From 10e08a1fd8e9ff3700176cb48e5f7d5a046b1171 Mon Sep 17 00:00:00 2001
From: Ethan Simmons
Date: Sun, 23 Jun 2024 20:03:33 -0500
Subject: [PATCH] Add secrets for laptop

---
 .sops.yaml | 5 ++
 flake.lock | 4 +-
 flake.nix | 2 -
 hosts/alpheratz/dotfiles/fish/config.fish | 74 +++++++++++------------
 hosts/alpheratz/system.nix | 44 ++++++++------
 secrets/alpheratz/secrets.yaml | 23 +++++++
 6 files changed, 93 insertions(+), 59 deletions(-)
 create mode 100644 secrets/alpheratz/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
index 8064f01..16c65c8 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,11 +1,16 @@
 keys:
 - &admin_ankaa age1079fszreaakwf6xnwu9kra8xcsp4e8q8ed3y99yrhjnz9n3t9pnsj05m97
+ - &admin_alpheratz age1gdtjn3jgvvvspa86q3lnklflnvyf3s75y2rw23l7nk7hwcsfpg7qkq7msr
 - &server_diphda age1rxqyz6watg05r3rzlme7grpgfgezhlt535gdl7psqys2ec8eegmqchfk4d
 creation_rules:
 - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - age:
 - *admin_ankaa
+ - path_regex: secrets/alpheratz/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_alpheratz
 - path_regex: secrets/diphda/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - age:
diff --git a/flake.lock b/flake.lock
index 73994f1..f8552d1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,8 +2,8 @@
 "nodes": {
 "currentSystem": {
 "locked": {
- "lastModified": 1718580560,
- "narHash": "sha256-M69Hx8goDX65ZC/F7ENITsGr3XYBCSsa4B+vDOnOGXs=",
+ "lastModified": 1717805060,
+ "narHash": "sha256-jgZROz6KZg2bOy4PGGd/vzpmn7v22+C+2Ivwfk26OXo=",
 "path": "/etc/nixos/hostname",
 "type": "path"
 },
diff --git a/flake.nix b/flake.nix
index 801db86..71146f6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -106,7 +106,6 @@
 networking = {
 wireguard.enable = true;
- nameservers = [ "192.168.0.100" ];
 };
@@ -143,7 +142,6 @@
 networking = {
 wireguard.enable = true;
- nameservers = [ "192.168.0.100" ];
 };
 };
diff --git a/hosts/alpheratz/dotfiles/fish/config.fish b/hosts/alpheratz/dotfiles/fish/config.fish
index d3d2101..797bc55 100644
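Review bot: The new `secrets/alpheratz/` creation rule lists `*admin_alpheratz` as its only age recipient, so nothing but the laptop's own key file can decrypt or re-encrypt those secrets; if that key file is lost or the laptop is reinstalled, the WireGuard private and preshared keys committed in `secrets/alpheratz/secrets.yaml` in this same patch become unrecoverable and would have to be rotated. If the ankaa admin key is meant to act as a second holder, add `- *admin_ankaa` under the same `age:` list and run `sops updatekeys` on the file so the stored recipient list matches. The existing `secrets/[^/]+\.(yaml|json|env|ini)$` rule does not match a subdirectory, so rule ordering is not a concern here.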
--- a/hosts/alpheratz/dotfiles/fish/config.fish
+++ b/hosts/alpheratz/dotfiles/fish/config.fish
@@ -1,13 +1,41 @@
 if status is-interactive
- ### Local environment variables
+ fish_add_path "/home/eesim/.cargo/bin/"
+
+ set fish_greeting
+
+ set fish_cursor_default block
+ set fish_cursor_insert line
+ set fish_cursor_replace_one underscore
+ set fish_cursor_replace underscore
+ set fish_cursor_external line
+ set fish_cursor_visual block
+
+ function fish_mode_prompt
+ end
+
+ ### Local environment variables
+ set -x DENO_INSTALL "/home/eesim/.deno"
+
+ direnv hook fish | source
+
+end
+
+if status is-login
+
+ # SSH settings
+ eval (ssh-agent -c)
+ ssh-add /home/eesim/.ssh/id_ed25519
+
+ # Set environment variables in /etc/profile.d/
+ # exec bash -c "test -e /etc/profile && source /etc/profile"
+
+ # Disable GTK portal
+ set -x GTK_USE_PORTAL "0"
+
+
+ # Java fix
+ set -x _JAVA_AWT_WM_NONREPARENTING "1"
- set -g fish_greeting
- set -g fish_cursor_default block
- set -g fish_cursor_insert line
- set -g fish_cursor_replace_one underscore
- set -g fish_cursor_replace underscore
- set -g fish_cursor_external line
- set -g fish_cursor_visual block
 end
@@ -15,33 +43,3 @@
 if test (tty) = "/dev/tty1"
 sway
 end
-if status is-login
-
- ### Environment Variables
-
- # Set nvim to default editor
- set -x SUDO_EDITOR = "/usr/bin/nvim"
-
- # Set R library location
- set -x R_LIBS_USER = "/home/eesim/.local/lib/R"
-
- # Disable GTK portal
- set -x GTK_USE_PORTAL=0
-
- # Wayland environment variables
- set -x XDG_CURRENT_DESKTOP = "sway"
- set -x XDG_CURRENT_SESSION = "sway"
- set -x XDG_SESSION_TYPE = "wayland"
- set -x ELECTRON_OZONE_PLATFORM_HINT = "auto"
- set -x QT_QPA_PLATFORM = "wayland;xcb"
- set -x SDL_VIDEODRIVER = "wayland,x11"
-
- # Java fix
- set -x _JAVA_AWT_WM_NONREPARENTING = "1"
-
- ### Themes
- set -x QT_QPA_PLATFORMTHEME = "qt5ct"
-
- ### Start fish
- exec fish
-end
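Review bot: In the new `if status is-login` block, `eval (ssh-agent -c)` starts a fresh agent on every login shell and `ssh-add /home/eesim/.ssh/id_ed25519` loads the key into it with no lifetime, so agents accumulate across logins (nothing in the hunk stops or reuses them) and each keeps the decrypted key resident until it is killed. Guard the start so an existing agent is reused, `if not set -q SSH_AUTH_SOCK; or not test -S "$SSH_AUTH_SOCK"`, and cap the key's lifetime with `ssh-add -t 8h /home/eesim/.ssh/id_ed25519` so a forgotten agent cannot serve the key indefinitely. The commented-out `exec bash -c "test -e /etc/profile && source /etc/profile"` line is dead text; either drop it or replace it with a one-line comment saying why it was disabled. The `/home/eesim/...` paths could use `$HOME`, which keeps the file usable on other hosts without edits.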
diff --git a/hosts/alpheratz/system.nix b/hosts/alpheratz/system.nix
index ebec6b4..463e695 100644
--- a/hosts/alpheratz/system.nix
+++ b/hosts/alpheratz/system.nix
@@ -22,6 +22,14 @@
 };
 };
+ sops = {
+ defaultSopsFile = ../../secrets/alpheratz/secrets.yaml;
+ age.keyFile = "/home/eesim/.config/sops/age/keys.txt";
+
+ secrets."wireguard/private" = {};
+ secrets."wireguard/preshared" = {};
+ };
+
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = true;
 boot.loader.systemd-boot.xbootldrMountPoint = "/boot";
@@ -30,30 +38,32 @@
 powerManagement.powertop.enable = true;
+ hardware.graphics.enable = true;
+
 fileSystems = {
 "/".options = [ "compress=zstd" ];
 "/home".options = [ "compress=zstd" ];
 "/nix".options = [ "compress=zstd" "noatime" ];
 };
- # networking.wg-quick.interfaces = {
- # wg0 = {
- # address = [ "10.6.0.5" ];
- # listenPort = 51820;
- # privateKeyFile = "/root/wireguard-keys/wg0/private";
- # dns = [ "10.2.0.100" ];
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ address = [ "10.0.0.2/32" ];
+ listenPort = 51820;
+ privateKeyFile = "/run/secrets/wireguard/private";
+ dns = [ "192.168.1.1" ];
+ autostart = false;
- # peers = [
- # {
- # publicKey = "pEWHugUnnhWXkJzCIhXryRRZMoCAuvAITDeP4ItenQk=";
- # presharedKeyFile = "/root/wireguard-keys/wg0/preshared";
- # allowedIPs = [ "10.2.0.0/24" "192.168.0.0/24" ];
- # endpoint = "simmer505.com:51820";
- # persistentKeepalive = 25;
- # }
- # ];
- # };
- # };
+ peers = [
+ {
+ publicKey = "sWdXHlBqH+tAgSl0Tqr46sfKvgFN/vMDiuN08HjzaSg=";
+ presharedKeyFile = "/run/secrets/wireguard/preshared";
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ endpoint = "simmer505.com:51820";
+ }
+ ];
+ };
+ };
 # Set your time zone.
 time.timeZone = "America/Chicago";
diff --git a/secrets/alpheratz/secrets.yaml b/secrets/alpheratz/secrets.yaml
new file mode 100644
index 0000000..202d953
--- /dev/null
+++ b/secrets/alpheratz/secrets.yaml
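Review bot: `age.keyFile = "/home/eesim/.config/sops/age/keys.txt"` places the identity that decrypts every secret sops-nix manages for this host inside an unprivileged user's home directory, readable by anything running as `eesim`, while the secrets it unlocks are materialised under `/run/secrets` as root-only files for `wg-quick`; decryption at activation also depends on `/home` being mounted at that point. If the host rather than the user is meant to hold the decryption key, the usual arrangement is `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` or a root-owned `keyFile` such as `/var/lib/sops-nix/key.txt`, with that host identity added as a recipient in `.sops.yaml`. If keeping it in the home directory is deliberate, a comment above `age.keyFile` saying which key this is and why it lives there would help the next reader. The enclosing attribute set starts outside the hunk.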
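Review bot: `privateKeyFile = "/run/secrets/wireguard/private"` and `presharedKeyFile = "/run/secrets/wireguard/preshared"` hard-code the path that sops-nix derives from the `secrets."wireguard/..."` declarations earlier in this file, so a renamed secret or a changed symlink location leaves the two halves pointing at different files. Reference the declared path instead, `privateKeyFile = config.sops.secrets."wireguard/private".path;` and `presharedKeyFile = config.sops.secrets."wireguard/preshared".path;`, assuming the module takes `config` as an argument (its header is outside the hunk). `allowedIPs = [ "0.0.0.0/0" "::/0" ]` routes all traffic through the tunnel whenever `wg0` is brought up, so a short comment stating that this is intended as a full tunnel and where `dns = [ "192.168.1.1" ]` is expected to be reachable from would document the intent for the next reader.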
@@ -0,0 +1,23 @@ +wireguard: + private: ENC[AES256_GCM,data:Vii9We3fJBFCQNfek+fKqzy4jor2mhHz7KZhoWS9fuBbccz/DHPOnpzRhJQ=,iv:eDorsjazLZjIYsL+AP7YHoBY03ByywtmuRAG0KFonu0=,tag:z7b8NiGOgz0CrhFNalK4Qw==,type:str] + preshared: ENC[AES256_GCM,data:BK3CwQ9tZ0gqErPfOt896yH3K+7xDx6Vr+Xd0JMB+RYdugsGYluhldNM3aM=,iv:o9RhmlSCVwHPUi+JRNQF9bTACOwFaKmshfiD25C5QW8=,tag:DO9a2D2zY5rFQWHIR0PsfA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1gdtjn3jgvvvspa86q3lnklflnvyf3s75y2rw23l7nk7hwcsfpg7qkq7msr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVUzZyL2hHT0ZKUUViMmNP + eXluSTFpOUlPdmVoS2VoTGNKcnhFUzFRbVVzCmU3aDQ0SElqdkxySnNYUzd6TmJy + QnkwSXAyT3BmUktBWVp5eGMyeXg5bXMKLS0tIGh1S1cwUGU3dW9xRS9iQzMxZnRF + ZytUUE9YZDZjcDFvU1lkRk5hYWJscTQKQrNSlwVHQVwN1QKkF7Hh5wbDWWSLfutm + l8YTbx1rHFxakK16+HXcmRleA+qvjlmpflbq+CyZQmIkwARazT7rUQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-24T00:52:56Z" + mac: ENC[AES256_GCM,data:4eHx1JEmFa9ugyjsJYYvIJ85EYQOsxThKtFzL9Aiw16NOl58B0CNFAwVSL1KryjjmsRxxDQoAFldkfpxzKuERoUPMsRlFXlNgApXqkaH2aJBH2VCFd7jBTvqALXgWv5Gjh8yTD3qySUAeWN8F44HjGg1cx8Poxp5xOPk5VlzyXA=,iv:LrjjSM8hC8ujfXM9W+rgGLo1muDR+CIo1UfnNJcr2TE=,tag:Oosqkn1XnEpnoNH31ghL5w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1