diff --git a/.gitignore b/.gitignore
index 8506141..03f0937 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 README.md~
 .DS_Store
 result
+dump.txt
+*~
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..836be28
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,8 @@
+keys:
+ - &admin_olaf age1jfmngygcas0urav66tch0v4583d07smf3vnww87xpcngcklaycas4kzjlp
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_olaf
+
\ No newline at end of file
diff --git a/apps/aarch64-darwin/check-keys b/apps/aarch64-darwin/check-keys
deleted file mode 100755
index 4bd9dd8..0000000
--- a/apps/aarch64-darwin/check-keys
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-NC='\033[0m'
-
-username=${USER}
-export SSH_DIR=/Users/${username}/.ssh
-
-lint_keys() {
- if [[ -f "${SSH_DIR}/id_ed25519" && -f "${SSH_DIR}/id_ed25519.pub" && -f "${SSH_DIR}/id_ed25519_agenix" && -f "${SSH_DIR}/id_ed25519_agenix.pub" ]]; then
- echo -e "${GREEN}All SSH keys are present.${NC}"
- else
- echo -e "${RED}Some SSH keys are missing.${NC}"
- if [[ ! -f "${SSH_DIR}/id_ed25519" ]]; then
- echo -e "${RED}Missing: id_ed25519${NC}"
- fi
- if [[ ! -f "${SSH_DIR}/id_ed25519.pub" ]]; then
- echo -e "${RED}Missing: id_ed25519.pub${NC}"
- fi
- if [[ ! -f "${SSH_DIR}/id_ed25519_agenix" ]]; then
- echo -e "${RED}Missing: id_ed25519_agenix${NC}"
- fi
- if [[ ! -f "${SSH_DIR}/id_ed25519_agenix.pub" ]]; then
- echo -e "${RED}Missing: id_ed25519_agenix.pub${NC}"
- fi
- echo -e "${GREEN}Run the createKeys command to generate the missing keys.${NC}"
- exit 1
- fi
-}
-
-lint_keys
diff --git a/apps/aarch64-darwin/copy-keys b/apps/aarch64-darwin/copy-keys
deleted file mode 100755
index 904cc15..0000000
--- a/apps/aarch64-darwin/copy-keys
+++ /dev/null
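Review bot: The only recipient in the new `.sops.yaml` is the `admin_olaf` age key, so any host that imports the sops-nix module (added to the NixOS host in flake.nix) can only decrypt files under `secrets/` if that same admin private identity is present on the host at activation time; sops-nix normally decrypts with a per-host identity derived from the machine's SSH host key, and no such recipient is listed here. Add one age recipient per host next to the admin key, e.g. `- &host_<name> <age recipient derived from that host's key — placeholder>` under `keys:` and `- *host_<name>` in the rule's `age:` list, then re-encrypt existing files with `sops updatekeys`. The `path_regex` has no leading `^`, so it also matches any nested `.../secrets/x.yaml` path; prefix it with `^` if only the top-level `secrets/` directory is meant to be covered.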
@@ -1,68 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-NC='\033[0m'
-
-username=${USER}
-export SSH_DIR=/Users/${username}/.ssh
-
-handle_no_usb() {
- echo -e ${RED}No USB drive found or mounted.${NC}"
- echo -e ${GREEN}If you have not yet set up your keys, run the script to generate new SSH keys.${NC}"
- exit 1
-}
-
-mount_usb() {
- MOUNT_PATH=""
- for dev in $(diskutil list | grep -o 'disk[0-9]'); do
- MOUNT_PATH="$(diskutil info /dev/${dev} | grep \"Mount Point\" | awk -F: '{print $2}' | xargs)"
- if [ -n "${MOUNT_PATH}" ]; then
- echo -e "${GREEN}USB drive found at ${MOUNT_PATH}.${NC}"
- break
- fi
- done
-
- if [ -z "${MOUNT_PATH}" ]; then
- echo -e "${RED}No USB drive found.${NC}"
- fi
-}
-
-copy_keys() {
- if [ -n "${MOUNT_PATH}" ]; then
- cp "${MOUNT_PATH}/id_ed25519_agenix.pub" ${SSH_DIR}
- cp "${MOUNT_PATH}/id_ed25519_agenix" ${SSH_DIR}
- chmod 600 ${SSH_DIR}/id_ed25519_{agenix,agenix.pub}
- else
- echo -e "${RED}No USB drive found. Aborting.${NC}"
- exit 1
- fi
-}
-
-setup_ssh_directory() {
- mkdir -p ${SSH_DIR}
-}
-
-set_keys() {
- cp ${MOUNT_PATH}/id_ed25519_github.pub ${SSH_DIR}/id_ed25519.pub
- cp ${MOUNT_PATH}/id_ed25519_github ${SSH_DIR}/id_ed25519
- chmod 600 ${SSH_DIR}/id_ed25519
- chmod 644 ${SSH_DIR}/id_ed25519.pub
-}
-
-change_ownership() {
- chown ${username}:staff ${SSH_DIR}/id_ed25519{,.pub}
- chown ${username}:staff ${SSH_DIR}/id_ed25519_{agenix,agenix.pub}
-}
-
-setup_ssh_directory
-mount_usb
-
-if [ -z "${MOUNT_PATH}" ]; then
- handle_no_usb
-else
- copy_keys
- set_keys
- change_ownership
-fi
diff --git a/apps/aarch64-darwin/create-keys b/apps/aarch64-darwin/create-keys
deleted file mode 100755
index 9fdfe43..0000000
--- a/apps/aarch64-darwin/create-keys
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-NC='\033[0m'
-
-username=${USER}
-export SSH_DIR=/Users/${username}/.ssh
-
-setup_ssh_directory() {
- mkdir -p ${SSH_DIR}
-}
-
-prompt_for_key_generation() {
- local key_name=$1
- if [[ -f "${SSH_DIR}/${key_name}" ]]; then
- echo -e "${RED}Existing SSH key found for ${key_name}.${NC}"
- cat "${SSH_DIR}/${key_name}.pub"
- read -p "Do you want to replace it? (y/n) " -n 1 -r
- echo
- if [[ $REPLY =~ ^[Yy]$ ]]; then
- return 0 # Indicate key should be replaced
- else
- return 1 # Indicate key should be kept
- fi
- fi
- return 0 # Indicate no key exists, so it should be created
-}
-
-generate_key() {
- local key_name=$1
- if prompt_for_key_generation "$key_name"; then
- ssh-keygen -t ed25519 -f "${SSH_DIR}/${key_name}" -N ""
- chown ${username}:staff "${SSH_DIR}/${key_name}"{,.pub}
- else
- echo -e "${GREEN}Kept existing ${key_name}.${NC}"
- fi
-}
-
-setup_ssh_directory
-generate_key "id_ed25519"
-generate_key "id_ed25519_agenix"
-
-echo -e "${GREEN}SSH key setup complete.${NC}"
-echo -e "${GREEN}Remember to add the necessary keys to Github or other services as required.${NC}"
diff --git a/apps/x86_64-darwin/check-keys b/apps/x86_64-darwin/check-keys
deleted file mode 100644
index 4bd9dd8..0000000
--- a/apps/x86_64-darwin/check-keys
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-NC='\033[0m'
-
-username=${USER}
-export SSH_DIR=/Users/${username}/.ssh
-
-lint_keys() {
- if [[ -f "${SSH_DIR}/id_ed25519" && -f "${SSH_DIR}/id_ed25519.pub" && -f "${SSH_DIR}/id_ed25519_agenix" && -f "${SSH_DIR}/id_ed25519_agenix.pub" ]]; then
- echo -e "${GREEN}All SSH keys are present.${NC}"
- else
- echo -e "${RED}Some SSH keys are missing.${NC}"
- if [[ ! -f "${SSH_DIR}/id_ed25519" ]]; then
- echo -e "${RED}Missing: id_ed25519${NC}"
- fi
- if [[ ! -f "${SSH_DIR}/id_ed25519.pub" ]]; then
- echo -e "${RED}Missing: id_ed25519.pub${NC}"
- fi
- if [[ ! -f "${SSH_DIR}/id_ed25519_agenix" ]]; then
- echo -e "${RED}Missing: id_ed25519_agenix${NC}"
- fi
- if [[ ! -f "${SSH_DIR}/id_ed25519_agenix.pub" ]]; then
- echo -e "${RED}Missing: id_ed25519_agenix.pub${NC}"
- fi
- echo -e "${GREEN}Run the createKeys command to generate the missing keys.${NC}"
- exit 1
- fi
-}
-
-lint_keys
diff --git a/apps/x86_64-darwin/copy-keys b/apps/x86_64-darwin/copy-keys
deleted file mode 100644
index 904cc15..0000000
--- a/apps/x86_64-darwin/copy-keys
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-NC='\033[0m'
-
-username=${USER}
-export SSH_DIR=/Users/${username}/.ssh
-
-handle_no_usb() {
- echo -e ${RED}No USB drive found or mounted.${NC}"
- echo -e ${GREEN}If you have not yet set up your keys, run the script to generate new SSH keys.${NC}"
- exit 1
-}
-
-mount_usb() {
- MOUNT_PATH=""
- for dev in $(diskutil list | grep -o 'disk[0-9]'); do
- MOUNT_PATH="$(diskutil info /dev/${dev} | grep \"Mount Point\" | awk -F: '{print $2}' | xargs)"
- if [ -n "${MOUNT_PATH}" ]; then
- echo -e "${GREEN}USB drive found at ${MOUNT_PATH}.${NC}"
- break
- fi
- done
-
- if [ -z "${MOUNT_PATH}" ]; then
- echo -e "${RED}No USB drive found.${NC}"
- fi
-}
-
-copy_keys() {
- if [ -n "${MOUNT_PATH}" ]; then
- cp "${MOUNT_PATH}/id_ed25519_agenix.pub" ${SSH_DIR}
- cp "${MOUNT_PATH}/id_ed25519_agenix" ${SSH_DIR}
- chmod 600 ${SSH_DIR}/id_ed25519_{agenix,agenix.pub}
- else
- echo -e "${RED}No USB drive found. Aborting.${NC}"
- exit 1
- fi
-}
-
-setup_ssh_directory() {
- mkdir -p ${SSH_DIR}
-}
-
-set_keys() {
- cp ${MOUNT_PATH}/id_ed25519_github.pub ${SSH_DIR}/id_ed25519.pub
- cp ${MOUNT_PATH}/id_ed25519_github ${SSH_DIR}/id_ed25519
- chmod 600 ${SSH_DIR}/id_ed25519
- chmod 644 ${SSH_DIR}/id_ed25519.pub
-}
-
-change_ownership() {
- chown ${username}:staff ${SSH_DIR}/id_ed25519{,.pub}
- chown ${username}:staff ${SSH_DIR}/id_ed25519_{agenix,agenix.pub}
-}
-
-setup_ssh_directory
-mount_usb
-
-if [ -z "${MOUNT_PATH}" ]; then
- handle_no_usb
-else
- copy_keys
- set_keys
- change_ownership
-fi
diff --git a/apps/x86_64-darwin/create-keys b/apps/x86_64-darwin/create-keys
deleted file mode 100644
index 9fdfe43..0000000
--- a/apps/x86_64-darwin/create-keys
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-NC='\033[0m'
-
-username=${USER}
-export SSH_DIR=/Users/${username}/.ssh
-
-setup_ssh_directory() {
- mkdir -p ${SSH_DIR}
-}
-
-prompt_for_key_generation() {
- local key_name=$1
- if [[ -f "${SSH_DIR}/${key_name}" ]]; then
- echo -e "${RED}Existing SSH key found for ${key_name}.${NC}"
- cat "${SSH_DIR}/${key_name}.pub"
- read -p "Do you want to replace it? (y/n) " -n 1 -r
- echo
- if [[ $REPLY =~ ^[Yy]$ ]]; then
- return 0 # Indicate key should be replaced
- else
- return 1 # Indicate key should be kept
- fi
- fi
- return 0 # Indicate no key exists, so it should be created
-}
-
-generate_key() {
- local key_name=$1
- if prompt_for_key_generation "$key_name"; then
- ssh-keygen -t ed25519 -f "${SSH_DIR}/${key_name}" -N ""
- chown ${username}:staff "${SSH_DIR}/${key_name}"{,.pub}
- else
- echo -e "${GREEN}Kept existing ${key_name}.${NC}"
- fi
-}
-
-setup_ssh_directory
-generate_key "id_ed25519"
-generate_key "id_ed25519_agenix"
-
-echo -e "${GREEN}SSH key setup complete.${NC}"
-echo -e "${GREEN}Remember to add the necessary keys to Github or other services as required.${NC}"
diff --git a/flake.lock b/flake.lock
index 1e45327..06d6658 100644
--- a/flake.lock
+++ b/flake.lock
@@ -396,7 +396,8 @@
 "nix-homebrew": "nix-homebrew",
 "nixd": "nixd",
 "nixpkgs": "nixpkgs_6",
- "secrets": "secrets"
+ "secrets": "secrets",
+ "sops-nix": "sops-nix"
 }
 },
 "secrets": {
@@ -411,6 +412,26 @@
 },
 "parent": []
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1746485181,
+ "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index 4d625c9..e4a4135 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,9 +4,6 @@
 nixpkgs = {
 url = "github:nixos/nixpkgs/nixos-unstable";
 };
- agenix = {
- url = "github:ryantm/agenix";
- };
 home-manager = {
 url = "github:nix-community/home-manager";
 };
@@ -40,6 +37,10 @@
 url = "git@git.kolkman.org:olaf/nix-config-secrets.git";
 flake = false;
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 
 outputs = {
@@ -52,9 +53,9 @@
 home-manager,
 nixpkgs,
 disko,
- agenix,
 secrets,
 nixd,
+ sops-nix,
 }@inputs:
 let
 user = "olaf";
@@ -79,8 +80,6 @@
 nativeBuildInputs = with pkgs; [
 bashInteractive
 git
- age
- age-plugin-yubikey
 ];
 shellHook = with pkgs; ''
 export EDITOR=vim
@@ -132,6 +131,7 @@
 inherit system;
 specialArgs = inputs;
 modules = [
+ # sops-nix.nixosModules.sops
 home-manager.darwinModules.home-manager
 nix-homebrew.darwinModules.nix-homebrew
 {
@@ -158,6 +158,7 @@
 inherit system;
 specialArgs = inputs;
 modules = [
+ sops-nix.nixosModules.sops
 disko.nixosModules.disko
 home-manager.nixosModules.home-manager
 {
diff --git a/hosts/darwin/default.nix b/hosts/darwin/default.nix
index 6431d3e..7f5d88f 100644
--- a/hosts/darwin/default.nix
+++ b/hosts/darwin/default.nix
@@ -1,5 +1,4 @@
 {
- agenix,
 config,
 pkgs,
 ...
@@ -22,10 +21,9 @@ in
 };
 
 imports = [
- ../../modules/darwin/secrets.nix
 ../../modules/darwin/home-manager.nix
 ../../modules/shared
- agenix.darwinModules.default
+
 ];
 
 # Setup user, packages, programs
@@ -67,7 +65,6 @@ in
 with pkgs;
 [
 emacs-unstable
- agenix.packages."${pkgs.system}".default
 ]
 ++ (import ../../modules/shared/packages.nix { inherit pkgs; })
 
diff --git a/hosts/nixos/default.nix b/hosts/nixos/default.nix
index 3fdd620..1d2c03f 100644
--- a/hosts/nixos/default.nix
+++ b/hosts/nixos/default.nix
@@ -2,7 +2,6 @@
 config,
 inputs,
 pkgs,
- agenix,
 ...
 }:
 
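Review bot: The commented-out line added to the darwin `modules` list names `sops-nix.nixosModules.sops`, which is the NixOS module; sops-nix ships a separate `darwinModules.sops` for nix-darwin hosts, so when this line is eventually enabled it should read `sops-nix.darwinModules.sops`, otherwise evaluation on darwin is likely to fail on NixOS-only options. The NixOS host list in the following hunk imports the module under the correct attribute. Separately, `age` and `age-plugin-yubikey` are removed from the devShell's `nativeBuildInputs` while `sops` is only added to the system package set in modules/shared/packages.nix, so editing secrets from the devShell depends on what happens to be installed system-wide; adding `sops` (and `age`, if the admin identity is age-based) to `nativeBuildInputs` keeps the shell self-contained.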
@@ -12,10 +11,8 @@ let
 in
 {
 imports = [
- ../../modules/nixos/secrets.nix
 ../../modules/nixos/disk-config.nix
 ../../modules/shared
- agenix.nixosModules.default
 ];
 
 # Use the systemd-boot EFI boot loader.
@@ -337,7 +334,6 @@ in
 ];
 
 environment.systemPackages = with pkgs; [
- agenix.packages."${pkgs.system}".default # "x86_64-linux"
 gitAndTools.gitFull
 inetutils
 ];
diff --git a/modules/darwin/secrets.nix b/modules/darwin/secrets.nix
deleted file mode 100644
index fa7de6b..0000000
--- a/modules/darwin/secrets.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ config, pkgs, agenix, secrets, ... }:
-
-let user = "olaf"; in
-{
- age.identityPaths = [
- "/Users/${user}/.ssh/id_ed25519"
- ];
-
- # Your secrets go here
- #
- # Note: the installWithSecrets command you ran to boostrap the machine actually copies over
- # a Github key pair. However, if you want to store the keypair in your nix-secrets repo
- # instead, you can reference the age files and specify the symlink path here. Then add your
- # public key in shared/files.nix.
- #
- # If you change the key name, you'll need to update the SSH configuration in shared/home-manager.nix
- # so Github reads it correctly.
-
- #
- # age.secrets."github-ssh-key" = {
- # symlink = true;
- # path = "/Users/${user}/.ssh/id_github";
- # file = "${secrets}/github-ssh-key.age";
- # mode = "600";
- # owner = "${user}";
- # group = "staff";
- # };
-
- # age.secrets."github-signing-key" = {
- # symlink = false;
- # path = "/Users/${user}/.ssh/pgp_github.key";
- # file = "${secrets}/github-signing-key.age";
- # mode = "600";
- # owner = "${user}";
- # };
-
-}
diff --git a/modules/shared/packages.nix b/modules/shared/packages.nix
index f068610..1568f29 100644
--- a/modules/shared/packages.nix
+++ b/modules/shared/packages.nix
@@ -26,7 +26,7 @@ with pkgs;
 
 # Encryption and security tools
 age
- age-plugin-yubikey
+ sops
 gnupg
 libfido2
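Review bot: With `../../modules/nixos/secrets.nix` dropped from `imports`, nothing in this diff declares `sops.defaultSopsFile` or any `sops.secrets.*` entry, so the `sops-nix.nixosModules.sops` import added in flake.nix currently wires up no secrets on the NixOS host; if the replacement declarations live in a file not shown here that is fine, otherwise the migration is incomplete and the host silently loses the secrets the old agenix module provided. The deleted `modules/darwin/secrets.nix` also carried the only documentation of where the GitHub SSH key was expected and how its ownership/mode were set; that guidance should be carried over to wherever the sops secret declarations land, e.g. a comment such as `# sops-managed secrets: see .sops.yaml for recipients; keys land under /Users/${user}/.ssh` next to the new declarations.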