move secrets out of modules into relevant config files

2025-02-18 18:57:32 -08:00 · 2024-09-14 08:47:56 -07:00 · 2024-09-14 08:47:56 -07:00 · 9be3ce3f96
commit 9be3ce3f96
parent 6ee5593da6
13 changed files with 78 additions and 64 deletions
--- a/provision/hosts/bulwark/configuration.nix
+++ b/provision/hosts/bulwark/configuration.nix
@ -46,7 +46,6 @@
      nipr.enable = true;
      ssh.enable = true;
      terminal.enable = true;
-      secrets.enable = true;
      wireguard-client.enable = false;
    };
  };
--- a/provision/hosts/default/configuration.nix
+++ b/provision/hosts/default/configuration.nix
@ -1,4 +1,4 @@
-{ config, pkgs, user, lib, ... }:
+{ config, pkgs, user, lib, inputs, ... }:
 {
  nix = {
    package = pkgs.nixFlakes;
@ -46,6 +46,7 @@
  
  environment.systemPackages = with pkgs; [
    cowsay # A program which generates ASCII pictures of a cow with a message
+    inputs.agenix.packages.x86_64-linux.default 
  ];

  # Did you read the comment?
--- a/provision/hosts/default/default.nix
+++ b/provision/hosts/default/default.nix
@ -1,4 +1,4 @@
 { ... }:
 { 
-  imports = [ ./backup.nix ./configuration.nix ./home-configuration.nix ];
+  imports = [ ./git.nix ./backup.nix ./configuration.nix ./home-configuration.nix ];
 }
--- a/provision/hosts/default/git.nix
+++ b/provision/hosts/default/git.nix
@ -0,0 +1,15 @@
+{ config, pkgs, user, lib, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    git # Version control system for tracking changes in source code during software development.
+    git-annex # Manages files with git, without checking the file contents into git.
+    lazygit # Terminal-based GUI for git, making it easier to use and visualize git repositories.
+  ];
+
+  age.secrets."git/github_personal" = {
+    file = ../../secrets/git/github_personal.age;
+    owner = "${user}";
+    group = "users";
+  };
+}
+          
--- a/provision/hosts/kestrel/backup.nix
+++ b/provision/hosts/kestrel/backup.nix
@ -1,9 +1,33 @@
 { config, pkgs, user, lib, ... }:
 {
+  age.secrets."ssh/torus/id_ed25519.pub" = {
+    file = ../../secrets/ssh/torus/id_ed25519.pub.age;
+    owner = "${user}";
+    group = "users";
+  };
+  age.secrets."ssh/kestrel/id_ed25519" = {
+    file = ../../secrets/ssh/kestrel/id_ed25519.age;
+    owner = "${user}";
+    group = "users";
+  };
+  age.secrets."ssh/kestrel/id_ed25519.pub" = {
+    file = ../../secrets/ssh/kestrel/id_ed25519.pub.age;
+    owner = "${user}";
+    group = "users";
+  };
+
  # Password-less logins for backup
  users.users."${user}".openssh.authorizedKeys.keyFiles = [
    config.age.secrets."ssh/torus/id_ed25519.pub".path
  ];
+
+  # Password-less login for root
+  programs.ssh.extraConfig = ''
+    Host torus 
+      AddKeysToAgent yes
+      IdentityFile /run/agenix/ssh/kestrel/id_ed25519 
+  '';
+
  systemd.tmpfiles.rules = [
    "d /store 0775 ${user} users -"
  ];
--- a/provision/hosts/kestrel/configuration.nix
+++ b/provision/hosts/kestrel/configuration.nix
@ -61,7 +61,6 @@
    };
    system = {
      nipr.enable = true;
-      secrets.enable = true;
      ssh.enable = true;
      terminal.enable = true;
      wireguard-client = {
--- a/provision/hosts/shivan/configuration.nix
+++ b/provision/hosts/shivan/configuration.nix
@ -49,7 +49,6 @@
    };
    system = {
      nipr = true;
-      secrets.enable = true;
      ssh.enable = true;
      terminal.enable = true;
      wireguard-client.enable = false;
--- a/provision/hosts/torus/backup.nix
+++ b/provision/hosts/torus/backup.nix
@ -1,8 +1,31 @@
 { config, pkgs, user, lib, ... }:
 {
-  # Password-less logins for backup
+  age.secrets."ssh/kestrel/id_ed25519.pub" = {
+    file = ../../secrets/ssh/kestrel/id_ed25519.pub.age;
+    owner = "${user}";
+    group = "users";
+  };
+  age.secrets."ssh/torus/id_ed25519" = {
+    file = ../../secrets/ssh/torus/id_ed25519.age;
+    owner = "${user}";
+    group = "users";
+  };
+  age.secrets."ssh/torus/id_ed25519.pub" = {
+    file = ../../secrets/ssh/torus/id_ed25519.pub.age;
+    owner = "${user}";
+    group = "users";
+  };
+
+  # Password-less login for user
  users.users."${user}".openssh.authorizedKeys.keyFiles = [
    config.age.secrets."ssh/kestrel/id_ed25519.pub".path
  ];
+
+  # Password-less login for root
+  programs.ssh.extraConfig = ''
+    Host kestrel
+      AddKeysToAgent yes
+      IdentityFile /run/agenix/ssh/torus/id_ed25519 
+  '';
 }
          
