From bba89088e75291983d8fdf4b5be422bae4098ea8 Mon Sep 17 00:00:00 2001 From: Swarsel Date: Thu, 17 Oct 2024 10:53:48 +0200 Subject: [PATCH] chore: remove work toybox package on phone --- .sops.yaml | 65 +----------------------------- SwarselSystems.org | 68 +++++++++++++++++++------------- profiles/mysticant/default.nix | 2 +- profiles/optional/nixos/work.nix | 64 ++++++++++++++++++------------ secrets/work/secrets.yaml | 55 ++++++++++++++++++++++++++ 5 files changed, 138 insertions(+), 116 deletions(-) create mode 100644 secrets/work/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 37d749d..756af40 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -8,18 +8,8 @@ keys: - &server_nixos age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 - &server_surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - &server_fourside age1s3faa0due0fvp9qu2rd8ex0upg4mcms8wl936yazylv72r6nn3rq2xv5g0 - - &server_stand age1hkajkcje5xvg8jd4zj2e0s9tndpv36hwhn7p38x9lyq2z8g7v45q2nhlej - &server_nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy - - &server_nginx age1zyts3egct4he229klgrfkd9r442xw9r3qg3hyydh44pvk3wjhd3s2zjqvt - - &server_calibre age1q2k4j9m6ge6dgygehulzd8vqjcdgv5s7s4zrferaq29qlu94a4uqpv76s5 - - &server_transmiss age1wevwwytv5q8wx8yttc85gly678hn4k3qe4csgnq2frf3wxes63jqlt8kqs - - &server_matrix age1t2uj8arq8nnmd5s3h32p7z7masj2gqe5ec49dtr8ex2nlgef3yfqtgcnj6 - - &server_spotifyd age16d6wulu4vzuawvsnqv0cqjhxdz9e20qm3xdnzq2lp7787srl8shqsqlfps - - &server_sound age1w7tfe7k0r0hm6mzz0kmz8302kfn0rlh96w7g6zwqd4muqg7u9anqv07745 - &server_sync age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h - - &server_paperless age1j4y7mwh6hg8kvktgvq5g3xstnmlnaxkdhfrps8lnl029nfpr03dq2nr4cd - - &server_sandbox age1d4ywpqztawcw0eswn42udt4hhcktdcrm54v9kmt3uspkwkz8e52qx7d5aa - - &server_omatrix age198gj3dmryk7sya5c77tsrm3gdrct6xh7w7cx4gsfywe675aehu8sw2xw6q creation_rules: - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$ key_groups: 
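Review bot: Removing the `- &server_sandbox age1d4y…` anchor in this hunk leaves `*server_sandbox` aliases in place in the later hunks of this file (@@ -29,7 and @@ -40,78: what appear to be the `secrets/general` and `secrets/certs` recipient lists, plus the `secrets/sandbox` rule itself), and a YAML parser rejects an alias whose anchor is undefined, so every sops invocation that loads this `.sops.yaml` would fail to parse it — unless the anchor is re-declared somewhere outside the shown hunks. Either keep the `&server_sandbox` key line or drop the three `- *server_sandbox` entries together with the `secrets/sandbox` rule, as was done consistently for `server_stand` and `server_transmiss`. Separately, pruning recipients from `.sops.yaml` does not rekey files that were already encrypted to them; those files stay decryptable by the removed keys until they are re-encrypted (`sops updatekeys`). The commit subject mentions only the toybox change, so this recipient pruning is easy to miss in history.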
@@ -29,7 +19,6 @@ creation_rules: - *server_nixos - *server_sandbox - *server_surface - - *server_stand - *server_fourside - *server_nbl - path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$ @@ -40,78 +29,28 @@ creation_rules: - *server_nixos - *server_sandbox - *server_surface - - *server_stand - *server_fourside - - *server_transmiss - path_regex: secrets/server/winters/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: - *admin_swarsel age: - *server_nixos - - path_regex: secrets/surface/[^/]+\.(yaml|json|env|ini)$ + - path_regex: secrets/work/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: - *admin_swarsel age: - - *server_surface - - path_regex: secrets/nginx/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *admin_swarsel - age: - - *server_nginx - - path_regex: secrets/calibre/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *admin_swarsel - age: - - *server_calibre - - path_regex: secrets/transmission/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *admin_swarsel - age: - - *server_transmiss - - path_regex: secrets/matrix/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *admin_swarsel - age: - - *server_matrix - - path_regex: secrets/spotifyd/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *admin_swarsel - age: - - *server_spotifyd - - path_regex: secrets/sound/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *admin_swarsel - age: - - *server_sound + - *server_nbl - path_regex: secrets/sync/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: - *admin_swarsel age: - *server_sync - - path_regex: secrets/paperless/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *admin_swarsel - age: - - *server_paperless - path_regex: secrets/sandbox/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: - *admin_swarsel age: - *server_sandbox - - path_regex: secrets/omatrix/[^/]+\.(yaml|json|env|ini)$ - key_groups: - - pgp: - - *admin_swarsel - age: - - *server_omatrix 
diff --git a/SwarselSystems.org b/SwarselSystems.org index 214d867..a677847 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -1993,7 +1993,7 @@ My work machine. Built for more security, this is the gold standard of my config vim git openssh - toybox + # toybox dig man gnupg @@ -6698,28 +6698,39 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using. :CUSTOM_ID: h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf :END: -Integrates 1password mostly. There are more options at [[#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6][Work]] (home-manager side). +Options that I need specifically at work. There are more options at [[#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6][Work]] (home-manager side). #+begin_src nix :tangle profiles/optional/nixos/work.nix - { pkgs, ... }: + { pkgs, config, ... }: { sops = { secrets = { - clad = { }; - dcad = { }; - wsad = { }; - imbad= { }; + clad = { sopsFile = ../../../secrets/work/secrets.yaml; }; + dcad = { sopsFile = ../../../secrets/work/secrets.yaml; }; + wsad = { sopsFile = ../../../secrets/work/secrets.yaml; }; + imbad= { sopsFile = ../../../secrets/work/secrets.yaml; }; }; }; # boot.initrd.luks.yubikeySupport = true; - programs.browserpass.enable = true; - programs._1password.enable = true; - programs._1password-gui = { - enable = true; - polkitPolicyOwners = [ "swarsel" ]; + programs = { + zsh.shellInit = '' + export CLAD="$(cat ${config.sops.secrets.clad.path})" + export DCAD="$(cat ${config.sops.secrets.dcad.path})" + export WSAD="$(cat ${config.sops.secrets.wsad.path})" + export IMBAD="$(cat ${config.sops.secrets.imbad.path})" + ''; + + browserpass.enable = true; + _1password.enable = true; + _1password-gui = { + enable = true; + polkitPolicyOwners = [ "swarsel" ]; + }; }; + virtualisation.docker.enable = true; + environment.systemPackages = with pkgs; [ # (python39.withPackages (ps: with ps; [ # cryptography 
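Review bot: `programs.zsh.shellInit` in the @@ -6698,28 hunk runs `cat` on the four sops secret paths at every zsh start, but the `sops.secrets.*` entries set no `owner`/`mode`, and with sops-nix's defaults (root-owned, mode 0400, if they apply here) a non-root interactive shell gets a permission error on each startup and exports empty `CLAD`/`DCAD`/`WSAD`/`IMBAD`. Because `shellInit` is system-wide, every user's zsh and every process it spawns inherits these variables, which is broader exposure than one workflow needs. I would give each secret an owner, e.g. `clad = { sopsFile = ../../../secrets/work/secrets.yaml; owner = "swarsel"; };`, and guard each read so an unreadable file does not print errors or export an empty value: `[ -r ${config.sops.secrets.clad.path} ] && export CLAD="$(cat ${config.sops.secrets.clad.path})"` (likewise for the other three). The same block appears in the profiles/optional/nixos/work.nix hunk @@ -1,22 on this page; the tangled module and this org source should be kept identical.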
@@ -6733,27 +6744,31 @@ Integrates 1password mostly. There are more options at [[#h:f0b2ea93-94c8-48d8-8 govc ]; - services.openssh = { - enable = true; - extraConfig = '' + + services = { + openssh = { + enable = true; + extraConfig = '' ''; - }; + }; - services.syncthing = { - settings = { - "winters" = { - id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; - }; - folders = { - "Documents" = { - path = "/home/swarsel/Documents"; - devices = [ "magicant" "winters" ]; - id = "hgr3d-pfu3w"; + syncthing = { + settings = { + "winters" = { + id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; + }; + folders = { + "Documents" = { + path = "/home/swarsel/Documents"; + devices = [ "magicant" "winters" ]; + id = "hgr3d-pfu3w"; + }; }; }; }; }; + # cgroups v1 is required for centos7 dockers specialisation = { cgroup_v1.configuration = { boot.kernelParams = [ @@ -6763,7 +6778,6 @@ Integrates 1password mostly. There are more options at [[#h:f0b2ea93-94c8-48d8-8 }; }; - } #+end_src diff --git a/profiles/mysticant/default.nix b/profiles/mysticant/default.nix index e025a79..8743b81 100644 --- a/profiles/mysticant/default.nix +++ b/profiles/mysticant/default.nix @@ -4,7 +4,7 @@ vim git openssh - toybox + # toybox dig man gnupg diff --git a/profiles/optional/nixos/work.nix b/profiles/optional/nixos/work.nix index c01f145..6986ed2 100644 --- a/profiles/optional/nixos/work.nix +++ b/profiles/optional/nixos/work.nix 
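Review bot: In the profiles/mysticant/default.nix hunk @@ -4,7 the `toybox` entry is commented out rather than deleted, and neither the line nor the commit message records why it was dropped, so the next reader cannot tell whether it is meant to come back. Either delete the line or record the reason inline, e.g. `# toybox  # removed: <REASON — fill in>`; the same applies to the matching SwarselSystems.org hunk @@ -1993,7 on this page.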
@@ -1,22 +1,33 @@ -{ pkgs, ... }: +{ pkgs, config, ... }: { sops = { secrets = { - clad = { }; - dcad = { }; - wsad = { }; - imbad = { }; + clad = { sopsFile = ../../../secrets/work/secrets.yaml; }; + dcad = { sopsFile = ../../../secrets/work/secrets.yaml; }; + wsad = { sopsFile = ../../../secrets/work/secrets.yaml; }; + imbad = { sopsFile = ../../../secrets/work/secrets.yaml; }; }; }; # boot.initrd.luks.yubikeySupport = true; - programs.browserpass.enable = true; - programs._1password.enable = true; - programs._1password-gui = { - enable = true; - polkitPolicyOwners = [ "swarsel" ]; + programs = { + zsh.shellInit = '' + export CLAD="$(cat ${config.sops.secrets.clad.path})" + export DCAD="$(cat ${config.sops.secrets.dcad.path})" + export WSAD="$(cat ${config.sops.secrets.wsad.path})" + export IMBAD="$(cat ${config.sops.secrets.imbad.path})" + ''; + + browserpass.enable = true; + _1password.enable = true; + _1password-gui = { + enable = true; + polkitPolicyOwners = [ "swarsel" ]; + }; }; + virtualisation.docker.enable = true; + environment.systemPackages = with pkgs; [ # (python39.withPackages (ps: with ps; [ # cryptography @@ -30,27 +41,31 @@ govc ]; - services.openssh = { - enable = true; - extraConfig = '' + + services = { + openssh = { + enable = true; + extraConfig = '' ''; - }; + }; - services.syncthing = { - settings = { - "winters" = { - id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; - }; - folders = { - "Documents" = { - path = "/home/swarsel/Documents"; - devices = [ "magicant" "winters" ]; - id = "hgr3d-pfu3w"; + syncthing = { + settings = { + "winters" = { + id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; + }; + folders = { + "Documents" = { + path = "/home/swarsel/Documents"; + devices = [ "magicant" "winters" ]; + id = "hgr3d-pfu3w"; + }; }; }; }; }; + # cgroups v1 is required for centos7 dockers specialisation = { cgroup_v1.configuration = { boot.kernelParams = [ @@ -60,5 +75,4 @@ }; }; - } 
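Review bot: The `sopsFile = ../../../secrets/work/secrets.yaml` path is repeated on all four `sops.secrets` entries in the @@ -1,22 hunk, so a future move of the file has to be edited in four places (and again in the SwarselSystems.org source); binding it once reads better, e.g. `{ pkgs, config, ... }:` followed by `let workSecrets = ../../../secrets/work/secrets.yaml; in {` and then `clad = { sopsFile = workSecrets; };` for each entry. The new `virtualisation.docker.enable = true;` also arrives without a why-comment; if it exists for the containers the `cgroup_v1` specialisation below refers to, say so, e.g. `# docker host; see the cgroup_v1 specialisation below for the centos7 containers`, so the two settings are understood together.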
diff --git a/secrets/work/secrets.yaml b/secrets/work/secrets.yaml
new file mode 100644
index 0000000..f57dd89
--- /dev/null
+++ b/secrets/work/secrets.yaml
@@ -0,0 +1,55 @@ +clad: ENC[AES256_GCM,data:pE/sks9TK6acHwAjNLD0SdRHj6b2ZMkge2w=,iv:aJESPMVXdK1iJ7ItZYZMTcWGgAwTWuMB4d78OlqFbYY=,tag:AtLY/myOjpE6fbQpatfgGg==,type:str] +dcad: ENC[AES256_GCM,data:advwwnnNSD53JaWwi3zlLbUTx515xw==,iv:4/B9Vr/IaV0HJUC73snbOeF9FvhCKvgp3CcK7GWh6uA=,tag:69yEWNJEjYnYWNTzXSBJmg==,type:str] +wsad: ENC[AES256_GCM,data:yNL4Ql93sr9PcK0mMihArl2FhATFAzZF1Fy6fgbykeDU,iv:qet1Aba9PkXpFUmTqFVifAN4EKw5BpOxhKxXnHeJYkU=,tag:AJSMdOky0HYEgdS5B/PAcw==,type:str] +imbad: ENC[AES256_GCM,data:/8bq5AtzsZrbXOLY73K2ie9R4GNEAA==,iv:EZHUbS58y1NVM6wkzlmxvWaDMjjWU0VU+9nrGmt9fcw=,tag:axFWhsQ7w1DOHN4yOoF1og==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZW9GQzBRSTAvMk52VEd6 + L0hobkJmVmRaQ2hzeXdGL2w3OElGRHFIbVZVCnhxOVlXTENKNzc3RHdCTlZva29I + NVptV1JiUzNTU1N2MVpCdXJEell4MGcKLS0tIG1nQm1CN04xa2ZqckZFbUpOejln + TTNXbUd5MEhsUkYwdjM3bjlMWE5IMUkKxm0j9wK4OEiMv4J4cic2M8R02NBRiYc5 + wmmlJyPhlkLCn++z36872JqlG368MwzomJI2llyW94l2qrrn8RHISg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-17T08:36:23Z" + mac: ENC[AES256_GCM,data:gVfvTcYIzp4xdmAE14VzdVyef1f7KYykWcoehSc6nkkKNEg7+wjkcsrGoJvE4lbx64IahOJLEzD5aL695RzV32uFz+V+juQVvPW9rZIwz8Y62LYN+Vnowa4VfANPQ7uuUVrk29GPOHfwII5SJWOJcddQwu1XOX1VabIqq9ZweMw=,iv:+HXbFohCMJGytoKbTZ+aR3Lo7bg7O1Wgy2R3KiLv9hE=,tag:dSxMKKqwF4HMW/PtL6ALGw==,type:str] + pgp: + - created_at: "2024-10-17T08:35:11Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAwDh3VI7VctTARAAti+kUHPffcFm6XqY5kZpgAFDDlSv3ONn+Ojc9KLgsHdt + q+q2nCQaXv5frmpMng0tUi2V3AFD2ELhRXJyY6l3RDIKK0gPvDbJmdfmGQ2hEt0w + af9CsdXcJhlgdV+eUBGpUu4wbZldkdR4nyQm5KCp2ThqiL3IQzDm0HGnbimvdHPH + 0gU8Q6qDN4DdnsvfSLkS89WkW0UH8tFUVOr17aMWGEtloZUOgafBkxT5u+bKC7FH + AwKQs9Y5DzRjzr/szLufu9iyR92ikPLcDLtc34CoPeg2xH9XEiUd8uE3aK61Ezr4 + yDZGW1urJaH/Xx6Dip2Hse1pmx3j8xqB6wIZ4r+mDcaM67tMSHNDxVqJJ5251qwZ + 
+mlwo/Uphm9l7JP/jGyIu9JbbOTdJF0uNrlL8EkR4Hn3905z+GvN8jYNKv4OhG+P + zCvgnkpBnZXJWfqSG1yFpitDo/ncIUfc2w1p4D78tr4HN8aZRGAvpKDU5/guK46Q + hwKUAqmoSAA2Zl9FJkX6TEIpRqJw3ADmCaR7Vt+5bxiLHCUOCTio+3L080IHll6C + sGbV8WMDxhFiaDDsKDR1OOD2t6ClwPEXLFkQTK4qzGN0rTvqNxVgV4Nfqb5lvoyC + ++7bRPj7zmM56xH0cL8kIzu1K7g+uDE7jVJAFUpxOOttEIzfRgLxDjaWkrIzQkyF + AgwDC9FRLmchgYQBD/9BxMQc++b2ujqEnFcLxFRqqSGyolaUJWaVjd9kST1xz9cD + 0RppY9n4ukFIVDIM6aL/EiGKFvYMKymwusegDP933RiIZY746m4XbQz3+pyn6fHl + hMexItwshq8L36B1K/pmSbMIkhfSmHUHL3/qzCP+OomtKjcZR0PKk2VYSOYTMTRy + 2JZjv4eK/hvpXJJrdLoB4AkYrT95xT5dp53WWFChyGS9nju0hvBdAn71rQMoww1T + rev7GfzBJlQCoEkQTP6UMUOHhTUpyJxDTn1AFvP+SqUD/VAZ3MvfNaiGcs6Dr2ox + t7BokccVctXOyEuqAb/iYD8y23xt3QYxsFpNTW5BpfKE90FGsJqTSX9gsWbzS5I4 + rUpcwqp3ib1f6gH/onubhwA79zFgVSSqUCOJa6lIH8CD9repkl2jxiA78ewYujnS + kANH2kgEn/fXhugeM4VMGecAr5TziQRiR8HV8ZQ8920vKrB5CATVGgL0l9rvh//M + f0FmQnOTlUZnqr9P99WGAk6nabdhmHrU07TIvEAz5Flrw5vySIPN8C1711Vw9syk + YXHmN4O1ZOr1PjXqiedZoyGYsF9L7CF3q3lYYYas4ia3NT9ZktfEac+ctC6KCiQ3 + skt+2cUkjXbYrZK/qQ9Ouzts/GEFEDLGVvDrw4CUXkiF54TFvEK4KmbAlmYW3NJe + ATqXOKybIjlmh7X30H8rsXTblgAgx+kfOLhAQAiA425Wk5LqRV1eHwQW1seoOX0X + 8HbO3ii6BWv19QyO1ste9+5wFDFTH4uxQKJxwyRlPKKg3QwYQsym9l2sQ9Nm0g== + =9VuO + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.9.1