Initial keys, and basic token file for sops cluster testing

This commit is contained in:
2025-12-13 01:55:25 -08:00
parent c360755253
commit 353135a2d9
6 changed files with 87 additions and 6 deletions

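--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,36 @@
+keys:
+- &admin_users:
+- &caperren age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648
+- &systems:
+- &caperren_personal:
+- &cap_slim7 age1a5aqj3jr3rqpjet9a7y077ak0ymstjjdnyfgn5m2ad4l2yuxr4aqym7d3d
+- &cap_nr200p age1g45zy9m5g4e20cjejgd3x40722rlddgkmhtddrl8wyf63kt5kg7s9ke390
+- &cluster_systems:
+- &cap_clust_01 age1649y4antwgfe4fu02eppnx5gr0yc3g4lj4kwd6v9guxgxgj06y9qk7l4wl
+- &cap_clust_02 age1k085uuy4fv9rfpy0ne6zl9fq0j05a4fykqe26psx2ngxqrcxcu5sksxa9u
+- &cap_clust_03 age1tpeqfhc4n7swpgzx6qfdfxanx0uqh7nksr7eksnvjea70n8vaf5sntxu2l
+- &cap_clust_04 age1pux20jlyzdexztdmm3lelzn2mslxhuahae4wjy74hkxfytslsfpqj708e2
+- &cap_clust_05 age1f5039syajzz75s9lkdzwnv2dsvlcp69puuaucgwt05sqjdl7hels25nsfr
+- &cap_clust_06 age19m6f3xtkdf3gwxqxgp9w9gyla4hk24f85l2tyjx6dxu0akzux3cs657dhz
+- &cap_clust_07 age1en6vdtxspam9s3nmsyfrcrxzrzu4t9v72ztqyekpzsc35rd06a2sza7ehw
+- &cap_clust_08 age1vujvq5rdzppkkdhkwyhnl6xhuvm8s5yf2wc8ke05m8jwrdwsdf0qfx5w4r
+- &cap_clust_09 age1uyuudfya8etgztlt6hlssr9hkstyyhg65wdq3pj9rud2czzkaqqssg7yvp
+creation_rules:
+- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *caperren
+- *cap_slim7
+- *cap_nr200p
+- path_regex: secrets/cluster.yaml
+key_groups:
+- age:
+- *cap_clust_01
+- *cap_clust_02
+- *cap_clust_03
+- *cap_clust_04
+- *cap_clust_05
+- *cap_clust_06
+- *cap_clust_07
+- *cap_clust_08
+- *cap_clust_09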
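Review bot: `secrets/cluster.yaml` is also matched by the first creation rule (`secrets/[^/]+\.(yaml|json|env|ini)$`), and sops applies the first matching rule, so the dedicated `path_regex: secrets/cluster.yaml` rule below it is never used and the cluster-only key group never takes effect; the committed `secrets/cluster.yaml` section of this commit shows exactly that, listing a single recipient, the `caperren` admin key, which means none of the nine cluster hosts can decrypt `k3s_token` at activation. Move the cluster rule ahead of the general one and anchor it, `- path_regex: ^secrets/cluster\.yaml$`, then re-encrypt with `sops updatekeys secrets/cluster.yaml` so the file's recipients match the rule. Consider keeping `*caperren` in the cluster key group as well; as written, once re-keyed the file could only be edited with one of the cluster host identities. The unescaped `.` in the second regex is harmless but worth fixing in the same change.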


@@ -5,8 +5,13 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = { home-manager = {
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager/release-25.11";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };
@@ -15,6 +20,7 @@
{ {
self, self,
nixpkgs, nixpkgs,
sops-nix,
home-manager, home-manager,
nixos-hardware, nixos-hardware,
... ...
@@ -24,6 +30,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/cap-clust-01/configuration.nix ./hosts/cap-clust-01/configuration.nix
sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.default inputs.home-manager.nixosModules.default
]; ];
}; };
@@ -31,6 +38,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/cap-clust-02/configuration.nix ./hosts/cap-clust-02/configuration.nix
sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.default inputs.home-manager.nixosModules.default
]; ];
}; };
@@ -38,6 +46,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/cap-clust-03/configuration.nix ./hosts/cap-clust-03/configuration.nix
sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.default inputs.home-manager.nixosModules.default
]; ];
}; };
@@ -45,6 +54,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/cap-clust-04/configuration.nix ./hosts/cap-clust-04/configuration.nix
sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.default inputs.home-manager.nixosModules.default
]; ];
}; };
@@ -52,6 +62,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/cap-clust-05/configuration.nix ./hosts/cap-clust-05/configuration.nix
sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.default inputs.home-manager.nixosModules.default
]; ];
}; };
@@ -59,6 +70,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/cap-clust-06/configuration.nix ./hosts/cap-clust-06/configuration.nix
sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.default inputs.home-manager.nixosModules.default
]; ];
}; };
@@ -66,6 +78,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/cap-clust-07/configuration.nix ./hosts/cap-clust-07/configuration.nix
sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.default inputs.home-manager.nixosModules.default
]; ];
}; };
@@ -73,6 +86,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/cap-clust-08/configuration.nix ./hosts/cap-clust-08/configuration.nix
sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.default inputs.home-manager.nixosModules.default
]; ];
}; };
@@ -80,6 +94,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/cap-clust-09/configuration.nix ./hosts/cap-clust-09/configuration.nix
sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.default inputs.home-manager.nixosModules.default
]; ];
}; };
@@ -91,6 +106,7 @@
}; };
modules = [ modules = [
./hosts/cap-slim7/configuration.nix ./hosts/cap-slim7/configuration.nix
sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.default inputs.home-manager.nixosModules.default
nixos-hardware.nixosModules.lenovo-legion-16arha7 nixos-hardware.nixosModules.lenovo-legion-16arha7
]; ];
@@ -100,6 +116,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/cap-nr200p/configuration.nix ./hosts/cap-nr200p/configuration.nix
sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.default inputs.home-manager.nixosModules.default
]; ];
}; };
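Review bot: `sops-nix.nixosModules.sops` is added as a separate line to each of the eleven `modules` lists (cap-clust-01 through cap-clust-09, cap-slim7 and cap-nr200p), which is the same duplication pattern already present for `inputs.home-manager.nixosModules.default`; a shared list such as `commonModules = [ sops-nix.nixosModules.sops inputs.home-manager.nixosModules.default ];` spliced into each host with `++` would keep the next cross-cutting module from being missed on one host. The visible first hunk is one old-side line short of its `@@ -5,8 +5,13 @@` header, so a line is presumably elided in this rendering. The enclosing `outputs` function starts and ends outside these hunks.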


@@ -1,9 +1,11 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
sops.secrets.k3s_token.sopsFile = secrets/cluster.yaml;
services.k3s = { services.k3s = {
enable = true; enable = true;
role = "server"; role = "server";
token = "forinitialtestingonly"; tokenFile = config.sops.secrets.k3s_token.path;
clusterInit = true; clusterInit = true;
}; };
} }
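Review bot: `sops.secrets.k3s_token.sopsFile = secrets/cluster.yaml;` is a Nix path literal, resolved relative to the directory containing this module rather than the flake root, so unless this file sits beside the `secrets/` directory it points at a path that does not exist in this commit; the flake suggests it is a host configuration under `hosts/…/`, which would need `../../secrets/cluster.yaml` or a single `sops.defaultSopsFile` set in a shared module. Separately, the literal `"forinitialtestingonly"` removed here stays in git history, so if the value encrypted into `k3s_token` is that same string the move gains nothing; rotate the token before any node joins with it. The sops-nix default of root-owned mode 0400 for the decrypted file suits k3s, which runs as root, so no extra `owner`/`mode` is needed here.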


@@ -1,5 +1,8 @@
{ config, pkgs, ... }: { inputs, ... }:
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.backupFileExtension = "bkp"; home-manager.backupFileExtension = "bkp";
home-manager.sharedModules = [
inputs.sops-nix.homeManagerModules.sops
];
} }


@@ -1,5 +1,12 @@
{ pkgs, config, ... }: { pkgs, config, ... }:
{ {
environment.systemPackages = with pkgs; [
sops
age
];
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
security.sudo = { security.sudo = {
enable = true; enable = true;
extraRules = [ extraRules = [
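Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` makes each host's SSH host key the age identity for all of its secrets, so the age recipients in `.sops.yaml` have to be the ssh-to-age conversion of each host's ed25519 public key, and a reinstall or host-key rotation leaves that host unable to decrypt until the secret files are re-keyed. A comment on that line would make the coupling visible, e.g. `# age identity is derived from the host key; recipients in .sops.yaml come from ssh-to-age of each host's ed25519 public key`. This appears to be a module shared by every host, including the two laptops, which is the right place for it; the enclosing attribute set continues past the hunk.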

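--- /dev/null
+++ b/secrets/cluster.yaml
@@ -0,0 +1,16 @@
+k3s_token: ENC[AES256_GCM,data:UANQ7DzasppB8ZPtGY9wR9lhU+VpTjJE,iv:cvEiUt7zG4Joyd1gkaqi848ES7aPf7VoYc4zDwLKEDQ=,tag:j4EU/srhEL0+nQGhETuerA==,type:str]
+sops:
+age:
+- recipient: age1xjnkqv32a5nqftw6pqthapnzmgjl4lnqfpxy9utqm56yzm2mvfhqzch648
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWHRDVXoxTVR2ZzdyUmU3
+OUI3cEk1WjE4TnpvM2o5VFFwbGNwTUVBTHhZCjFmZWVZUEc1Yk5ySDB1NEo0Qzkr
+RHBxZmJEWnc5UGhRcVN4ZmIyWnhWR1kKLS0tIHh0MERwT1pOdDRkd2hzMEJTQWVz
+YXE5dGd5bGZUd3BGQTNlaG1NcjJ4MXMKch4iIZaw+AL8zEgmFbbb8MElDDnbkOXO
+gaxvpCqj5Eb4A2wkZAhdVE1o1LzNUcOTH2xZdb99wtwxORPUtC08dQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-12-13T09:05:22Z"
+mac: ENC[AES256_GCM,data:Jg/J4ulZtAI7Kfeb8/ccmG3hV+2TF/5kTcwNRr6llVORVBZ0cGeJz5TvhqwHsSf3TRwgzS50RHWtbJ//TadWrYbf+EInV92mT+ybVO/p6ek0jiqRV9Kto697YnjjtMG1uJcIazWhShT4UTg6PNlAtRzBA3759tnw2aj0hCNH9QE=,iv:hu1m3GdLiwyVZDrlh/p63hGCaJgXIHuVnxzPKskj9Io=,tag:NW+d9m+eTgkb9Uea5aurSw==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.11.0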