--- a/provision/hosts/torus/configuration.nix
+++ b/provision/hosts/torus/configuration.nix
@ -102,7 +102,6 @@
    system = {
      terminal.enable = true;
      ssh.enable = true;
-      secrets.enable = true;
    };
  };

--- a/provision/modules/gaming/emulation.nix
+++ b/provision/modules/gaming/emulation.nix
@ -21,5 +21,16 @@ in {
        ];
      })
    ];
+
+    age.secrets."emu/switch/prod.keys" = {
+      file = ../../secrets/emu/switch/prod.keys.age;
+      owner = "${user}";
+      group = "users";
+    };
+    age.secrets."emu/switch/title.keys" = {
+      file = ../../secrets/emu/switch/title.keys.age;
+      owner = "${user}";
+      group = "users";
+    };
  };
 }
--- a/provision/modules/system/default.nix
+++ b/provision/modules/system/default.nix
@ -1,4 +1,4 @@
 { ... }:
 {
-  imports = [ ./nipr.nix ./secrets.nix ./ssh.nix ./terminal.nix ./wireguard-client.nix ];
+  imports = [ ./nipr.nix ./ssh.nix ./terminal.nix ./wireguard-client.nix ];
 }
--- a/provision/modules/system/secrets.nix
+++ b/provision/modules/system/secrets.nix
@ -1,53 +0,0 @@
-{ config, lib, pkgs, user, inputs, ... }:
-
-let cfg = config.modules.system.secrets;
-in {
-  options.modules.system.secrets.enable = lib.mkEnableOption "secrets";
-  config = lib.mkIf cfg.enable {
-     
-    environment.systemPackages = [
-      inputs.agenix.packages.x86_64-linux.default 
-    ];
-   
-    # git secrets
-    age.secrets."git/github_personal" = {
-      file = ../../secrets/git/github_personal.age;
-      owner = "${user}";
-      group = "users";
-    };
-
-    # ssh secrets
-    age.secrets."ssh/kestrel/id_ed25519" = {
-      file = ../../secrets/ssh/kestrel/id_ed25519.age;
-      owner = "${user}";
-      group = "users";
-    };
-    age.secrets."ssh/kestrel/id_ed25519.pub" = {
-      file = ../../secrets/ssh/kestrel/id_ed25519.pub.age;
-      owner = "${user}";
-      group = "users";
-    };
-    age.secrets."ssh/torus/id_ed25519" = {
-      file = ../../secrets/ssh/torus/id_ed25519.age;
-      owner = "${user}";
-      group = "users";
-    };
-    age.secrets."ssh/torus/id_ed25519.pub" = {
-      file = ../../secrets/ssh/torus/id_ed25519.pub.age;
-      owner = "${user}";
-      group = "users";
-    };
-
-    # emu secrets
-    age.secrets."emu/switch/prod.keys" = {
-      file = ../../secrets/emu/switch/prod.keys.age;
-      owner = "${user}";
-      group = "users";
-    };
-    age.secrets."emu/switch/title.keys" = {
-      file = ../../secrets/emu/switch/title.keys.age;
-      owner = "${user}";
-      group = "users";
-    };
-  };
-}
--- a/provision/modules/system/terminal.nix
+++ b/provision/modules/system/terminal.nix
@ -6,9 +6,6 @@ in {
  config = lib.mkIf cfg.enable {

    environment.systemPackages = with pkgs; [
-      git # Version control system for tracking changes in source code during software development.
-      git-annex # Manages files with git, without checking the file contents into git.
-      lazygit # Terminal-based GUI for git, making it easier to use and visualize git repositories.
      killall # Command-line utility to terminate processes by name.
      pciutils # Utilities for inspecting and manipulating devices connected to the PCI bus.
      chezmoi # Manages your dotfiles across multiple machines, ensuring consistency and version control.