From 5c42594d5d266e238716e6405b99f5103ca4c19b Mon Sep 17 00:00:00 2001
From: clerie
Date: Thu, 2 May 2024 11:31:54 +0200
Subject: [PATCH 1/6] configuration/gpg-ssh: Enable users to restart pcscd themself
---
configuration/desktop/default.nix | 1 +
configuration/desktop/polkit.nix | 7 +++++++
configuration/gpg-ssh/default.nix | 15 +++++++++++++++
3 files changed, 23 insertions(+)
create mode 100644 configuration/desktop/polkit.nix
diff --git a/configuration/desktop/default.nix b/configuration/desktop/default.nix
index 77fa67a..9f446d7 100644
--- a/configuration/desktop/default.nix
+++ b/configuration/desktop/default.nix
@@ -7,6 +7,7 @@
 ./gnome.nix
 ./inputs.nix
 ./networking.nix
+ ./polkit.nix
 ./power.nix
 ./printing.nix
 ./ssh.nix
diff --git a/configuration/desktop/polkit.nix b/configuration/desktop/polkit.nix
new file mode 100644
index 0000000..c1fabf1
--- /dev/null
+++ b/configuration/desktop/polkit.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+
+ security.polkit.enable = true;
+
+}
diff --git a/configuration/gpg-ssh/default.nix b/configuration/gpg-ssh/default.nix
index 1c29905..124e86a 100644
--- a/configuration/gpg-ssh/default.nix
+++ b/configuration/gpg-ssh/default.nix
@@ -19,6 +19,21 @@
 services.pcscd.enable = true;
+ # pcscd sometimes breaks and seem to need a manual restart
+ # so we allow users to restart that service themself
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (
+ action.id == "org.freedesktop.systemd1.manage-units"
+ && action.lookup("unit") == "pcscd.service"
+ && action.lookup("verb") == "restart"
+ && subject.isInGroup("users")
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
+
 services.udev.packages = with pkgs; [
 yubikey-personalization
 ];
From e413204215415f6cf1b6de2868a76accccaa87ab Mon Sep 17 00:00:00 2001
From: clerie
Date: Thu, 2 May 2024 12:10:39 +0200
Subject: [PATCH 2/6] users/clerie: Assign dedicated group
---
users/clerie/default.nix | 4 ++++
1 file changed, 4 insertions(+)
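Review bot: The rule added under `security.polkit.extraConfig` returns `polkit.Result.YES` for every member of group `users` regardless of session state; polkit rules that open up unit management normally also require the caller to be the person at the console, i.e. `&& subject.isInGroup("users") && subject.local && subject.active`, so a remote or background login cannot bounce the daemon. On NixOS `users` is the default primary group of normal users, so as written this is effectively "any normal user" rather than an opt-in group — worth stating in the comment so the scope is deliberate. Polkit rules are JavaScript, so `===` is the stricter form of the four `==` comparisons. The rule only has an effect on hosts where `security.polkit.enable` is set, which this series does in the desktop module rather than here, so a host importing gpg-ssh alone presumably gets no rule — confirm that is intended.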
diff --git a/users/clerie/default.nix b/users/clerie/default.nix
index 9b86587..d9d939b 100644
--- a/users/clerie/default.nix
+++ b/users/clerie/default.nix
@@ -3,7 +3,9 @@
 {
 users.users.clerie = {
 isNormalUser = true;
+ group = "clerie";
 extraGroups = [
+ "users"
 "wheel"
 "dialout"
 ];
@@ -13,4 +15,6 @@
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnUBblmmVoMMBftn4EnwnzqR12m9zill51LpO124hHb10K2rqxNoq8tYSc2pMkV/3briZovffpe5SzB+m2MnXbtOBstIEXkrPZQ78vaZ/nLh7+eWg30lCmMPwjf2wIjlTXkcbxbsi7FbPW7FsolGkU/0mqGhqK1Xft/g7SnCXIoGPSSrHMXEv5dPPofCa1Z0Un+98wQTVfOSKek6TnIsfLbG01UFQVkN7afE4dqSmMiWwEm2PK9l+OiBA2/QzDpbtu9wsfTol4c192vFEWR9crB2YZ1JlMbjVWHjYmB7NFsS0A6lUOikss0Y+LUWS2/QuM/kqybSo4rasZMAIazM6D clerie"
 ];
 };
+
+ users.groups.clerie = {};
 }
From 730903d0d8a7f754523761ffd499b5a854ac4347 Mon Sep 17 00:00:00 2001
From: clerie
Date: Thu, 2 May 2024 12:28:22 +0200
Subject: [PATCH 3/6] pkgs/clerie-sops: Do not write back unchanged values in clerie-sops-edit
---
pkgs/clerie-sops/clerie-sops-edit.sh | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/pkgs/clerie-sops/clerie-sops-edit.sh b/pkgs/clerie-sops/clerie-sops-edit.sh
index 220660a..a1bdb52 100755
--- a/pkgs/clerie-sops/clerie-sops-edit.sh
+++ b/pkgs/clerie-sops/clerie-sops-edit.sh
@@ -16,8 +16,17 @@ TMP_FILE="$(mktemp)"
 clerie-sops --decrypt --extract "[\"${KEY}\"]" "${SECRETS_FILE}" > "${TMP_FILE}"
+TMP_FILE_HASH_BEFORE="$(sha256sum "${TMP_FILE}")"
+
 vim "${TMP_FILE}"
+TMP_FILE_HASH_AFTER="$(sha256sum "${TMP_FILE}")"
+
+# Don't write value back when it hasn't changed
+if [[ "${TMP_FILE_HASH_BEFORE}" == "${TMP_FILE_HASH_AFTER}" ]]; then
+ exit 0
+fi
+
 JSON_QUOTED_SECRET="$(jq -Rs '.' "${TMP_FILE}")"
 rm "${TMP_FILE}"
From b8e666c0750b13871a8a542eee52b92ed8e6de66 Mon Sep 17 00:00:00 2001
From: clerie
Date: Thu, 2 May 2024 12:39:12 +0200
Subject: [PATCH 4/6] pkgs/clerie-sops: Properly escape json in clerie-sops-edit
---
pkgs/clerie-sops/clerie-sops-edit.sh | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
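Review bot: `users.groups.clerie = {};` pins no `gid`, so the numeric id is whatever NixOS allocates on first activation; if files owned by this group ever live on storage that outlives a reinstall, pin it (`users.groups.clerie = { gid = <CHOSEN_GID>; };`, value to be picked) so ownership stays stable. Files already in the home directory keep their previous group after the primary group switches to `clerie`, so a one-off `chgrp` may be wanted — inferred, not visible here. Keeping `"users"` in `extraGroups` is what the pcscd polkit rule earlier in this series keys on, so the two changes are consistent.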
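Review bot: The new early `exit 0` returns before the `rm "${TMP_FILE}"` at the end of the hunk, so whenever the value is unchanged the decrypted secret is left behind in the mktemp file; under `set -euo pipefail` the same happens whenever vim, sha256sum or jq fails. Register the cleanup right after `TMP_FILE="$(mktemp)"` (the line just above this hunk), `trap 'rm -f "${TMP_FILE}"' EXIT`, which covers the unchanged path and every error exit and makes the trailing `rm` redundant. The `sha256sum` output includes the file name, but both sides hash the same path, so the comparison is sound.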
diff --git a/pkgs/clerie-sops/clerie-sops-edit.sh b/pkgs/clerie-sops/clerie-sops-edit.sh
index a1bdb52..79e2b95 100755
--- a/pkgs/clerie-sops/clerie-sops-edit.sh
+++ b/pkgs/clerie-sops/clerie-sops-edit.sh
@@ -7,6 +7,7 @@ set -euo pipefail
 SECRETS_FILE="$1"
 KEY="$2"
+KEY_SELECTOR="$(jq -Rsc '[.]' <(echo -n "${KEY}"))"
 if [[ -n $EDITOR ]]; then
 EDITOR=vim
@@ -14,7 +15,7 @@ fi
 TMP_FILE="$(mktemp)"
-clerie-sops --decrypt --extract "[\"${KEY}\"]" "${SECRETS_FILE}" > "${TMP_FILE}"
+clerie-sops --decrypt --extract "${KEY_SELECTOR}" "${SECRETS_FILE}" > "${TMP_FILE}"
 TMP_FILE_HASH_BEFORE="$(sha256sum "${TMP_FILE}")"
@@ -27,8 +28,8 @@ if [[ "${TMP_FILE_HASH_BEFORE}" == "${TMP_FILE_HASH_AFTER}" ]]; then
 exit 0
 fi
-JSON_QUOTED_SECRET="$(jq -Rs '.' "${TMP_FILE}")"
+JSON_QUOTED_SECRET="$(jq -Rsc '.' "${TMP_FILE}")"
 rm "${TMP_FILE}"
-clerie-sops --set "[\"${KEY}\"] ${JSON_QUOTED_SECRET}" "${SECRETS_FILE}"
+clerie-sops --set "${KEY_SELECTOR} ${JSON_QUOTED_SECRET}" "${SECRETS_FILE}"
From c8c9526241c2c8d7a3bd49dd962b768e7406f24a Mon Sep 17 00:00:00 2001
From: clerie
Date: Thu, 2 May 2024 13:10:17 +0200
Subject: [PATCH 5/6] hosts/storage-2: Migrate secrets to sops
---
hosts/storage-2/firmware.nix | 4 +--
hosts/storage-2/mixcloud.nix | 6 ++--
hosts/storage-2/secrets.json | 28 +++++++++++++++++++
hosts/storage-2/secrets/firmware-htpasswd.age | 10 -------
hosts/storage-2/secrets/mixcloud-htpasswd.age | 10 -------
hosts/storage-2/secrets/wg-monitoring.age | 9 ------
6 files changed, 33 insertions(+), 34 deletions(-)
create mode 100644 hosts/storage-2/secrets.json
delete mode 100644 hosts/storage-2/secrets/firmware-htpasswd.age
delete mode 100644 hosts/storage-2/secrets/mixcloud-htpasswd.age
delete mode 100644 hosts/storage-2/secrets/wg-monitoring.age
diff --git a/hosts/storage-2/firmware.nix b/hosts/storage-2/firmware.nix
index 4ba6b5d..00ca603 100644
--- a/hosts/storage-2/firmware.nix
+++ b/hosts/storage-2/firmware.nix
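Review bot: `KEY_SELECTOR` is built from `echo -n "${KEY}"`, and bash's builtin echo treats a key such as `-e` or `-n` as an option rather than data, so those keys are encoded wrong; `KEY_SELECTOR="$(printf '%s' "${KEY}" | jq -Rsc '[.]')"` encodes any key exactly and drops the process substitution. The context line `if [[ -n $EDITOR ]]; then` two lines below the new one is inverted — it replaces an already-set editor with vim — and under `set -u` it aborts when `EDITOR` is unset; `if [[ -z "${EDITOR:-}" ]]; then` is the intended test, and the later edit step invokes `vim` literally rather than `"${EDITOR}"` (visible in the previous patch's hunk, not this one). The selector change is applied consistently to both the `--extract` and `--set` calls in the second and third hunks.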
@@ -3,7 +3,7 @@ with lib;
 {
- age.secrets.firmware-htpasswd = {
+ sops.secrets.firmware-htpasswd = {
 owner = "nginx";
 group = "nginx";
 };
@@ -14,7 +14,7 @@ with lib;
 forceSSL = true;
 locations."/" = {
 alias = "/data/firmware/";
- basicAuthFile = config.age.secrets.firmware-htpasswd.path;
+ basicAuthFile = config.sops.secrets.firmware-htpasswd.path;
 extraConfig = ''
 autoindex on;
 autoindex_exact_size off;
diff --git a/hosts/storage-2/mixcloud.nix b/hosts/storage-2/mixcloud.nix
index 7b81c0d..10fada4 100644
--- a/hosts/storage-2/mixcloud.nix
+++ b/hosts/storage-2/mixcloud.nix
@@ -46,7 +46,7 @@ let
 );
 in {
- age.secrets.mixcloud-htpasswd = {
+ sops.secrets.mixcloud-htpasswd = {
 owner = "nginx";
 group = "nginx";
 };
@@ -57,7 +57,7 @@ in {
 forceSSL = true;
 locations."/" = {
 alias = "/data/mixcloud/";
- basicAuthFile = config.age.secrets.mixcloud-htpasswd.path;
+ basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
 extraConfig = ''
 autoindex on;
 autoindex_exact_size off;
@@ -65,7 +65,7 @@ in {
 };
 locations."/media/" = {
 alias = "/data/media/";
- basicAuthFile = config.age.secrets.mixcloud-htpasswd.path;
+ basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
 extraConfig = ''
 autoindex on;
 autoindex_exact_size off;
diff --git a/hosts/storage-2/secrets.json b/hosts/storage-2/secrets.json
new file mode 100644
index 0000000..fc59be0
--- /dev/null
+++ b/hosts/storage-2/secrets.json
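Review bot: `wg-monitoring` is carried into the new secrets.json and its `.age` file is deleted, but no Nix file in this commit's diffstat switches a consumer from `age.secrets.wg-monitoring` to `sops.secrets.wg-monitoring`, so either a consumer outside this diff now references a removed file or the entry is unused — worth checking before merge. The `sops.secrets.firmware-htpasswd` declaration here (and the `mixcloud-htpasswd` one in the hunks below) names no `sopsFile`, so both rely on `sops.defaultSopsFile` and a format suited to a JSON file being set for this host elsewhere, which I cannot see from this diff. A short comment on the declaration, `# decrypted from hosts/storage-2/secrets.json via sops.defaultSopsFile`, would make that dependency visible to the next reader.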
@@ -0,0 +1,28 @@ +{ + "firmware-htpasswd": "ENC[AES256_GCM,data:ylMqgwtpUNRBatpPqbUI+NB3l5mOHr1SVT5uQg0nP0LRG2oLIFnyYh9eYYVGu5iAA6pxL/7gtRwQNVCvA1JSuGcJ,iv:zO6xNv8MxnslYTCwd3GtWFa+ps1iOF1za9QnpJpOGvc=,tag:CNsFnwvjkWqHc4Bsn1Rynw==,type:str]", + "mixcloud-htpasswd": "ENC[AES256_GCM,data:RblDvL92Vm0jsKInl9oKiX5z4VTnAy4tSpmecWp0bNOX338NCDlu297k5Bqw,iv:+d84h4Spmin2w8kHONG3qlIRbaWXSjRlS444FwRXby0=,tag:IbixitLWxScQA+fsnmXWgA==,type:str]", + "wg-monitoring": "ENC[AES256_GCM,data:toOPf8RottCJag7I5x59/0ggbORyq1SdcZJfVQw96NbZZ8gaaeYnaSsxq7Q=,iv:clPx1xB04W0RTkudwNXYRLjxCSAB7CCTRRBoNwYQVVc=,tag:2iROztOF91tt3WuZssgr4w==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13grrd0zhs6r56ge7jqht6q3ptsr5cmw7nhuyqqjjl708e6zycakstrrrl9", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwb2JreUo3VGFkMkZJa3Jv\nVUlNOUsxZElzaGV5bnNHZ0gycnZnTW5WUGtRClR6Tmk4cEg0clA3SUJnQjVCVzdP\nTi9BZUttWmxHYkNPeWtCZkhTd1lEMUEKLS0tIHVpOVc1YXR1VkJCa3pBcWJxdmdB\nR2Q1T0VXMHljb3d3R3lkUEJaT3ErRzAKximuwssNcIW5QAsygUEpUGNtHV9/UeuN\n6CD8OeyTg7QkNhP/lZZctN7cPMXIHaPCnj7tuzH8sRJtZZHM5vBKhg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-05-02T10:49:41Z", + "mac": "ENC[AES256_GCM,data:9Ru61GXs1b4aOlqDGWjc8yKaLh02zZlld1udCLgtCfBnEQFHsBuR4uZIOIoS4YBpBB6KsX5ocIcJ7581AL0+2wjQ4LfopDO3kVTjxGGtxcbfOahluACH6TLdUIXFLDR+v7dTAA+/rqt6ogtIo2c1Wbu88OR/aSVe9akx8jUhabw=,iv:yNFmyHPq/c83ILDa2igJpu2d0gd8Oyieyjc3k3TTr9Y=,tag:66CHYLcNif1aCzkSs4M/Vg==,type:str]", + "pgp": [ + { + "created_at": "2024-05-02T10:48:16Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/9GpO3+kXtPL7TNX8upozCD/fnrtqy7GNpzYu69NEG5YKg\nm/gXla8KZGYcsZJJsbyBnBrU4MxLhHb0Pc7voMlEEng8x2nOa/kD8yrr3DUExV+M\n+tOvipiy5qdrkS4/sVt3EAyvnzEJUBs/H/ynTvjG962V/21PsCFz7uBbMUoHGY/a\n4nwO1ElG5AoM2Q5HIqC13mijnXtTbMvd9XAweqZhtvhyrZ3opX1GRxEZrFLiGZG1\ncG23H/IxHDBNlHgwIlT0SKbT1z4WgKLRsRPxuDpIAV5CUYJAzlqj37q8MCP89OQQ\n5XAN1y/i0g+1O19fcKmfNTH8yz55kFuaPFH8Y3OOEftr1v/5bmMz14ot+UXai6gb\nCpGjDmQzcxDm8izUIqSniD7rgrFsw8UACBt1QM7IzsXFKsWwRYQ+nwOBhr5mNJVu\n8halA+ZYfW/a4wvJMnZpH2Jlbv/sf+2yKWYqBwnefalPQ91ZLnse8Keg0FHliqYi\n0BZK+DSUSIMwz1ZPm56bRPUrwrILpu51SuL/UuPKO8hI+GqSN2aQD9HJ7firHcy+\nCVm1pbIeJ/mSq3370R/C/pxzvvn6MJ8y3fOiTdNFAOYYlzqlu8gHLjZOCdU6RVCC\nYE6LWfh2d2WyaeY4VCUYNll+g3lokTx6eT1+Nc4ayP/uqudjPmbjY3etEystxnmF\nAgwDvZ9WSAhwutIBD/sGKzl6LhYaL4Mu0/GIE9dIOBvblGQn6Sf9fkCIZ84PnfS+\n7H3aMI25giGSqcouFQap3/swduTqEMn2QgsDQEstpToGT8Si847087s++LbmbEz4\nGmMAR2Dml3pXRDUxOOqyvxpyQnyyfTQE29x7kQvfqFdlFYVeyPT8jYN4yW4Wrz+N\neV0oOVwcrtyYCLzR2k5IkwWOUWnPhBMrUNnnw5kLEU7r6ECgA64qPqrReL7T9Hic\nM4Z8wt7F1nQvuwHISCRUd282PGyyhkj0Rcib+KuHRhUFGpbKnWOKBrTrq3DaQQAw\ngoP7Y6SXcvyaAHE8Abf2XDYSkztYlpZHb0DWP+Ckjhwcn2qS9nhA6Cje9UAMP289\nrsLjN+pg+5urhlZBUswCesf23eS3vaCVeLbDxbiYbDunz/ksD523LFkDvw8t/DaE\nGz+iib2UGld42gBM/NJNpA8mN8R9iUZMGoMDC51/fFqAcC4d3kAdczh0W9V0/cUb\nsfkDFKFxPZmC3nC/KIC1L5vm2xhcR+tzS64jh4HU3PYW9Dfsxi7QWjoC7TTCrHzt\nqgMdYyAFZQqGb/g5r1/OyhPOIJTRFRPBlO6wpi04ksIb9oGmllDMa0ebpDpsxo8J\n0b913T+t1ivwPzJTDvDcQR7xn4S5QmLsQIZxaa+7rQO6sfkgzSLAuFHRG2La14UC\nDAM1GWv08EiACgEP/iZXnM72tWzU2w3LTa2DdfaVRXUiGokXAs4owZBesdrMIIqs\ncD1WTCitCnZf9z2alKncaHI7sI4lKydF+nNIqBjh0vBU+9PlkAGWqWA3WDhJygGn\nge7y9JoxTqskGEarSn8eL0neuBRfwwueP//xIZkfTTmevoM8hktnYJHHl0A09Bow\n25B9Ur558x7RdZhoz5m9YZWeAIy4HEWPaSPxc9afepPktmdqmbwg3kpr5rWHLb5e\n30/aU+bocKdRcAksB+kgkHfEckE11tafo/r/C2nsHdz8WKVko9lXQDAvML8eJsoO\n8T8YR3SNQPPl+uTGIeKYnK94P1o+Ro6mOJOi0Whia2TJE5qOTnbjjNB2Wo5nc2r7\nGpX8PnkAazJzjBwgI0iFZildlGcKM4clgcblU9v+2r/exNXYXM57Yf59+5W8tplZ\nF6Lq2TPRofa8ej2vkWL6esQmUlM4BSE1WvbQXYXDFVQjuVQGX0FA67dUoNP7jjqU\nN12q
OjCUIJ2qX3o4+0wKGnsCL+xb47P7JPhtiyyYx3oVsxXSFwhvow6iCgCa3P71\nN+rvUmZNA5tfMDEaZQTHe381viO/nhumT4lrgDRS22DX1gIFe3tRs79NQQXlLvsV\nL0EyfhUDO6mnkDoKOZw43w8n0qvkhhZ89/lBWWp4kWuwWoW9/AKa1ZzINHX61GgB\nCQIQHpIHxtY5bjVgWuvo/RkjcILqOFEit6MH3SsLdM1RciDZfZxAj5YxvzLIw36c\nx1RtrKqxKveIZfuxh6bZwKgjkxTNaZTgqs7fz9JrGqiC+ghRWVDyQX/psRyb6fBp\n9/FTV7l6mQ==\n=61m1\n-----END PGP MESSAGE-----", + "fp": "0C982F87B7AFBA0F504F90A2629E741947C87928" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/hosts/storage-2/secrets/firmware-htpasswd.age b/hosts/storage-2/secrets/firmware-htpasswd.age deleted file mode 100644 index efcf094..0000000 --- a/hosts/storage-2/secrets/firmware-htpasswd.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 HwR33w AtsznTAUQumy3G6fSBwIiezL2Zdzl33t9TU3hDotcRs -eG+bBDB+MOQk7cHx+3Ha/n83t2QEbZunRYi0idRF9RQ --> ssh-ed25519 pI7EWw egjmvw3f6zrl0XmxI7xWhKsPl8PXTkZDSY84VbtJTG4 -MFsjDhp5UrprE3w7q9W3ZmGlkNnOFbsJNVjfeO11trw --> 0=-grease Fi`a + >zPFov* a -nx2zvPHhzkSNi/8oxnL07qefB248BCwJMjpVTc8i5j5aedELas87iI/WppKoa/tq -/jYLHztLjqKy412YvA0xuzR6yZ7G ---- 7M+CSupk4WV36DU/c8ZtODB6N8kuhttk4aLMULp8/Zc -!UթұmL saYh?Uaqa} Ž l@Eqǘw䍯*.L ѓJeFy@= J \ No newline at end of file diff --git a/hosts/storage-2/secrets/mixcloud-htpasswd.age b/hosts/storage-2/secrets/mixcloud-htpasswd.age deleted file mode 100644 index 0e8e59f..0000000 --- a/hosts/storage-2/secrets/mixcloud-htpasswd.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 HwR33w Q6P3HFyTE3FEsrjnBx3TWIdv16GYLdAmnTZE2W5uex4 -A30r0PifK1ioVSgCTQen0gOlwKtbsAiD5YJPkQ98dIA --> ssh-ed25519 pI7EWw pFiBE+L4RrpIdOZH7EFHtQ+pVXSDMCtGbewbGAKDlkk -5jicuCBcbH2Ob1jtoZrrm+jNNgw94Co3/A2tRrrNgxY --> :7)u]4Em-grease Xe>q ~'eWf Vx;#t -fJtUbOaM0w5wrhpUl3dvjZ9BXimgrjK5eYs3g358AIEs/+BbuuR4ogCZsLyv9bXd -smyFqW2xoxiANWGWWGY ---- ba8304R6wM3M05dDRmIwZkwgrLUzwlrSGU3cGTpi00w -~HaHgcެ|v|Js-β}VF Ltme%rqxC;Ғ ֋7 \ No newline at end of file 
diff --git a/hosts/storage-2/secrets/wg-monitoring.age b/hosts/storage-2/secrets/wg-monitoring.age deleted file mode 100644 index a9bcd2b..0000000 --- a/hosts/storage-2/secrets/wg-monitoring.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 HwR33w 3DdeLEaXCmEsm5U5idLUPb2t25cbd66Cppf0xcF3GEs -V7g2WywINm7qB7WcV/zL490I/7vCqudlnzNXY1Ckzrg --> ssh-ed25519 pI7EWw HNBoCvxcX9qEJHzjO/8RxPgsy7J1RmqROFKTf/bIcgs -9JSsE7iqZ+1h5YfPPI6v4fth9wdFP8qfU/mNkaTQr6s --> 9Kh.qZ]-grease -gx3ohTVB+gSV ---- OzhRO0ke2wUPWxBayTpVLE2leygx0pT60PTpcTlVgis -alP$c8GjTGP͉{"Rc0Y=>>퉆f߸i r5vŗ# \ No newline at end of file From 4639d23f109fb654e1f0f424f5ee8aef05e5056d Mon Sep 17 00:00:00 2001 From: Flake Update Bot Date: Fri, 3 May 2024 03:04:09 +0200 Subject: [PATCH 6/6] Update nixpkgs 2024-05-03-01-03 --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index ac3e4da..f366649 100644 --- a/flake.lock +++ b/flake.lock @@ -283,11 +283,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1712963716, - "narHash": "sha256-WKm9CvgCldeIVvRz87iOMi8CFVB1apJlkUT4GGvA0iM=", + "lastModified": 1714635257, + "narHash": "sha256-4cPymbty65RvF1DWQfc+Bc8B233A1BWxJnNULJKQ1EY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cfd6b5fc90b15709b780a5a1619695a88505a176", + "rev": "63c3a29ca82437c87573e4c6919b09a24ea61b0f", "type": "github" }, "original": {