From e888c4ec3049b1889b0d79feada691c7269c394a Mon Sep 17 00:00:00 2001
From: Chris Dombroski
Date: Sat, 4 May 2024 13:21:11 -0400
Subject: [PATCH] Secreted passwords
---
 secrets/smolboi/users.yaml | 33 +++++++++++++++++++++++++++++++
 systems/smolboi/configuration.nix | 28 ++++++++++++++++++++------
 2 files changed, 55 insertions(+), 6 deletions(-)
 create mode 100644 secrets/smolboi/users.yaml
diff --git a/secrets/smolboi/users.yaml b/secrets/smolboi/users.yaml
new file mode 100644
index 0000000..7b68729
--- /dev/null
+++ b/secrets/smolboi/users.yaml
@@ -0,0 +1,33 @@
+root:
+ password: ENC[AES256_GCM,data:82Kb0rIShlbfK1Q4rISjzDcP7JZ7Z0AfIW2a3QbXm4nM+IZvKMp6yo3xknOSCDWLmLyDeCB+ZJ2b8DCEt4HESEGLgWFXTye0cg==,iv:sAczzEFpsR18Ze5jIpjLzIa6bgEschzP33pJhCp8CMU=,tag:272F/o7uQI5Pe1c5C8Sxgw==,type:str]
+cdombroski:
+ password: ENC[AES256_GCM,data:y4WEliyhHI+M9GHkH40jnbjcsR6pcNOx0TNvGvGSjqy82589XyfjTWsuM63d6RApQAr67xp9rDK2e42/II+IBgmZhrCy4ZNfkw==,iv:YRroI8xD9OAoTZ2dvN7QgCX8bXCdjGwEnN/STbI8UcU=,tag:MGt22XEvxZegvEGA6xEGQw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age15va8dthvmn30ymex0kkrrk034aq25drmsx4mkmf480a8uq4tvcyqw5s4uk
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDSXNFeWttQkxPT1oxV01V
+ ZlVHeHlQencrcVQyVzlpRDM1b3JOd0ZTK1Y0CndXQWg2dHB6L3BvS3IwYlBteU91
+ cmZSb1BnSFViVHNaUXNVOXNBOG8ySzAKLS0tIGxwYzlWSnpTT3VaM2RqbWFLc0or
+ alczZGxNR1VCZkFmY3JRNmlaWHI4U2cKjIRtFLGaSnD+qiNQu1vZmAW3Ct0Mt3vW
+ 6fhU0J1X3pdv/dtmuhtc3Bc0SyrUsdqJwPimSdoVd+mtutPrUHWijQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1qmv6x6zwxhaks86nqtsvck56ucdyc9fakgp59a30afl95p6vp4aqyf22hp
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdVRZSDdwTGpGWjZQZmQy
+ WDJmS1IzeXMrZk5rUEJ5dXJKMXlKUCsyV0JrCjJkbDZyQTB2SU9IeUZtVkxUREtp
+ ZDlPZEhRWE9vT1hCS0s3bi9qNWNLVU0KLS0tIE9Bd09yZHgrdDg2RnlFbXArcEV1
+ TGJhc2xmQ0dYdzBscDJac056dWx5ZDQK0cqHidbDzQ69Tg+HK/t52BN4+8Sjmbyh
+ McK8kBR738UH8DvrJOGTzNOVMGp07FF8hUKOw0KcpFULb7ir/foXLg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-04T17:20:01Z"
+ mac: ENC[AES256_GCM,data:abnIPL8ULXltUg/E0S3q1qdDTpOApMKoT8kbZQAlBcVfmwV1IasidfyJV89gVO0yn4FX95cbZbfFTpYb36vfkn9Mjk0D6FZuhqcrneHrWvUhlmBoGaBgCUWiTQvCES/X9T5kLlve0K9afzFY46vN/K1R65Ndx+hqV+U/13TC81E=,iv:GOiqavfTbJev13X+IfyIRbgCjJ++C68ogc/70xHkWJk=,tag:hfjZSd5lfMKjXZDlFUQgQQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
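Review bot: The file is encrypted to two age recipients (the two `recipient:` entries under `age:`), and because configuration.nix consumes these secrets with `neededForUsers = true`, the host itself must be able to decrypt this file at activation time, which requires one of those recipients to be the key sops-nix derives from this host's SSH host key; the hunk does not make clear which recipient that is. Wherever the repository declares its creation rules (typically a `.sops.yaml`), a short comment naming the purpose of each recipient, e.g. `# <placeholder: recipient 1> = smolboi host key, <placeholder: recipient 2> = administrator`, would keep a key rotation from accidentally dropping the host and locking it out. Both recipients should also be listed there so a future re-encryption keeps them in sync with this file.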
diff --git a/systems/smolboi/configuration.nix b/systems/smolboi/configuration.nix
index 98ae192..ad31ed3 100644
--- a/systems/smolboi/configuration.nix
+++ b/systems/smolboi/configuration.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, sops, ... }:
 {
 imports =
@@ -25,7 +25,14 @@
 };
 };
 powerManagement.cpuFreqGovernor = "schedutil";
-
+ sops.secrets."cdombroski/password" = {
+ neededForUsers = true;
+ sopsFile = ../../secrets/smolboi/users.yaml;
+ };
+ sops.secrets."root/password" = {
+ neededForUsers = true;
+ sopsFile = ../../secrets/smolboi/users.yaml;
+ };
 networking = {
 hostName = "smolboi"; # Define your hostname.
@@ -102,10 +109,19 @@
 security = {
 rtkit.enable = true;
 };
-users.users.cdombroski = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- uid = 1000;
+ users = {
+ mutableUsers = false;
+ users = {
+ root = {
+ hashedPasswordFile = config.sops.secrets."root/password".path;
+ };
+ cdombroski = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ uid = 1000;
+ hashedPasswordFile = config.sops.secrets."cdombroski/password".path;
+ };
+ };
 };
 environment = {
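Review bot: The new `sops` function argument in `{ config, lib, pkgs, sops, ... }:` is not referenced anywhere in this diff — the `sops.secrets` lines in the second hunk are option definitions inside the module body, not uses of the argument — so unless `sops` is injected through `specialArgs` or `_module.args` elsewhere, module evaluation will fail with a missing-argument error. If nothing supplies it, revert the line to `{ config, lib, pkgs, ... }:`; the sops-nix module is normally pulled in through `imports`, whose list starts in this hunk but continues outside it.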
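Review bot: The two secret definitions in the second hunk repeat `sopsFile = ../../secrets/smolboi/users.yaml;`; declaring `sops.defaultSopsFile = ../../secrets/smolboi/users.yaml;` once and dropping the per-secret `sopsFile` lines keeps the blocks from drifting when another user is added. Since the third hunk feeds these secrets to `hashedPasswordFile`, a comment above the first definition such as `# Values in users.yaml must be password hashes (mkpasswd output), not plaintext; decrypted before user creation because neededForUsers = true` records the format the encrypted values have to hold, which nothing in this file otherwise states.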
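Review bot: With `mutableUsers = false` and `hashedPasswordFile` set for both `root` and `cdombroski` in the third hunk, a failed sops decryption at activation (host key not among the recipients, stale MAC after an edit) leaves neither account with a usable password, and recovery then depends on SSH authorized keys that are not visible in this diff. Worth confirming such a key exists for `cdombroski` before deploying this change and recording the dependency next to `mutableUsers = false;`, e.g. `# Password login depends entirely on sops decrypting secrets/smolboi/users.yaml at activation.`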