diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..791bb2b
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,17 @@
+keys:
+ - &admin_torjus age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+ - &server_gunter age1whxf34vjdndqzwgm7yyaexdm46gdnv9sf3nal7qqyjr0nyhhndlsrmc0g3
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini|toml)
+ key_groups:
+ - age:
+ - *admin_torjus
+ - path_regex: secrets/gunter/[^/]+\.(yaml|json|env|ini|toml)
+ key_groups:
+ - age:
+ - *admin_torjus
+ - *server_gunter
+ - path_regex: secrets/torjus/[^/]+\.(yaml|json|env|ini|toml)
+ key_groups:
+ - age:
+ - *admin_torjus
diff --git a/flake.lock b/flake.lock
index 5a88a07..ab48357 100644
--- a/flake.lock
+++ b/flake.lock
@@ -37,6 +37,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1709428628,
+ "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-unstable": {
 "locked": {
 "lastModified": 1709479366,
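Review bot: The three `path_regex` patterns in creation_rules are unanchored, so a file such as `old/secrets/x.yaml` anywhere in the tree also matches the first rule, and sops applies the first rule that matches. Anchoring them, e.g. `path_regex: ^secrets/[^/]+\.(yaml|json|env|ini|toml)$`, keeps the rule set from silently covering paths it was not written for. The first rule only avoids swallowing the per-host rules because `[^/]+` excludes subdirectories; a comment such as `# first matching rule wins; [^/]+ keeps secrets/<host>/ out of the top-level rule` would make that dependency explicit to whoever adds the next rule.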
@@ -53,11 +69,47 @@
 "type": "github"
 }
 },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1709356872,
+ "narHash": "sha256-mvxCirJbtkP0cZ6ABdwcgTk0u3bgLoIoEFIoYBvD6+4=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "458b097d81f90275b3fdf03796f0563844926708",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "home-manager": "home-manager",
 "nixpkgs": "nixpkgs",
- "nixpkgs-unstable": "nixpkgs-unstable"
+ "nixpkgs-unstable": "nixpkgs-unstable",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_2",
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1709711091,
+ "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 8496140..cd9b020 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,9 +9,10 @@
 url = "github:nix-community/home-manager?ref=release-23.11";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix.url = "github:Mic92/sops-nix";
 };
 
- outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs:
+ outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, ... }@inputs:
 let
 system = "x86_64-linux";
 user = "torjus";
@@ -36,10 +37,11 @@
 };
 gunter = nixpkgs.lib.nixosSystem {
 inherit system;
- specialArgs = { inherit inputs self user; };
+ specialArgs = { inherit inputs self user sops-nix; };
 modules = [
 ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
 ./hosts/gunter
+ sops-nix.nixosModules.sops
 ];
 };
 };
diff --git a/home/default.nix b/home/default.nix
index 424fac0..673e8bf 100644
--- a/home/default.nix
+++ b/home/default.nix
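Review bot: `sops-nix.url = "github:Mic92/sops-nix";` is added without an `inputs.nixpkgs.follows`, unlike the home-manager input two lines above, which is why the lock file now carries two extra nixpkgs checkouts (`nixpkgs_2` and `nixpkgs-stable`) that are fetched, updated and audited separately from the nixpkgs the system is built from. Declaring it as `sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };` (and, if wanted, `inputs.nixpkgs-stable.follows = "nixpkgs";`) keeps the build to one nixpkgs revision and shrinks flake.lock. Home-manager is pinned to `release-23.11` while sops-nix tracks its default branch; a short comment on why that is acceptable, or a ref pin, would help the next update.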
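Review bot: `specialArgs = { inherit inputs self user sops-nix; }` passes sops-nix a second time even though it is already reachable as `inputs.sops-nix` (the first hunk binds `@inputs`), and home/default.nix in this same commit uses the `inputs.sops-nix.homeManagerModules.sops` form. Keeping `specialArgs = { inherit inputs self user; };` and referencing `inputs.sops-nix` in host modules avoids two names for one input drifting apart. The module list itself, `sops-nix.nixosModules.sops` after `./hosts/gunter`, is fine either way.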
@@ -1,4 +1,4 @@
-{ pkgs, inputs, self, user, ... }: {
+{ pkgs, inputs, user, ... }: {
 imports = [ inputs.home-manager.nixosModules.home-manager ];
 home-manager = {
 useUserPackages = true;
@@ -6,6 +6,8 @@
 extraSpecialArgs = { inherit pkgs inputs user; };
 users.${user} = { pkgs, ... }: {
 imports = [
+ inputs.sops-nix.homeManagerModules.sops
+ ./sops
 ./editor/neovim
 ./programs/firefox
 ./programs/tmux
diff --git a/home/packages/default.nix b/home/packages/default.nix
index 3bbf455..1abfbc5 100644
--- a/home/packages/default.nix
+++ b/home/packages/default.nix
@@ -28,6 +28,7 @@
 restic
 ripgrep
 rofi-rbw-wayland
+ sops
 spotify
 spicetify-cli
 sshfs
diff --git a/home/services/backup-home.nix b/home/services/backup-home.nix
index f5eb077..0d39a3d 100644
--- a/home/services/backup-home.nix
+++ b/home/services/backup-home.nix
@@ -1,10 +1,17 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }: let # Backup home script backup-home = pkgs.writeShellScriptBin "backup-home.sh" '' export RESTIC_PASSWORD="gunter.home.2rjus.net" export RESTIC_REPOSITORY="rest:http://10.69.12.52:8000/gunter.home.2rjus.net" + GOTIFY_TOKEN=$(<"$XDG_RUNTIME_DIR/gotify_backup_home.txt") + + if [ -z "$GOTIFY_TOKEN" ]; then + ${pkgs.libnotify}/bin/notify-send -u critical "Backup issue" "No Gotify token found" + fi + + echo "GOTIFY_TOKEN=$GOTIFY_TOKEN" # Send start notification ${pkgs.libnotify}/bin/notify-send -e -t 3000 "Backup started" "Backup of /home/torjus started"
@@ -26,7 +33,7 @@ let
 retval=$?
 if [ $retval -ne 0 ]; then
 # TODO: put token in sops
- ${pkgs.curl}/bin/curl "https://gotify.t-juice.club/message?token=ABgV8XT62bxyCzF" \
+ ${pkgs.curl}/bin/curl "https://gotify.t-juice.club/message?token=$GOTIFY_TOKEN" \
 -F "title=Backup of home@gunter failed!" \
 -F "message=Please check status of backup-home service"
 fi
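Review bot: `echo "GOTIFY_TOKEN=$GOTIFY_TOKEN"` in the first backup-home.nix hunk prints the decrypted token to the unit's stdout, which for a systemd user service ends up in the journal, so the secret this commit moves into sops is written in clear on every run; drop the line, or log only presence, e.g. `[ -n "$GOTIFY_TOKEN" ] && echo "Gotify token loaded"`. The secret path `$XDG_RUNTIME_DIR/gotify_backup_home.txt` is hand-written although `config` is newly added to the module arguments and left unused; the sops home-manager module exposes the real location as `config.sops.secrets."gotify_backup_home".path`, and interpolating that into the script avoids drift if sops-nix's default secret directory differs from this literal (worth confirming against the module's defaults). The empty-token branch only notifies and carries on, so if that is intentional a comment saying the backup must run even when alerting is unavailable would help. The `RESTIC_PASSWORD` literal on the context line above is the obvious next candidate for the same sops treatment. The `backup-home` let binding continues past the end of this hunk.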
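Review bot: In the second backup-home.nix hunk the token is sent as the `?token=` query parameter, so it still shows up in the curl process's command line, in any shell trace and in access or proxy logs on the Gotify side; passing it as a header, `-H "X-Gotify-Key: $GOTIFY_TOKEN"` with the plain `/message` URL, keeps it out of the URL. The `# TODO: put token in sops` context line directly above is completed by this commit and should be removed in the same change. When the token was empty in the first hunk this request is still sent with a blank `token=`, so the failure alert itself fails silently; guarding with `if [ -n "$GOTIFY_TOKEN" ]` around the curl call, or failing the unit earlier, makes that visible. The enclosing let binding starts and ends outside this hunk.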
@@ -59,10 +66,12 @@ let
 '';
 in
 {
+ sops.secrets."gotify_backup_home" = { };
+
 systemd.user.services.backup-home = {
 Unit = {
 Description = "Backup home directory";
- After = [ "network.target" ];
+ After = [ "network.target" "sops-nix.service" ];
 };
 Service = {
 Type = "oneshot";
diff --git a/home/sops/default.nix b/home/sops/default.nix
new file mode 100644
index 0000000..451ba1f
--- /dev/null
+++ b/home/sops/default.nix
@@ -0,0 +1,6 @@
+{ user, ... }: {
+ sops = {
+ age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
+ defaultSopsFile = ../../secrets/torjus/secret.yaml;
+ };
+}
diff --git a/hosts/gunter/configuration.nix b/hosts/gunter/configuration.nix
index f61c8ec..a65146a 100644
--- a/hosts/gunter/configuration.nix
+++ b/hosts/gunter/configuration.nix
@@ -1,7 +1,15 @@
-{ config, lib, pkgs, ... }:
+{ config, inputs, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ]; + imports = [ + ./hardware-configuration.nix + ]; + + # Sops stuff + sops.defaultSopsFile = ../../secrets/gunter/secrets.yaml; + sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + sops.age.generateKey = true; + sops.secrets."gotify_tokens/backup-home" = { }; # Bootloader stuff boot.kernelParams = [
diff --git a/secrets/gunter/secrets.yaml b/secrets/gunter/secrets.yaml
new file mode 100644
index 0000000..5d38ae3
--- /dev/null
+++ b/secrets/gunter/secrets.yaml
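Review bot: `After = [ "network.target" "sops-nix.service" ];` only orders the unit; it does not pull the decryption service in or fail when it failed, so the backup still starts with the secret file missing and, per the script in the earlier hunk, runs with an empty token. Adding `Requires = [ "sops-nix.service" ];` next to the `After` line turns a failed decryption into a visible unit failure instead of a silently lost alert. `sops.secrets."gotify_backup_home" = { };` would also read better with a one-line comment naming its consumer, e.g. `# consumed by backup-home.sh via the secret's runtime path`.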
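Review bot: In home/sops/default.nix, `age.keyFile = "/home/${user}/.config/sops/age/keys.txt";` hard-codes the home directory; home-manager provides it as `config.home.homeDirectory`, so `age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";` (with `config` taken from the module arguments) survives a non-standard home. Nothing in this commit provisions that private key, and secrets/torjus/secret.yaml is encrypted only to the `admin_torjus` recipient from .sops.yaml, so a comment stating that keys.txt must hold that identity, is created out of band, and is never committed would save the next reader a search.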
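Review bot: In hosts/gunter/configuration.nix, `sops.age.generateKey = true;` creates a new key at `/var/lib/sops-nix/key.txt` only when none exists, but secrets/gunter/secrets.yaml is already encrypted to the fixed `server_gunter` recipient, so a freshly generated key on a reinstalled host decrypts nothing until its public half is added to .sops.yaml and the file is re-encrypted; a comment spelling out that bootstrap step next to `# Sops stuff` would prevent a confusing first boot. `inputs` replaces `lib` in the module arguments but is not used within the hunk (it may be used further down; the hunk ends at `boot.kernelParams = [`). The host-level `sops.secrets."gotify_tokens/backup-home"` has no visible consumer and, with the module's defaults, is presumably root-owned while backup-home.sh reads the separate home-manager secret; if it is reserved for a system service, say so, otherwise it keeps the same token under two names that must be rotated together.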
@@ -0,0 +1,31 @@
+gotify_tokens:
+ backup-home: ENC[AES256_GCM,data:sq5ijJ0/jms=,iv:r+hobBUbO3wOp+Xx22yff2sXc44XrCXVDhbD/IS3Rtg=,tag:ypOiz21arspX3TGYeGtgxg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNm9vK1k0ODFwVTVDUEIw
+ VXVIdllUZnJEUUVHdGY1VzV4d2grekFRNTJVCjR3MkJwQ1p2TDdDUzJEV3psQ0VR
+ S3ZwNXhPK01MREJaOTJPKzcvYXh5NXMKLS0tIEU2b05pUXlKNHdqVHYzWFJrL0NO
+ eUNJUHNxR1JQVUozc3ZBVVN2TVM2bjAK7BZLtjEEefxf53xPRbw2xeXNke/JK99u
+ xj1FtTTnQhNAQ0jgR2N4jtwJ1L2+1usjSF1Lq16Y5TqZ/wO6368XOw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1whxf34vjdndqzwgm7yyaexdm46gdnv9sf3nal7qqyjr0nyhhndlsrmc0g3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnTmdSdWZESDI2WE9CU0Uy
+ SzhWNXlpV2QyK3JGQ0FHWVh3TEZqM3Fzbm44CnRNbGlmaVBiZURJSFUvdDVZWnIw
+ RU53Uk9KRGZKeE9mRHQxRTFjdVM2WWMKLS0tIEZjWkxKYnBFb0pYTitvdVZBckht
+ NElxU2dyQ3l2RmpERXZPcHJZVEJuTDAKEDpzlk5kOQ8ZYduWVy+2g8f/r4XEtcL5
+ 32tNuXEaM+qS49Ef6g84uuwKyQ2ju1UJUtC4XcoRn6nQ9yUkMVWtMQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-03-06T19:27:51Z"
+ mac: ENC[AES256_GCM,data:IrgIp2evBmZYQGvo29kkIFfNsECVlqU3ZyksxKapK/yY45DWLlxtz5TBn6wpDZ8grygCz8SCJR8Ug4Yik7TTJRCgdSGtNjp3gvt3aUF+K9aJQgSQCsh/Uk0S+ZYK2YxZDmrgRo2I5unSdEtFV3X0Rp/aGmzCptLa2ZMnxrbgsis=,iv:nRXCllfgJ8QkBFC7FC9QLaKFLLFyUQe8NKmgGG+waGI=,tag:vXOw1nNMoJa7PSPvoNsYRQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/secrets/torjus/secret.yaml b/secrets/torjus/secret.yaml
new file mode 100644
index 0000000..9dcac5d
--- /dev/null
+++ b/secrets/torjus/secret.yaml
@@ -0,0 +1,21 @@
+gotify_backup_home: ENC[AES256_GCM,data:DV22pltF1db7mP8dK4fb,iv:487nKwVToOX2KSBmz3pp1T0wwi2JTMZzwH2arp8DatA=,tag:uVmONZ1fznTXDxySh+xXvA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdDRDc0UvaWY4U0loZzQ0
+ bDZCMitGbGVYaGJyUXNrZGpnZHJlWHRkK3drCnJ2TlovSUI0OEVrV2FBbVdlSm1z
+ OE9lYXNMSXpCS0NMSkZDcjhtWENOUTAKLS0tIEZFMnVqcktwWkR5VHBGQXdobXlp
+ Q3gxalhGVjNlS3B3YlFsK0VQMUFITEUKE87+RpOG6ucXHHQ0DMQ9F3yo0n1aXbv7
+ OX5ibHU7RroUQwFmDj87u59VUTvpWRQjsBW4c4WrZRk9KcjwinZZZQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-03-06T20:24:35Z"
+ mac: ENC[AES256_GCM,data:1+fxim6Z9BLqpxRVUse5yfGyv5Y1OYLnWjuw//WtPU1Y1noXQC2SapbqaMgrJo5wDddom41RnOnJw7wjXLmA4cKndcrmotpXQIq1gYFrQtDoVuZjhcBzbY4rQiHUsMtQHQXFvn9SpreO5RMz9o5Zl25cWe1txH0K/DqavHlh+1c=,iv:1sWteDKqcDTPBfnFVSVO0V1JBfw9aj2OC/K0mVbwsdI=,tag:/AlPi/Y0Ztd6KghctMD9jg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1