diff --git a/config/common/default.nix b/config/common/default.nix
index 8ee96116..befbf069 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -24,6 +24,12 @@ in {
 trustedUsers = [ "root" "@wheel" ];
 };
+ secrets = {
+ root = "/var/lib/kat/secrets";
+ persistentRoot = "/var/lib/kat/secrets";
+ external = true;
+ };
+
 services.journald.extraConfig = "SystemMaxUse=512M";
 environment.variables = {
diff --git a/config/users/kat/default.nix b/config/users/kat/default.nix
index 170e5554..c0752c3f 100644
--- a/config/users/kat/default.nix
+++ b/config/users/kat/default.nix
@@ -24,6 +24,10 @@
 home-manager.useGlobalPkgs = true;
 home-manager.users.kat = {
+ imports = [
+ ./modules
+ ];
+
 programs.fish = {
 enable = true;
 shellAliases = { nixdirfmt = "fd --color=never .nix | xargs nixfmt"; };
diff --git a/config/users/kat/modules/default.nix b/config/users/kat/modules/default.nix
new file mode 100644
index 00000000..4e54c345
--- /dev/null
+++ b/config/users/kat/modules/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+let sources = import ../../../../nix/sources.nix;
+in {
+ imports = [
+ (sources.tf-nix + "/modules/home/secrets.nix")
+ ];
+}
\ No newline at end of file
diff --git a/modules/default.nix b/modules/default.nix
index b2753026..dbcf7368 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,4 +1,10 @@
 { ... }:
-let sources = import ../nix/sources.nix;
-in { imports = [ ./deploy ]; }
+ let sources = import ../nix/sources.nix; in
+ {
+ imports = [
+ ./deploy
+ (sources.tf-nix + "/modules/nixos/secrets.nix")
+ (sources.tf-nix + "/modules/nixos/secrets-users.nix")
+ ];
+}
diff --git a/modules/deploy/default.nix b/modules/deploy/default.nix
index 4b4a191e..94b01632 100644
--- a/modules/deploy/default.nix
+++ b/modules/deploy/default.nix
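Review bot: `root` and `persistentRoot` are given the same path, so whatever distinction the imported secrets module draws between the two (the names suggest a volatile versus a persistent location, but the module itself is not part of this diff) collapses here and every secret is kept on disk under `/var/lib/kat/secrets`. Nothing in this hunk creates that directory or fixes its owner and mode, so whether it ends up with restrictive permissions depends entirely on the module and should be confirmed on a deployed host. A one-line comment above the block would record the intent, e.g. `# both roots deliberately point at the same on-disk location; change root if secrets should live in a volatile path`.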
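Review bot: The rewritten header of modules/default.nix indents `let sources = import ../nix/sources.nix; in` and the opening `{` by two spaces while the closing `}` stays at column 0, leaving the file's top level unevenly indented compared with the two column-0 lines it replaces. Keeping `let sources = import ../nix/sources.nix;` and `in {` at column 0 as before, with only the `imports` list expanded, also matches the layout of the new `config/users/kat/modules/default.nix` in this same commit.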
@@ -3,7 +3,15 @@
 with lib;
 let cfg = config.meta.deploy;
-
+secretsScript = concatMapStrings (file: ''
+ ssh $NIX_SSHOPTS ${cfg.ssh.host} '
+ sudo mkdir -p ${toString file.out.dir}
+ echo \\"
+ ${file.text}
+ " | sudo tee ${file.path}
+ sudo chmod ${file.mode} ${file.path}
+ sudo chown ${file.owner}:${file.group} ${file.path}'
+'') (attrValues config.secrets.files);
 in {
 options = {
 meta.deploy = {
@@ -42,6 +50,7 @@ in {
 nix copy ${ if cfg.substitute then "-s" else "" } --no-check-sigs --to ssh://${cfg.ssh.host} ${config.system.build.toplevel}
+ ${secretsScript}
 ssh $NIX_SSHOPTS ${cfg.ssh.host} "sudo nix-env -p /nix/var/nix/profiles/system -i ${config.system.build.toplevel}"
 ssh $NIX_SSHOPTS ${cfg.ssh.host} "sudo /nix/var/nix/profiles/system/bin/switch-to-configuration $1"
 '';
diff --git a/nix/sources.json b/nix/sources.json
index 16e23cf0..1e3ed3fb 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -117,5 +117,17 @@
 "type": "tarball",
 "url": "https://git.qyliss.net/nixlib/snapshot/nixlib-e14330c5be9b005d4310cd4dc0d384cff882aedc.tar.gz",
 "url_template": "https://git.qyliss.net/nixlib/snapshot/nixlib-.tar.gz"
+ },
+ "tf-nix": {
+ "branch": "master",
+ "description": "terraform meets nix",
+ "homepage": null,
+ "owner": "arcnmx",
+ "repo": "tf-nix",
+ "rev": "32dae16c0aaba3412905bd80968888a767071808",
+ "sha256": "1c0vg42j096jp65b6indynh2y77xfv8nrfrnbv4llxfjsmd6w3lq",
+ "type": "tarball",
+ "url": "https://github.com/arcnmx/tf-nix/archive/32dae16c0aaba3412905bd80968888a767071808.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
 }
 }
diff --git a/todo.org b/todo.org
index 4746e8ba..f0abf5cc 100644
--- a/todo.org
+++ b/todo.org
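Review bot: `${file.text}` splices each secret's plaintext into the deploy script and the remote `sudo tee` echoes it straight back, so the value appears in the generated script text, in the remote shell's command line (readable by other users of that host through the process list) and on the deploy's stdout. The `echo \\"` / `"` pair also cannot carry a value containing a double quote, and because `\\` is not an escape inside a Nix `''` string the remote shell appears to receive a literal `\\"`, which would leave a stray backslash as the first line of the written file — worth confirming against a deployed file. `tee` creates the file under the remote's default umask and the `chmod`/`chown` only run afterwards, so the file is briefly readable beyond its intended owner. Feeding the content over ssh's stdin with a quoted heredoc and creating the file with `umask 077` and `install` removes the argv exposure, the echo-back and the permissions window; the plaintext still lives in the script itself, so whether that script is written to the Nix store cannot be judged from this hunk and should be checked where the option is consumed. The enclosing module function starts before the hunk.
```nix
secretsScript = concatMapStrings (file: ''
  ssh $NIX_SSHOPTS ${cfg.ssh.host} 'sudo sh -c "mkdir -p ${toString file.out.dir} && umask 077 && install -m ${file.mode} -o ${file.owner} -g ${file.group} /dev/stdin ${file.path}"' <<'EOF'
  ${file.text}
  EOF
'') (attrValues config.secrets.files);
# … unchanged: in { options = { meta.deploy = { …
```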
@@ -3,10 +3,7 @@
 ** TODO Move virtual machine config into nixfiles
 ** TODO Add dork.dev to mailserver
 ** TODO Set up proper user service for scream
-** TODO Secrets handling
 * Secrets handling
 ** TODO Bitwarden integration for secrets obtainment
-** TODO Secrets transposition service
-** TODO Config delivery + permissions service