started sops config; got ddclient to work

This commit is contained in:
Ellis Rahhal 2024-01-14 01:12:45 -08:00
parent 8bbe2396e4
commit 38e421ac0c
14 changed files with 267 additions and 26 deletions


@ -28,3 +28,6 @@ setup:
ssh: ssh:
ssh-keygen -R "[localhost]:2223" ssh-keygen -R "[localhost]:2223"
ssh -o StrictHostKeychecking=no -p 2223 homefree@localhost ssh -o StrictHostKeychecking=no -p 2223 homefree@localhost
generate-sops-config:
./generate-sops-config.sh


@ -16,6 +16,11 @@ TODOS
* https://blog.josefsson.org/2015/10/26/combining-dnsmasq-and-unbound/ * https://blog.josefsson.org/2015/10/26/combining-dnsmasq-and-unbound/
### Solutions ### Solutions
* Firewall
* https://www.jjpdev.com/posts/home-router-nixos/
* NAS
* https://github.com/reckenrode/nixos-configs/tree/c556206df2611af2f9ea83954aae1b51461e44c5/hosts/x86_64-linux/meteion
* https://www.reddit.com/r/NixOS/comments/yr21p1/offtheshelf_nas_supporting_nixos/
* reverse proxy * reverse proxy
* Traefik * Traefik
* HAProxy * HAProxy
@ -52,6 +57,8 @@ TODOS
* bacula * bacula
* kopia * kopia
* restic * restic
* Hypervisor
* https://vpsadminos.org/
### VyOS comparison ### VyOS comparison

164
flake.lock generated

@ -38,6 +38,49 @@
"type": "github" "type": "github"
} }
}, },
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1703433843,
"narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
"owner": "ryantm",
"repo": "agenix",
"rev": "417caa847f9383e111d1397039c9d4337d024bf0",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"locked": { "locked": {
"lastModified": 1659877975, "lastModified": 1659877975,
@ -53,9 +96,30 @@
"type": "github" "type": "github"
} }
}, },
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nix-editor": { "nix-editor": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
@ -126,20 +190,36 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1675673983, "lastModified": 1703013332,
"narHash": "sha256-8hzNh1jtiPxL5r3ICNzSmpSzV7kGb3KwX+FS5BWJUTo=", "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
"owner": "nixos", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5a350a8f31bb7ef0c6e79aea3795a890cf7743d4", "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "NixOS",
"ref": "nixos-unstable", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1705033721,
"narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-trunk": { "nixpkgs-trunk": {
"locked": { "locked": {
"lastModified": 1700973916, "lastModified": 1700973916,
@ -172,6 +252,22 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1675673983,
"narHash": "sha256-8hzNh1jtiPxL5r3ICNzSmpSzV7kGb3KwX+FS5BWJUTo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5a350a8f31bb7ef0c6e79aea3795a890cf7743d4",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1700787330, "lastModified": 1700787330,
"narHash": "sha256-4VIBCyfqnEsdVP/SgKZ3rudwzxGdEqpKfgoWETs/I6k=", "narHash": "sha256-4VIBCyfqnEsdVP/SgKZ3rudwzxGdEqpKfgoWETs/I6k=",
@ -187,15 +283,67 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": {
"locked": {
"lastModified": 1704842529,
"narHash": "sha256-OTeQA+F8d/Evad33JMfuXC89VMetQbsU4qcaePchGr4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "eabe8d3eface69f5bb16c18f8662a702f50c20d5",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"adblock-unbound": "adblock-unbound", "adblock-unbound": "adblock-unbound",
"agenix": "agenix",
"nix-editor": "nix-editor", "nix-editor": "nix-editor",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_3",
"nixpkgs-trunk": "nixpkgs-trunk", "nixpkgs-trunk": "nixpkgs-trunk",
"nixpkgs-unstable": "nixpkgs-unstable" "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_4",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1705201153,
"narHash": "sha256-y0/a4IMDZrc7lAkR7Gcm5R3W2iCBiARHnYZe6vkmiNE=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "70dd0d521f7849338e487a219c1a07c429a66d77",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
} }
}, },
"utils": { "utils": {


@ -20,6 +20,10 @@
nix-editor.url = "github:vlinkz/nix-editor"; nix-editor.url = "github:vlinkz/nix-editor";
agenix.url = "github:ryantm/agenix";
sops-nix.url = "github:Mic92/sops-nix";
adblock-unbound = { adblock-unbound = {
url = "github:MayNiklas/nixos-adblock-unbound"; url = "github:MayNiklas/nixos-adblock-unbound";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -41,6 +45,8 @@
nixos-generators, nixos-generators,
nixos-hardware, nixos-hardware,
nixpkgs, nixpkgs,
agenix,
sops-nix,
... ...
}@inputs: }@inputs:
{ {
@ -54,6 +60,8 @@
modules = [ modules = [
nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-laptop nixos-hardware.nixosModules.common-pc-laptop
agenix.nixosModules.default
sops-nix.nixosModules.sops
# inputs.nixos-router.nixosModules.default # inputs.nixos-router.nixosModules.default
# inputs.notnft.lib.${system} # inputs.notnft.lib.${system}
@ -62,6 +70,8 @@
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
inherit system; inherit system;
inherit agenix;
inherit sops-nix;
}; };
}; };
lan-client = lan-client =
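Review bot: The new `agenix` and `sops-nix` inputs are declared without `inputs.nixpkgs.follows = "nixpkgs"`, unlike `adblock-unbound` directly below them, which is why flake.lock in this same commit gains separate `nixpkgs`, `nixpkgs_4` and `nixpkgs-stable` entries — extra nixpkgs revisions to fetch and audit, and secret modules evaluated against a different nixpkgs than the host. Declare them as `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };` and `sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };`. The `inherit agenix; inherit sops-nix;` lines in specialArgs are redundant with `inherit inputs;` (both are reachable as `inputs.agenix` / `inputs.sops-nix`), though harmless. Both a sops-nix and an agenix module are now loaded while only agenix is configured anywhere in the commit; if sops is the intended end state, a one-line comment marking agenix as interim would save the next reader a search.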

30
generate-sops-config.sh Executable file

@ -0,0 +1,30 @@
#!/usr/bin/env bash
cp ~/.ssh/id_rsa /tmp/id_rsa
ssh-keygen -p -N "" -f /tmp/id_rsa
USER_GPG_FINGERPRINT=$(nix-shell -p gnupg -p ssh-to-pgp --run "ssh-to-pgp -private-key -i ~/.ssh/id_rsa | gpg --import --quiet" 2>&1)
rm /tmp/id_rsa
ssh-keygen -R "[localhost]:2223"
SERVER_GPG_FINGERPRINT=$(ssh -o StrictHostKeychecking=no -p 2223 homefree@localhost "sudo cat /etc/ssh/ssh_host_rsa_key" | nix-shell -p ssh-to-pgp --run "ssh-to-pgp -o homefree.asc" 2>&1)
# This example uses YAML anchors which allows reuse of multiple keys
# without having to repeat yourself.
# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
# for a more complex example.
cat > .sops.yaml << EOF
keys:
- &user_homefree $USER_GPG_FINGERPRINT
- &server_homefree $SERVER_GPG_FINGERPRINT
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *user_homefree
- *server_homefree
- path_regex: secrets/homefree/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *user_homefree
- *server_homefree
EOF
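Review bot: The passphrase-stripped copy at `/tmp/id_rsa` is never used: `ssh-keygen -p -N ""` rewrites `/tmp/id_rsa`, but the `ssh-to-pgp` call on the next line reads `~/.ssh/id_rsa`, so the copy only leaves an unencrypted private key at a predictable path in a world-readable directory until `rm` — and no `rm` runs if an earlier step fails, since the script has no `set -e` and no trap. Use a `mktemp` file (created 0600) with an EXIT trap and point `-i` at it; with `set -euo pipefail` an empty `USER_GPG_FINGERPRINT` also aborts instead of writing a blank anchor into `.sops.yaml`. Separately, `ssh-keygen -R` followed by `StrictHostKeychecking=no` means the server's identity is not verified on the very connection that streams its RSA host private key to the workstation; running `ssh-to-pgp` on the server and returning only the fingerprint and public key would keep the private key on the host. The `2>&1` inside both substitutions also folds any warning `gpg` or `ssh` prints into the fingerprint variables, so the generated file is worth inspecting before use.
```shell
#!/usr/bin/env bash
set -euo pipefail
tmp_key=$(mktemp)
trap 'rm -f "$tmp_key"' EXIT
cp ~/.ssh/id_rsa "$tmp_key"
ssh-keygen -p -N "" -f "$tmp_key"
USER_GPG_FINGERPRINT=$(nix-shell -p gnupg -p ssh-to-pgp --run "ssh-to-pgp -private-key -i $tmp_key | gpg --import --quiet" 2>&1)
# … unchanged: server fingerprint retrieval and .sops.yaml heredoc …
```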


@ -3,6 +3,7 @@
{ {
imports = [ imports = [
inputs.nixos-generators.nixosModules.all-formats inputs.nixos-generators.nixosModules.all-formats
../../profiles/agenix.nix
../../profiles/common.nix ../../profiles/common.nix
../../profiles/config-editor.nix ../../profiles/config-editor.nix
../../profiles/hardware-configuration.nix ../../profiles/hardware-configuration.nix
@ -39,10 +40,6 @@
# Prevent hanging when waiting for network to be up # Prevent hanging when waiting for network to be up
systemd.network.wait-online.anyInterface = true; systemd.network.wait-online.anyInterface = true;
## @TODO: Any ramifications of this?
systemd.network.wait-online.enable = false;
systemd.services.NetworkManager-wait-online.enable = false;
# -------------------------------------------------------------------------------------- # --------------------------------------------------------------------------------------
# Device specific # Device specific
@ -54,16 +51,27 @@
networking = { networking = {
# @TODO: Make this UI configurable # @TODO: Make this UI configurable
hostName = "homefree"; hostName = "homefree";
## NetworkManager disabled in favor of networkd
useNetworkd = true; useNetworkd = true;
networkmanager = {
enable = true;
};
wireless = { wireless = {
# Disable wpa_supplicant # Disable wpa_supplicant
enable = false; enable = false;
}; };
interfaces = {
ens3.useDHCP = true;
};
}; };
# services.openssh.hostKeys = [
# {
# bits = 4096;
# openSSHFormat = true;
# path = "/etc/ssh/ssh_host_rsa_key";
# rounds = 100;
# type = "rsa";
# }
# ];
# -------------------------------------------------------------------------------------- # --------------------------------------------------------------------------------------
# Hardware specific # Hardware specific
# -------------------------------------------------------------------------------------- # --------------------------------------------------------------------------------------
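Review bot: The commented-out `services.openssh.hostKeys` block (the eight `#` lines after the `networking` set) is dead configuration with no explanation of why it is kept; either drop it or replace it with one comment stating the dependency it hints at, e.g. `# agenix decrypts with the host RSA key at /etc/ssh/ssh_host_rsa_key (see profiles/agenix.nix) — confirm`. `interfaces.ens3.useDHCP = true;` hard-codes an interface name that the rest of the config treats as unknown (a `@TODO: How to determine interface names?` appears in the ddclient file's first hunk); a comment naming where `ens3` comes from, or a reference to that TODO, would help. The same hard-coded `ens3` block is duplicated in the lan-client host (hunk `@ -49,14 +46,15 @@`), so the two are already drifting candidates for a shared profile. The `networkmanager` removal here is consistent with profiles/common.nix dropping the group and package — fine.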


@ -35,9 +35,6 @@
# Prevent hanging when waiting for network to be up # Prevent hanging when waiting for network to be up
systemd.network.wait-online.anyInterface = true; systemd.network.wait-online.anyInterface = true;
## @TODO: Any ramifications of this?
systemd.network.wait-online.enable = false;
systemd.services.NetworkManager-wait-online.enable = false;
# -------------------------------------------------------------------------------------- # --------------------------------------------------------------------------------------
@ -49,14 +46,15 @@
networking = { networking = {
hostName = "lan-client"; hostName = "lan-client";
## NetworkManager disabled in favor of networkd
useNetworkd = true; useNetworkd = true;
networkmanager = {
enable = true;
};
wireless = { wireless = {
# Disable wpa_supplicant # Disable wpa_supplicant
enable = false; enable = false;
}; };
interfaces = {
ens3.useDHCP = true;
};
}; };
# -------------------------------------------------------------------------------------- # --------------------------------------------------------------------------------------

14
profiles/agenix.nix Normal file

@ -0,0 +1,14 @@
{ agenix, options, system, ... }:
{
environment.systemPackages = [
agenix.packages.${system}.default
];
age.secrets.ddclient.file = ../secrets/ddclient.age;
age.secrets.ddclient-conf.file = ../secrets/ddclient-conf.age;
# default path is /etc/ssh/ssh_host_rsa_key
age.identityPaths = options.age.identityPaths.default ++ [
"/home/homefree/.ssh/id_rsa"
];
}
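Review bot: `age.identityPaths` appends `/home/homefree/.ssh/id_rsa`, so the root-run activation step reads a user's private key and every host secret becomes decryptable by that user key rather than by the host identity alone; since activation is non-interactive, this only works if that key sits unencrypted on the host. The reason is visible in `secrets/secrets.nix` in this commit, which lists only the user key in `publicKeys`; the cleaner fix is to add the host's public host key there and keep the default `identityPaths` (which the comment already notes covers `/etc/ssh/ssh_host_rsa_key`). The two `age.secrets.*` entries set no `owner`/`mode`, so they keep agenix's defaults (root-only, as far as I recall); state the expectation in a comment, e.g. `# root-only is intentional: ddclient reads its config as root — confirm`. `age.secrets.ddclient` is also declared but not referenced by `services.ddclient` anywhere in this commit.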


@ -100,7 +100,7 @@
isNormalUser = true; isNormalUser = true;
home = "/home/homefree"; home = "/home/homefree";
description = "Homefree User"; description = "Homefree User";
extraGroups = [ "wheel" "networkmanager" ]; extraGroups = [ "wheel" ];
# @TODO: Make this dynamic, not hard coded # @TODO: Make this dynamic, not hard coded
openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNvmGn1/uFnfgnv5qsec0GC04LeVB1Qy/G7WivvvUZVBBDzp8goe1DsE8M8iqnBSin56gQZDWsd50co2MbFAWuqH2HxY7OGay7P/V2q+SziTYFva85WGl84qWvYMmdB+alAFBT3L4eH5cegC5NhNp+OGsQuq32RdojgXXQt6vyZnaOypuz90k3rqV6Rt+iBTLz6VziasCLcYydwOvi9f1q6YQwGPLKaupDrV6gxvoX9bXLdopqwnXPSE/Eqczxgwc3PefvAJPSd6TOqIXvbtpv/B3Evt5SPe2gq+qASc5K0tzgra8KAe813kkpq4FuKJzHbT+EmO70wiJjru7zMEhd erahhal@nfml-erahhalQFL" ]; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNvmGn1/uFnfgnv5qsec0GC04LeVB1Qy/G7WivvvUZVBBDzp8goe1DsE8M8iqnBSin56gQZDWsd50co2MbFAWuqH2HxY7OGay7P/V2q+SziTYFva85WGl84qWvYMmdB+alAFBT3L4eH5cegC5NhNp+OGsQuq32RdojgXXQt6vyZnaOypuz90k3rqV6Rt+iBTLz6VziasCLcYydwOvi9f1q6YQwGPLKaupDrV6gxvoX9bXLdopqwnXPSE/Eqczxgwc3PefvAJPSd6TOqIXvbtpv/B3Evt5SPe2gq+qASc5K0tzgra8KAe813kkpq4FuKJzHbT+EmO70wiJjru7zMEhd erahhal@nfml-erahhalQFL" ];
hashedPassword = "$6$5.6V9H0g5F47ubUm$e0N.GXZ9eoqmvpO9MjZlCISC9IIxKKcf0xtnuFyuXSQEQlfaazrS4kBhplDB6GCsQgwpOxdrX2DmcwbMiX/h30"; hashedPassword = "$6$5.6V9H0g5F47ubUm$e0N.GXZ9eoqmvpO9MjZlCISC9IIxKKcf0xtnuFyuXSQEQlfaazrS4kBhplDB6GCsQgwpOxdrX2DmcwbMiX/h30";
@ -262,7 +262,6 @@
p7zip p7zip
pciutils pciutils
powertop powertop
networkmanager
sshpass sshpass
steampipe steampipe
tmux tmux


@ -13,7 +13,7 @@
virtualHosts."localhost" = { virtualHosts."localhost" = {
extraConfig = '' extraConfig = ''
respond "Hello, world!" respond "Hello, my world!"
''; '';
}; };


@ -1,4 +1,4 @@
{ pkgs, inputs, ... }: { config, inputs, pkgs, ... }:
let let
# @TODO: How to determine interface names? # @TODO: How to determine interface names?
@ -337,7 +337,13 @@ in
# @TODO: https://discourse.nixos.org/t/ddclient-options/20935 # @TODO: https://discourse.nixos.org/t/ddclient-options/20935
services.ddclient = { services.ddclient = {
enable = true; enable = true;
quiet = true; interval = "10m";
# protocol = "zoneedit1";
# username = "erahhal";
# zone = "homefree.host";
# passwordFile = config.age.secrets.ddclient.path;
# verbose = true;
configFile = config.age.secrets.ddclient-conf.path;
}; };
#----------------------------------------------------------------------------------------------------- #-----------------------------------------------------------------------------------------------------

BIN
secrets/ddclient-conf.age Normal file

Binary file not shown.

10
secrets/ddclient.age Normal file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-rsa I5kVuQ
iYzn4Eih+pduA/dTEdIN4KRbz11v7h5y+vc4YVLJzwNq9ehK1yvkMwbqYyufFgpr
6HYOhW+gYqD31Go2HFYjC68Lw0sXfsAjP7wAh6xBI5NQxfZO+o2eDYV9c2zGs1oL
yM7AC0jBiK8jTIeKrwruL9FM/k9+OO21Cpib+ud3otzNAn6sqK8uWq4ls+nw+M5j
9JvoDt7pWsawwXA6mf5zQ9NDi6sBV8hRO+Kd1WmlEvViXjkdNNjIE6tMH5Aa8nTs
pJt6sQYfsQgtgFOuCekBGJfJXpwwgnG0q7NNVi1L6shU72SugHUnO6q85qY5vTuV
SVVjkfN//hwgoSe5sUYorA
--- Sm8ZkBgdgHoPgQ/p2fzn3LSM3umbuK7UNTO1RuVFVk8
˜'se"ûa·›$]ͲΜ½l`a Z|…V{[òÊàáºô×ÎÙcŠãÿ¥

8
secrets/secrets.nix Normal file

@ -0,0 +1,8 @@
let
erahhal = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNvmGn1/uFnfgnv5qsec0GC04LeVB1Qy/G7WivvvUZVBBDzp8goe1DsE8M8iqnBSin56gQZDWsd50co2MbFAWuqH2HxY7OGay7P/V2q+SziTYFva85WGl84qWvYMmdB+alAFBT3L4eH5cegC5NhNp+OGsQuq32RdojgXXQt6vyZnaOypuz90k3rqV6Rt+iBTLz6VziasCLcYydwOvi9f1q6YQwGPLKaupDrV6gxvoX9bXLdopqwnXPSE/Eqczxgwc3PefvAJPSd6TOqIXvbtpv/B3Evt5SPe2gq+qASc5K0tzgra8KAe813kkpq4FuKJzHbT+EmO70wiJjru7zMEhd erahhal@nfml-erahhalQFL";
users = [ erahhal ];
in
{
"ddclient.age".publicKeys = users;
"ddclient-conf.age".publicKeys = users;
}
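Review bot: Only the user key `erahhal` appears in `publicKeys`, so the host cannot decrypt these files with its own SSH host key; that is presumably why `profiles/agenix.nix` in this commit adds `/home/homefree/.ssh/id_rsa` to `age.identityPaths`. The usual layout keeps a separate host entry — e.g. `homefree = "ssh-rsa <HOST_PUBKEY_PLACEHOLDER>";` (the host's `/etc/ssh/ssh_host_rsa_key.pub`; constructed placeholder) and `"ddclient.age".publicKeys = users ++ [ homefree ];` — so secrets are keyed to the host identity and the user key stays a user key. The long `ssh-rsa` literal also duplicates the one in profiles/common.nix `openssh.authorizedKeys.keys`; a comment noting the two must stay in sync would prevent silent drift.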