From d75734ec593bb5556f4bb2d8a29e14c47849702f Mon Sep 17 00:00:00 2001
From: Peder Bergebakken Sundt
Date: Sun, 15 Oct 2023 00:43:59 +0200
Subject: [PATCH] secrets, flexget

---
 .remoteignore.toml | 2 +-
 .sops.yaml | 57 +++++++++++++++++++++++++++++++
 README.md | 4 +--
 flake.lock | 38 +++++++++++++++++++++
 flake.nix | 25 +++++++++++---
 profiles/web/services/flexget.nix | 27 +++++++--------
 secrets/noximilien.yaml | 39 +++++++++++++++++++++
 7 files changed, 171 insertions(+), 21 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/noximilien.yaml

diff --git a/.remoteignore.toml b/.remoteignore.toml
index 7a33597..4cd5b34 100644
--- a/.remoteignore.toml
+++ b/.remoteignore.toml
@@ -4,7 +4,7 @@ include = []
 
 [pull]
 exclude = ["*"]
-include = []
+include = [ ".sops.yaml" ]
 
 [both]
 exclude = [ ".remote.toml", "result", ".direnv"]
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..d6f1633
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,57 @@
+key:
+  # test -s ~/.config/sops/age/keys.txt || ( mkdir -p ~/.config/sops/age; age-keygen -o ~/.config/sops/age/keys.txt >/dev/null ); age-keygen -y ~/.config/sops/age/keys.txt
+  - &user_pbsds_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+  - &user_pbsds_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+  # ssh host cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
+  - &host_sopp age1zvqjaanff7x3f2a7853sd9ylna99khw4x6qfpf6am4yupsc44phsr2vfy3
+  - &host_nox age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
+  - &host_bolle age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg
+  - &host_garp age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf
+  - &host_nord age19xrvt0gjl4fcfjyy62mrl9uuzrq9e0wgemtkykr07ewz7nqn9cwshngel5
+creation_rules:
+# # global
+# - path_regex: secrets/default.yaml$
+#   key_groups:
+#   - age:
+#     - *user_pbsds_sopp
+#     - *user_pbsds_nord
+#     - *host_sopp
+#     - *host_nox
+#     - *host_bolle
+#     - *host_garp
+#     - *host_nord
+  # sopp only
+  - path_regex: secrets/sopp(/[^/]+)?\.yaml$
+    key_groups:
+    - age:
+      - *user_pbsds_sopp
+      - *user_pbsds_nord
+      - *host_sopp
+  # nox only
+  - path_regex: secrets/noximilien(/[^/]+)?\.yaml$
+    key_groups:
+    - age:
+      - *user_pbsds_sopp
+      - *user_pbsds_nord
+      - *host_nox
+  # bolle only
+  - path_regex: secrets/bolle(/[^/]+)?\.yaml$
+    key_groups:
+    - age:
+      - *user_pbsds_sopp
+      - *user_pbsds_nord
+      - *host_bolle
+  # garp only
+  - path_regex: secrets/garp(/[^/]+)?\.yaml$
+    key_groups:
+    - age:
+      - *user_pbsds_sopp
+      - *user_pbsds_nord
+      - *host_garp
+  # nord only
+  - path_regex: secrets/nord(/[^/]+)?\.yaml$
+    key_groups:
+    - age:
+      - *user_pbsds_sopp
+      - *user_pbsds_nord
+      - *host_nord
diff --git a/README.md b/README.md
index d963e9b..cb67a2d 100644
--- a/README.md
+++ b/README.md
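Review bot: The `path_regex` values in the per-host creation rules are anchored only at the end, so `secrets/noximilien(/[^/]+)?\.yaml$` also matches any deeper path that happens to end that way; anchoring each with a leading `^` (`^secrets/noximilien(/[^/]+)?\.yaml$`, and likewise for the sopp, bolle, garp and nord rules) keeps the rule-to-file mapping explicit. Both user keys (`*user_pbsds_sopp`, `*user_pbsds_nord`) are recipients in every rule, so either user key decrypts every host's secrets; a one-line comment above `creation_rules:` stating that this is intentional would save the next reader from wondering whether per-host isolation was meant. With the global rule commented out, a file under `secrets/` that matches no rule fails to encrypt rather than being encrypted to nobody, which is the safe outcome and worth noting in the same comment.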
@@ -64,8 +64,8 @@
 * [ ] zfs, declarative pools?
 * [ ] some tunneling for NFS hosts
 * [ ] transgui config
-* [ ] secrets - nix-sops ?
-  * [ ] flexget
+* [x] secrets - nix-sops ?
+  * [x] flexget
 * [ ] transmission
 * [ ] transmission remote gui
 * [ ] domeneshop
diff --git a/flake.lock b/flake.lock
index c5d6e73..8b42a1b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -173,6 +173,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1696717752,
+        "narHash": "sha256-qEq1styCyQHSrw7AOhskH2qwCFx93bOwsGEzUIrZC0g=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "2f3b6b3fcd9fa0a4e6b544180c058a70890a7cc1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-unstable": {
       "locked": {
         "lastModified": 1686582075,
@@ -235,9 +251,31 @@
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
         "pbsds-papers": "pbsds-papers",
+        "sops-nix": "sops-nix",
         "unstable": "unstable"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1697321388,
+        "narHash": "sha256-3TdXq13fSYIj3BGo320vuGFjDQUJPQUrhXJ5jaMk7lo=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "7711514b8543891eea6ae84392c74a379c5010de",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "unstable": {
       "locked": {
         "lastModified": 1697059129,
diff --git a/flake.nix b/flake.nix
index a36c6c0..48dfbef 100644
--- a/flake.nix
+++ b/flake.nix
@@ -20,12 +20,11 @@
     nixos-generators.url = "github:nix-community/nixos-generators";
     nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
 
-    #TODO:
-    /** /
     # https://github.com/Mic92/sops-nix
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+    /** /
     matrix-next.url = "github:dali99/nixos-matrix-modules";
     # see https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/flake.nix
     #https://github.com/considerate/nixos-odroidhc4
     #https://cyberchaos.dev/cyberchaoscreatures/musl-nixos/
@@ -69,6 +68,8 @@
     nixos-hardware,
     nixos-generators,
     home-manager,
+    sops-nix,
+    #flake-programs-sqlite,
     ...
   } @ inputs:
   let
@@ -103,8 +104,19 @@
           flakes = flake inputs system;
         };
         /**/
-        imports = [ ./base.nix "${self}/hosts/${hostname}"] ++ modules;
-        #++ inputs.flake-programs-sqlite.nixosModules.programs-sqlite; # TODO: make work
+        imports = [
+          ./base.nix
+          "${self}/hosts/${hostname}"
+          sops-nix.nixosModules.sops
+        ] ++ modules;
+        #++ flake-programs-sqlite.nixosModules.programs-sqlite; # TODO: make work
+
+        sops = lib.mkIf (builtins.pathExists ./secrets/${hostname}.yaml) {
+          defaultSopsFile = ./secrets/${hostname}.yaml;
+          age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+          age.keyFile = "/var/lib/sops-nix/key.txt";
+          age.generateKey = true;
+        };
 
         # still needed even if using networkd
         networking.hostName = hostname;
@@ -198,6 +210,9 @@
           pkgs.home-manager
           pkgs.nix-output-monitor
           pkgs.cachix
+          pkgs.age
+          pkgs.sops
+          pkgs.ssh-to-age
         ];
       in {
         envrc-local = mkShell envrc-pkgs;
@@ -208,6 +223,8 @@
         ]);
         remoteenv = mkShell [
           flakes.self.pkgs.nixos-rebuild-nom
+          pkgs.age
+          pkgs.ssh-to-age
         ];
       });
 
diff --git a/profiles/web/services/flexget.nix b/profiles/web/services/flexget.nix
index 400612f..ff46c57 100644
--- a/profiles/web/services/flexget.nix
+++ b/profiles/web/services/flexget.nix
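Review bot: The `/** /` line moved in the first hunk is a comment toggle that nothing in the file explains: `/** /` opens a block comment that stays open until the next `*/`, so `matrix-next.url` and the lines after it are now disabled, and editing it to `/**/` re-enables them. A comment next to it, e.g. `# /** / disables the inputs below; change to /**/ to enable them`, would make the trick readable, and the matching closer is outside this hunk so a reader cannot see where the disabled region ends. The enclosing `inputs` attribute set starts and ends outside the hunk.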
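Review bot: In the new `sops` block (third hunk), `age.keyFile = "/var/lib/sops-nix/key.txt"` with `age.generateKey = true` makes sops-nix create a fresh age private key on the host, but that key is not a recipient in `.sops.yaml`, whose host entries are the ssh-to-age conversions of `/etc/ssh/ssh_host_ed25519_key` that `age.sshKeyPaths` already covers; unless it is later added to `.sops.yaml`, the generated key can never decrypt `secrets/<hostname>.yaml` and only leaves an unused private key under `/var/lib/sops-nix`. Either drop the `age.keyFile` and `age.generateKey` lines or keep them with a comment saying the generated key must be added as a recipient before it does anything. The `builtins.pathExists ./secrets/${hostname}.yaml` guard silently gives hosts without a secrets file no sops configuration at all, which is reasonable but deserves a one-line comment such as `# hosts without secrets/<hostname>.yaml get no sops config`. The enclosing module attribute set starts and ends outside the hunk.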
@@ -1,27 +1,21 @@
-{ config, pkgs, lib, mkDomain, ... }:
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.flexget;
+in
 {
   # Flexget
   # Multipurpose automation tool for all of your media
 
+  sops.secrets.flexget.owner = "flexget";
+  sops.secrets.flexget.group = "flexget";
+
   services.flexget = {
     enable = true;
     user = "flexget"; # The user under which to run flexget.
     homeDir = "/var/lib/flexget";
     interval = "30m";
-    config = ''
-      tasks:
-        shanaproject:
-          rss: 'https://www.shanaproject.com/feeds/secure/user/35853/J98B7OXAHO/'
-          accept_all: yes
-          no_entries_ok: yes
-          transmission:
-            host: 192.168.1.3
-            port: 9091
-            path: '/Reidun/shared/Downloads/shana project/'
-            username: pbsds
-            password: spismeg
-    '';
+    config = "";
   };
 
   users.groups."${config.services.flexget.user}" = lib.mkIf config.services.flexget.enable { };
   users.users."${config.services.flexget.user}" = lib.mkIf config.services.flexget.enable {
@@ -31,5 +25,10 @@
     group = "${config.services.flexget.user}";
   };
 
+  # TODO: https://github.com/NixOS/nixpkgs/pull/208199
+  systemd.services.flexget.serviceConfig.ExecStartPre = lib.mkForce
+    "${pkgs.coreutils}/bin/ln -sf /run/secrets/flexget ${toString cfg.homeDir}/flexget.yml";
+  systemd.services.flexget-runner.serviceConfig.ExecStartPre = lib.mkForce
+    "${pkgs.coreutils}/bin/ln -sf /run/secrets/flexget ${toString cfg.homeDir}/flexget.yml";
 
 }
diff --git a/secrets/noximilien.yaml b/secrets/noximilien.yaml
new file mode 100644
index 0000000..58d7b41
--- /dev/null
+++ b/secrets/noximilien.yaml
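Review bot: The plaintext values removed from `config` in the first hunk (the shanaproject feed URL with its per-user token, and the transmission `username`/`password`) stay readable in the repository history even though the module now reads the secret through sops, so they should be treated as exposed and rotated on the transmission host and at shanaproject, independently of this commit. `config = "";` is left without explanation; a comment such as `# real config is provided by sops.secrets.flexget, see the ExecStartPre override below` would tell the reader why the option is deliberately empty rather than simply unset. `sops.secrets.flexget` is declared without a `sopsFile`, so it relies on the per-host `defaultSopsFile` set in flake.nix, which is worth stating in the same comment.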
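Review bot: Both new `ExecStartPre` lines in the second hunk hard-code `/run/secrets/flexget`, while sops-nix exposes the decrypted location as `config.sops.secrets.flexget.path`; writing `${config.sops.secrets.flexget.path}` instead of the literal keeps the symlink correct if the secrets directory is ever changed and makes the dependency on the `sops.secrets.flexget` declaration explicit. The two command strings are identical, so binding the command once in the `let` introduced at the top of the file (`linkConfig = "${pkgs.coreutils}/bin/ln -sf ${config.sops.secrets.flexget.path} ${toString cfg.homeDir}/flexget.yml";`) and using it for both units removes the duplication. `lib.mkForce` discards whatever `ExecStartPre` the nixpkgs flexget module sets for `flexget` and `flexget-runner`; the TODO link suggests this is known, but a one-line comment naming what is being replaced (presumably the module's own config-file setup) would help whoever removes the override once that PR lands.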
@@ -0,0 +1,39 @@
+flexget: ENC[AES256_GCM,data:vh9famQgmQI0nc9/5F8egDCwI9OvevPLATiepEcSpy+eCjJxU0WkG9NPECOCNlteW7xOOZfXAXfn8KW7j4vqHseLKu3MwGO98dYJXeW3KKyKNlVW1UF0dEb6BGLjqBnQDzURE5L8gRR5pFZ8nepWo0UG6Zuy93XrthTZ/tjuz6wvaKv0761ULtfMLQ9HddF14y666h/OkSPftkPvEA35fOdiBgPj9O/mZu11KvyBYKoQLkQxihCvwNMzMXmMSehH9WMOPk4EU3ZGLHHjlfTXa3Syn2yf28PazNao/XMEs8H9FlhPw42r1Tku5tMLM3wObKpin0t50sqbEf/LxUPo6Vu/i6e4E3UkDrEbyKFA4VXGd6vxD+gyELydrkDrHRm50JWGZmbwvW3be+Ezqe7eXuzgoNabe4BG4wogTszOpM2uXrveTiSmoQyC4JZ6lszdnodlGVFIvaKU5xdrpLQAI9W2OA==,iv:AeadtoIAjTrPiB5iPgIW7FTwLZa2BQFr/jhaTvs8WAc=,tag:VW480DHQ315YLPtDuaFYtg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OGQ4cVBHMlJiYXVYLzlC
+            TERQbm5ja0RiWUYvcVhSYzJURkE2SkxuZGxBCkgvNW9acEh0WGVEK1pDaUgrTUVz
+            M2NzY1RESHk2UUVoZFRvY1BYckVpYkkKLS0tIFVwNWl4NGU5VXNIRHByR2Vkb0hU
+            SWFEZW82QXZMRkVISGY1MU9jaEJLNm8KoHLDKI69uPhaIydeC18HTuOaWwDtyoUn
+            hGTcZDPDP8yw1+/zH1lGn865STnZGI0GO+kh2s2DWLEUXHK9GMrnJg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5aDZ6YkdrYW1pRHlZMU8y
+            cER1NHRtQVZpY3VtSTRXUkhYckRZZWZuZ0RBCnZrdEZ0NzB6SHlxU1FhOWRLa0NL
+            Vk50YllpdVVEQUkweHFRNUZuSXVEdk0KLS0tIERGTzBxTXpoN2E4b1ZtQm9zd1g0
+            OUNXcUZrMFFEazRUa2lsSWRCQkkxblkK2s2Msm7k0qj08WqVnKR9IvU1vAa57/Ew
+            wGTVMlWaoUPXJ5CkpAG+PEoDbVaZDISyap7PAKUjMBTMh6T/jBhExw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZE5GQ0JYWGtONFNGaEla
+            dFg2ejJxaUdwOXhDVWdxanNkeG0vOFFEcURNCjVpcFFMc1h5cG1yZTFHWk9ETnNq
+            VlBvUERpQWxMRndYcDdqTTB1Y3hKb1EKLS0tIE9iT0loSS9Gcyt3ZElVSm9YODZ6
+            SkU1Q0NZOGVXRENrOThBT1lDdGxWWW8KtypJmkOVD0Ej14fXZzKzKrnPNv7O5SAp
+            jdQe7GSwCJKqqHuX2T/E4mzCVrSPsB/GVfqh0IymZg6NJZjYO79Wbg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-10-14T23:43:49Z"
+    mac: ENC[AES256_GCM,data:krcWdjXtd8ammOUQvqaIxE5U3UylnUMHuAqTdM82QsmQ2d+kvsjbY4ftvbNdJ1wwNQmq2PzhmtH7iunTSC9pTlmZkUxyXM43cM/EC0KqzZJA2ST6h86vZwkZ0gExWJLgk+uxoYDPT2M3c3sn6hZot8BHlUCiO1wQABHH57+FPvY=,iv:mV+q86wp9lV8ACZaL9LnUCAOcCjdvqQjVr2Fs+q6rv0=,tag:lvJoIrjExFitcAUKvsuF/Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3