Compare commits
7 Commits
e7d912ea78
...
6a2954b7d8
Author | SHA1 | Date | |
---|---|---|---|
6a2954b7d8 | |||
|
4639d23f10 | ||
c8c9526241 | |||
b8e666c075 | |||
730903d0d8 | |||
e413204215 | |||
5c42594d5d |
@ -7,6 +7,7 @@
|
||||
./gnome.nix
|
||||
./inputs.nix
|
||||
./networking.nix
|
||||
./polkit.nix
|
||||
./power.nix
|
||||
./printing.nix
|
||||
./ssh.nix
|
||||
|
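--- /dev/null
+++ b/configuration/desktop/polkit.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+
+security.polkit.enable = true;
+
+}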
@ -19,6 +19,21 @@
|
||||
|
||||
services.pcscd.enable = true;
|
||||
|
||||
# pcscd sometimes breaks and seem to need a manual restart
|
||||
# so we allow users to restart that service themself
|
||||
security.polkit.extraConfig = ''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (
|
||||
action.id == "org.freedesktop.systemd1.manage-units"
|
||||
&& action.lookup("unit") == "pcscd.service"
|
||||
&& action.lookup("verb") == "restart"
|
||||
&& subject.isInGroup("users")
|
||||
) {
|
||||
return polkit.Result.YES;
|
||||
}
|
||||
});
|
||||
'';
|
||||
|
||||
services.udev.packages = with pkgs; [
|
||||
yubikey-personalization
|
||||
];
|
||||
|
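Review bot: The `subject.isInGroup("users")` condition grants the restart to every member of that group regardless of session, so a remote SSH login or a background process can restart pcscd while another user is mid-way through a smartcard operation; if the intent is the person at the console, add `&& subject.local && subject.active` to the condition. The `unit` and `verb` lookups do pin it to the restart verb on `pcscd.service` only, so the exposure is availability, not privilege escalation. Because this keys on group membership, anyone later added to `users` on this host inherits the permission, which is worth stating in the comment above the rule (which should also read "themselves" rather than "themself"). The enclosing attribute set begins before this hunk.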
@ -283,11 +283,11 @@
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1714253743,
|
||||
"narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=",
|
||||
"lastModified": 1714635257,
|
||||
"narHash": "sha256-4cPymbty65RvF1DWQfc+Bc8B233A1BWxJnNULJKQ1EY=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "58a1abdbae3217ca6b702f03d3b35125d88a2994",
|
||||
"rev": "63c3a29ca82437c87573e4c6919b09a24ea61b0f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
{
|
||||
age.secrets.firmware-htpasswd = {
|
||||
sops.secrets.firmware-htpasswd = {
|
||||
owner = "nginx";
|
||||
group = "nginx";
|
||||
};
|
||||
@ -14,7 +14,7 @@ with lib;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
alias = "/data/firmware/";
|
||||
basicAuthFile = config.age.secrets.firmware-htpasswd.path;
|
||||
basicAuthFile = config.sops.secrets.firmware-htpasswd.path;
|
||||
extraConfig = ''
|
||||
autoindex on;
|
||||
autoindex_exact_size off;
|
||||
|
@ -46,7 +46,7 @@ let
|
||||
);
|
||||
|
||||
in {
|
||||
age.secrets.mixcloud-htpasswd = {
|
||||
sops.secrets.mixcloud-htpasswd = {
|
||||
owner = "nginx";
|
||||
group = "nginx";
|
||||
};
|
||||
@ -57,7 +57,7 @@ in {
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
alias = "/data/mixcloud/";
|
||||
basicAuthFile = config.age.secrets.mixcloud-htpasswd.path;
|
||||
basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
|
||||
extraConfig = ''
|
||||
autoindex on;
|
||||
autoindex_exact_size off;
|
||||
@ -65,7 +65,7 @@ in {
|
||||
};
|
||||
locations."/media/" = {
|
||||
alias = "/data/media/";
|
||||
basicAuthFile = config.age.secrets.mixcloud-htpasswd.path;
|
||||
basicAuthFile = config.sops.secrets.mixcloud-htpasswd.path;
|
||||
extraConfig = ''
|
||||
autoindex on;
|
||||
autoindex_exact_size off;
|
||||
|
28
hosts/storage-2/secrets.json
Normal file
28
hosts/storage-2/secrets.json
Normal file
@ -0,0 +1,28 @@
|
||||
{
|
||||
"firmware-htpasswd": "ENC[AES256_GCM,data:ylMqgwtpUNRBatpPqbUI+NB3l5mOHr1SVT5uQg0nP0LRG2oLIFnyYh9eYYVGu5iAA6pxL/7gtRwQNVCvA1JSuGcJ,iv:zO6xNv8MxnslYTCwd3GtWFa+ps1iOF1za9QnpJpOGvc=,tag:CNsFnwvjkWqHc4Bsn1Rynw==,type:str]",
|
||||
"mixcloud-htpasswd": "ENC[AES256_GCM,data:RblDvL92Vm0jsKInl9oKiX5z4VTnAy4tSpmecWp0bNOX338NCDlu297k5Bqw,iv:+d84h4Spmin2w8kHONG3qlIRbaWXSjRlS444FwRXby0=,tag:IbixitLWxScQA+fsnmXWgA==,type:str]",
|
||||
"wg-monitoring": "ENC[AES256_GCM,data:toOPf8RottCJag7I5x59/0ggbORyq1SdcZJfVQw96NbZZ8gaaeYnaSsxq7Q=,iv:clPx1xB04W0RTkudwNXYRLjxCSAB7CCTRRBoNwYQVVc=,tag:2iROztOF91tt3WuZssgr4w==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age13grrd0zhs6r56ge7jqht6q3ptsr5cmw7nhuyqqjjl708e6zycakstrrrl9",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwb2JreUo3VGFkMkZJa3Jv\nVUlNOUsxZElzaGV5bnNHZ0gycnZnTW5WUGtRClR6Tmk4cEg0clA3SUJnQjVCVzdP\nTi9BZUttWmxHYkNPeWtCZkhTd1lEMUEKLS0tIHVpOVc1YXR1VkJCa3pBcWJxdmdB\nR2Q1T0VXMHljb3d3R3lkUEJaT3ErRzAKximuwssNcIW5QAsygUEpUGNtHV9/UeuN\n6CD8OeyTg7QkNhP/lZZctN7cPMXIHaPCnj7tuzH8sRJtZZHM5vBKhg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-05-02T10:49:41Z",
|
||||
"mac": "ENC[AES256_GCM,data:9Ru61GXs1b4aOlqDGWjc8yKaLh02zZlld1udCLgtCfBnEQFHsBuR4uZIOIoS4YBpBB6KsX5ocIcJ7581AL0+2wjQ4LfopDO3kVTjxGGtxcbfOahluACH6TLdUIXFLDR+v7dTAA+/rqt6ogtIo2c1Wbu88OR/aSVe9akx8jUhabw=,iv:yNFmyHPq/c83ILDa2igJpu2d0gd8Oyieyjc3k3TTr9Y=,tag:66CHYLcNif1aCzkSs4M/Vg==,type:str]",
|
||||
"pgp": [
|
||||
{
|
||||
"created_at": "2024-05-02T10:48:16Z",
|
||||
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ/9GpO3+kXtPL7TNX8upozCD/fnrtqy7GNpzYu69NEG5YKg\nm/gXla8KZGYcsZJJsbyBnBrU4MxLhHb0Pc7voMlEEng8x2nOa/kD8yrr3DUExV+M\n+tOvipiy5qdrkS4/sVt3EAyvnzEJUBs/H/ynTvjG962V/21PsCFz7uBbMUoHGY/a\n4nwO1ElG5AoM2Q5HIqC13mijnXtTbMvd9XAweqZhtvhyrZ3opX1GRxEZrFLiGZG1\ncG23H/IxHDBNlHgwIlT0SKbT1z4WgKLRsRPxuDpIAV5CUYJAzlqj37q8MCP89OQQ\n5XAN1y/i0g+1O19fcKmfNTH8yz55kFuaPFH8Y3OOEftr1v/5bmMz14ot+UXai6gb\nCpGjDmQzcxDm8izUIqSniD7rgrFsw8UACBt1QM7IzsXFKsWwRYQ+nwOBhr5mNJVu\n8halA+ZYfW/a4wvJMnZpH2Jlbv/sf+2yKWYqBwnefalPQ91ZLnse8Keg0FHliqYi\n0BZK+DSUSIMwz1ZPm56bRPUrwrILpu51SuL/UuPKO8hI+GqSN2aQD9HJ7firHcy+\nCVm1pbIeJ/mSq3370R/C/pxzvvn6MJ8y3fOiTdNFAOYYlzqlu8gHLjZOCdU6RVCC\nYE6LWfh2d2WyaeY4VCUYNll+g3lokTx6eT1+Nc4ayP/uqudjPmbjY3etEystxnmF\nAgwDvZ9WSAhwutIBD/sGKzl6LhYaL4Mu0/GIE9dIOBvblGQn6Sf9fkCIZ84PnfS+\n7H3aMI25giGSqcouFQap3/swduTqEMn2QgsDQEstpToGT8Si847087s++LbmbEz4\nGmMAR2Dml3pXRDUxOOqyvxpyQnyyfTQE29x7kQvfqFdlFYVeyPT8jYN4yW4Wrz+N\neV0oOVwcrtyYCLzR2k5IkwWOUWnPhBMrUNnnw5kLEU7r6ECgA64qPqrReL7T9Hic\nM4Z8wt7F1nQvuwHISCRUd282PGyyhkj0Rcib+KuHRhUFGpbKnWOKBrTrq3DaQQAw\ngoP7Y6SXcvyaAHE8Abf2XDYSkztYlpZHb0DWP+Ckjhwcn2qS9nhA6Cje9UAMP289\nrsLjN+pg+5urhlZBUswCesf23eS3vaCVeLbDxbiYbDunz/ksD523LFkDvw8t/DaE\nGz+iib2UGld42gBM/NJNpA8mN8R9iUZMGoMDC51/fFqAcC4d3kAdczh0W9V0/cUb\nsfkDFKFxPZmC3nC/KIC1L5vm2xhcR+tzS64jh4HU3PYW9Dfsxi7QWjoC7TTCrHzt\nqgMdYyAFZQqGb/g5r1/OyhPOIJTRFRPBlO6wpi04ksIb9oGmllDMa0ebpDpsxo8J\n0b913T+t1ivwPzJTDvDcQR7xn4S5QmLsQIZxaa+7rQO6sfkgzSLAuFHRG2La14UC\nDAM1GWv08EiACgEP/iZXnM72tWzU2w3LTa2DdfaVRXUiGokXAs4owZBesdrMIIqs\ncD1WTCitCnZf9z2alKncaHI7sI4lKydF+nNIqBjh0vBU+9PlkAGWqWA3WDhJygGn\nge7y9JoxTqskGEarSn8eL0neuBRfwwueP//xIZkfTTmevoM8hktnYJHHl0A09Bow\n25B9Ur558x7RdZhoz5m9YZWeAIy4HEWPaSPxc9afepPktmdqmbwg3kpr5rWHLb5e\n30/aU+bocKdRcAksB+kgkHfEckE11tafo/r/C2nsHdz8WKVko9lXQDAvML8eJsoO\n8T8YR3SNQPPl+uTGIeKYnK94P1o+Ro6mOJOi0Whia2TJE5qOTnbjjNB2Wo5nc2r7\nGpX8PnkAazJzjBwgI0iFZildlGcKM4clgcblU9v+2r/exNXYXM57Yf59+5W8tplZ\nF6Lq2TPRofa8ej2vkWL6esQmUlM4BSE1WvbQXYXDFVQjuVQ
GX0FA67dUoNP7jjqU\nN12qOjCUIJ2qX3o4+0wKGnsCL+xb47P7JPhtiyyYx3oVsxXSFwhvow6iCgCa3P71\nN+rvUmZNA5tfMDEaZQTHe381viO/nhumT4lrgDRS22DX1gIFe3tRs79NQQXlLvsV\nL0EyfhUDO6mnkDoKOZw43w8n0qvkhhZ89/lBWWp4kWuwWoW9/AKa1ZzINHX61GgB\nCQIQHpIHxtY5bjVgWuvo/RkjcILqOFEit6MH3SsLdM1RciDZfZxAj5YxvzLIw36c\nx1RtrKqxKveIZfuxh6bZwKgjkxTNaZTgqs7fz9JrGqiC+ghRWVDyQX/psRyb6fBp\n9/FTV7l6mQ==\n=61m1\n-----END PGP MESSAGE-----",
|
||||
"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
|
||||
}
|
||||
],
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
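Review bot: This file can be decrypted only by the single age recipient at `"recipient": "age13grr…"` and the PGP key with `"fp": "0C98…7928"`, whereas the three `.age` files deleted in this compare were each encrypted to two `ssh-ed25519` recipients; nothing here shows how the host derives a matching age identity (sops-nix's `sops.age.sshKeyPaths` or `sops.age.keyFile`), so confirm that mapping before deploying, since a mismatch only surfaces at activation as a decryption failure for all three secrets. With one host key and one admin key as the only recipients, losing both means re-creating every secret, so consider a second admin or backup recipient in the `.sops.yaml` creation rule. `"unencrypted_suffix": "_unencrypted"` means any key ending in that suffix is stored in clear, so keep it out of secret names.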
@ -1,10 +0,0 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-ed25519 HwR33w AtsznTAUQumy3G6fSBwIiezL2Zdzl33t9TU3hDotcRs
|
||||
eG+bBDB+MOQk7cHx+3Ha/n83t2QEbZunRYi0idRF9RQ
|
||||
-> ssh-ed25519 pI7EWw egjmvw3f6zrl0XmxI7xWhKsPl8PXTkZDSY84VbtJTG4
|
||||
MFsjDhp5UrprE3w7q9W3ZmGlkNnOFbsJNVjfeO11trw
|
||||
-> 0=-grease Fi`a + >zPFov* a
|
||||
nx2zvPHhzkSNi/8oxnL07qefB248BCwJMjpVTc8i5j5aedELas87iI/WppKoa/tq
|
||||
/jYLHztLjqKy412YvA0xuzR6yZ7G
|
||||
--- 7M+CSupk4WV36DU/c8ZtODB6N8kuhttk4aLMULp8/Zc
|
||||
†!U©ÊÀÍÕ©ÁÒ±m<C2B1>îL¦ˆsøaYh?<3F>Uaq®a¤}¯¦ ˜ÂŽ•Ÿ¾ô®Ål@Eqǘ˜Óà¦w¯ä<C2AF>¯¾þÈ*.¼ýL¯Ñ“JeFy@= J™õ¹÷°
|
@ -1,10 +0,0 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-ed25519 HwR33w Q6P3HFyTE3FEsrjnBx3TWIdv16GYLdAmnTZE2W5uex4
|
||||
A30r0PifK1ioVSgCTQen0gOlwKtbsAiD5YJPkQ98dIA
|
||||
-> ssh-ed25519 pI7EWw pFiBE+L4RrpIdOZH7EFHtQ+pVXSDMCtGbewbGAKDlkk
|
||||
5jicuCBcbH2Ob1jtoZrrm+jNNgw94Co3/A2tRrrNgxY
|
||||
-> :7)u]4Em-grease Xe>q ~'eWf Vx;#t
|
||||
fJtUbOaM0w5wrhpUl3dvjZ9BXimgrjK5eYs3g358AIEs/+BbuuR4ogCZsLyv9bXd
|
||||
smyFqW2xoxiANWGWWGY
|
||||
--- ba8304R6wM3M05dDRmIwZkwgrLUzwlrSGU3cGTpi00w
|
||||
~Hî±aÒHgÇÀcÞ¬|<05>vðÔ|Js-β}Áš„€VF¤ÄÙLï”»tme%ûrqxCñöÝõ;Ò’âÀÆÖ‹7è
|
@ -1,9 +0,0 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-ed25519 HwR33w 3DdeLEaXCmEsm5U5idLUPb2t25cbd66Cppf0xcF3GEs
|
||||
V7g2WywINm7qB7WcV/zL490I/7vCqudlnzNXY1Ckzrg
|
||||
-> ssh-ed25519 pI7EWw HNBoCvxcX9qEJHzjO/8RxPgsy7J1RmqROFKTf/bIcgs
|
||||
9JSsE7iqZ+1h5YfPPI6v4fth9wdFP8qfU/mNkaTQr6s
|
||||
-> 9Kh.qZ]-grease
|
||||
gx3ohTVB+gSV
|
||||
--- OzhRO0ke2wUPWxBayTpVLE2leygx0pT60PTpcTlVgis
|
||||
£þ²¶ÄaÅlP‚$c8êGãjøì¦ÄT½¸ä—â¸G½žP͉{"ÓR„c0Y=Ñç>Ê>퉆fþ®ß¸i©
r®ø5ûv‡Å—å#
|
@ -7,6 +7,7 @@ set -euo pipefail
|
||||
|
||||
SECRETS_FILE="$1"
|
||||
KEY="$2"
|
||||
KEY_SELECTOR="$(jq -Rsc '[.]' <(echo -n "${KEY}"))"
|
||||
|
||||
if [[ -n $EDITOR ]]; then
|
||||
EDITOR=vim
|
||||
@ -14,12 +15,21 @@ fi
|
||||
|
||||
TMP_FILE="$(mktemp)"
|
||||
|
||||
clerie-sops --decrypt --extract "[\"${KEY}\"]" "${SECRETS_FILE}" > "${TMP_FILE}"
|
||||
clerie-sops --decrypt --extract "${KEY_SELECTOR}" "${SECRETS_FILE}" > "${TMP_FILE}"
|
||||
|
||||
TMP_FILE_HASH_BEFORE="$(sha256sum "${TMP_FILE}")"
|
||||
|
||||
vim "${TMP_FILE}"
|
||||
|
||||
JSON_QUOTED_SECRET="$(jq -Rs '.' "${TMP_FILE}")"
|
||||
TMP_FILE_HASH_AFTER="$(sha256sum "${TMP_FILE}")"
|
||||
|
||||
# Don't write value back when it hasn't changed
|
||||
if [[ "${TMP_FILE_HASH_BEFORE}" == "${TMP_FILE_HASH_AFTER}" ]]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
JSON_QUOTED_SECRET="$(jq -Rsc '.' "${TMP_FILE}")"
|
||||
|
||||
rm "${TMP_FILE}"
|
||||
|
||||
clerie-sops --set "[\"${KEY}\"] ${JSON_QUOTED_SECRET}" "${SECRETS_FILE}"
|
||||
clerie-sops --set "${KEY_SELECTOR} ${JSON_QUOTED_SECRET}" "${SECRETS_FILE}"
|
||||
|
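Review bot: The new early `exit 0` in the unchanged-hash branch returns before `rm "${TMP_FILE}"`, so the decrypted secret is left in plaintext under `$TMPDIR` every time the user opens a secret and quits without changing it; with `set -euo pipefail` the same happens on any failing command between `mktemp` and the `rm`. Replace the explicit `rm` with a cleanup trap placed right after `TMP_FILE="$(mktemp)"`: `trap 'rm -f "${TMP_FILE}"' EXIT`. Depending on the user's vimrc, vim may also write swap, backup or undo files beside the temp file, so `vim -n -i NONE "${TMP_FILE}"` (or a tmpfs-backed `TMPDIR`) is worth considering. Separately, the context lines `if [[ -n $EDITOR ]]; then EDITOR=vim` look inverted and the script calls `vim` directly anyway; under `set -u` an unset `EDITOR` will abort the script, which is pre-existing but worth a follow-up.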
@ -3,7 +3,9 @@
|
||||
{
|
||||
users.users.clerie = {
|
||||
isNormalUser = true;
|
||||
group = "clerie";
|
||||
extraGroups = [
|
||||
"users"
|
||||
"wheel"
|
||||
"dialout"
|
||||
];
|
||||
@ -13,4 +15,6 @@
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnUBblmmVoMMBftn4EnwnzqR12m9zill51LpO124hHb10K2rqxNoq8tYSc2pMkV/3briZovffpe5SzB+m2MnXbtOBstIEXkrPZQ78vaZ/nLh7+eWg30lCmMPwjf2wIjlTXkcbxbsi7FbPW7FsolGkU/0mqGhqK1Xft/g7SnCXIoGPSSrHMXEv5dPPofCa1Z0Un+98wQTVfOSKek6TnIsfLbG01UFQVkN7afE4dqSmMiWwEm2PK9l+OiBA2/QzDpbtu9wsfTol4c192vFEWR9crB2YZ1JlMbjVWHjYmB7NFsS0A6lUOikss0Y+LUWS2/QuM/kqybSo4rasZMAIazM6D clerie"
|
||||
];
|
||||
};
|
||||
|
||||
users.groups.clerie = {};
|
||||
}
|
||||
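Review bot: `users.groups.clerie = {};` declares the group without a `gid`, so NixOS allocates one at activation and it may differ between hosts sharing this module; if files owned by this group ever move between hosts (rsync -a, NFS, backups) pin it with an explicit `gid`. Adding `"users"` to `extraGroups` alongside the new primary group presumably keeps the `subject.isInGroup("users")` polkit rule elsewhere in this compare matching after the primary group changed from the default; if so, a one-line comment such as `# kept so desktop polkit rules keyed on "users" still apply` would save the next reader the cross-reference.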
|