
Compare commits


9 Commits

9 changed files with 129 additions and 27 deletions


@ -240,11 +240,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1715266358, "lastModified": 1715447595,
"narHash": "sha256-doPgfj+7FFe9rfzWo1siAV2mVCasW+Bh8I1cToAXEE4=", "narHash": "sha256-VsVAUQOj/cS1LCOmMjAGeRksXIAdPnFIjCQ0XLkCsT0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "f1010e0469db743d14519a1efd37e23f8513d714", "rev": "062ca2a9370a27a35c524dc82d540e6e9824b652",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -132,6 +132,7 @@
nix-remove-result-links nix-remove-result-links
nixfiles-auto-install nixfiles-auto-install
nixfiles-generate-config nixfiles-generate-config
nixfiles-generate-backup-secrets
nixfiles-update-ssh-host-keys nixfiles-update-ssh-host-keys
print-afra print-afra
ssh-gpg ssh-gpg


@ -0,0 +1,24 @@
Nix Cache by clerie
Public key:
cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=
NixOS Configuration:
nix.settings = {
substituters = [
"https://cache.nix.clerie.de"
];
trusted-public-keys = [
"cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
];
}
Try:
nix build --substituters "https://cache.nix.clerie.de" \
--trusted-public-keys "cache.nix.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=" \
"git+https://git.clerie.de/clerie/fieldpoc.git#fieldpoc"
.-*..*-.


@ -13,9 +13,40 @@
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."= /" = { locations."= /" = {
return = ''200 'Nix Cache by clerie\n\nPublic key:\n\n nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=\n\nNixOS Configuration:\n\n nix.settings = {\n substituters = [\n "https://nix-cache.clerie.de"\n ];\n trusted-public-keys = [\n "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="\n ];\n }\n\nTry:\n\n nix build --substituters "https://nix-cache.clerie.de" \\\n --trusted-public-keys "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g=" \\\n "git+https://git.clerie.de/clerie/fieldpoc.git#fieldpoc"\n\n.-*..*-.' ''; index = "/index.txt";
};
locations."= /index.txt" = {
root = ./cache.nix.clerie.de;
};
locations."/" = {
proxyPass = "http://[::1]:5005";
extraConfig = '' extraConfig = ''
types { } default_type "text/plain; charset=utf-8"; proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
'';
};
};
"cache.nix.clerie.de" = {
enableACME = true;
forceSSL = true;
locations."= /" = {
index = "/index.txt";
};
locations."= /index.txt" = {
root = ./cache.nix.clerie.de;
};
locations."= /nix/store/" = {
extraConfig = ''
return 404;
'';
};
locations."/nix/store/" = {
root = "/";
extraConfig = ''
autoindex on;
autoindex_exact_size off;
''; '';
}; };
locations."/" = { locations."/" = {
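Review bot: `locations."/nix/store/"` in the new `cache.nix.clerie.de` vhost serves the host's entire `/nix/store` from `root = "/"` with `autoindex on`, so every store path present on this machine, not only what the cache is meant to publish, becomes readable over HTTPS, and the `= /nix/store/` `return 404` hides only the top-level listing, not the contents of any path whose hash is known (for example from a narinfo). That is acceptable only if nothing on this host ever builds a secret into the store, which is worth stating next to the block: `# Exposes the whole local /nix/store read-only; never build secrets into this host's store.` If browsing store paths is not required, serving only the nix-serve endpoints on this vhost would remove the exposure entirely. The `locations."/"` block that closes this hunk continues outside it.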


@ -5,8 +5,42 @@
set -euo pipefail set -euo pipefail
print_help() {
cat << EOF
clerie-sops-edit <secrets_file> <action> <key>
This script allows editing single secrets in a secrets file by key.
<secrets_file> is a sops secrets file
<action> is one of "edit", "read", "set" and "append"
<key> is the key of the secret in the secrets file to modify
EOF
}
if [[ $# != 3 ]]; then
print_help
exit 1
fi
SECRETS_FILE="$1" SECRETS_FILE="$1"
KEY="$2"
if [[ ! -f "${SECRETS_FILE}" ]]; then
echo "File \"${SECRETS_FILE}\" does not exist"
echo
print_help
exit 1
fi
ACTION="$2"
if ! echo "edit read set append" | grep -wq "${ACTION}"; then
echo "Action \"${ACTION}\" not supported"
echo
print_help
exit 1
fi
KEY="$3"
KEY_SELECTOR="$(jq -Rsc '[.]' <(echo -n "${KEY}"))" KEY_SELECTOR="$(jq -Rsc '[.]' <(echo -n "${KEY}"))"
if [[ -n $EDITOR ]]; then if [[ -n $EDITOR ]]; then
@ -14,12 +48,36 @@ if [[ -n $EDITOR ]]; then
fi fi
TMP_FILE="$(mktemp)" TMP_FILE="$(mktemp)"
DECRYPT_ERROR_FILE="$(mktemp)"
clerie-sops --decrypt --extract "${KEY_SELECTOR}" "${SECRETS_FILE}" > "${TMP_FILE}" if ! clerie-sops --decrypt --extract "${KEY_SELECTOR}" "${SECRETS_FILE}" > "${TMP_FILE}" 2> "${DECRYPT_ERROR_FILE}"; then
# Ignore that the key does not exist, but fail for all other errors
if ! grep -q "component .* not found" "${DECRYPT_ERROR_FILE}"; then
cat "${DECRYPT_ERROR_FILE}"
exit 1
fi
fi
TMP_FILE_HASH_BEFORE="$(sha256sum "${TMP_FILE}")" TMP_FILE_HASH_BEFORE="$(sha256sum "${TMP_FILE}")"
vim "${TMP_FILE}" case "${ACTION}" in
edit)
"${EDITOR}" "${TMP_FILE}"
;;
read)
cat "${TMP_FILE}"
;;
set)
cat > "${TMP_FILE}"
;;
append)
cat >> "${TMP_FILE}"
;;
*)
echo "Unsupported action"
exit 1
;;
esac
TMP_FILE_HASH_AFTER="$(sha256sum "${TMP_FILE}")" TMP_FILE_HASH_AFTER="$(sha256sum "${TMP_FILE}")"
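Review bot: The new `exit 1` paths (after the decrypt failure and in the `*)` case arm) leave `${TMP_FILE}` and `${DECRYPT_ERROR_FILE}` behind in the temp directory, and in the `*)` arm `${TMP_FILE}` already holds the decrypted secret; unless a cleanup exists below this hunk, add `trap 'rm -f "${TMP_FILE}" "${DECRYPT_ERROR_FILE}"' EXIT` directly after the two `mktemp` calls so both files are removed on every exit path, including those taken by `set -e`. The action check `grep -wq "${ACTION}"` treats the argument as a regular expression, so a value like `e.it` passes it and is rejected only by the `case` arm after the secret has been decrypted; `grep -Fwq` or validating with the same `case` up front closes that gap. Matching the sops error text with `grep -q "component .* not found"` ties the missing-key path to sops' current wording, so a comment such as `# Relies on sops' error wording; any other message turns a missing key into a hard failure` would save the next maintainer a surprise when sops changes it.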


@ -4,7 +4,7 @@ pkgs.writeShellApplication {
name = "nixfiles-generate-backup-secrets"; name = "nixfiles-generate-backup-secrets";
text = builtins.readFile ./nixfiles-generate-backup-secrets.sh; text = builtins.readFile ./nixfiles-generate-backup-secrets.sh;
runtimeInputs = with pkgs; [ runtimeInputs = with pkgs; [
agenix clerie-sops-edit
apacheHttpd apacheHttpd
git git
pwgen pwgen


@ -12,21 +12,9 @@ target_cyan_htpasswd="$(htpasswd -nbB "${host}" "${target_cyan}")"
target_magenta="$(pwgen -1 64 1)" target_magenta="$(pwgen -1 64 1)"
target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")" target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")"
mkdir -p "hosts/${host}/secrets" echo "$job_main" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-job-main"
echo "$target_cyan" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-cyan"
echo "$target_magenta" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-magenta"
echo "$job_main" | agenix -e "hosts/${host}/secrets/new" echo "${target_cyan_htpasswd}" | clerie-sops-edit "hosts/clerie-backup/secrets.json" append "restic-server-cyan-htpasswd"
mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-job-main.age" echo "$target_magenta_htpasswd" | clerie-sops-edit "hosts/backup-4/secrets.json" append "restic-server-magenta-htpasswd"
echo "$target_cyan" | agenix -e "hosts/${host}/secrets/new"
mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-cyan.age"
echo "$target_magenta" | agenix -e "hosts/${host}/secrets/new"
mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-magenta.age"
prev_htpasswd_cyan="$(agenix -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age)"
cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | agenix -e "hosts/clerie-backup/secrets/new"
mv "hosts/clerie-backup/secrets/new" "hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age"
prev_htpasswd_magenta="$(agenix -d "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age")"
cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | agenix -e "hosts/backup-4/secrets/new"
mv "hosts/backup-4/secrets/new" "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age"
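Review bot: The `htpasswd -nbB "${host}" "${target_cyan}"` and `"${target_magenta}"` lines at the top of the hunk (unchanged context, but they produce the values the new `append` calls store) pass the freshly generated restic passwords on the command line, where `-b` exposes them to any local user via `/proc/*/cmdline` while htpasswd runs; `htpasswd -niB "${host}" <<< "${target_cyan}"` reads the password from stdin instead. The new `append` calls also add a second htpasswd entry for `${host}` when the script is rerun for an existing host, while the host's own secrets are overwritten by `set`; if rerunning is not meant to be supported, a comment such as `# Run once per host: append does not replace an existing htpasswd entry` would make that explicit. The rest of the script (its `set -e` and the `host`/`job_main` setup) is outside this hunk.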


@ -11,6 +11,7 @@ final: prev: {
nix-remove-result-links = final.callPackage ./nix-remove-result-links {}; nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {}; nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {}; nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {}; nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
print-afra = final.callPackage ./print-afra {}; print-afra = final.callPackage ./print-afra {};
ssh-gpg = final.callPackage ./ssh-gpg {}; ssh-gpg = final.callPackage ./ssh-gpg {};


@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzEQEWeunhkzP+invKjdsZe4rbUloixa374bYEhBSA5 clerie_id