From 2a50b2098e1a6e2f350e1fc1ef0c1ebba5075682 Mon Sep 17 00:00:00 2001
From: noe
Date: Sat, 23 Dec 2023 02:39:15 -0500
Subject: [PATCH] add keylime

---
 .sops.yaml | 8 +++
 flake.nix | 33 ++----------
 nixos/hosts/aerial/default.nix | 9 ++--
 nixos/hosts/keylime/default.nix | 10 ++++
 nixos/templates/proxmox-lxc.nix | 5 +-
 nixos/users/noe.nix | 2 +
 secrets/default.yaml | 89 ++++++++++++++++++---------------
 7 files changed, 80 insertions(+), 76 deletions(-)
 create mode 100644 nixos/hosts/keylime/default.nix

diff --git a/.sops.yaml b/.sops.yaml
index a9507ba..e9293dc 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,6 +7,7 @@ keys: &all
   - &m_cider age1kjsga2kf95lu7p5stqr5d9p87jquyypnx97cycj6jvhsm9zkn93quexx4r
   - &m_aerial age1jc6ghxfgxe3gx53xa55azxan447cfxaqfqeh5y5yzqapj7mw7ajql8kv02
   - &m_blueberry age12p9lw3zgufcg7qx375t9lwtckzwgj0tkn2pt9uj3tnx9sn3ucqgsf5ctdd
+  - &m_keylime age1pvmyk2ukaaq0xqx6wcst4smlfh2l76camukfv03ykfr0qdhuce6quttryy
 
 creation_rules:
   - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
@@ -47,3 +48,10 @@ creation_rules:
       - *op_noe_2
       - *op_noe_3
       - *m_blueberry
+  - path_regex: secrets/keylime/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *op_noe
+          - *op_noe_2
+          - *op_noe_3
+          - *m_keylime
diff --git a/flake.nix b/flake.nix
index 7b6319b..b242ed0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -71,7 +71,7 @@
     in
     import ./pkgs { inherit pkgs; } // {
       proxmox-lxc = inputs.nixos-generators.nixosGenerate {
-        inherit system;
+        inherit system pkgs;
         modules = [
           ./nixos/templates/proxmox-lxc.nix
         ];
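Review bot: The new `secrets/keylime/` rule reads as if the keylime host should only be able to decrypt its own secrets, but the first hunk also appends `- &m_keylime` to the `keys: &all` anchor, so every creation rule that expands `*all` now wraps its data key for that host as well. The key_groups of the `secrets/[^/]+\.(yaml|json|env|ini)$` rule are outside this hunk, but the `secrets/default.yaml` hunk in this same patch gains an `age1pvmyk…` recipient, which is consistent with the shared file having been re-keyed to the keylime LXC. If that is not intended, drop the `&m_keylime` line from the `&all` list, keep the key only in the keylime rule, and run `sops updatekeys secrets/default.yaml` so the wrapped data key is removed again. If it is intended, a one-line comment on the anchor such as `# &all: every listed machine can decrypt the shared secrets` would record that trust decision for the next host added here.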
@@ -117,35 +117,8 @@
       # Main Desktop
       aerial = mkNixos [ ./nixos/hosts/aerial ];
 
-      # 2015 MBP
-      #echo = mkNixos [ ./nixos/hosts/echo ];
-
-      # 2013 MBP
-      #who =
-
-      # Pi4B Xbox Hacking
-      #xxx = mkNixos [
-
-      # PlanetSide Stack
-      #watermelon =
-
-      # Akkoma (sapphic.engineer)
-      #pineapple =
-
-      # Web Services
-      #honeydew =
-
-      # Workers
-      #tangerine =
-
-      # Pi3B Audio Streamer
-      #audiofox =
-
-      # Router
-      #nekomata =
-
-      # just give me a machine THANKS
-      #lab =
+      # Keylime Lab
+      keylime = mkNixos [ ./nixos/hosts/keylime ];
     };
 
     darwinConfigurations = {
diff --git a/nixos/hosts/aerial/default.nix b/nixos/hosts/aerial/default.nix
index 1f6ebfe..cf4b936 100644
--- a/nixos/hosts/aerial/default.nix
+++ b/nixos/hosts/aerial/default.nix
@@ -26,9 +26,10 @@
     fsType = "ext4";
   };
 
-  networking.firewall.allowedTCPPorts = [ 42069 ];
-  networking.firewall.allowedUDPPorts = [ 42069 ];
-
-
+  environment.systemPackages = [
+    pkgs.python3
+  ];
+  networking.firewall.allowedTCPPorts = [ 42069 8000 ];
+  networking.firewall.allowedUDPPorts = [ 42069 ];
 
 }
diff --git a/nixos/hosts/keylime/default.nix b/nixos/hosts/keylime/default.nix
new file mode 100644
index 0000000..ff0f513
--- /dev/null
+++ b/nixos/hosts/keylime/default.nix
@@ -0,0 +1,10 @@
+{...}: {
+  imports = [
+    ../../templates/proxmox-lxc.nix
+    ../../server.nix
+    ../../features/podman.nix
+  ];
+
+  networking.hostname = "keylime";
+  system.stateVersion = "24.05";
+}
diff --git a/nixos/templates/proxmox-lxc.nix b/nixos/templates/proxmox-lxc.nix
index 846ea11..3552079 100644
--- a/nixos/templates/proxmox-lxc.nix
+++ b/nixos/templates/proxmox-lxc.nix
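Review bot: `networking.firewall.allowedTCPPorts = [ 42069 8000 ];` opens TCP 8000 on the main desktop for as long as this configuration is deployed, yet nothing in the hunk declares a service that owns the port; together with `pkgs.python3` being added in the same change this looks like an ad-hoc `python3 -m http.server`, which would then be reachable from the whole LAN. If the port is only for occasional transfers, prefer a temporary rule over baking it into the firewall, or at least scope it to one interface, e.g. `networking.firewall.interfaces."<lan-if>".allowedTCPPorts = [ 8000 ];`, and add a comment naming the service it is for so it can be removed later. The module header is outside the hunk, so also confirm it takes `pkgs` as an argument now that `pkgs.python3` is referenced.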
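Review bot: `networking.hostname = "keylime";` is not a NixOS option — the option is camel-cased `networking.hostName` — so evaluating this new host will fail with an "option does not exist" error before anything is built. The fix is `networking.hostName = "keylime";`. A `nixos-rebuild build --flake .#keylime` (or `nix flake check`) before merging would catch this class of typo, since the module system rejects undeclared options rather than ignoring them.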
@@ -1,13 +1,14 @@
 { pkgs, config, modulesPath, lib, ... }: {
   imports = [
     (modulesPath + "/virtualisation/proxmox-lxc.nix")
+    ../users/noe.nix
   ];
 
-  system.stateVersion = "24.05";
+  system.stateVersion = lib.mkDefault "24.05";
 
   users.users.root.hashedPassword = "$y$j9T$kWYIRHrwP1uXV.l4vTJ67/$VGkvX09rzebYPWRI5vk0Z/IDo434bBaIqUutWp4l0L2";
   users.users.root.openssh.authorizedKeys.keys = import ../users/noe-keys.nix;
-
+
   environment.systemPackages = with pkgs; [
     bashInteractive
   ];
diff --git a/nixos/users/noe.nix b/nixos/users/noe.nix
index d4d4e11..93e34c4 100644
--- a/nixos/users/noe.nix
+++ b/nixos/users/noe.nix
@@ -7,6 +7,8 @@
     openssh.authorizedKeys.keys = import ./noe-keys.nix;
   };
 
+  programs.fish.enable = true;
+
   environment.systemPackages = [ pkgs.nixos-rebuild ];
   security.sudo.extraRules = [
     {
diff --git a/secrets/default.yaml b/secrets/default.yaml
index 4fff2fe..03f5e51 100644
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
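Review bot: With `../users/noe.nix` now imported into every LXC built from this template (the noe.nix hunk shows that user carries `security.sudo.extraRules`), the template still keeps two further root login paths on the new side: a yescrypt hash committed to the repository in `users.users.root.hashedPassword` and root's own `openssh.authorizedKeys.keys`. A password hash in git can be cracked offline by anyone with read access to the repo, and every host using this template shares it. Since the module header already takes `config` and the repository manages per-machine age keys, consider `users.users.root.hashedPasswordFile = config.sops.secrets."root-password".path;` (assuming sops-nix is wired into these hosts — not visible here) and rotating the password, or dropping root SSH access altogether in favour of the sudo-capable user. The `lib.mkDefault` change itself is fine and is what lets a host like keylime override `system.stateVersion`.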
@@ -13,74 +13,83 @@ sops: - recipient: age1lq5q5g5qjsdcc3key0n6qytkc9z3qx3d3e96ap9zre2aqgvc9ujq82l9hd enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBybGRCRUR0KzBweXBiOWlI - ZC90eHVsYlAyVzJDWVdhK0dzcHZTd0JJZVVBCmUzcGc0dHlCSTU0Zjc3OWhOSEMx - R2JQcHJaN2tYRklVbDhNbGdRWENBTmsKLS0tIHV2dVpZWHFXOGFNdXdWUjY4dlp3 - Yk9RRDlJVWFUWFo4ZG1RTWluVmR3SWcKjG9iFgpXMUAddqv0Tmbh3Z644/lCj+lD - R2w4nxUcFJGG1NWIxA4QcdA4tw8lysH2vfegdCexlTGVJ3nqTl3dbw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOFJVWUV4N2YvSkd3N0Z2 + c3Z0N0tHV2ZYaG9NUmVDSkt3dG4xTHhMTFY0ClpsSHNJNzJqTE1tQW45YkR4SnFu + NnVBeTRjejhramovbmppTDZVZjBINGsKLS0tIERTbnhoTjRlMk4yMkF0ODZONEJT + c2VmMUpyTEpnT05WMGlwYjkvbnhxKzQKoGq8kIIMAU8z+BkxaMmT5bEFmoqGboJr + KUI14WF1RMEeIJv8dtGbOUEuvu18SZhtMDUjFv0QZiL71otGOjRAkQ== -----END AGE ENCRYPTED FILE----- - recipient: age1p0f62dwatt558sf5s4equdqwtg5m7lsnaytrf3xjnvmx3e0lqu4svtugyp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSWltcUQ4YVFkSTdTQTd4 - SU9yVVFVR1VINTV2OXJhNENtYkNGYmVKZ2w4CmlvdU1tN24vNHNzbFRFcW1rY2hI - RTZ4eUo0eXM1NGlIbDBoNmNzYjc1Z3MKLS0tIHJSZHE5MlZDOGhWV3RiZE5YWk16 - ZHV5dlNaWEwzT3Fyb1RsRWdPUXJ6MzgKQCVmjEZWuWcROwUus6yrbi1Qqycs2ahR - BjdjFdjjeHp/3pPyDMW3TYE0xWgi56HYJTowJxXFVKzsMDB9PjKqvA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzSlNjUWM0SEQvVURjbzh5 + TFBwNjNSWjZaVVErdnB6MGpodUpVdVlVRUdFCmdYYklEQXV4TDlDTnp1a3R0a3lR + aHdUYnhhaU9vdzhCNUlSNlY5dHptZXcKLS0tIFkyUHpNTGZGeHZJN2ttK2hYZmgw + eFVFdWVjUC9qYzZPVTlYNExyMVRHRHcKK8QO5IeiUkiymFKn8yWkIKdaZaPJyuQt + AFa8rzn2LHzNsRV5OJ9ivaKyXClqqZNizSVvp/O1BSr5P+PTrKqMmA== -----END AGE ENCRYPTED FILE----- - recipient: age13c5wv623jxjja5mjz7fajg9qqwvypzgsfqrs4tmk7rpgyzu7aufs4ul9f9 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOTlKK09ybnUyMG1tdGF2 - U1BmNHBDdFRsWmlKK2pSNHh6VVJLSU52WWpRCk42UVFLbGV0Rmxha21uZkVXN2xJ - cUlkKzZ5MHNFc1crK0VMK0E2Ujl6TDAKLS0tIHBxSjJNNmd4VmxiTUgwcjBLR0Np - 
RlljdFdGS1p1bkNkT1ZwZk5mY1VRcWsKiZ8Aa9lxm/9DUEQjcnFHWZZNEH4X3yxd - 8YkmaMAoR6fcwTaczAkMnYZCd6HUIBuOfyqFON4DU2iLsdtu8uCFlQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZlRlQ09MVExpS2Z4cTZB + d3JHVkhiODY4VU5lOUppMDlCSkZQdUtrcURvCkFLM2JoUUR5UG5WTkErT2crSnBN + TnNUZlhvbExZSzgvanNLbkE5bExjbzgKLS0tIFdEVGlMSDEzN2l1S0s1Sk1hcEp1 + WDRqMVB0a09TbzFlSWJ2SEtlZG1BOFUKZvrg+etZOvfqvEd0M5MU5Pjzg7Otmb/I + g9P/+p6OKX550ronEAhpaeYi+lHhb9XTFOFDgIEyo2jJR5LWswF26g== -----END AGE ENCRYPTED FILE----- - recipient: age1f5cqspxexkl8f42v5ne47mx6xmm4v00lafdlslq9g79a508e4p9qrku72s enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Ti9aZ3NtWVRyWGVKRS8v - RU11b1Y4ejF2NFZHR05HdjdWQStoRDNQWG5zCk40VzM5K2lTK3l6V3piTTV3NWxW - eVFqa1NXRm5VOE5BMGtSY0dKcnVVc00KLS0tIFRUNnBIeGpIQm9TUkZnRjV1VXlX - MDhYS2p4NWIwaFBmOVBXaHh3a1pWeHcKdgYOPDBJQBLjhXEYi4HiRgA47+TGEGob - AikvcVfKEFlgbKZvbKp48PP14Go8gfsNT0fC3qkFmUlgLXUw1VOE8g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVHhzLzUxbjRtcDl4S0tq + MDlNZ3F3RkRvbEZZUkJWRkgrTVlJYUxsbEdJCldsZE96L0NnRmMrcWZRVjkwKy82 + bWhuVnRVTE9jNlJZQVdVUmNTb3ZyQTAKLS0tIEN5Tk5kelBMTzIvdDZrVGlPenVW + Q1pDNFcrVytLSXNhU2pTRUxRS1NYblEKCvqyd9VcIrF9KhDMw2oq/zbyY97Xupe/ + E+6JIaMJnQzc/voS6l6Tyi1MaIzK2wrW8CXs6BaFi6ED5egVZB/DYg== -----END AGE ENCRYPTED FILE----- - recipient: age14vsmekuppm4xhp4rthhv9jjgzfv45v39a0q8dsgg6yusw0pjkvaqnr9kq8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmS045d3hhVFNjS3JRYzEz - elJxLzg0MGhNdDhzMEJGY3J4L2Y3WUJ2ZFhzCmUwQnNUd0gxY0FXZ2MyUEdDTUpS - VVAvN0hDcmt1OHArREI5U0N6L29tNTQKLS0tIDlSWFA0Z3VURDROYVl1cGdaaXMw - U0dUSkVWZ282WE9xaGM0WHpYa09rdUUK9irphEREhmUw3pEKUH7nBuIOBhwSOsoH - xXMN/sQuBumqsLIXvAvV51P5b0uHwkDUQ+MndL7HiX9JxfYYGS72tA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQRENnQmxqdllpWG96WlRB + S1EzaVUzN0VTSkI3dWlwMWlXc1F1MThMdEJZClppRGpydnVVcEQ3bi9qeWtyYmtv + Z1ppNlN6aVA1K1N4WCtIckFqandTVUkKLS0tIGVPaDRoL2Z3REFFTE16L251YVBK + 
eGVmcU5TdEhLZDJHdmRMUHBvRENGVEkKiDbRJg9lEKl2WQUuBb+7CZdqlMH+mLsl + gw+POKQqmqZy/CdTzCwHiwiml+c/lp5yaWOR+bsBRfMZeaoDjJGKBg== -----END AGE ENCRYPTED FILE----- - recipient: age1kjsga2kf95lu7p5stqr5d9p87jquyypnx97cycj6jvhsm9zkn93quexx4r enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNTAwN3JvRGI4aWxFZFhL - OGFYL1h4Ym1SdzU1UVNyN0plTzNJWERNajJBCmg0S3dtVmEvcFp2KzEvVTdOUDhI - VzZWVld1K29qKzN5VURORlpla0xuQ28KLS0tIE02Q0pSZ21MRG5sc2xDVWxEaVR0 - M3A2RUZ2Z3U1SytQK01LeGZzbXB5cjAKN4DHBI3dkKeoYFq1bh6CuV1Avc1Ild6y - FRtXv7rUb4/sPhgGbIi7OuLxaeiztkJABjBSJ7cXUI2TLF9zXu3Y8Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdEI0N09rSGJnR2ZZd1JO + eFhPZk1iVEorbFRVTFB1SnJ4dzZMOXh4MGpnClkwQnJzeitBUFo2cTBMVGU1RU92 + cTVqZFIydUdYc2piaWF4N3dEVXVyQlEKLS0tIDcxMXg3T2orRmNQb1JSS2ZNdTZL + NWdJbFp2cE9saHdBUWxKMVM2UVdSZE0K6oYxfy/dwd54nvTA9eO3rfpejZKwTBI1 + DBvGgb+CWLWRk1MflQYlWyHgCbdD9ogkVMZAZNH9SXNfc1qtgUNwww== -----END AGE ENCRYPTED FILE----- - recipient: age1jc6ghxfgxe3gx53xa55azxan447cfxaqfqeh5y5yzqapj7mw7ajql8kv02 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WW94Tyt6SFJGRmRKeWVM - aTBiTmNvWGd0Kys2a2Z5ZEZUVXdwTkp2Qm4wCmR4b2lYRkFxU2xVOHNjQThRWmpN - VlFlaXBDUVBIL0NuM1JtZlBHNnNZdXMKLS0tIDBvcVVrZjRYVnpjaGhPZWc3Tnhv - Y1ZMRnoyL0UvM0c2VDh3OUNGcUc1ZDAKaYP5I7bNU4wDqkOy2IccCKa8RIwtsZzZ - F+K2zAR0/AqbpmQqSluSc43bIMl/e8Gq0odbH7ed4zVaSEberAclVA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWEZjN0d5VjRTeCtyck9t + Rysyd01OR1NYQ3o5R1pVTlZpbzdCV0liVGtNCi9TYllCT1lqQzFQUy95TVl5UFZI + SkRZRFpBSjR6R0tOQUNuNW8waTBOSzAKLS0tIGJDQUpkM3MzQ293d0hDRVFMMnRE + cnA2TFlVVWdubWI0MC8raHVLYlFuNFkK9GrFQVNPLEMFCBYtZIQFrdZkcwMez/PJ + TZZjEmn6jsUH9KBHQIB4I+L+XWlIQJDLMhTRQ+n3X+GbYA+IFVTtZw== -----END AGE ENCRYPTED FILE----- - recipient: age12p9lw3zgufcg7qx375t9lwtckzwgj0tkn2pt9uj3tnx9sn3ucqgsf5ctdd enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvREhUMlNaRFhndTdQR2Q3 - 
cWhPZUt4cm50QkpsdUJ5QlVvV1lTWW1KcUJvCkRFVEJnTGRmZUtzQ3NJRGZ3dlkx - M2lTeGVJZFl0WkZjYmVJb0luc2JmVHMKLS0tIGV1WVFGcXFuMWJ1VnBLN0FrczNT - ZHRkQkVhZWFZU2t6Y1Q1dStnc3dLbDQKMmqepjfhwaSDZ1RDl+KpTPAmSG5WcY4k - CDPJZfQeXGJtVKyqRI7jIrGe1REFiN3eUZUVVoSr0tEc/1hNyKtJ7Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCbXdRb2ZLWCtzOHVWRWdi + MTExQ1d4YWRNcVlWY1lTRmZvNExlcXE5aFVvCm1RR1B0Vk9LbUZiWFljRFdBcWxM + MjE0NC9wbUFCanZ6QXU2elVzeGVaYTAKLS0tIEZjYjRpcjRmM3kxdXp1bjNVN1hk + RDJQbDU4OVFjYSsrc3pnWnZqb3FFOUEKIrOroDZMQ/rQ/iTSksLxqeSKXinvU3Rs + Mcf6jmSW8jp9Zv16+ZgKGGXT04WNaG8y3a063+T1HYz6kO3ixouAcA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pvmyk2ukaaq0xqx6wcst4smlfh2l76camukfv03ykfr0qdhuce6quttryy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObG1wSktGTXlJTnBsN0tG + NkhVMmwvUG1lczlmaWhzZllzeXljbC92TG5zCkcxdElSSlhDSTQySllFWkRqdXFu + eDA2cXZtUGJsdkNrV3dLVVpZYllvZWsKLS0tIHYzalYzNWIzUDNGY2pLWTkreTFY + WE9Eem4yMVJwVVJuRC94cVJSNHVzODgKAiEMY3apoqHQxEOMw1MFvZMZsnUw9ESB + fSkAHnX6GduUXioH24pDTqYJuOoJwiCd9qrg89wJSnAwLs6m1Lw2Kg== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-12-17T20:21:39Z" mac: ENC[AES256_GCM,data:IbpBloPeCvdYqloShrSvAIUzjCk+/1+Gl4+LbyKGnO9GUadlwJTyA/WDWiCkdmyFqqpMclD4Kq4CDYK341pSjyNdbfO2nIWU7/k+T7MaGoOzCJZhK/ysZjn7uUeNpkRNBJMht7VYGc6V4iEvJ835z4VAfnTb51mBz+Ytjpk6K+c=,iv:+RVwgp3btRyi1fCjPcMPZ5Du+3RlCkwFNqjFGrS+5zE=,tag:fpNwqMS6CH6pgd2QmaWggA==,type:str]