"secrets": {
"flake": false,
"locked": {
- "narHash": "sha256-TYk/jJI/uAAwnjWA9dFYs4ViPDQ7XoGG6HzE8ABNHWk=",
+ "narHash": "sha256-sUFisSSWsrGcLRxYXPevF6OILAIOW4inek0twLe1DuM=",
"path": "/home/julm/work/sourcephile/nix/sec",
"type": "path"
},
{
# Pin down nixpkgs from github, instead of using global, system or user registries.
-
inputs.nixpkgs.url = "github:NixOS/nixpkgs/c47fcb70c6885d6df869934280ebeb715ca7e6fd";
#inputs.nixpkgs.url = "flake:nixpkgs";
inputs.flake-utils.url = "github:numtide/flake-utils";
system.nixos.revision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
# Let 'nixos-version --json' know about the Git revision of this flake.
system.configurationRevision = lib.mkIf (inputs.self ? rev) inputs.self.rev;
- boot.initrd.network.ssh.hostKeys = [ "/root/initrd/ssh.key" ];
security.gnupg.agent.enable = true;
security.gnupg.store = inputs.pass + "/hosts/${hostName}";
/*
in
{
# Example: nix -L build .#nixosConfigurations.losurdo.config.system.build.toplevel
+ # Example: nix -L build .#nixosConfigurations.losurdo.config.boot.kernelPackages.kernel.configfile
+ # Example: nix -L build .#nixosConfigurations.losurdo.pkgs.hello
# Example: nix eval .#nixosConfigurations.losurdo.config.networking.hostName
nixosConfigurations = hosts {
carotte = hosts/carotte.nix;
# Example: nix run .#losurdo.switch
"switch" = {
type = "app";
- program = (pkgs.writeShellScript "switch" ''
+ program = (pkgs.writeShellScript "switch" (''
set -eux
set -o pipefail
nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.toplevel}
nix copy --to ssh://${target} --substitute-on-destination ${build.toplevel}
${sendkeys.program}
+ '' + lib.optionalString config.boot.initrd.network.ssh.enable ''
# Send the SSH key of the initrd
- test ! -e '${config.security.gnupg.store}/initrd/ssh.key.gpg' ||
gpg --decrypt '${config.security.gnupg.store}/initrd/ssh.key.gpg' |
ssh ${target} install -D -m 400 -o root -g root /dev/stdin /root/initrd/ssh.key
# Send the Wireguard key of the initrd
- test ! -e '${config.security.gnupg.store}/wireguard/wg-intra/privateKey.gpg' ||
gpg --decrypt '${config.security.gnupg.store}/wireguard/wg-intra/privateKey.gpg' |
ssh ${target} install -D -m 400 -o root -g root /dev/stdin /root/initrd/wg-intra.key
ssh ${target} \
nix-env --profile '${profile}' --set '${build.toplevel}' '&&' \
'${profile}'/bin/switch-to-configuration switch
- '').outPath;
+ '')).outPath;
};
# Example: nix run .#carotte.install-sd
"install-sd" = {
nix-store --add-root hosts/${hostName}.root --indirect --realise ${build.sdImage}
unzstd --stdout ${build.sdImage}/sd-image/*.img.zst |
sudo -k dd conv=notrunc oflag=direct,sync status=progress of="''${1:-/dev/mmcblk0}"
-
'').outPath;
};
# Example: nix run .#losurdo.sendkeys
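Review bot: Dropping the `test ! -e … ||` guards in front of the two `gpg --decrypt` lines makes both the initrd SSH key and the WireGuard key mandatory whenever initrd SSH is enabled, because the script runs under `set -eux` and `set -o pipefail` and the whole added block is gated only by `lib.optionalString config.boot.initrd.network.ssh.enable`. A host with initrd SSH but no `wg-intra` key will now abort the switch before reaching `switch-to-configuration`. If the WireGuard key is meant to stay optional, keep its guard (`test ! -e '${config.security.gnupg.store}/wireguard/wg-intra/privateKey.gpg' ||`) or gate that part with its own `lib.optionalString` on the option that declares the `wg-intra` interface. The `switch` app definition starts before the hunk and the surrounding `hosts` attrset continues after it.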
carotte/system.nix
carotte/users.nix
(inputs.secrets + "/hosts/${hostName}/users.nix")
- (inputs.secrets + "/hosts/${hostName}/security.nix")
carotte/xserver.nix
];
}
security.gnupg.agent = {
keyring."C7BCEA3D090956E7D51E94ADFF53191D9FA89552" = {
passwordGpg = "gnupg/root.gpg";
+ passwordFile = "/root/.gnupg.C7BCEA3D090956E7D51E94ADFF53191D9FA89552.txt";
};
};
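Review bot: The added `passwordFile` names a cleartext passphrase file in root's home for the same keyring entry that already has `passwordGpg`, and the hunk gives no hint which of the two takes precedence or how that file is provisioned and protected. I'd put a line above it such as `# Cleartext passphrase for this key, presumably used alongside passwordGpg; not produced by this flake — confirm it is provisioned root-owned with mode 0400.` so the next reader knows the file is expected to pre-exist on the host rather than being written by this configuration. The enclosing `security.gnupg.agent` block starts before the hunk.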
services.openssh.extraConfig = ''
fileSystems."/" = {
device = "${hostName}/root";
- fsType = "zfs";
+ fsType = "zfs"; # TODO: options = [ "zfsutil" ];
};
+
+# This will automatically load the zfs password prompt on login
+# and kill the other prompt so boot can continue
+# The pkill zfs kills the zfs load-key from the console
+# allowing the boot to continue.
+boot.initrd.network.postCommands = ''
+ echo >>/root/.profile "zfs load-key rpool && pkill zfs"
+'';
boot.zfs.requestEncryptionCredentials = [ hostName ];
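Review bot: The new `postCommands` hard-codes `zfs load-key rpool`, while this same file mounts `/` from `${hostName}/root` and requests credentials for `[ hostName ]` on the following line, so unless `hostName` is literally `rpool` the profile line loads the key of a pool this host does not use. The two other copies of this block (the `fileSystems."/"` hunk further down and the `boot.initrd.network` hunk at the end) are consistent because those files use `rpool/root`. I'd derive the pool from the same variable here, `echo >>/root/.profile "zfs load-key ${hostName} && pkill zfs"`, or, since the block is now duplicated verbatim three times, move it to a shared module that takes the pool name as an argument. The module header above `fileSystems."/"` is outside the hunk.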
fileSystems."/nix" = {
inherit (config.networking) domain;
in
{
+# TODO: nsupdate in the initrd
systemd.services.nsupdate = {
after = [
"network-online.target"
{ pkgs, lib, config, hosts, ... }:
-let
- inherit (config.security) gnupg;
- inherit (config.users) users;
-in
{
/* Wireguard is used instead
systemd.services.ssh-mermet-reverse = {
boot.initrd.network.ssh = {
enable = true;
port = 2222;
- authorizedKeys = users.root.openssh.authorizedKeys.keys;
+ authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
hostKeys = [ "/root/initrd/ssh.key" ];
extraConfig = ''
'';
fsType = "zfs";
};
*/
-fileSystems."/" =
- { device = "rpool/root";
- fsType = "zfs";
- };
+fileSystems."/" = {
+ device = "rpool/root";
+ fsType = "zfs"; # TODO: options = [ "zfsutil" ];
+};
+
+# This will automatically load the zfs password prompt on login
+# and kill the other prompt so boot can continue
+# The pkill zfs kills the zfs load-key from the console
+# allowing the boot to continue.
+boot.initrd.network.postCommands = ''
+ echo >>/root/.profile "zfs load-key rpool && pkill zfs"
+'';
+#boot.zfs.requestEncryptionCredentials = [ "rpool" ];
+#boot.zfs.requestEncryptionCredentials = [ hostName ];
fileSystems."/home" =
{ device = "rpool/home";
networking/ssh.nix
networking/wireguard.nix
];
-boot.initrd.network = {
- enable = true;
- ssh = {
- enable = true;
- # To prevent ssh from freaking out because a different host key is used,
- # a different port for dropbear is useful
- # (assuming the same host has also a normal sshd running)
- port = 2222;
- authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
- };
- # This will automatically load the zfs password prompt on login
- # and kill the other prompt so boot can continue
- # The pkill zfs kills the zfs load-key from the console
- # allowing the boot to continue.
- postCommands = ''
- echo >>/root/.profile "zfs load-key rpool && pkill zfs"
- '';
-};
/* WARNING: using ipconfig (the ip= kernel parameter) IS NOT RELIABLE:
a 91.216.110.35/32 becomes a 91.216.110.35/8
'';
# Workaround https://github.com/NixOS/nixpkgs/issues/56822
+# TODO: the issue is now closed
#boot.initrd.kernelModules = [ "ipv6" ];
# Useless without an out-of-band access, and unsecure
add rule inet filter net2fw tcp dport 10022 counter accept comment "SSH (reverse to losurdo)"
'';
services.openssh.gatewayPorts = "clientspecified";
+boot.initrd.network.ssh = {
+ enable = true;
+ # To prevent ssh from freaking out because a different host key is used,
+ # a different port for dropbear is useful
+ # (assuming the same host has also a normal sshd running)
+ port = 2222;
+ authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+ hostKeys = [ "/root/initrd/ssh.key" ];
+};
+boot.initrd.network = {
+ enable = true;
+ # This will automatically load the zfs password prompt on login
+ # and kill the other prompt so boot can continue
+ # The pkill zfs kills the zfs load-key from the console
+ # allowing the boot to continue.
+ postCommands = ''
+ echo >>/root/.profile "zfs load-key rpool && pkill zfs"
+ '';
+};
}
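Review bot: `hostKeys = [ "/root/initrd/ssh.key" ]` in the new `boot.initrd.network.ssh` block pulls a private key from the host's root filesystem into the initrd, and the comment above it only explains the port choice. As far as I know NixOS copies these files into the initrd image, which sits unencrypted on the boot partition, so this must remain a dedicated initrd key and never the main sshd host key; the `switch` app in this commit installs it separately with `install -m 400`, so that step and this path have to stay in sync. I'd add `# Dedicated initrd host key (installed by the switch app); it ends up inside the initrd on the unencrypted boot partition, so never point this at the main sshd host key.` above the `hostKeys` line. Splitting `boot.initrd.network.ssh` and `boot.initrd.network` into two attrsets is also a step back from the removed single block; nesting `ssh = { … };` and `postCommands` under one `boot.initrd.network = { enable = true; … }` keeps the related settings together.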
{
meta.description = "nixos/security.gnupg: provisioning GnuPG-protected secrets through the Nix store";
url = "https://github.com/NixOS/nixpkgs/pull/93659.diff";
- sha256 = "sha256-ECdCWZNREXxtKQYG2/EmTk6VFDTsOwrVBGZhU1y79Rc=";
+ sha256 = "sha256-rHf6TRd2O6SBdk7B4FGUm3upFJavrRSxko0iQti+xzs=";
}
{
meta.description = "Update public-inbox to 1.6.1 and add systemd services";