From 22fdcbf773e00a3b1405ccaf1b62b69f6e07efe0 Mon Sep 17 00:00:00 2001
From: Stefan Ellmauthaler
Date: Tue, 31 May 2022 15:19:11 +0200
Subject: [PATCH] Move sops secrets to secrets folder enable sshd
---
 .sops.yaml | 2 +
 flake.nix | 4 +-
 machines/stel-xps/default.nix | 2 +
 modules/secrets/secrets.yaml | 0
 modules/ssh.nix | 16 +++++++
 {modules/secrets => secrets}/default.nix | 5 ++-
 secrets/keys/users/stefan_ellmauthaler.asc | 52 ++++++++++++++++++++++
 7 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 .sops.yaml
 delete mode 100644 modules/secrets/secrets.yaml
 create mode 100644 modules/ssh.nix
 rename {modules/secrets => secrets}/default.nix (74%)
 create mode 100644 secrets/keys/users/stefan_ellmauthaler.asc
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..9373c3d
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,2 @@
+keys:
+ - &stefan_ellmauthaler 3B39 8B08 6C41 0264 A14F B353 B1E6 F030 30A4 AEAA
diff --git a/flake.nix b/flake.nix
index 837c0bf..7ac0493 100644
--- a/flake.nix
+++ b/flake.nix
@@ -97,7 +97,9 @@
 inputs.home-manager.nixosModules.home-manager
 inputs.sops-nix.nixosModules.sops
 inputs.dwarffs.nixosModules.dwarffs
- ] ++ (map (name: ./modules + "/${name}") (moduleNames ./modules));
+ ] ++ (map (name: ./modules + "/${name}") (moduleNames ./modules)) ++ [
+ ./secrets
+ ];
 specialArgs = {
 nixos-hardware = inputs.nixos-hardware.nixosModules;
 inherit inputs;
diff --git a/machines/stel-xps/default.nix b/machines/stel-xps/default.nix
index 5090758..4df96b3 100644
--- a/machines/stel-xps/default.nix
+++ b/machines/stel-xps/default.nix
@@ -13,6 +13,8 @@
 base.enable = true;
 # setup locale and font settings
 locale.enable = true;
+ # setup sshd
+ sshd.enable = true;
 # configure zsh
 zsh.enable = true;
 # enable X11 with lightdm and i3
diff --git a/modules/secrets/secrets.yaml b/modules/secrets/secrets.yaml
deleted file mode 100644
index e69de29..0000000
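Review bot: `.sops.yaml` is missing a `creation_rules` section: it declares only the `keys:` anchor list, so sops has no rule mapping any file to this key and the `*stefan_ellmauthaler` anchor is never referenced. A minimal rule matching the `./secrets.yaml` path that the renamed `secrets/default.nix` module points at would be `creation_rules:` / `  - path_regex: secrets/secrets\.yaml$` / `    pgp: *stefan_ellmauthaler`. Note that the diffstat shows `modules/secrets/secrets.yaml` deleted and no `secrets/secrets.yaml` added, so such a rule would currently cover a file that does not yet exist in the tree.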
diff --git a/modules/ssh.nix b/modules/ssh.nix
new file mode 100644
index 0000000..3fd9d84
--- /dev/null
+++ b/modules/ssh.nix
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+with lib; {
+ options.elss.sshd.enable = mkEnableOption "Set up sshd";
+
+ config =
+ let
+ cfg = config.elss.sshd;
+ in
+ mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ permitRootLogin = false;
+ };
+ };
+}
diff --git a/modules/secrets/default.nix b/secrets/default.nix
similarity index 74%
rename from modules/secrets/default.nix
rename to secrets/default.nix
index 9bfac45..004da7b 100644
--- a/modules/secrets/default.nix
+++ b/secrets/default.nix
@@ -7,6 +7,9 @@ with lib; {
 cfg = config.elss.sops;
 in
 mkIf cfg.enable {
- sops.defaultSopsFile = ./secrets.yaml;
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+
+ };
 };
 }
diff --git a/secrets/keys/users/stefan_ellmauthaler.asc b/secrets/keys/users/stefan_ellmauthaler.asc
new file mode 100644
index 0000000..83e249d
--- /dev/null
+++ b/secrets/keys/users/stefan_ellmauthaler.asc
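Review bot: `permitRootLogin = false;` in the new `modules/ssh.nix` will not evaluate: `services.openssh.permitRootLogin` is a string enum (`"yes"`, `"without-password"`, `"prohibit-password"`, `"forced-commands-only"`, `"no"`), not a boolean, so the line should read `permitRootLogin = "no";`. Disabling `passwordAuthentication` alone also leaves keyboard-interactive (PAM) logins enabled by default, which still accepts account passwords; depending on the nixpkgs release pinned by the flake, add `kbdInteractiveAuthentication = false;` (older releases call it `challengeResponseAuthentication`) next to it. Since `services.openssh.openFirewall` defaults to true, enabling this module opens port 22 on every interface the machine joins, which is worth either an explicit setting or a comment given it is turned on for a laptop in the same commit. `pkgs` is bound in the argument set but never used.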
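Review bot: After the rename, `defaultSopsFile = ./secrets.yaml;` in `secrets/default.nix` resolves to `secrets/secrets.yaml`, but this commit deletes `modules/secrets/secrets.yaml` and adds nothing at the new location, so enabling `elss.sops` will presumably fail on the missing path as soon as sops-nix reads it (the deleted blob `e69de29` is the empty file, so no encrypted content was lost, but the path still needs to exist). The blank line left inside the new `sops = { … };` attrset reads as a placeholder; either add the intended option there or drop the line. The module head (the `options` declaration and the start of `config = let …`) lies outside the hunk.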
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGClB3EBEADX75a/UKReD9GfpCQwuuBG6vO00W2WutEGC+lA+xt+yQfEFSc7 +8A52n9Ypgbn0I/TdCkRl3zSyw/ysR2On0biYb6rsyZG6PVmwq6wSpgPRHh2P0E9r +tg4PLhOkmSTlxT3k3SMvP4lJpRuZBSqRHkxaVMJDVjSlrwifUkSOl0LMewCtGZOG +jV9P8OMFHy/SAE/YVlnjH2IW6yUT5n+suNJ2pf6u/PcdXCpryNPkNLmsoQ0e+ZjG +we3i/7/vJ6wkkg7DZAuCmIjo1Zq1zNRI6ouJpgO58VKO5zrRdnKIkOstcp1smDmt +KngMzzYa7J1ytvNcy3nPoePjI0HwRREDrPZ/vhTFNpdfhLiuP4nhqu/mLVMJScqK +iaX2dLZ8wRTCgpC94pPJ81fXkTtLCTfIn1Tss9sFx37IHNiwd3BZhzFtQrbAMjTz +3vvF74XaVaDFZXGWcgJLBYRRgGSSIZCzOvPyPqENA/ugGvXb3U4YwFEV9H2BR/ei +0r6CLJgr99vD9SOlaF05hqCLAqyXE+o1jCMyOEHCChTf3VS2ZIxacpp5AoTkVOq8 +ZmaoASw8uxt4UD8wNJFtJdgzNxYSRWP6UE4Io7AUwoPQmfk9RxOiMQKDgJ9oj7yc +a5DHWS03xhtW4YL1ZZZm9TRg4jo1WB6jXRGbwT0lAtRnwaeWCqaJqm7uUQARAQAB +tDNTdGVmYW4gRWxsbWF1dGhhbGVyIDxzdGVmYW4uZWxsbWF1dGhhbGVyQGdtYWls +LmNvbT6JAlQEEwEKAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQ7OYsI +bEECZKFPs1Ox5vAwMKSuqgUCYpYJ2gUJA9ITLwAKCRCx5vAwMKSuqsU8EACYntlq +QFfM7bvviC0VJgvAnDGLeuGOh1Ba6SnmMQCHb1uYCQslmUpoYIWz0MntLoRcfdbz +JeyKP2OXvs6jg8EGPPk30g/hvD7392D45pPYNz9xY/sqR9FrYkBzrytvJRZY00qP +yrC+CmSlC9/pnJobbnGVDPAtDbM/1yxoNQhb/L6RIRcPc/efisi8e2O2J2DF/847 +eFEpIf38QlMf4RoWO+xsOT16R4iC4xdffI7xk+gG6pXD6tqI9IY7GPyzUhz/ttrX +GA+gEdfIFH/Ro2JVG2a91V1UV7b/STx+1yWH71Oa8UCSGRFQMdDx62kPfuBzrxg3 +ZMYqaRyyqpZDel0Vt05DCYgqmk7GmsvDLZnjfu1JJ8yreAzbJstvEfg9oLoBq3mD +DjaWLl4QJMmGkwQfmZlIWkLMgvdWuaoMAAr23JKCcNUGH0rnjlJHjnbX2+Q1ASH3 +1U5UPgVavuvHTs08E09aMfjDucd9u/NhzNsokzJZ5UlwY46hcYnU/ZAopKNTHR28 +2d4WBw8P/dsoymsLBqe0rUn9gm1Sm94jJtZwDw2PsJ+QXShJv2zpiGWd7hTBzOCT +bMTxVkASmyfLuLNjJBHzYOtnnqFN6GQoLlJRwlOARCGH+8q/yT9v34TsEeYOeDep +I1CjjraAChCxw53c2TXkp05wJp+zyZaEe80I9LkCDQRgpQdxARAArwHwHId6uhSS +RmdHE0jMnbSXknd62WeX9yy7tI5st8PisxLkUvIhsYEm7820BQtyB5/6Mda3th87 +LSmlzWO5Uvr+dpcUX80ozw0MlxY4Afd2b3uN8hDq1B1yreq3p9WdPlr+tZo/1zK3 +gxosfd/BDKdn+4FHPTpO3oePpYSUnlHhLac8wjn4C6HVvQHRK0rifzaAf3TlVHjk +/rRpJZ713JahiCVu9PR5dxE8zaI3pI63JV0g7aSQUevlbdfOBtwToX+Opz7s46Ep 
+sj6gzW1YHYgIuRcZ0fXxjhqB3BifKRvjdKfRTWgC/SPWby/DmYJaYdf81FDhGEqt +hqnI3YbO06Apid41xmmHiSoMjUv0i78edBInxEu/jZ7UZ8jmDmqkGqrJEJqAlaG3 +oUM1Xd0csP5gCxN7Ny/u3QloKfC7EAlVNxKub/Yumc4PE7m1zs9bEt4ZH3UomX5o +Ub5D9BOnWuRjBiGewYmGHjQDNPA1NLHUs7eNcFsadNQil+w/n/9mle+qvh/C0irB +bJS/DNDExQmb9IT7SqsMQO2N3M5ZTZrkFoKEJ8mVJ+JFwNpAZG2RXjw9fFU/g4zT +bi35xODgz+WfyP9+gLY33YM44UkDDpVUzlVJ9A8bPbgTKQIuuFqRNHRLq4Nmu2Hn +EXjGDmKsmsDkNOIWrqYTsXXfo7qPbBsAEQEAAYkCPAQYAQgAJhYhBDs5iwhsQQJk +oU+zU7Hm8DAwpK6qBQJgpQdxAhsMBQkB4TOAAAoJELHm8DAwpK6qJgwQAM1btgX0 +EOMN1s2hsoZe7pNZ1itj5HI8lxctcwC9zlBSgS3M5IeCOC/zf0yj5pOHRqN595jI +NjoXNTPFunuvd33tgLGSlPPifb8Dn9n1/oEt+Ys0LuownADEdtX3L9JO5l79JK4S +gQKG5Mx7ZmD3E5WdwmvkzjUzY12p3uC78en11OCm+sp2Fk5OhUBSXXJ/BsXoTD5f +g7XbbuRfhs52x6qIgWSuqbOghYq6VCNmR1j53qZsTUZg2gmKT10cSzI2rlsws2L3 +qIeo2eXKLxlUNuxK4kse007MxyzEqlWTVTwsL8SC06ouZ/W2VMF+xGZJ8O/Br5LD +pmEX+wZXJL6H2lIRa/aMreaQ8S9d9TSXHRIuc5MpmGnd9/KOm4Sdch5IQLiJLfyw +KkB9R1evg0HZqfOt05i6A1IyJQ9OlUXfbRBow6msNDlOmEviNNeJfLMQ/YvyZ+FM +oaSW5hMYZRMSthuIhQogWH+t1Kt76gHK+WVhyD9XZ8NWu18+ZUKMV2Dg4EyzJBkf +sdiWD4kFnotONtUHouRjMr5xFbDWQ/bSoQ+QGUOmxDx6Wl/DsGiQ+6HB4cD3JAxz +w2Ykcg94PlmESgC6SyLT8pDIbd8z42QR5VNRvMRBJnX/FygNGLj0PCol1piRM1zu +KdqlWuZpbVFm5DF/TQWr9PSFUs8QJ3EL/mXR +=Vjox +-----END PGP PUBLIC KEY BLOCK-----