From 908d10be5da52725f451bab4b6ea095ac177ee0f Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Fri, 28 Mar 2025 00:10:28 +0100 Subject: [PATCH] encryption bitch --- flake.lock | 146 ++++++++++++++++++++++++++------ flake.nix | 2 + hosts/default.nix | 2 + hosts/laptop/default.nix | 1 - secrets/default.nix | 6 ++ secrets/password.age | 5 ++ secrets/secrets.nix | 8 ++ secrets/transfer-sh.age | 5 ++ system/core/defaultPackages.nix | 11 ++- system/core/users.nix | 8 +- system/server/transfer-sh.nix | 5 +- 11 files changed, 168 insertions(+), 31 deletions(-) create mode 100644 secrets/default.nix create mode 100644 secrets/password.age create mode 100644 secrets/secrets.nix create mode 100644 secrets/transfer-sh.age diff --git a/flake.lock b/flake.lock index 38744d4..6dce111 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1736955230, + "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", + "owner": "ryantm", + "repo": "agenix", + "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "base16": { "inputs": { "fromYaml": "fromYaml" @@ -67,6 +88,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "firefox-gnome-theme": { "flake": false, "locked": { 
@@ -172,7 +215,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -190,7 +233,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1731533236, @@ -330,6 +373,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "stylix", @@ -367,7 +431,7 @@ }, "naersk": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1739824009, @@ -412,8 +476,8 @@ "nixcord": { "inputs": { "flake-compat": "flake-compat", - "nixpkgs": "nixpkgs", - "systems": "systems", + "nixpkgs": "nixpkgs_2", + "systems": "systems_2", "treefmt-nix": "treefmt-nix" }, "locked": { @@ -432,16 +496,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1737003892, - "narHash": "sha256-RCzJE9wKByLCXmRBp+z8LK9EgdW+K+W/DXnJS4S/NVo=", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ae06b9c2d83cb5c8b12d7d0e32692e93d1379713", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -474,6 +538,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1737003892, + "narHash": "sha256-RCzJE9wKByLCXmRBp+z8LK9EgdW+K+W/DXnJS4S/NVo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ae06b9c2d83cb5c8b12d7d0e32692e93d1379713", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1735554305, "narHash": "sha256-zExSA1i/b+1NMRhGGLtNfFGXgLtgo+dcuzHzaWA6w3Q=", @@ -489,7 +569,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1741516043, "narHash": "sha256-Hv0S630U4GVZBM1Q+NCEwyN5ct7cic+8r6qLIaUaVqI=", @@ -505,7 +585,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1741516043, "narHash": "sha256-Hv0S630U4GVZBM1Q+NCEwyN5ct7cic+8r6qLIaUaVqI=", @@ -518,7 +598,7 @@ "type": "indirect" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1742707865, "narHash": "sha256-RVQQZy38O3Zb8yoRJhuFgWo/iDIDj0hEdRTVfhOtzRk=", @@ -534,7 +614,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1740367490, "narHash": "sha256-WGaHVAjcrv+Cun7zPlI41SerRtfknGQap281+AakSAw=", @@ -599,7 +679,7 @@ "nixpkgs" ], "nmd": "nmd", - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1741477095, @@ -617,10 +697,11 @@ }, "root": { "inputs": { + "agenix": "agenix", "flake-parts": "flake-parts", "hm": "hm", "nixcord": "nixcord", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nvf": "nvf", "somcli": "somcli", "stylix": "stylix" @@ -652,7 +733,7 @@ "inputs": { "flake-utils": "flake-utils_2", "naersk": "naersk", - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1743031501, 
@@ -679,10 +760,10 @@ "flake-utils": "flake-utils_3", "git-hooks": "git-hooks", "gnome-shell": "gnome-shell", - "home-manager": "home-manager", - "nixpkgs": "nixpkgs_6", + "home-manager": "home-manager_2", + "nixpkgs": "nixpkgs_7", "nur": "nur", - "systems": "systems_5", + "systems": "systems_6", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -713,8 +794,9 @@ "type": "github" }, "original": { - "id": "systems", - "type": "indirect" + "owner": "nix-systems", + "repo": "default", + "type": "github" } }, "systems_2": { @@ -727,9 +809,8 @@ "type": "github" }, "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" + "id": "systems", + "type": "indirect" } }, "systems_3": { @@ -777,6 +858,21 @@ "type": "github" } }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tinted-foot": { "flake": false, "locked": { @@ -861,7 +957,7 @@ }, "treefmt-nix": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1737103437, diff --git a/flake.nix b/flake.nix index 4ca194a..17d7ec3 100644 --- a/flake.nix +++ b/flake.nix @@ -46,5 +46,7 @@ nixcord.url = "github:kaylorben/nixcord"; somcli.url = "github:jsw08/somcli"; + + agenix.url = "github:ryantm/agenix"; }; } diff --git a/hosts/default.nix b/hosts/default.nix index 4216a11..a472c62 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -9,8 +9,10 @@ specialArgs = {inherit inputs self;}; modules = [ inputs.hm.nixosModules.home-manager + inputs.agenix.nixosModules.default ../system + ../secrets ]; in { flake = let diff --git a/hosts/laptop/default.nix b/hosts/laptop/default.nix index 925c2ae..6d82b24 100644 
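Review bot: The new `agenix` input is not pinned to this flake's nixpkgs, so flake.lock now carries a second, older nixpkgs (the `nixpkgs` node is re-locked at lastModified 1703013332 for agenix while root moves to `nixpkgs_4`) plus nix-darwin and a second home-manager that only agenix uses. Add `agenix.inputs.nixpkgs.follows = "nixpkgs";` next to the URL, and, as the hosts here are NixOS, `agenix.inputs.darwin.follows = "";` and `agenix.inputs.home-manager.follows = "hm";` to drop the extra closures and evaluate agenix against the same nixpkgs as everything else. The enclosing `inputs = { … }` attrset begins before the hunk.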
--- a/hosts/laptop/default.nix +++ b/hosts/laptop/default.nix @@ -11,7 +11,6 @@ desktop = true; portable = true; neovim = true; - server = true; }; home-manager.users.jsw.wayland.windowManager.hyprland.settings.monitor = ["eDP-1,2880x1920@120,0x0,1.5,vrr,1"]; diff --git a/secrets/default.nix b/secrets/default.nix new file mode 100644 index 0000000..e2f7a80 --- /dev/null +++ b/secrets/default.nix @@ -0,0 +1,6 @@ +{ + age.secrets = { + transferSh.file = ./transfer-sh.age; + password.file = ./password.age; + }; +} diff --git a/secrets/password.age b/secrets/password.age new file mode 100644 index 0000000..8418744 --- /dev/null +++ b/secrets/password.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 GQzYWA T2tf/5zlOEUtq3E9hcOfGfV3T0SoJi9fPu3wO3gSqnQ +uiu/dIhoCfQG5NGzrkmqgndPOety048r6muc+x7M3Ks +--- kn3Gvkl870rhV0Nf6EURV2kMWEzx5WMqJ2QZisgeCfI + xUy򽃟#:&1Sߍo/3[&͵+@ G~+,oMQĝB6w'X9+z|$ލX,'݊-UPjJNbY[pξ'Ofk#>K \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..0d631f5 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,8 @@ +let + laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHB3qkRCskSMiAs2kLTsG+ruESK4h1pP1FHm+rVnKWx4"; + + systems = [laptop]; +in { + "transfer-sh.age".publicKeys = systems; + "password.age".publicKeys = systems; +} diff --git a/secrets/transfer-sh.age b/secrets/transfer-sh.age new file mode 100644 index 0000000..5996bef --- /dev/null +++ b/secrets/transfer-sh.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 GQzYWA xjixbP+i0eov3HgpjCdBJuboEZ39ZTrfL1UgSewMQ3Y +ByXb8aKlgNaWeeUmCTppYN1h4gEPO5dvvXexxAN70AY +--- PJkB6ivTLCMx4ny0olODmbZDsppm7LKJLHorowjxtEI +C\y>?\h{TmvƼsZbtxC%Qt \ No newline at end of file diff --git a/system/core/defaultPackages.nix b/system/core/defaultPackages.nix index 6748032..bdd4528 100644 --- a/system/core/defaultPackages.nix +++ b/system/core/defaultPackages.nix 
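Review bot: Nothing records what plaintext each encrypted file must contain, and the two consumers expect different formats: `users.users.jsw.hashedPasswordFile` needs a password hash (e.g. `mkpasswd` output, not the cleartext), while `services.transfer-sh.secretFile` presumably expects environment-file `KEY=value` lines carrying the HTTP auth password. Add a comment above each entry in `secrets/default.nix`, e.g. `# password.age: password hash consumed by users.users.jsw.hashedPasswordFile` and `# transfer-sh.age: env-file lines (e.g. HTTP_AUTH_PASS=...) loaded via services.transfer-sh.secretFile`. Both secrets keep agenix's default root-only ownership and mode, which is right for the password hash but only works for transfer-sh if the NixOS module hands the file to systemd rather than reading it inside the unprivileged service — worth confirming and, if needed, setting `owner`/`mode` here.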
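Review bot: Both secrets in `secrets/secrets.nix` are encrypted only to the laptop's host key (`systems = [laptop]`), yet `hosts/default.nix` now imports `../secrets` into every host's module list, and this same commit removes `server = true` from the laptop. Any other host built from this flake will be unable to decrypt `password.age` and `transfer-sh.age` at activation, so `hashedPasswordFile` would presumably point at a missing file there, and the host that actually enables transfer-sh (gated on `config.niksos.server`) cannot read its secret unless its host key is added to `systems`. Listing a personal key alongside the host keys would also allow rekeying and `agenix -e` edits when the laptop's host key is not at hand. The recipient lists can stay per-secret: `"transfer-sh.age".publicKeys` only needs the server host(s).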
@@ -1,3 +1,10 @@
-{pkgs,...}: {
- environment.defaultPackages = [pkgs.neovim]; # Still have to be able to edit configs.
+{
+ pkgs,
+ inputs,
+ ...
+}: {
+ environment.defaultPackages = [
+ pkgs.neovim
+ inputs.agenix.packages.${pkgs.system}.default
+ ]; # Still have to be able to edit configs.
 }
diff --git a/system/core/users.nix b/system/core/users.nix
index aec816d..157aeaf 100644
--- a/system/core/users.nix
+++ b/system/core/users.nix
@@ -1,8 +1,12 @@
-{pkgs, ...}: {
+{
+ config,
+ pkgs,
+ ...
+}: {
 users.users.jsw = {
 isNormalUser = true;
 shell = pkgs.fish;
- initialPassword = "changeme";
+ hashedPasswordFile = config.age.secrets.password.path;
 extraGroups = [
 "libvirtd"
 "NetworkManager"
diff --git a/system/server/transfer-sh.nix b/system/server/transfer-sh.nix
index 32b8a86..1b83057 100644
--- a/system/server/transfer-sh.nix
+++ b/system/server/transfer-sh.nix
@@ -3,11 +3,14 @@
 enable = config.niksos.server;
 settings = {
 PURGE_DAYS = 7;
- MAX_UPLOAD_SIZE = 4 * 1000 * 1000; # 2gb
+ MAX_UPLOAD_SIZE = 4 * 1000 * 1000; # 4gb
 # CORS_DOMAINS = "transfer.jsw.tf"; #FIXME: open it to the world wide web.
 BASEDIR = "/var/lib/transfer.sh";
 LISTENER = ":9000";
+ HTTP_AUTH_USER = "jsw";
+ EMAIL_CONTACT = "jurnwubben@gmail.com";
 };
+ secretFile = config.age.secrets.transferSh.path;
 };
 systemd.services.transfer-sh.serviceConfig = {
 StateDirectory = "transfer.sh";
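Review bot: `inputs.agenix.packages.${pkgs.system}.default` uses `pkgs.system`, which nixpkgs has deprecated in favour of `pkgs.stdenv.hostPlatform.system`; change it to `inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default`. The trailing `# Still have to be able to edit configs.` now sits after the whole list and reads as if it justified the agenix CLI too; move it onto the `pkgs.neovim` line and give the agenix entry its own, e.g. `# agenix CLI for editing/rekeying secrets`. `inputs` reaches this module only through `specialArgs = {inherit inputs self;}` in hosts/default.nix, which is worth a word now that the module signature depends on it.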
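Review bot: The new `hashedPasswordFile` line in `system/core/users.nix` gives no hint of what `password.age` must decrypt to, and a cleartext password in that file would silently lock the account out; add `# password.age holds the password *hash* (mkpasswd output), decrypted by agenix at activation` above it. Because the file is produced at activation, this relies on agenix ordering its install step before the `users` activation script, which it does as far as I know; if login fails after a rebuild, that ordering is the first thing to check. Replacing the in-store `initialPassword = "changeme"` with a hash kept outside the Nix store is the right move.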
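Review bot: `HTTP_AUTH_USER = "jsw"` in `system/server/transfer-sh.nix` only has an effect together with a password, which `settings` cannot carry without putting it in the Nix store, so the new `secretFile` presumably has to supply `HTTP_AUTH_PASS`; a comment next to `secretFile`, e.g. `# transfer-sh.age: HTTP_AUTH_PASS=... in env-file format`, would make that split explicit. With basic auth enabled and `LISTENER = ":9000"` bound on all interfaces, the credential travels in cleartext unless a TLS-terminating proxy sits in front, and the `#FIXME` on `CORS_DOMAINS` is still open. The corrected `# 4gb` comment agrees with transfer.sh's documented kilobyte unit for the upload limit, but spelling the unit out, `# in kB, i.e. 4 GB`, would prevent the next drift. The enclosing `services.transfer-sh = {` block begins before the hunk.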