From 8ee88f922c9e4288fee2b99c1152ce7e7d874a7b Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Thu, 9 May 2024 00:48:35 +0200 Subject: [PATCH] feat: move to agenix secrets --- home-manager-modules/git/default.nix | 22 +++--- machines/base.nix | 59 +++++++-------- machines/core-security/default.nix | 105 +++++++++++++-------------- machines/lisa/home-julien.nix | 21 ++---- modules/buildbot/default.nix | 49 +++++-------- modules/deluge/default.nix | 25 ++----- modules/mailserver/default.nix | 68 ++++++++--------- modules/navidrome/default.nix | 36 +++------ modules/secrets/default.nix | 29 +++----- users/default.nix | 19 +++-- users/julien.nix | 34 ++++----- 11 files changed, 214 insertions(+), 253 deletions(-) diff --git a/home-manager-modules/git/default.nix b/home-manager-modules/git/default.nix index 4b19f26..ac93457 100644 --- a/home-manager-modules/git/default.nix +++ b/home-manager-modules/git/default.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let cfg = config.luj.programs.git; in @@ -18,9 +23,7 @@ with lib; key = "6FC74C847011FD83"; }; delta.enable = true; - ignores = [ - ".direnv" - ]; + ignores = [ ".direnv" ]; extraConfig = { init.defaultBranch = "main"; diff.colorMoved = "zebra"; @@ -32,11 +35,10 @@ with lib; }; home.extraActivationPath = [ pkgs.gnupg ]; - home.activation = - { - myActivationAction = lib.hm.dag.entryAfter [ "writeBoundary" ] '' - gpg --import /run/secrets/git-gpg-private-key - ''; - }; + home.activation = { + myActivationAction = lib.hm.dag.entryAfter [ "writeBoundary" ] '' + gpg --import /run/agenix/git-gpg-private-key + ''; + }; }; } diff --git a/machines/base.nix b/machines/base.nix index bcdb5d8..d39ff8e 100644 --- a/machines/base.nix +++ b/machines/base.nix 
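Review bot: The activation step imports from the hard-coded path `/run/agenix/git-gpg-private-key`, and `gpg --import` will abort the whole home-manager activation on any host where the `modules/secrets` module is not enabled, since this home-manager module cannot read `config.age.secrets` itself. If the path has to stay fixed, guard the import, e.g. `[ -r /run/agenix/git-gpg-private-key ] && gpg --import /run/agenix/git-gpg-private-key`, or pass the NixOS-side `age.secrets.git-gpg-private-key.path` in through `osConfig` so the two declarations cannot drift. The enclosing `config = mkIf ...` block starts outside the hunk.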
@@ -13,9 +13,6 @@ luj.programs.mosh.enable = true; luj.deployment.enable = true; - sops.defaultSopsFile = ../secrets/secrets.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - time.timeZone = "Europe/Paris"; i18n.defaultLocale = "en_US.UTF-8"; console = { 
@@ -42,32 +39,36 @@ systemd.services.NetworkManager-wait-online.enable = false; - - security.pki.certificates = [ - ''-----BEGIN CERTIFICATE----- -MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw -EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X -DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u -TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6 -7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/ -BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja -mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG -SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc -oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw== ------END CERTIFICATE-----'' - ''-----BEGIN CERTIFICATE----- -MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES -MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe -Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v -bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq -hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7 -BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw -EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC -jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf -VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ= ------END CERTIFICATE-----'' + age.identityPaths = [ + "/etc/ssh/ssh_host_ed25519_key" + "/persistent/etc/ssh/ssh_host_ed25519_key" ]; - + security.pki.certificates = [ + '' + -----BEGIN CERTIFICATE----- + MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw + EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X + DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u + TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI + zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6 + 
7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/ + BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja + mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG + SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc + oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw== + -----END CERTIFICATE-----'' + '' + -----BEGIN CERTIFICATE----- + MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES + MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe + Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v + bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq + hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7 + BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw + EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC + jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf + VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ= + -----END CERTIFICATE-----'' + ]; } diff --git a/machines/core-security/default.nix b/machines/core-security/default.nix index b48173a..9beb169 100644 --- a/machines/core-security/default.nix +++ b/machines/core-security/default.nix @@ -1,11 +1,15 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: { - imports = - [ - ./hardware.nix - ./home-julien.nix - ]; + imports = [ + ./hardware.nix + ./home-julien.nix + ]; # Bootloader. boot.loader.grub.enable = true; @@ -18,7 +22,6 @@ systemd.network.enable = true; - systemd.network.networks."10-wan" = { matchConfig.Name = "ens18"; networkConfig = { @@ -31,7 +34,6 @@ linkConfig.RequiredForOnline = "routable"; }; - # Set your time zone. time.timeZone = "Europe/Paris"; 
@@ -66,15 +68,20 @@ services.openssh.enable = true; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 80 443 ]; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + networking.firewall.allowedUDPPorts = [ + 80 + 443 + ]; networking.firewall.checkReversePath = "loose"; systemd.services.NetworkManager-wait-online.enable = lib.mkForce false; systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; - luj.nginx.enable = true; services.nginx.virtualHosts."vaults.malka.family" = { forceSSL = true; @@ -99,7 +106,7 @@ services.keycloak = { enable = true; database.createLocally = true; - database.passwordFile = "/run/secrets/keycloak"; + database.passwordFile = "/run/agenix/keycloak-db"; settings = { hostname = "auth.julienmalka.me"; hostname-admin-url = "https://auth.julienmalka.me"; @@ -107,7 +114,9 @@ hostname-strict-backchannel = true; proxy = "edge"; }; - themes = { keywind = pkgs.keycloak-keywind; }; + themes = { + keywind = pkgs.keycloak-keywind; + }; }; services.nginx.virtualHosts."auth.julienmalka.me" = { @@ -115,22 +124,15 @@ enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:8080"; - extraConfig = '' - proxy_buffer_size 128k; - proxy_buffers 4 256k; - proxy_busy_buffers_size 256k; + extraConfig = '' + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; ''; }; }; - - sops.secrets.keycloak = { - owner = "root"; - sopsFile = ../../secrets/keycloak-db; - format = "binary"; - }; - - + age.secrets.keycloak-db.file = ../../secrets/keycloak-db.age; services.openssh.extraConfig = '' HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub @@ -139,8 +141,6 @@ MaxAuthTries 20 ''; - - services.step-ca.enable = true; services.step-ca.intermediatePasswordFile = "/root/capw"; services.step-ca.address = "100.100.45.14"; 
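Review bot: `networking.firewall.allowedUDPPorts = [ 80 443 ]` keeps UDP 80 and 443 open alongside the TCP ports, but nginx only needs 443/udp when HTTP/3 (`quic`) is enabled on a vhost, which nothing in the diff shows, and 80/udp serves no HTTP purpose at all. If no QUIC listener is configured, drop the UDP line (or reduce it to `[ 443 ]` only once HTTP/3 is turned on) so the exposed surface matches what the host actually serves. The nginx vhost definitions continue outside the hunk.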
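Review bot: `database.passwordFile = "/run/agenix/keycloak-db"` hard-codes the agenix runtime path, whereas `modules/buildbot` and `users/default.nix` in the same commit reference `config.age.secrets.<name>.path`; `database.passwordFile = config.age.secrets.keycloak-db.path;` keeps the location in one place and turns a misspelled secret name into an evaluation error instead of a missing file at service start. The same pattern appears in `modules/deluge` (`authFile = "/run/agenix/deluge-webui-password"`) and in the three `hashedPasswordFile` entries of `modules/mailserver`.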
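Review bot: `services.step-ca.intermediatePasswordFile = "/root/capw"` is left as an unmanaged plaintext file on the host even though this commit moves the machine's other secrets to agenix, so the CA intermediate key password is the one credential here with no declarative provenance or permission guarantee. Consider an `age.secrets.<step-ca-password>.file = ../../secrets/<name>.age;` entry (placeholder names) with `intermediatePasswordFile = config.age.secrets.<step-ca-password>.path;`, after checking that the step-ca service can read the file under agenix's default root-owned 0400 mode. The step-ca block continues outside the hunk.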
@@ -162,38 +162,37 @@ }; }; - security.acme.certs."ca.luj".server = "https://127.0.0.1:8444/acme/acme/directory"; systemd.services."step-ca".after = [ "keycloak.service" ]; security.pki.certificates = [ - ''-----BEGIN CERTIFICATE----- -MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw -EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X -DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u -TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6 -7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/ -BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja -mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG -SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc -oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw== ------END CERTIFICATE-----'' - ''-----BEGIN CERTIFICATE----- -MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES -MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe -Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v -bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq -hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7 -BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw -EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC -jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf -VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ= ------END CERTIFICATE-----'' + '' + -----BEGIN CERTIFICATE----- + MIIByzCCAXKgAwIBAgIQAcJCOR+99m5v3dHWQw5m9jAKBggqhkjOPQQDAjAwMRIw + EAYDVQQKEwlTYXVtb25OZXQxGjAYBgNVBAMTEVNhdW1vbk5ldCBSb290IENBMB4X + DTIyMDQyNDIwMDE1MFoXDTMyMDQyMTIwMDE1MFowODESMBAGA1UEChMJU2F1bW9u + TmV0MSIwIAYDVQQDExlTYXVtb25OZXQgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZI + zj0CAQYIKoZIzj0DAQcDQgAE5Sk6vYJcYlh4aW0vAN84MWr84TTVTTdsM2s8skH6 + 7fDsqNMb7FMwUMEAFwQRiADjYy3saU2Dogh2ESuB1dDFFqNmMGQwDgYDVR0PAQH/ + 
BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO5iTfZiutpsM7ja + mP3yuMIy6iNTMB8GA1UdIwQYMBaAFBWOQHe4eAeothQTmTNKiG/pAowGMAoGCCqG + SM49BAMCA0cAMEQCICu8u19I7RMfnQ7t3QXHP5fdUm/fX/puqF+jYSf9SZEoAiBc + oVcd0OfuAExWHhOMUZ0OV4bws9WCax333I+Pg4nDNw== + -----END CERTIFICATE-----'' + '' + -----BEGIN CERTIFICATE----- + MIIBpTCCAUqgAwIBAgIRALevKnnElllot/cRNGjnUqUwCgYIKoZIzj0EAwIwMDES + MBAGA1UEChMJU2F1bW9uTmV0MRowGAYDVQQDExFTYXVtb25OZXQgUm9vdCBDQTAe + Fw0yMjA0MjQyMDAxNDlaFw0zMjA0MjEyMDAxNDlaMDAxEjAQBgNVBAoTCVNhdW1v + bk5ldDEaMBgGA1UEAxMRU2F1bW9uTmV0IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggq + hkjOPQMBBwNCAAQG356Ui437dBTSOiJILKjVkwrJMsXN3eba/T1N+IJeqRBfigo7 + BW9YZfs1xIbMZ5wL0Zc/DsSEo5xCC7j4YaXro0UwQzAOBgNVHQ8BAf8EBAMCAQYw + EgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUFY5Ad7h4B6i2FBOZM0qIb+kC + jAYwCgYIKoZIzj0EAwIDSQAwRgIhALdsEqiRa4ak5Cnin6Tjnel5uOiHSjoC6LKf + VfXtULncAiEA2gmqdr+ugFz5tvPdKwanroTiMTUMhhCRYVlQlyTApyQ= + -----END CERTIFICATE-----'' ]; - system.stateVersion = "22.11"; - } diff --git a/machines/lisa/home-julien.nix b/machines/lisa/home-julien.nix index b300d3c..3fa01cd 100644 --- a/machines/lisa/home-julien.nix +++ b/machines/lisa/home-julien.nix @@ -1,25 +1,20 @@ -_: -{ +_: { - sops.secrets.ssh-lisa-pub = { + age.secrets.ssh-lisa-pub = { + file = ../../secrets/ssh-lisa-pub.age; + mode = "0644"; owner = "julien"; path = "/home/julien/.ssh/id_ed25519.pub"; - mode = "0644"; - format = "binary"; - sopsFile = ../../secrets/ssh-lisa-pub; }; - sops.secrets.ssh-lisa-priv = { + age.secrets.ssh-lisa-priv = { + file = ../../secrets/ssh-lisa-priv.age; + mode = "0600"; owner = "julien"; path = "/home/julien/.ssh/id_ed25519"; - mode = "0600"; - format = "binary"; - sopsFile = ../../secrets/ssh-lisa-priv; }; - - - luj.hmgr.julien = { + luj.hmgr.julien = { luj.programs.neovim.enable = true; luj.programs.ssh-client.enable = true; luj.programs.git.enable = true; diff --git a/modules/buildbot/default.nix b/modules/buildbot/default.nix index 4f564b2..0afb121 100644 
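Review bot: The `security.pki.certificates` list here pins the same SaumonNet root and intermediate CA PEMs that `machines/base.nix` adds in this same commit, so if `core-security` imports `base.nix` (not visible in the diff) the second copy is redundant and any future CA rotation has to be repeated in two files. A single declaration in `base.nix`, or one shared module referenced by both, avoids the two lists silently diverging.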
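Review bot: `age.secrets.ssh-lisa-priv.path = "/home/julien/.ssh/id_ed25519"` makes `~/.ssh/id_ed25519` a symlink into agenix's runtime directory rather than a regular file, because agenix only writes in place when `symlink = false` is set; ssh follows the link and accepts the 0600 target, but anything that copies or backs up `~/.ssh` will see a dangling link after a reboot until decryption has run. If a real file is wanted, add `symlink = false;` to both `ssh-lisa-priv` and `ssh-lisa-pub`; either way it is worth confirming that `/home/julien/.ssh` already exists as a julien-owned 0700 directory before activation creates entries inside it.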
--- a/modules/buildbot/default.nix +++ b/modules/buildbot/default.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, ... }: +{ lib, config, ... }: with lib; let cfg = config.luj.buildbot; @@ -14,12 +14,15 @@ in services.buildbot-nix.master = { enable = true; domain = "ci.julienmalka.me"; - workersFile = config.sops.secrets.buildbot-nix-workers.path; - buildSystems = [ "x86_64-linux" "aarch64-linux" ]; + workersFile = config.age.secrets.buildbot-nix-workers.path; + buildSystems = [ + "x86_64-linux" + "aarch64-linux" + ]; github = { - tokenFile = config.sops.secrets.github-token.path; - webhookSecretFile = config.sops.secrets.github-webhook-secret.path; - oauthSecretFile = config.sops.secrets.github-oauth-secret.path; + tokenFile = config.age.secrets.github-token.path; + webhookSecretFile = config.age.secrets.github-webhook-secret.path; + oauthSecretFile = config.age.secrets.github-oauth-secret.path; oauthId = "bba3e144501aa5b8a5dd"; user = "JulienMalka"; admins = [ "JulienMalka" ]; 
@@ -33,37 +36,21 @@ in enableACME = true; }; - sops.secrets = { - github-token = { - format = "binary"; - sopsFile = ../../secrets/github-token-secret; - }; - github-webhook-secret = { - format = "binary"; - sopsFile = ../../secrets/github-webhook-secret; - }; - github-oauth-secret = { - format = "binary"; - sopsFile = ../../secrets/github-oauth-secret; - }; - buildbot-nix-workers = { - format = "binary"; - sopsFile = ../../secrets/buildbot-nix-workers; + age.secrets = { + github-token.file = ../../secrets/github-token-secret.age; + github-webhook-secret.file = ../../secrets/github-webhook-secret.age; + github-oauth-secret.file = ../../secrets/github-oauth-secret.age; + buildbot-nix-workers.file = ../../secrets/buildbot-nix-workers.age; + buildbot-nix-worker-password = { + file = ../../secrets/buildbot-nix-worker-password.age; + owner = "buildbot-worker"; }; }; systemd.services.buildbot-worker.environment.WORKER_COUNT = "14"; services.buildbot-nix.worker = { enable = true; - workerPasswordFile = config.sops.secrets.buildbot-nix-worker-password.path; + workerPasswordFile = config.age.secrets.buildbot-nix-worker-password.path; }; - - sops.secrets.buildbot-nix-worker-password = { - format = "binary"; - owner = "buildbot-worker"; - sopsFile = ../../secrets/buildbot-nix-worker-password; - }; - }; } - diff --git a/modules/deluge/default.nix b/modules/deluge/default.nix index ab3678f..2b2d784 100644 --- a/modules/deluge/default.nix +++ b/modules/deluge/default.nix @@ -22,19 +22,15 @@ in }; nginx.enable = mkEnableOption "activate nginx"; - nginx.subdomain = mkOption { - type = types.str; - }; - + nginx.subdomain = mkOption { type = types.str; }; }; - config = mkIf cfg.enable ( - mkMerge [{ + config = mkIf cfg.enable (mkMerge [ + { - sops.secrets.deluge = { + age.secrets.deluge-webui-password = { owner = cfg.user; - format = "binary"; - sopsFile = ../../secrets/deluge-login; + file = ../../secrets/deluge-webui-password.age; }; services.deluge = { 
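Review bot: Only `buildbot-nix-worker-password` gets `owner = "buildbot-worker"`, while `github-token`, `github-webhook-secret`, `github-oauth-secret` and `buildbot-nix-workers` keep the agenix defaults (root-owned, mode 0400); that is correct only if the master reads them through systemd credentials rather than as its own service user, which the diff does not show. A one-line comment above the block recording that assumption, e.g. `# master secrets stay root:0400 — buildbot-nix loads them via systemd credentials`, added once confirmed against the buildbot-nix module, would keep the asymmetry from looking like an oversight. The enclosing `config` block starts outside the hunk.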
@@ -42,21 +38,16 @@ in inherit (cfg) user group; openFirewall = true; declarative = true; - authFile = "/run/secrets/deluge"; + authFile = "/run/agenix/deluge-webui-password"; web.enable = true; config = { download_location = "/home/mediaserver/downloads/complete/"; allow_remote = true; }; dataDir = "/home/mediaserver/deluge"; - }; } - - - (mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))]); - - - + (mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port)) + ]); } diff --git a/modules/mailserver/default.nix b/modules/mailserver/default.nix index 66a52c2..277b348 100644 --- a/modules/mailserver/default.nix +++ b/modules/mailserver/default.nix 
@@ -8,45 +8,45 @@ with lib; enable = mkEnableOption "Enable mailserver"; }; - config = mkIf cfg.enable - { - mailserver = { - enable = true; - fqdn = "mail.julienmalka.me"; - domains = [ "malka.sh" "ens.school" ]; + config = mkIf cfg.enable { + mailserver = { + enable = true; + fqdn = "mail.julienmalka.me"; + domains = [ + "malka.sh" + "ens.school" + ]; - enableManageSieve = true; - - # A list of all login accounts. To create the password hashes, use - # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 - loginAccounts = { - "julien@malka.sh" = { - hashedPasswordFile = "/run/secrets/malkash-pw"; - aliases = [ "@malka.sh" ]; - sieveScript = builtins.readFile ./malka-sh.sieve; - }; - "julien.malka@ens.school" = { - hashedPasswordFile = "/run/secrets/ensmailmalka-pw"; - }; - "camille.mondon@ens.school" = { - hashedPasswordFile = "/run/secrets/ensmailmondon-pw"; - }; + enableManageSieve = true; + # A list of all login accounts. To create the password hashes, use + # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 + loginAccounts = { + "julien@malka.sh" = { + hashedPasswordFile = "/run/agenix/malkash-pw"; + aliases = [ "@malka.sh" ]; + sieveScript = builtins.readFile ./malka-sh.sieve; }; - extraVirtualAliases = { - "postmaster@ens.school" = "julien.malka@ens.school"; + "julien.malka@ens.school" = { + hashedPasswordFile = "/run/agenix/ensmailmalka-pw"; + }; + "camille.mondon@ens.school" = { + hashedPasswordFile = "/run/agenix/ensmailmondon-pw"; }; - certificateScheme = "acme-nginx"; }; - - services.roundcube = { - enable = true; - hostName = "webmail.julienmalka.me"; + extraVirtualAliases = { + "postmaster@ens.school" = "julien.malka@ens.school"; }; - - sops.secrets.malkash-pw = { }; - sops.secrets.ensmailmalka-pw = { }; - sops.secrets.ensmailmondon-pw = { }; - + certificateScheme = "acme-nginx"; }; + + services.roundcube = { + enable = true; + hostName = "webmail.julienmalka.me"; + }; + + 
age.secrets.malkash-pw.file = ../../secrets/julien-malka-sh-mail-password.age; + age.secrets.ensmailmalka-pw.file = ../../secrets/malka-ens-school-mail-password.age; + age.secrets.ensmailmondon-pw.file = ../../secrets/mondon-ens-school-mail-password.age; + }; } diff --git a/modules/navidrome/default.nix b/modules/navidrome/default.nix index 0b09562..96f1a6c 100644 --- a/modules/navidrome/default.nix +++ b/modules/navidrome/default.nix @@ -1,4 +1,9 @@ -{ lib, pkgs, config, ... }: +{ + lib, + pkgs, + config, + ... +}: with lib; let cfg = config.luj.navidrome; @@ -22,23 +27,12 @@ in description = "Group under which Navidrome runs."; }; - nginx.enable = mkEnableOption "activate nginx"; - nginx.subdomain = mkOption { - type = types.str; - }; + nginx.subdomain = mkOption { type = types.str; }; }; - config = mkIf cfg.enable ( - mkMerge [{ - - sops.secrets."navidrome.json" = { - owner = cfg.user; - format = "binary"; - sopsFile = ../../secrets/navidrome-config; - }; - - + config = mkIf cfg.enable (mkMerge [ + { systemd.services.navidrome = { @@ -55,16 +49,10 @@ in WorkingDirectory = "/var/lib/navidrome"; }; }; - - - } + (mkIf cfg.nginx.enable (mkSubdomain cfg.nginx.subdomain port)) - - (mkIf cfg.nginx.enable (mkSubdomain cfg.nginx.subdomain port)) - - (mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))]); - - + (mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port)) + ]); } diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix index 2a5d491..9094942 100644 --- a/modules/secrets/default.nix +++ b/modules/secrets/default.nix 
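Review bot: The `nginx.enable = mkEnableOption "activate nginx";` option is deleted from the navidrome module, yet the following hunk still evaluates `cfg.nginx.enable` twice inside the `mkMerge` list, which fails with a missing-attribute error unless `nginx.enable` is also declared above this hunk (the option block starts outside it); the equivalent deluge hunk keeps its `nginx.enable` line, so this looks accidental. Restore `nginx.enable = mkEnableOption "activate nginx";` next to `nginx.subdomain`. Separately, `sops.secrets."navidrome.json"` is removed with no `age.secrets` counterpart, so if the `systemd.services.navidrome` unit (its body is mostly outside the hunk) still points at `/run/secrets/navidrome.json` the service will come up without its configuration; either add `age.secrets.navidrome-config = { file = ../../secrets/<navidrome-config>.age; owner = cfg.user; };` (placeholder file name) or state in the commit message why the secret is no longer needed.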
@@ -8,24 +8,19 @@ with lib; enable = mkEnableOption "Create secrets"; }; - config = mkIf cfg.enable - { - sops.secrets.ens-mail-passwd = { - owner = "julien"; - path = "/home/julien/.config/ens-mail-passwd"; - }; - - sops.secrets.sendinblue-mail-passwd = { }; - sops.secrets.git-gpg-private-key = { - owner = "julien"; - mode = "0440"; - group = config.users.groups.keys.name; - sopsFile = ../secrets/git-gpg-private-key; - format = "binary"; - }; - + config = mkIf cfg.enable { + age.secrets.ens-mail-password = { + file = ../../secrets/ens-mail-password.age; + owner = "julien"; + path = "/home/julien/.config/ens-mail-passwd"; }; - + age.secrets.git-gpg-private-key = { + file = ../../secrets/git-gpg-private-key.age; + owner = "julien"; + mode = "0440"; + group = config.users.groups.keys.name; + }; + }; } diff --git a/users/default.nix b/users/default.nix index 8aa7c2b..bc73138 100644 --- a/users/default.nix +++ b/users/default.nix @@ -1,20 +1,27 @@ -{ config, pkgs, lib, ... }: { +{ + config, + pkgs, + lib, + ... +}: +{ users.mutableUsers = false; users.defaultUserShell = pkgs.fish; - sops.secrets.user-root-password.neededForUsers = true; programs.fish.enable = true; + age.secrets.user-root-password.file = ../secrets/user-root-password.age; + users.users.root = { uid = config.ids.uids.root; description = "System administrator"; home = "/root"; shell = lib.mkForce config.users.defaultUserShell; group = "root"; - hashedPasswordFile = config.sops.secrets.user-root-password.path; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower" ]; + hashedPasswordFile = config.age.secrets.user-root-password.path; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower" + ]; }; - - } diff --git a/users/julien.nix b/users/julien.nix index edbc593..eb31ea6 100644 --- a/users/julien.nix +++ b/users/julien.nix 
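Review bot: `age.secrets.git-gpg-private-key` keeps `mode = "0440"` with `group = config.users.groups.keys.name`, so every member of the `keys` group can read julien's private GPG key, while the only consumer visible in this commit is the home-manager activation that runs as the owner; `mode = "0400";` with the `group` line dropped gives the same result with a narrower read set. Also, `sops.secrets.sendinblue-mail-passwd` is removed without an agenix replacement, so any module that still references its `.path` will fail evaluation; a repo-wide search for that name is worth doing before merging.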
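Review bot: `sops.secrets.user-root-password.neededForUsers = true` is dropped and `age.secrets.user-root-password.file` carries no equivalent flag, so root's `hashedPasswordFile` now relies on agenix ordering its secret installation before the `users` activation script; the upstream agenix module does add that ordering itself, but nothing in this file records it. A short comment above the declaration, e.g. `# agenix installs secrets before the users activation script, so no neededForUsers equivalent is needed`, saves the next reader from re-deriving why the password still applies on first boot.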
@@ -1,30 +1,26 @@ -{ config, pkgs, ... }: { - - sops.secrets.user-julien-password.neededForUsers = true; +{ config, pkgs, ... }: +{ users.users.julien = { isNormalUser = true; home = "/home/julien"; - extraGroups = [ "wheel" config.users.groups.keys.name "networkmanager" "davfs2" "adbusers" "audio" "pipewire" "dialout" "video" ]; + extraGroups = [ + "wheel" + config.users.groups.keys.name + "networkmanager" + "davfs2" + "adbusers" + "audio" + "pipewire" + "dialout" + "video" + ]; shell = pkgs.fish; - hashedPasswordFile = config.sops.secrets.user-julien-password.path; + hashedPasswordFile = config.age.secrets.julien-password.path; }; nix.settings.allowed-users = [ "julien" ]; nix.settings.trusted-users = [ "julien" ]; - sops.secrets.ens-mail-passwd = { - owner = "julien"; - path = "/home/julien/.config/ens-mail-passwd"; - }; - - sops.secrets.git-gpg-private-key = { - owner = "julien"; - mode = "0440"; - group = config.users.groups.keys.name; - sopsFile = ../secrets/git-gpg-private-key; - format = "binary"; - }; - - + age.secrets.julien-password.file = ../secrets/user-julien-password.age; }
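Review bot: The secret is declared as `age.secrets.julien-password` while its file is `user-julien-password.age` and the root counterpart in `users/default.nix` is `age.secrets.user-root-password`; naming it `user-julien-password` keeps the attribute, the file name and the root declaration aligned: `hashedPasswordFile = config.age.secrets.user-julien-password.path;` and `age.secrets.user-julien-password.file = ../secrets/user-julien-password.age;`. `config.users.groups.keys.name` in `extraGroups` is still needed for the group-readable 0440 GPG key declared in `modules/secrets`, so it should not be mistaken for a sops-nix leftover.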