From 353135a2d909e30ee3435811f9872d88f74d635f Mon Sep 17 00:00:00 2001
From: Corwin Perren
Date: Sat, 13 Dec 2025 01:55:25 -0800
Subject: [PATCH] Initial keys, and basic token file for sops cluster testing

---
 .sops.yaml | 36 ++++++++++++++++++++++
 flake.nix | 19 +++++++++-
 modules/application-groups/k3s-primary.nix | 4 ++-
 modules/system/home-manager-settings.nix | 11 ++++---
 modules/system/security.nix | 7 +++++
 secrets/cluster.yaml | 16 ++++++++++
 6 files changed, 87 insertions(+), 6 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/cluster.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..7ecb3e8
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,36 @@
+keys:
+ - &admin_users:
+ - &caperren age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648
+ - &systems:
+ - &caperren_personal:
+ - &cap_slim7 age1a5aqj3jr3rqpjet9a7y077ak0ymstjjdnyfgn5m2ad4l2yuxr4aqym7d3d
+ - &cap_nr200p age1g45zy9m5g4e20cjejgd3x40722rlddgkmhtddrl8wyf63kt5kg7s9ke390
+ - &cluster_systems:
+ - &cap_clust_01 age1649y4antwgfe4fu02eppnx5gr0yc3g4lj4kwd6v9guxgxgj06y9qk7l4wl
+ - &cap_clust_02 age1k085uuy4fv9rfpy0ne6zl9fq0j05a4fykqe26psx2ngxqrcxcu5sksxa9u
+ - &cap_clust_03 age1tpeqfhc4n7swpgzx6qfdfxanx0uqh7nksr7eksnvjea70n8vaf5sntxu2l
+ - &cap_clust_04 age1pux20jlyzdexztdmm3lelzn2mslxhuahae4wjy74hkxfytslsfpqj708e2
+ - &cap_clust_05 age1f5039syajzz75s9lkdzwnv2dsvlcp69puuaucgwt05sqjdl7hels25nsfr
+ - &cap_clust_06 age19m6f3xtkdf3gwxqxgp9w9gyla4hk24f85l2tyjx6dxu0akzux3cs657dhz
+ - &cap_clust_07 age1en6vdtxspam9s3nmsyfrcrxzrzu4t9v72ztqyekpzsc35rd06a2sza7ehw
+ - &cap_clust_08 age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r
+ - &cap_clust_09 age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *caperren
+ - *cap_slim7
+ - *cap_nr200p
+ - path_regex: secrets/cluster.yaml
+ key_groups:
+ - age:
+ - *cap_clust_01
+ - *cap_clust_02
+ - *cap_clust_03
+ - *cap_clust_04
+ - *cap_clust_05
+ - *cap_clust_06
+ - *cap_clust_07
+ - *cap_clust_08
+ - *cap_clust_09
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
index deb9953..04e5e61 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,8 +5,13 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 home-manager = {
- url = "github:nix-community/home-manager";
+ url = "github:nix-community/home-manager/release-25.11";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 };
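Review bot: sops applies the first creation_rule whose path_regex matches, and the catch-all `secrets/[^/]+\.(yaml|json|env|ini)$` already matches secrets/cluster.yaml, so the second rule carrying the cap_clust_* recipients is never consulted and no cluster node holds a key that can open the file (the secrets/cluster.yaml committed in this same patch lists only the caperren recipient). Move the cluster rule above the catch-all, anchor it and escape the dot (`^secrets/cluster\.yaml$`), and keep the admin key in the same age group as the host keys: a second entry under key_groups would instead require one key from each group (Shamir), which is not what you want for a node bootstrap token, and a rule with only host keys would leave you unable to edit the file from your own machine. Add cap_slim7/cap_nr200p to that group as well if you edit the file from those hosts. After changing the rules run `sops updatekeys secrets/cluster.yaml` so the data key is re-wrapped for the new recipients.
```yaml
creation_rules:
  # sops stops at the first matching rule, so the specific rule must precede the catch-all
  - path_regex: ^secrets/cluster\.yaml$
    key_groups:
      - age:
          - *caperren
          - *cap_clust_01
          # … unchanged: *cap_clust_02 through *cap_clust_09 …
  - path_regex: ^secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
      - age:
          - *caperren
          - *cap_slim7
          - *cap_nr200p
```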
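Review bot: The new `sops-nix` input has no matching flake.lock change in this commit's diffstat, so unless the lock file is deliberately untracked, the revision of `github:Mic92/sops-nix` is whatever `nix flake lock` resolves at the first build rather than one that was reviewed here. Since this module runs at activation on every host and reads the host's private key (see the sshKeyPaths setting in security.nix), commit the updated flake.lock alongside this change so the pinned revision is visible and can be bumped intentionally. Pinning home-manager to `release-25.11` in the same hunk is the right move; the sops-nix pin deserves the same care even though that project only publishes a master branch.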
@@ -15,6 +20,7 @@
 {
 self,
 nixpkgs,
+ sops-nix,
 home-manager,
 nixos-hardware,
 ...
@@ -24,6 +30,7 @@
 system = "x86_64-linux";
 modules = [
 ./hosts/cap-clust-01/configuration.nix
+ sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 ];
 };
@@ -31,6 +38,7 @@
 system = "x86_64-linux";
 modules = [
 ./hosts/cap-clust-02/configuration.nix
+ sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 ];
 };
@@ -38,6 +46,7 @@
 system = "x86_64-linux";
 modules = [
 ./hosts/cap-clust-03/configuration.nix
+ sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 ];
 };
@@ -45,6 +54,7 @@
 system = "x86_64-linux";
 modules = [
 ./hosts/cap-clust-04/configuration.nix
+ sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 ];
 };
@@ -52,6 +62,7 @@
 system = "x86_64-linux";
 modules = [
 ./hosts/cap-clust-05/configuration.nix
+ sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 ];
 };
@@ -59,6 +70,7 @@
 system = "x86_64-linux";
 modules = [
 ./hosts/cap-clust-06/configuration.nix
+ sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 ];
 };
@@ -66,6 +78,7 @@
 system = "x86_64-linux";
 modules = [
 ./hosts/cap-clust-07/configuration.nix
+ sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 ];
 };
@@ -73,6 +86,7 @@
 system = "x86_64-linux";
 modules = [
 ./hosts/cap-clust-08/configuration.nix
+ sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 ];
 };
@@ -80,6 +94,7 @@
 system = "x86_64-linux";
 modules = [
 ./hosts/cap-clust-09/configuration.nix
+ sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 ];
 };
@@ -91,6 +106,7 @@
 };
 modules = [
 ./hosts/cap-slim7/configuration.nix
+ sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 nixos-hardware.nixosModules.lenovo-legion-16arha7
 ];
@@ -100,6 +116,7 @@
 system = "x86_64-linux";
 modules = [
 ./hosts/cap-nr200p/configuration.nix
+ sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 ];
 };
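Review bot: `sops-nix.nixosModules.sops` is now pasted by hand into eleven nixosConfigurations, which is exactly how a host ends up silently missing a security module the next time one is added; the repetition across these hunks is a style problem worth fixing now while the list is short. Hoist the modules every host gets into one binding and append it per host, e.g. `commonModules = [ sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default ];` and `modules = [ ./hosts/cap-clust-01/configuration.nix ] ++ commonModules;`, leaving only the per-host configuration.nix and hardware modules inline. The outputs attribute set that holds these configurations starts and ends outside the hunks.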
diff --git a/modules/application-groups/k3s-primary.nix b/modules/application-groups/k3s-primary.nix
index eb38d46..1cb94fb 100644
--- a/modules/application-groups/k3s-primary.nix
+++ b/modules/application-groups/k3s-primary.nix
@@ -1,9 +1,11 @@
 { config, pkgs, ... }:
 {
+ sops.secrets.k3s_token.sopsFile = secrets/cluster.yaml;
+
 services.k3s = {
 enable = true;
 role = "server";
- token = "forinitialtestingonly";
+ tokenFile = config.sops.secrets.k3s_token.path;
 clusterInit = true;
 };
 }
diff --git a/modules/system/home-manager-settings.nix b/modules/system/home-manager-settings.nix
index cdad9dc..b4e08d1 100644
--- a/modules/system/home-manager-settings.nix
+++ b/modules/system/home-manager-settings.nix
@@ -1,5 +1,8 @@
-{ config, pkgs, ... }:
+{ inputs, ... }:
 {
- home-manager.useGlobalPkgs = true;
- home-manager.backupFileExtension = "bkp";
-}
\ No newline at end of file
+ home-manager.useGlobalPkgs = true;
+ home-manager.backupFileExtension = "bkp";
+ home-manager.sharedModules = [
+ inputs.sops-nix.homeManagerModules.sops
+ ];
+}
diff --git a/modules/system/security.nix b/modules/system/security.nix
index 4dbec27..69287ee 100644
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@@ -1,5 +1,12 @@
 { pkgs, config, ... }:
 {
+ environment.systemPackages = with pkgs; [
+ sops
+ age
+ ];
+
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
 security.sudo = {
 enable = true;
 extraRules = [
diff --git a/secrets/cluster.yaml b/secrets/cluster.yaml
new file mode 100644
index 0000000..09ebec6
--- /dev/null
+++ b/secrets/cluster.yaml
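Review bot: `secrets/cluster.yaml` on the added `sops.secrets.k3s_token.sopsFile` line is a Nix path literal, and path literals resolve relative to the directory of the file that contains them, so this points at modules/application-groups/secrets/cluster.yaml rather than the repository-root secrets/cluster.yaml this commit creates; evaluation fails with a missing-path error unless a copy happens to exist there. Use `sops.secrets.k3s_token.sopsFile = ../../secrets/cluster.yaml;` so the path is computed from this module's location. Replacing `token` with `tokenFile` correctly keeps the value out of the world-readable Nix store, but the removed literal `forinitialtestingonly` remains in git history; if any node was ever joined with it, rotate the cluster token (k3s token rotate) rather than relying on the config change alone.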
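Review bot: The module signature is changed to `{ inputs, ... }`, which only evaluates if every nixosConfiguration that imports this file passes `inputs` in via `specialArgs = { inherit inputs; }` (or `_module.args`); the cap-clust-* hunks in flake.nix show `system` immediately followed by `modules` with no specialArgs in the visible context, so this is worth confirming before deploying, since a missing module argument fails evaluation for the whole host. A one-line comment would also help the next reader understand why a home-manager module is pulled into every user's config: `# expose the sops-nix home-manager options (sops.*) to every user's home config`. Nothing in this hunk configures a key for the home-manager module, which is fine as long as no user declares home-level secrets.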
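Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` ties every host's ability to decrypt secrets to its SSH host key, which implies the age public keys listed in .sops.yaml are the ssh-to-age conversion of each host's `/etc/ssh/ssh_host_ed25519_key.pub` and that a reinstall which regenerates host keys silently locks that host out of its secrets until .sops.yaml is updated and the files are re-keyed; none of that is recorded in the file. Add a comment above the line, e.g. `# sops-nix decrypts with the age identity derived from this host's SSH host key (ssh-to-age); the matching public key must be in .sops.yaml, and files must be re-keyed if the host key changes.` Installing the `sops` and `age` CLIs on every host is convenient for debugging but is not needed for decryption at activation, so consider limiting that to the admin machines. The `security.sudo` block that follows continues outside the hunk.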
@@ -0,0 +1,16 @@
+k3s_token: ENC[AES256_GCM,data:UANQ7DzasppB8ZPtGY9wR9lhU+VpTjJE,iv:cvEiUt7zG4Joyd1gkaqi848ES7aPf7VoYc4zDwLKEDQ=,tag:j4EU/srhEL0+nQGhETuerA==,type:str]
+sops:
+ age:
+ - recipient: age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWHRDVXoxTVR2ZzdyUmU3
+ OUI3cEk1WjE4TnpvM2o5VFFwbGNwTUVBTHhZCjFmZWVZUEc1Yk5ySDB1NEo0Qzkr
+ RHBxZmJEWnc5UGhRcVN4ZmIyWnhWR1kKLS0tIHh0MERwT1pOdDRkd2hzMEJTQWVz
+ YXE5dGd5bGZUd3BGQTNlaG1NcjJ4MXMKch4iIZaw+AL8zEgmFbbb8MElDDnbkOXO
+ gaxvpCqj5Eb4A2wkZAhdVE1o1LzNUcOTH2xZdb99wtwxORPUtC08dQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-13T09:05:22Z"
+ mac: ENC[AES256_GCM,data:Jg/J4ulZtAI7Kfeb8/ccmG3hV+2TF/5kTcwNRr6llVORVBZ0cGeJz5TvhqwHsSf3TRwgzS50RHWtbJ//TadWrYbf+EInV92mT+ybVO/p6ek0jiqRV9Kto697YnjjtMG1uJcIazWhShT4UTg6PNlAtRzBA3759tnw2aj0hCNH9QE=,iv:hu1m3GdLiwyVZDrlh/p63hGCaJgXIHuVnxzPKskj9Io=,tag:NW+d9m+eTgkb9Uea5aurSw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
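Review bot: The file's only age recipient is `age1xjnkqv32…zch648`, which .sops.yaml binds as the `caperren` admin key, so none of the cap_clust_* host keys can unwrap the data key; sops-nix on cap-clust-01 will fail at activation and k3s will be left without the token file that k3s-primary.nix now points at. This is presumably a consequence of the rule order in .sops.yaml (the catch-all rule matches first), though even that rule would have added cap_slim7 and cap_nr200p, so the file may have been encrypted with an explicit `--age` instead. After correcting the creation_rules, re-encrypt with `sops updatekeys secrets/cluster.yaml` and verify with `sops -d secrets/cluster.yaml` on a node before rebuilding. The 24-byte ciphertext says nothing about how the token was chosen; make sure it is a CSPRNG value (e.g. `openssl rand -hex 32`) rather than a hand-typed string, since it authorizes any node to join the control plane.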