+++ /dev/null
-# Do not edit this file. To specify the files to encrypt, create your own
-# .gitattributes file in the directory where your files are.
-* !filter !diff
-*.gpg binary
--- /dev/null
+*.gpg diff=gpg
--- /dev/null
+#!/usr/bin/env bash
+# USAGE: ./creds-decrypt.sh path/to/file.cred
+# Find machine-id and credential.secret.gpg
+# in an ancestor directory, to decrypt and print path/to/file.cred
+set -eu
+cred=$(realpath "$1")
+name=${cred##*/}
+name=${name%.cred}
+
+cd "$(dirname "$cred")"
+while test "$PWD" != /
+do test ! -f machine-id || break; cd ..
+done
+
+umask 177
+SECRET=$(mktemp /dev/shm/credential.secret.XXXXXXX)
+trap 'chmod 600 $SECRET; shred --remove=unlink $SECRET' EXIT
+set -e${XTRACE:+x}
+gpg --yes --output "$SECRET" --decrypt credential.secret.gpg
+
+sudo unshare --mount sh -${XTRACE:+x}c "
+ chmod 400 $SECRET &&
+ mount --bind $SECRET /var/lib/systemd/credential.secret &&
+ mount --bind machine-id /etc/machine-id &&
+ systemd-creds decrypt --with-key=host --name '$name' '$cred' -
+"
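Review bot: `$name` and `$cred` on the `systemd-creds decrypt` line are expanded into the text of the script that `sudo unshare … sh -c` executes, so a credential path containing a single quote breaks the quoting and whatever follows in the path runs as root; `$cred` comes straight from the script's argument. Passing the values as positional parameters keeps the script text constant and lets the inner shell quote them itself; the same construction is used in creds-encrypt.sh (`'$SECRET'`, `'${base##*/}'`, `'$base.cred'`) and creds-setup.sh (`$host`, `$systemd`) and should be changed the same way. Separately, when no ancestor directory holds `machine-id` the `while` loop stops at `/` and the script fails later with an unrelated gpg error; a check such as `test -f machine-id || { echo >&2 "machine-id not found above $cred"; exit 1; }` after the loop names the real cause.
```shell
sudo unshare --mount sh -${XTRACE:+x}c '
 chmod 400 "$1" &&
 mount --bind "$1" /var/lib/systemd/credential.secret &&
 mount --bind machine-id /etc/machine-id &&
 systemd-creds decrypt --with-key=host --name "$2" "$3" -
' sh "$SECRET" "$name" "$cred"
```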
--- /dev/null
+#!/usr/bin/env bash
+# USAGE: ./creds-encrypt.sh path/to/file.gpg
+# Find the machine-id and credential.secret.gpg files
+# in an ancestor directory, to reencrypt path/to/file.gpg
+# into path/to/file.cred
+set -eu
+set -o pipefail
+gpg=$(realpath "$1")
+base=${gpg%.gpg}
+
+cd "$(dirname "$gpg")"
+while test "$PWD" != /
+do test ! -f machine-id || break; cd ..
+done
+
+umask 177
+SECRET=$(mktemp /dev/shm/credential.secret.XXXXXXX)
+trap 'chmod 600 $SECRET; shred --remove=unlink $SECRET' EXIT
+set -e${XTRACE:+x}
+gpg --yes --output "$SECRET" --decrypt credential.secret.gpg
+
+gpg --decrypt "$gpg" |
+sudo unshare --mount sh -${XTRACE:+x}c "
+ chmod 400 $SECRET
+ mount --bind '$SECRET' /var/lib/systemd/credential.secret &&
+ mount --bind machine-id /etc/machine-id &&
+ systemd-creds encrypt --with-key=host --name '${base##*/}' - - |
+ install -m 400 -o '$USER' -g users /dev/stdin '$base.cred'
+"
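Review bot: `chmod 400 $SECRET` inside the `sh -c` script is not joined to the following `mount` with `&&`, unlike the decrypt script, and the inner shell has no `set -e`, so a failed chmod is ignored and the secret is bind-mounted and used anyway. Change the line to `chmod 400 $SECRET &&`. The `install` line hard-codes `-g users` while the owner comes from `$USER`; if that pairing is deliberate, a short comment on that line (`# owner/group of the written .cred; adjust if $USER is not in users`) would save the next reader a question.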
--- /dev/null
+#!/usr/bin/env bash
+# USAGE: ./creds-setup.sh
+# Generate missing hosts/*/{machine-id,,credential.secret.gpg}
+set -eu${XTRACE:+x}
+set -o pipefail
+
+git config --local diff.gpg.binary true
+git config --local diff.gpg.textconv "gpg2 -d -u --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent"
+
+for host in hosts/*.nix
+do
+ host=${host%.nix}
+ if test ! -e "$host"/machine-id
+ then
+ sudo unshare --mount sh -${XTRACE:+x}c "
+ touch $host/machine-id
+ mount --bind $host/machine-id /etc/machine-id &&
+ systemd-machine-id-setup
+ "
+ fi
+ if test ! -e "$host"/credential.secret.gpg
+ then
+ umask 077
+ systemd=$(mktemp --directory /dev/shm/systemd.XXXXXXX)
+ trap 'rm -rf $systemd' EXIT
+ sudo unshare --mount sh -${XTRACE:+x}c "
+ mount --bind $systemd /var/lib/systemd &&
+ systemd-creds setup --with-key=host
+ cat $systemd/credential.secret
+ shred --remove=unlink $systemd/credential.secret
+ " |
+ pass insert --multiline "$host"/credential.secret
+ fi
+done
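Review bot: `trap 'rm -rf $systemd' EXIT` is re-armed on every loop iteration, so only the last temporary directory is removed at exit; earlier ones stay in /dev/shm (their `credential.secret` is shredded, but the directory and anything else `systemd-creds setup` wrote there remain). Remove each directory at the end of its iteration with `rm -rf "$systemd"` after the `pass insert` line and keep the trap only for the abnormal-exit case. In the same inner script `systemd-creds setup --with-key=host` is not followed by `&&`, so if setup fails `cat` errors out and `pass insert --multiline` stores whatever reached it, possibly an empty entry, before `pipefail` aborts the script; `systemd-creds setup --with-key=host &&` avoids that. The textconv command passes `-u --quiet`: gpg's `-u` takes a user-id argument, so `--quiet` is probably consumed as that value rather than acting as a flag — confirm this is intended.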
system = "x86_64-linux";
specialArgs = {
inherit hostName inputs;
- # Encrypted using git-crypt, hence kept out of /nix/store
- private = "/root/private";
- # Encrypted using systemd-creds, hence can go into the /nix/store
- credentials = private/hosts + "/${hostName}/credentials";
};
pkgs = import nixpkgsPath {
inherit system;
program = (pkgs.writeShellScript "switch" (''
set -eux
set -o pipefail
+ shopt -s globstar
+ chmod -R g-rwx,o-rwx **/*.gpg
+ trap 'git reset **/*.gpg' EXIT
+ git rm -rf --cached --ignore-unmatch **/*.gpg # prevent copying to /nix/store
- chmod -R g-rwx,o-rwx "private/root"
- trap 'git reset private/root private/hosts/*/root' EXIT
- git rm -rf --cached --ignore-unmatch private/root private/hosts/*/root # prevent copying to /nix/store
-
- nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}
nix-store --add-root hosts/${hostName}.nixpkgs --indirect --realise ${nixpkgsPath}
nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}
nix copy --to ssh://${target}${lib.optionalString config.install.substituteOnDestination " --substitute-on-destination"} ${build.toplevel}
-{ config, pkgs, lib, inputs, private, hostName, ... }:
+{ config, pkgs, lib, inputs, hostName, ... }:
{
imports = [
#../nixos/profiles/debug.nix
# Lower kernel's security for better performances
boot.kernelParams = [ "mitigations=off" ];
-environment.etc.machine-id.source = ../private + "/hosts/${hostName}/root/machine-id";
+environment.etc.machine-id.source = aubergine/machine-id;
home-manager.users.julm = {
imports = [ ../homes/julm.nix ];
uid = 1000;
# Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
# which is already world readable.
- hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
+ # printf %s $(mkpasswd -m md5crypt)
+ hashedPassword = lib.readFile aubergine/users/julm/login/hashedPassword;
extraGroups = [
"adbusers"
"dialout"
# zfs set overlay=yes ${hostName}/home
createHome = true;
openssh.authorizedKeys.keys = map lib.readFile [
- ../private/shared/ssh/root/losurdo.pub
- ../private/shared/ssh/julm/losurdo.pub
- ../private/shared/ssh/julm/oignon.pub
- ../private/shared/ssh/julm/redmi.pub
+ ../users/root/ssh/losurdo.pub
+ ../users/julm/ssh/losurdo.pub
+ ../users/julm/ssh/oignon.pub
+ ../users/julm/ssh/redmi.pub
];
};
users.users.root = {
hashedPassword = "!";
- openssh.authorizedKeys.keys = map lib.readFile [
- ../private/shared/ssh/root/losurdo.pub
- ../private/shared/ssh/julm/losurdo.pub
- ../private/shared/ssh/julm/oignon.pub
- ../private/shared/ssh/julm/redmi.pub
- ];
+ openssh.authorizedKeys.keys =
+ config.users.users.julm.openssh.authorizedKeys.keys;
};
+systemd.services.nix-daemon.serviceConfig.LoadCredentialEncrypted =
+ "secret-key-files:" + aubergine/nix/secret-key-files;
nix = {
extraOptions = ''
#secret-key-files = /run/credentials/nix-daemon.service/secret-key-files.pem
- #secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
'';
settings = {
trusted-users = [ config.users.users."julm".name ];
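Review bot: the added `# printf %s $(mkpasswd -m md5crypt)` documents how the committed hashedPassword was produced, and the `$1$…` hash files added in this commit confirm md5crypt; since the comment above it notes the hash is copied into the world-readable /nix/store, a hash that is cheap to attack offline is a poor fit for that location. Suggest `# printf %s $(mkpasswd -m sha-512)` (or `yescrypt` where mkpasswd offers it) and regenerating the committed hashes; the oignon.nix hunk adds the same comment and needs the same change. Separately, the credential on `nix-daemon.service` is named `secret-key-files`, so systemd would expose it at `/run/credentials/nix-daemon.service/secret-key-files`, but the only `secret-key-files =` line left in `extraOptions` is commented out and carries a `.pem` suffix that will not exist; as committed the decrypted key is loaded and never read, and enabling that line as written would point at a missing file. Use `secret-key-files = /run/credentials/nix-daemon.service/secret-key-files` there, or add a comment stating that signing is intentionally off for now.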
--- /dev/null
+@julm@autogeree.net
--- /dev/null
+8c85ce9f6f5be09714d6de4caca4c3b2
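Review bot: this 32-hex-digit file (presumably `hosts/aubergine/machine-id`, the path aubergine.nix now reads as `aubergine/machine-id`) commits the host's machine ID in plaintext, and a second one is added for oignon further down; machine-id(5) describes the ID as confidential and not to be exposed on the network. The creds-*.sh scripts bind-mount this file into /etc/machine-id before every `systemd-creds` call, which suggests it takes part in binding the `.cred` files to the host — worth confirming before the repository is published. `/etc/machine-id` is already world-readable on the host, so the copy that lands in /nix/store adds no new exposure; the repository copy does if the repository is public, in which case keeping it in encrypted form next to `credential.secret.gpg` (with the scripts decrypting both) would close the gap.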
--- /dev/null
+$1$sbMu6nnC$VDwkK.dvI0pej5qMPTVuA/
\ No newline at end of file
--- /dev/null
+Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAACUQ1IFi3E2Cr1d8K8AAAAALIhIpO2PaS1eqib
+iz2b0mlys9D/21CqbkJi+aOJu4fCoXsHF5OIRGTz+Lgf2qQXwFENbiEkmHPtGpyVf61Pdj8a1Kk2DdA
+ygwQLOTj/4rsZQBoN+MGRDjI7Bheq2
--- /dev/null
+losurdo.sourcephile.fr:yi2tx2OAu9/CdeskErvvy7pKC6HCXEaKAnnn8ng+2FQ=
-{ config, pkgs, lib, inputs, private, hostName, ... }:
+{ config, pkgs, lib, inputs, hostName, ... }:
{
imports = [
../nixos/profiles/builder.nix
'';
users.users.root = {
openssh.authorizedKeys.keys = map lib.readFile [
- ../private/shared/ssh/julm/oignon.pub
+ # For nix -L run .#oignon.switch
+ ../users/julm/ssh/oignon.pub
];
};
users.users.julm = {
isNormalUser = true;
uid = 1000;
- # Put the hashedPassword in /nix/store, but it will also be in /etc/passwd
- # which is already world readable.
- hashedPassword = lib.readFile ../private/world/julm/hashedPassword;
+ # Put the hashedPassword in /nix/store,
+ # though /etc/shadow is not world readable...
+ # printf %s $(mkpasswd -m md5crypt)
+ hashedPassword = lib.readFile oignon/users/julm/login/hashedPassword;
extraGroups = [
"adbusers"
"dialout"
# zfs set overlay=yes ${hostName}/home
createHome = false;
openssh.authorizedKeys.keys = map lib.readFile [
- ../private/shared/ssh/julm/losurdo.pub
+ ../users/julm/ssh/losurdo.pub
];
};
nix = {
extraOptions = ''
#secret-key-files = /run/credentials/nix-daemon.service/secret-key-files.pem
- secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
'';
settings = {
trusted-users = [ config.users.users."julm".name ];
"ssh://nix-ssh@losurdo.wg?priority=30"
];
trusted-public-keys = map lib.readFile [
- ../private/shared/nix/losurdo.pub
+ ../hosts/losurdo/nix/key.pub
];
};
nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ];
nix.sshServe = {
enable = true;
keys = map lib.readFile [
- ../private/shared/ssh/julm/losurdo.pub
- ../private/shared/ssh/sevy/patate.pub
- ../private/shared/ssh/julm/oignon.pub
+ ../users/julm/ssh/losurdo.pub
+ ../users/julm/ssh/oignon.pub
+ ../users/sevy/ssh/patate.pub
];
};
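Review bot: the active `secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem` is removed and only the commented-out `/run/credentials/…/secret-key-files.pem` line remains, so unless the option is set elsewhere oignon's nix-daemon no longer signs the paths it builds, while this file still enables `nix.sshServe` for other hosts. The aubergine hunk pairs the same removal with `systemd.services.nix-daemon.serviceConfig.LoadCredentialEncrypted = "secret-key-files:" + aubergine/nix/secret-key-files;`; oignon has no equivalent here and would need `"secret-key-files:" + oignon/nix/secret-key-files` with a matching `.cred`, plus `secret-key-files = /run/credentials/nix-daemon.service/secret-key-files` uncommented in `extraOptions`. If signing is deliberately dropped for this host, a comment where the option used to be should say so.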
"ServerAliveInterval=15"
];
in {
+ "/mnt/aubergine" = {
+ device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@aubergine.wg:/";
+ fsType = "fuse";
+ inherit options;
+ };
"/mnt/losurdo" = {
device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@losurdo.wg:/";
fsType = "fuse";
--- /dev/null
+@julm@autogeree.net
--- /dev/null
+65b44688876248cc90c71f1a839b5783
--- /dev/null
+Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAADd1Y8nx3Ngm4vDaWYAAAAA4tk7Ww1kOnvyOMt
+B2CtPSukYgpF4nINDe9ivdUSPc7745J5ta3OuBKvvGY1IQXQ6gzfgiW7AdGcpQmN82qQC1mHCFI20TK
+D/rzLEOaDUxPDF5Mud7sGA4VhynpIIRoXi0H6APGMo8jfIQIDozhw/77A0MgAPDOHjiT0Cg0Pxt7/U0
+7yp1e4UkFaibvk0QyDy99xyOoSf/3bmZex2dHuY4LddhMx78w1oXq8FAfS9
--- /dev/null
+�\ 2\f\ 3Ù`�!��\ 1\ f�zF �\ 4`��maa��*���0\15B3\10'@����xj|7\\1f:��7��\ 5|����_�����w往B\ ej�{Ȼ��� *�
+TQ��!��nf���\1c�,\10\1ca/k~���()us����,�ނ6[�C��\7fHQ��"Y\v
+-]�\ 2G�o\10�𨗭��\ e��O�F���K��aOo�˂���\f@a��U���ݭV��Ңe(E.u�e�>���\19<���\ 5:G�\1c�=�]�J\�iݹ\15\ f�N��
+\ 5*\ f�F���ȸ���\7f\11+��>�gkV(�� �ϯa���pX����U�A>��\ f��'\ f6z�C��}\f�}�\ 2%[�7Z��]K����y|���\ 2Q��9���?��\16\11�\15ѵ�\e7�B�W� �\ 4�\ 6�p&0�\ 5ҞUY�\ 6 p��b�
+�\15V3\18�\vc�&\13��D�4�N���U�ਭՑ`\1f\16�\10\18+\1du\12zj&�_\17|\1c\17\1cҢFl��\7f}\ 6\1a`I���V�\10*\1c/�$g:��.{/��=ϱ� �\a�\18�c\14�p�݅�q�&�\ e8;\11J�r����z$���\16j�ݬ�\11Gt�� x?\16�\1a�2wۍ���v���\ 4=�ҟ\ 1�7\ 2b@�M�V�\1f �E\ e�\1fM:��\1c|���7��g�I�D�b��Rđqp�/�6\ 2��\10�<\ f%:P�b��\15��x��tV�*0�k�\18��\a\ f�
+�\1f$4�eweB�4ӿ�P~�\ 4ȩ�+��AD��h�w�B�z\13�W��-�\17�\1c3�33j\e����}R�)�,[��\ 4Q�����
\ No newline at end of file
--- /dev/null
+oignon.sourcephile.fr:atcadS2SbSN8tWlx3V3LweckNTbnO/7oaltyi+F0rSk=
\ No newline at end of file
--- /dev/null
+$1$2XnK6jdY$gzI9EtBWqpCsIs.oxfv19/
\ No newline at end of file
--- /dev/null
+Whxqht+dQJax1aZeCGLxmiAAAAABAAAADAAAABAAAABN7VGPc0uJLQrlzSwAAAAAyEmnV6PePEKHoZ5
+6G/026hVy1JRWoMqGuxW4KjuPDXbZ+wLzDU121zaW0P7A4TSghk+aDcF0wGLA/a0zs180HMiVqF81iJ
+1E1eSHZwWJNJ+nubrwzfDH3k8S+v0b
--- /dev/null
+@julm@autogeree.net
+@severine.popek@autistici.org
enable = lib.mkDefault true;
forwardX11 = lib.mkDefault true;
openFirewall = lib.mkDefault false;
+ # Enable to switch-to-configuration
+ # with the same remotely and locally
listenAddresses = [
- { addr = wg-intra-peers.${hostName}.ipv4; port = 22; }
+ { addr = "127.0.0.1"; port = 22; }
];
};
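Review bot: `listenAddresses` is a list option, so this `127.0.0.1` entry is merged with the `{ addr = peers.${hostName}.ipv4; port = 22; }` entry the wg-intra hunk adds to `services.openssh.listenAddresses`, and sshd ends up listening on loopback and the wg address rather than loopback only; the new comment `# Enable to switch-to-configuration with the same remotely and locally` does not convey that. Suggest `# Also listen on loopback so switch-to-configuration can use the same ssh target locally; the wg-intra module adds the wg-intra address.` — assuming that is the intent, since the wording is ambiguous. If the wg address was meant to be dropped here, the definition in the wg-intra module re-adds it.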
-{ pkgs, lib, config, hostName, credentials, ... }:
+{ inputs, pkgs, lib, config, hostName, ... }:
let
wgIface = "wg-intra";
peers = import wg-intra/peers.nix;
enable = lib.mkEnableOption "this peer";
});
config = {
-systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted = "privateKey:${credentials}/wireguard/${wgIface}/privateKey.secret";
+systemd.services."wireguard-${wgIface}".serviceConfig.LoadCredentialEncrypted =
+ "privateKey:" + inputs.self.outPath + "/hosts/${hostName}/wireguard/${wgIface}/privateKey.cred";
networking.wireguard.interfaces.${wgIface} = lib.recursiveUpdate
(removeAttrs peers.${hostName} ["ipv4" "persistentKeepalive" "peer"])
{
(lib.attrValues peers);
networking.networkmanager.unmanaged = [ wgIface ];
systemd.services.sshd.after = ["wireguard-${wgIface}.service"];
+services.openssh.listenAddresses = [
+ { addr = peers.${hostName}.ipv4; port = 22; }
+];
};
}
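Review bot: the new `LoadCredentialEncrypted` value builds its path from `inputs.self.outPath`, which makes the whole flake source a runtime dependency of the system closure, so every host's `.cred` files (and the plaintext machine-id and hashedPassword files) are copied to each target by `nix copy`; the switch script strips only `**/*.gpg` from the index, so nothing else is held back. That is acceptable only because each `.cred` is bound to its host's `/var/lib/systemd/credential.secret` via `--with-key=host`, and none of this is stated where the value is defined. Suggest a comment above the assignment: `# privateKey.cred is produced by creds-encrypt.sh with --with-key=host, so the copy in /nix/store is usable only with this host's credential.secret; read from the flake source via inputs.self.outPath.` Note that `services.openssh.listenAddresses` is also defined as `127.0.0.1` in the openssh profile hunk of this commit; the two lists merge, which is presumably intended.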
+++ /dev/null
-#!/usr/bin/env sh
-set -eu
-dir=${0%/*}
-key=$1
-host=${key##*hosts/}
-host=${host%%/*}
-name=${key##*/}
-name=${name%.secret}
-sudo unshare --mount sh -xc "
- mount --bind $dir/$host/root/credential.secret /var/lib/systemd/credential.secret &&
- mount --bind $dir/$host/root/machine-id /etc/machine-id &&
- systemd-creds decrypt --with-key=host --name '$name' '$key' -
-"
+++ /dev/null
-#!/usr/bin/env sh
-set -eux
-dir=${0%/*}
-key=$1
-host=${key#*/}
-host=${host%%/*}
-hostkey=${key#*/*/}
-mkdir -p "$dir/$host/credentials/${hostkey%/*}"
-${pass:-pass} "$key" |
-sudo unshare --mount sh -xc "
- mount --bind $dir/$host/root /var/lib/systemd &&
- mount --bind $dir/$host/root/machine-id /etc/machine-id &&
- systemd-creds setup &&
- chown $USER:users /var/lib/systemd/crendentials.secret &&
- systemd-creds encrypt --with-key=host --name '${hostkey##*/}' - - |
- install -m 400 -o $USER -g users /dev/stdin '$dir/$host/credentials/$hostkey.secret'
-"
(pkgs.nixos []).nixos-install
];
#enableParallelBuilding = true;
- PASSWORD_STORE_DIR = "pass";
NIX_PATH = pkgs.lib.concatStringsSep ":" [
"nixpkgs=${inputs.nixpkgs}"
"nixpkgs-overlays=${inputs.self}/nixpkgs/overlays.nix"
shellHook = ''
echo >&2 "nix: running shellHook"
PATH="${inputs.home-manager.defaultPackage.${system}}/bin:$PATH"
+ PASSWORD_STORE_DIR=$PWD
'';
}
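Review bot: `PASSWORD_STORE_DIR=$PWD` in `shellHook` replaces the removed `PASSWORD_STORE_DIR = "pass";` derivation attribute, but a plain assignment in the hook creates an unexported shell variable whereas the attribute was exported, so child processes such as `pass` — including the `pass insert` in creds-setup.sh — will not see it unless the user's environment already exports that name; `PATH` on the line above works only because it is always exported. Change it to `export PASSWORD_STORE_DIR=$PWD`. The value also moves from the `pass` subdirectory to the repository root, which creds-setup.sh appears to rely on when it inserts `"$host"/credential.secret` so that `credential.secret.gpg` lands under `hosts/<name>/`; a comment saying so would help.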
--- /dev/null
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7x5HBzsaocE2UBgfPRQyyeQxjYfIbhEx/LYIqXi5EV julm@losurdo
--- /dev/null
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAC1q2wHyOKumrw8O5pEFavZXeXf3P5332jGGB3EuXAb julm@oignon
--- /dev/null
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKlhpn9VE6+neq2TENE9Hl7FjFFy1HAX3yn7h0bN7LtG julm@redmi
--- /dev/null
+losurdo.sourcephile.fr-1:XGeaIE2AA2mZskSZ5bIDrfx53q+TDDWJOUEpZDX7los=
\ No newline at end of file
--- /dev/null
+oignon.sourcephile.fr:slxL7XLsGXlD1r6gvw1imL5uQntW0TTlQgGQt3LBJgQ=
\ No newline at end of file
--- /dev/null
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJkAq1T0Dxozt4RPylvWrUmeuejiG+n/owb3ucnWP9F root@losurdo
--- /dev/null
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOaag1MS41CRZrAji3K5IDROh5szSo34SDB0HNXGQtX sevy@patate