From 3196a30c4dda4c1d4691617af5b367523a2d5069 Mon Sep 17 00:00:00 2001
From: Jermeiah S
Date: Sat, 14 Jun 2025 14:35:19 -0400
Subject: [PATCH 1/4] prep: setup sops demo for otf
---
 configurations/nixos/tofu/default.nix | 8 +++++++-
 modules/nixos/common/otf.nix | 2 +-
 modules/nixos/common/sops.nix | 11 ++++++++++-
 3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/configurations/nixos/tofu/default.nix b/configurations/nixos/tofu/default.nix
index 5a6cb47..28a5cdc 100644
--- a/configurations/nixos/tofu/default.nix
+++ b/configurations/nixos/tofu/default.nix
@@ -1,6 +1,11 @@
 # See /modules/nixos/* for actual settings
 # This file is just *top-level* configuration.
-{ flake, modulesPath, ... }:
+{
+ flake,
+ modulesPath,
+ config,
+ ...
+}:
 let
 inherit (flake) inputs;
@@ -15,6 +20,7 @@ in
 tty-ips.enable = true;
 otf = {
 enable = true;
+ environmentFile = config.sops.secrets.otfenv.path;
 };
 };
 networking = {
diff --git a/modules/nixos/common/otf.nix b/modules/nixos/common/otf.nix
index da9284a..27692fe 100644
--- a/modules/nixos/common/otf.nix
+++ b/modules/nixos/common/otf.nix
@@ -19,7 +19,7 @@ in
 };
 package = lib.mkPackageOption pkgs "otf" { };
 pgPackage = lib.mkPackageOption pkgs "postgresql_16" { };
- environmentFile = lib.mkEnableOption {
+ environmentFile = lib.mkOption {
 type = with lib.types; nullOr path;
 default = lib.types.null;
 };
diff --git a/modules/nixos/common/sops.nix b/modules/nixos/common/sops.nix
index beb3ad4..d40a964 100644
--- a/modules/nixos/common/sops.nix
+++ b/modules/nixos/common/sops.nix
@@ -9,5 +9,14 @@
 imports = [ flake.inputs.sops-nix.nixosModules.sops ];
- sops.defaultSopsFile = ../../../secrets.yaml;
+ sops = {
+ defaultSopsFile = ../../../secrets.yaml;
+ secrets = {
+ otfenv = {
+ owner = "otf";
+ group = "otf";
+ mode = "0440";
+ };
+ };
+ };
 }
From f204577de7c73f41d6aed28fc71aa2ba3c2e855d Mon Sep 17 00:00:00 2001
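Review bot: `default = lib.types.null;` two lines under the new `environmentFile = lib.mkOption {` is not the value `null`: it looks the name up in the types namespace, which as far as I know has no such attribute, so evaluating the option on a host that never sets `environmentFile` fails with a missing-attribute error (and even if it existed, a type is not a valid value for `nullOr path`). Change it to `default = null;`. `mkOption` also accepts a `description`; something like `description = "Optional path to an environment file for the OTF service; use it for values such as OTF_SECRET that must not be written into the Nix store.";` documents why the option exists. The enclosing options set starts and ends outside the hunk.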
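Review bot: The new `secrets.otfenv` block sets `owner = "otf"` and `group = "otf"`, but nothing in this hunk creates that user or group, and sops-nix chowns the decrypted file during system activation, so every host that imports `modules/nixos/common/sops.nix` needs them to exist even if it never runs OTF; whether the otf module creates them cannot be seen from here. Declaring the secret next to its consumer — in `modules/nixos/common/otf.nix` under `config = lib.mkIf cfg.enable { sops.secrets.otfenv = { ... }; }`, or in `configurations/nixos/tofu/default.nix` — and leaving only `defaultSopsFile` here keeps both the decryption and the ownership requirement on the one host that needs them. `mode = "0440"` is appropriately restrictive and can stay as is.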
From: Jermeiah S
Date: Sat, 14 Jun 2025 14:42:15 -0400
Subject: [PATCH 2/4] added ssh-to-age devtool
---
 modules/flake/devshell.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/flake/devshell.nix b/modules/flake/devshell.nix
index 85fbfb0..96412b6 100644
--- a/modules/flake/devshell.nix
+++ b/modules/flake/devshell.nix
@@ -6,6 +6,7 @@
 name = "nixos-unified-template-shell";
 meta.description = "Shell environment for modifying this Nix configuration";
 packages = with pkgs; [
+ ssh-to-age
 sops
 just
 nixd
From 136d9cb3faa987ded90c5c6ce1649db9e3354ab7 Mon Sep 17 00:00:00 2001
From: Jermeiah S
Date: Sat, 14 Jun 2025 14:42:32 -0400
Subject: [PATCH 3/4] secrets: add server
---
 .sops.yaml | 2 ++
 secrets.yaml | 34 +++++++++++++++++----------------
 2 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index 0d7bb80..1ce5024 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,8 +4,10 @@
 # for a more complex example.
 keys:
 - &A_sky age1g4j0hun2ttt7h8870zf5pm7nqgw9p23r6mjj9vpm4guqetvth34s8v3t3w
+ - &S_tofu age1mfsjys8gzazkzurcpz2grcdljmzq0zvsllk8j7ssse6wt52jrglq5t59u8
 creation_rules:
 - path_regex: secrets\.yaml
 key_groups:
 - age:
 - *A_sky
+ - *S_tofu
diff --git a/secrets.yaml b/secrets.yaml
index 7a2d112..42c10f1 100644
--- a/secrets.yaml
+++ b/secrets.yaml
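Review bot: Adding `*S_tofu` to the single `creation_rules` entry for `secrets\.yaml` lets the tofu host key decrypt every secret in that file, not just `otfenv`; harmless while the file holds one secret, but once secrets for other hosts or services land there, a compromised tofu host can read them all. A per-host file (say `secrets/tofu.yaml` with its own `path_regex` rule naming `*A_sky` and `*S_tofu`) limits what each host key can open. If this key was derived from the host's SSH host key with ssh-to-age, as the devshell change suggests, its lifetime is tied to that SSH key, so a host-key rotation also means re-keying the file with `sops updatekeys`.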
@@ -1,25 +1,25 @@ -hello: ENC[AES256_GCM,data:Rq1GdoMwMFgQ7Bvy78aMmM6DferRk0Bn5J4VVI8a5x2PaaFbZBAfsADZewD8,iv:sgJJM2UO4KZ+qE8uzNmdhsBhJ3/arEZd4kNvqnK2bqo=,tag:FZHKmkX1VfQLYPP0mDTIiQ==,type:str] -example_key: ENC[AES256_GCM,data:h6UKojkibcw0wegDOQ==,iv:XVb8m9Ek4pNl6CCFU1MlxYusIOY6MBq9Z7lqoaG1/cM=,tag:FolHw4euj4PoqnTuuhlh4w==,type:str] -#ENC[AES256_GCM,data:2ivQ7NDtZHDNMiyK8hf/7Q==,iv:sFv9WyyHJb+tkbjRGnD4OfEYJWt8PQIGteIViVyihEU=,tag:chbHtXfFQb5OJsB3rrMQbg==,type:comment] -example_array: - - ENC[AES256_GCM,data:EQKOFW+qJ0Z/ooEr9Y0=,iv:732cR53nJfxctdVH0AZmfD/qBPoI7oPxemsYo4B92jQ=,tag:VMSYfVzTUAODwNtdz0xI6g==,type:str] - - ENC[AES256_GCM,data:3N1qsEA4L4YTw4qZjvs=,iv:mdCoLmqRA5OX3VpNM/f1AhmRIxOBvTswEvwPRadeYCQ=,tag:z9nueE2d4Kb/uWSCvK55jA==,type:str] -example_number: ENC[AES256_GCM,data:PSY/N8noNaQYug==,iv:189g+CnKC5lBdJBBTcA4HUC3i98ZXa5thARY8U42DyI=,tag:hdWoyngTGnBszqCW3I+wXQ==,type:float] -example_booleans: - - ENC[AES256_GCM,data:SFFumQ==,iv:G2iEbkil+oUuJCyxQAfaAMaXHPsOdAtdw8l8dnvqviY=,tag:WPfOOyjrWf/4p2UjoiILAQ==,type:bool] - - ENC[AES256_GCM,data:2GWLfxY=,iv:nSqxDcqvUeIDbvOoJlhW/lQs9j2iENsazpuZFUoOKc8=,tag:eh3HVtgzBrJjf0S9lGiqGQ==,type:bool] +otfenv: ENC[AES256_GCM,data:di+SAxH65nRJJFhBzKQ0VwRcLT9RrLfr9VLvZQUwfD60YlvWQD6lGoxsbLakdorBVLAFVda5wLxcH1AbhNP4sWkWsNQeI+GJrW8K8rz1,iv:uleGmUbinqQMU+d6jXJrtccKWSUBGAznK4o6zJtxd1Q=,tag:k5+ViYUJugp8glwl1vu2RA==,type:str] sops: age: - recipient: age1g4j0hun2ttt7h8870zf5pm7nqgw9p23r6mjj9vpm4guqetvth34s8v3t3w enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3aFBMUWVvV1UzRlgvaGd5 - TWtUd1VEa0RyYmxRUy9MVzA0OXdLOFU2MkhrCmMxYlVSZjFlSW9lN3RvUm8rUUht - N05aSUZ5UU51ZSt0Vzg3ZjkwRXVKSzAKLS0tIFJIaUtqMXhLcDZ3cnYyWFJRZ20z - cVpseXdzZHh6amduSFBUT1RMdkcxS2MKJhBQbcufwWc+kxFf/k/pHLClnPJkUucH - 6kEbeF+T49PoyxWyR1oXWhxC6Xuwcx+w3vA59gvP54Bx2Mrj2ylYwQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3MGZ5Z25rZjh1b2E5eWZk + ZUpyZXhrZVdtRTlCTUovMFd5dWpmZERtc0NvCk01UUdxVHFFZVliTDU2bmpSeWpK + 
My84a1Q3SzcyR0xQSHlQQmROaFlkOEEKLS0tIFBMaCtEbVhRb2tRcDBkS2Nkc3hO + eGtzRVVLamtXOEJEbDUvRHVaNDlaOVUKGDG+gUXU7GcvpfkgIStYg8KIW0jY2NTh + /eKWOfuH/8zz25Ye8zS1s7Yp5WiXi3rJSY2qS8PFq9PTmBzVEFoVpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-14T17:54:53Z" - mac: ENC[AES256_GCM,data:wxaNv7XOLCWKkrvESr4R09sVTxbm9Otm6ImuaCbFMKuZlvAsp93wi54W5YK+aOugZtMfEBrz648A7GaR0ahb0ggvuhiHgCH667dMGBUZCp81vVBvF5RMhoPaR6IXnrdlQN4ypmbj3p07T+1BBMG6MJVieoI/liHMn//UDbWWOKQ=,iv:Y1ZS1gIGnwABpTNx3afjTHMGRxr3iu2t9uvwZ6RR0Wc=,tag:+uwoTYioDywkke9gMhEkkA==,type:str] + - recipient: age1mfsjys8gzazkzurcpz2grcdljmzq0zvsllk8j7ssse6wt52jrglq5t59u8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VjRvcjQyV25McEZYSEVV + d0pON0NnUDlFdGZzaE9KZitSY09ISCt3VlhRCkx6MitueW5PYUdMWU4wRmVhTTJU + RkpWakNlYVlzcHVOT3gxdHZKUjJla1UKLS0tIG9SYTlUOXcwNFNzT29FazE4Z0g0 + MlJ1bjRvS0VQMkRFSG0yNDc5Y3lSM28KS50BUA6S61AJYZRefGbW76TotkDOv1FD + Q1CyfEDDkrhbUPtPeOagG3tStP9ZfkRRfmm7TzkB4PfHDTpfAg6V/g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-14T18:26:35Z" + mac: ENC[AES256_GCM,data:FmHsg5h50Za2WUFe00ZRIw3RR8sKDj2X2ZjtaXhkdcHKMKxvycs9Uh77hHXWK7/70YBxEDv8Ry32lFF+n2tHHC0FFXSXlWyaW0ydiIH/ruHoF/fa5ZnTjFpTxSo1o0iARl+lfe5MjfAyYgplWOxXCzXajgYGZbr4CkMofHQBeuI=,iv:3hOEmXqBv9aupUw89hUd9+s39Pt1//NTZLCb9CXaP9w=,tag:A2PPg7JOuXGXlq6RVUbD6g==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 From 717c5b98808b6c08b24cfd7642d440c0d5126a2c Mon Sep 17 00:00:00 2001 From: Jermeiah S Date: Sat, 14 Jun 2025 14:58:50 -0400 Subject: [PATCH 4/4] secrets: now fully reliant --- modules/nixos/common/otf.nix | 13 +++++-------- secrets.yaml | 6 +++--- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/modules/nixos/common/otf.nix b/modules/nixos/common/otf.nix index 27692fe..bbc8e03 100644 --- a/modules/nixos/common/otf.nix +++ b/modules/nixos/common/otf.nix 
@@ -36,14 +36,11 @@ in
 );
 default = {
 OTF_ADDRESS = "localhost:9000";
- OTF_SITE_TOKEN = "my-token";
- OTF_SSL = "false";
- # the application needs a secret for encryption and other things
- # TODO: make mechanism to load via file
- OTF_SECRET = "f73e55eada59bd1c37d69ae3bbacd982";
- # more options can be set but these are a reminder for myself
- OTF_CERT_FILE = "";
- OTF_KEY_FILE = "";
+ # OTF_SITE_TOKEN = "my-token";
+ # OTF_SSL = "false";
+ # OTF_SECRET = "";
+ # OTF_CERT_FILE = "";
+ # OTF_KEY_FILE = "";
 };
 description = "Environment variables for the OTF service.";
 };
diff --git a/secrets.yaml b/secrets.yaml
index 42c10f1..f901c48 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,4 +1,4 @@
-otfenv: ENC[AES256_GCM,data:di+SAxH65nRJJFhBzKQ0VwRcLT9RrLfr9VLvZQUwfD60YlvWQD6lGoxsbLakdorBVLAFVda5wLxcH1AbhNP4sWkWsNQeI+GJrW8K8rz1,iv:uleGmUbinqQMU+d6jXJrtccKWSUBGAznK4o6zJtxd1Q=,tag:k5+ViYUJugp8glwl1vu2RA==,type:str]
+otfenv: ENC[AES256_GCM,data:HwZC2IPM9w5FqFlpc/zLA+m9bSC6m19hnvuS103Iwct84QM/HHkez3pdLdCZM5tNZN+oItxMHcIizbcA7mQn1eezdt+Pb9RC4hk=,iv:rcvPhmVEg79XPpJ6o8/DBP4YgN+lgjvxLB1mJYARdCo=,tag:SSZiiKngO+vWjcEppnhARg==,type:str]
 sops:
 age:
 - recipient: age1g4j0hun2ttt7h8870zf5pm7nqgw9p23r6mjj9vpm4guqetvth34s8v3t3w
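Review bot: With `OTF_SECRET` dropped from the `environment` default, the daemon's secret now comes solely from `environmentFile`, yet that option's default is still `lib.types.null` from the first patch and nothing in this hunk shows the service unit reading it; unless the unit passes `cfg.environmentFile` as its `EnvironmentFile` somewhere outside this hunk, OTF starts with no secret at all. An assertion makes the dependency explicit and fails the build instead of the service: `assertions = [ { assertion = cfg.environmentFile != null; message = "otf: environmentFile must be set; it supplies OTF_SECRET"; } ];`. The removed literal `OTF_SECRET = "f73e55eada59bd1c37d69ae3bbacd982"` stays in git history and in any system closure built from it, so treat that value as exposed and generate a fresh one for the sops file rather than moving it over. The commented-out keys left in `default` would serve better as an `example = { ... };` on the option, where they also appear in the generated option docs. The `environment` option and its enclosing options set start outside the hunk.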
@@ -19,7 +19,7 @@ sops: MlJ1bjRvS0VQMkRFSG0yNDc5Y3lSM28KS50BUA6S61AJYZRefGbW76TotkDOv1FD Q1CyfEDDkrhbUPtPeOagG3tStP9ZfkRRfmm7TzkB4PfHDTpfAg6V/g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-14T18:26:35Z" - mac: ENC[AES256_GCM,data:FmHsg5h50Za2WUFe00ZRIw3RR8sKDj2X2ZjtaXhkdcHKMKxvycs9Uh77hHXWK7/70YBxEDv8Ry32lFF+n2tHHC0FFXSXlWyaW0ydiIH/ruHoF/fa5ZnTjFpTxSo1o0iARl+lfe5MjfAyYgplWOxXCzXajgYGZbr4CkMofHQBeuI=,iv:3hOEmXqBv9aupUw89hUd9+s39Pt1//NTZLCb9CXaP9w=,tag:A2PPg7JOuXGXlq6RVUbD6g==,type:str] + lastmodified: "2025-06-14T18:56:57Z" + mac: ENC[AES256_GCM,data:oPKok5QCr8edihXzZUZl3+5Abss6OMas4rYqQZWeLkkIX+b3uzCi0p6KJsZK1SyxZC48Wa4ax8cGLb1BOIQVCjyR80OkXDzQACee9War2LVceXcoT1ARqgl21nthmckLxYzs+YOxWbB3gFQNOD09aeenLpSJUzMM7kDV901sCVg=,iv:ywJaJYj2xrNkgQsWZJF51ZUAwBwMk14eQDe9EC6EXaQ=,tag:GQlHIofanq/yETLbAqS2Nw==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2