// high_security;
};
})
(mkIf cfg.server.kubernetes.enable {
age.secrets = {
"k3s-prod-1-token" =
{
file = "${mysecrets}/server/k3s-prod-1-token.age";
}
// high_security;
"k3s-test-1-token" =
{
file = "${mysecrets}/server/k3s-test-1-token.age";
}
// high_security;
};
})
(mkIf cfg.server.webserver.enable {
age.secrets = {
"caddy-ecc-server.key" = {
file = "${mysecrets}/certs/ecc-server.key.age";
mode = "0400";
owner = "caddy";
};
"postgres-ecc-server.key" = {
file = "${mysecrets}/certs/ecc-server.key.age";
mode = "0400";
owner = "postgres";
};
};
})
(mkIf cfg.server.storage.enable {
age.secrets = {
"hdd-luks-crypt-key" = {
file = "${mysecrets}/hdd-luks-crypt-key.age";
mode = "0400";
owner = "root";
};
};
# place secrets in /etc/
environment.etc = {
"agenix/hdd-luks-crypt-key" = {
source = config.age.secrets."hdd-luks-crypt-key".path;
mode = "0400";
user = "root";
};
};
})
]);
} }
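Review bot: The new `enabledServerSecrets` binding in the first hunk is now the single place that decides both whether this module's config is applied at all (the outer `mkIf`) and whether the desktop/server exclusivity assertion covers a profile, yet nothing ties it to the `cfg.server.*.enable` options it enumerates. The old assertion visibly drifted in exactly this way (it listed four profiles while `webserver` and `storage` already existed), so a future `cfg.server.<name>.enable` added to the options block but not to this list would again be silently ungated and unchecked. A comment above the binding would make the coupling explicit, e.g. `# Must list every cfg.server.*.enable option declared below: a profile missing here is neither gated by the outer mkIf nor covered by the desktop/server assertion.` The assertion message could also name the conflicting side, e.g. `message = "Enable either desktop or server's secrets, not both (desktop.enable and at least one cfg.server.*.enable are set)";`, so the failing evaluation points at the option to flip rather than leaving the user to search the config.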