From e89620677a91a02341e73f622c845ad18c363ded Mon Sep 17 00:00:00 2001
From: Chris Dombroski
Date: Fri, 26 Apr 2024 14:14:50 -0400
Subject: [PATCH] MSMTP
---
 .sops.yaml | 28 +++++++++++++++
 flake.lock | 40 ++++++++++++++++++++-
 flake.nix | 9 ++++-
 modules/common/msmtp.nix | 26 ++++++++++++++
 modules/common/sops.nix | 7 ++++
 secrets/secret.yaml | 49 ++++++++++++++++++++++++++
 systems/orangepihole/configuration.nix | 1 +
 systems/smolboi/configuration.nix | 1 +
 systems/zeus/configuration.nix | 1 +
 9 files changed, 160 insertions(+), 2 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 modules/common/msmtp.nix
 create mode 100644 modules/common/sops.nix
 create mode 100644 secrets/secret.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..1fd35ec
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,28 @@
+keys:
+  - &admin_cdombroski age15va8dthvmn30ymex0kkrrk034aq25drmsx4mkmf480a8uq4tvcyqw5s4uk
+  - &system_smolboi age1qmv6x6zwxhaks86nqtsvck56ucdyc9fakgp59a30afl95p6vp4aqyf22hp
+  - &system_zeus age1y06hfa8ctp3tr7g2rukmst4cl064hxaqfsx8w0yq4tgmcrv7qvksct7mnl
+  - &system_orangepihole age12g2kuerwhpyd4t0jrynfc0wlj66rltyp34lsca4y5llmly8jppcq5ug3kc
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *admin_cdombroski
+          - *system_smolboi
+          - *system_zeus
+          - *system_orangepihole
+  - path_regex: secrets/smolboi/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *admin_cdombroski
+          - *system_smolboi
+  - path_regex: secrets/zeus/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *admin_cdombroski
+          - *system_zeus
+  - path_regex: secrets/orangepihole/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *admin_cdombroski
+          - *system_orangepihole
diff --git a/flake.lock b/flake.lock
index b358617..6e6a059 100644
--- a/flake.lock
+++ b/flake.lock
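Review bot: The catch-all rule `secrets/[^/]+\.(yaml|json|env|ini)$` encrypts to the admin key plus all three host keys, and the only secret this commit adds (`gmail/password` in `secrets/secret.yaml`) falls under it, so a single Gmail credential is decryptable on every host and compromise of any one machine forces rotating it everywhere. The per-host rules for `secrets/smolboi/`, `secrets/zeus/` and `secrets/orangepihole/` are declared but nothing uses them yet; issuing one app password per host and keeping each under its host directory would make a leak attributable and revocable per machine. The `system_*` recipients are presumably the hosts' ed25519 host keys converted with ssh-to-age (given `sops.age.sshKeyPaths` in modules/common/sops.nix), and that provenance deserves a comment so a future re-key is reproducible, e.g. `# system_*: ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub on each host; run sops updatekeys after a host reinstall`.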
@@ -91,6 +91,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1713638189,
+        "narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "74574c38577914733b4f7a775dd77d24245081dd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1713995372,
@@ -111,7 +127,29 @@
         "deploy-rs": "deploy-rs",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_2",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1713892811,
+        "narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
     },
     "systems": {
diff --git a/flake.nix b/flake.nix
index 2eab46c..3929e51 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,8 +8,12 @@
       url = github:nix-community/home-manager/release-23.11;
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
-  outputs = inputs@{ self, nixpkgs, flake-utils, home-manager, deploy-rs, ... }:
+  outputs = inputs@{ self, nixpkgs, flake-utils, home-manager, deploy-rs, sops-nix, ... }:
   let
     pkgs = import nixpkgs { system = "x86_64-linux"; };
     aarch64Pkgs = import nixpkgs { system = "aarch64-linux"; };
@@ -32,6 +36,7 @@
   nixosConfigurations = {
     smolboi = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
+      specialArgs = { inherit inputs; };
       modules = [
         ./systems/smolboi/configuration.nix
         home-manager.nixosModules.home-manager
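Review bot: `sops-nix` is added with a bare `github:Mic92/sops-nix` URL while the neighbouring `home-manager` input pins `release-23.11`; flake.lock fixes the rev for now, but every `nix flake update` will move the component that decrypts all host secrets to whatever master holds at that moment. If a tag or branch pin is not wanted, a comment such as `# unpinned: review sops-nix diffs before bulk-updating the lock` next to the `url` line at least records the intent. The lock also shows sops-nix pulling in its own `nixpkgs-stable` checkout; `inputs.nixpkgs-stable.follows = "nixpkgs";` beside the existing follows line avoids the second nixpkgs, assuming the root nixpkgs is a release branch (its ref is not visible here).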
@@ -43,10 +48,12 @@
     };
     zeus = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
+      specialArgs = { inherit inputs; };
       modules = [ ./systems/zeus/configuration.nix ];
     };
     orangepihole = nixpkgs.lib.nixosSystem {
       system = "aarch64-linux";
+      specialArgs = { inherit inputs; };
       modules = [ ./systems/orangepihole/configuration.nix ];
     };
   };
diff --git a/modules/common/msmtp.nix b/modules/common/msmtp.nix
new file mode 100644
index 0000000..eccdc33
--- /dev/null
+++ b/modules/common/msmtp.nix
@@ -0,0 +1,26 @@
+{ config, ... }: {
+  sops.secrets."gmail/password" = {};
+  programs.msmtp = {
+    enable = true;
+    accounts.default = {
+      auth = true;
+      tls = true;
+      host = "smtp.gmail.com";
+      port = 587;
+      from = "${config.networking.hostName}@notification.icanttype.org";
+      user = "cdombroski";
+      passwordeval = "cat ${config.sops.secrets."gmail/password".path}";
+    };
+    defaults.aliases = "/etc/aliases";
+  };
+
+  environment.etc = {
+    "aliases" = {
+      text = ''
+        root: cdombroski@gmail.com
+      '';
+      mode = "0644";
+    };
+  };
+}
+
diff --git a/modules/common/sops.nix b/modules/common/sops.nix
new file mode 100644
index 0000000..293f192
--- /dev/null
+++ b/modules/common/sops.nix
@@ -0,0 +1,7 @@
+{ inputs, ... } : {
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+  sops.defaultSopsFile = ../../secrets/secret.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+}
diff --git a/secrets/secret.yaml b/secrets/secret.yaml
new file mode 100644
index 0000000..d55cab4
--- /dev/null
+++ b/secrets/secret.yaml
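Review bot: `passwordeval = "cat ${config.sops.secrets."gmail/password".path}"` only works for root: a secret declared as `{}` gets sops-nix's defaults (owner root, mode 0400 — not shown here, confirm), and the NixOS msmtp sendmail wrapper is not setuid as far as I recall, so any non-root service that calls sendmail fails at password lookup rather than falling back. That is acceptable while the only senders are root daemons such as smartd; if other users need mail, declare `sops.secrets."gmail/password" = { mode = "0440"; group = "<senders group>"; };` and add the senders to that group rather than loosening the mode further. `tls = true` on port 587 relies on msmtp's STARTTLS default and on `tls_trust_file` defaulting to `system`, which holds for current msmtp releases but is worth confirming for the version nixpkgs 23.11 ships, or pin it with `tls_trust_file = "/etc/ssl/certs/ca-certificates.crt";` so certificate verification does not depend on the build. A comment above `passwordeval` along the lines of `# secret is root:root 0400 by default; only root-run senders can authenticate` would save the next person the debugging.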
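Review bot: Both `sops.age.sshKeyPaths` and `sops.age.keyFile` with `generateKey = true` are set, so each host carries two decryption identities: the one derived from the ed25519 host key (which is what the `.sops.yaml` recipients must correspond to, presumably via ssh-to-age) and a freshly generated `/var/lib/sops-nix/key.txt` that is not a recipient of anything and is therefore dead weight, until someone encrypts to it and key custody is split across two mechanisms. Pick one: drop the `keyFile`/`generateKey` lines, or drop `sshKeyPaths` and add the generated keys as recipients. Either way the operational consequence belongs in a comment, e.g. `# Host secrets are keyed to the ed25519 host key: reinstalling a host means re-adding its age recipient in .sops.yaml and running sops updatekeys.` Note that `defaultSopsFile` as a path literal copies the encrypted file into the world-readable Nix store, which is fine for ciphertext but means the recipient list is visible on every host.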
@@ -0,0 +1,49 @@ +gmail: + password: ENC[AES256_GCM,data:rCL2RzU1INRT5KOyl1JriQ==,iv:jhFDcNHgIJnZTBN9msECQWvy75IH1wO5IFAxqR4Ugng=,tag:cK+A4Os/9xchpNjpb2KAbQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age15va8dthvmn30ymex0kkrrk034aq25drmsx4mkmf480a8uq4tvcyqw5s4uk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRbEdQaDZhUVdIMUFjSVlK + WUF6NDU2SnUrRHNQUmNRKzVKV0NtYnljMjNJCkdIbGNvZVN5Mkl1Uk5qclZNcnBJ + MlBEbUlUdFIxM0krRnZ2ZWgwVThpYXMKLS0tIDVxZjRMUjBQM2oySmJFR2RnSWpT + TnprMkgzckJRUmF4VkJjMGJIWWdQbmcKr82c2dd+xN+aNA7dnH0ewD/Y3Ed8/qcE + JP5U19gTNah/DmeKB0X0J+iX5akjxNAfe2LmgYGJseLqqaIj9uyatg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qmv6x6zwxhaks86nqtsvck56ucdyc9fakgp59a30afl95p6vp4aqyf22hp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRUpyOFJSeS9XN0NWUDI5 + QS9nZDVOWGlRNmZXa0ZnSGNIMGtMTDV5TDBBCkkwcHBtcjVRLzhiejhreWxXS2Fj + dWpRaXByS1hlWCs4U2tQdCtWOWpSRzQKLS0tIFhheWxDNjNxOGlsdzNyN1FUblNa + ZEMrUmhYUXhZVStjRlhVYVB2U25PRW8KMruYhZ46Yf2K/DiUu6SUWMAWmCqKE6dm + ijtyMzEI5JLlQs8NfbujlGx9giVtUD9tHiNcNim2cb5m49nriaIuTg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1y06hfa8ctp3tr7g2rukmst4cl064hxaqfsx8w0yq4tgmcrv7qvksct7mnl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WjBBMnRERWsyUkQ5WCt6 + Tndvdml0UFlnS3RRY0FyT2thYkpDYmZFeTA4ClY5QXN1SWFxYWsydm55QmZIaldT + WFI4VC9CdjFqOUdWeDhOcDIveDN4ZjgKLS0tIEI0c3Y0SnlJTGl0T3JjSlRpYVpF + MW4rYXM5SFg2T1dRN2FBelRVQTBvMXcK32StTJfp44BepZ4pAZbZQJ0qZxF/FkZd + xhzpwvzG0ztrRA3uQy5tEhNYuge4hyn2gNV4lgT13RJSngXULXVt+A== + -----END AGE ENCRYPTED FILE----- + - recipient: age12g2kuerwhpyd4t0jrynfc0wlj66rltyp34lsca4y5llmly8jppcq5ug3kc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1eFJSeVJQSjRmZ1cyUGRt + SXF3bUdLZjIrb1JHMzFQeVpaTFVxNk02b2lJCkVSUysyQVlNajNjNzhmUFhjTk1s + 
bzQ2VVU0RXhVNnYwTEhzRlRMK2NyK0kKLS0tIFdzN0xIOHM0YnRqaDBHRXBqeWJs + OFd1RTNYcGJGSXJOaFpnbjR6YzhjQzAKUZxz47g2MKCVTS1gGJ7p6XCubBu+/CUM + IPQ9uBaW99BB9W9JuIih34/qMVxd/1EHDVk3IDiNB3F3bM8f2LL1yA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-26T17:48:10Z" + mac: ENC[AES256_GCM,data:H2ZvNgVmtUgeNOvXGWxLFC6t8sCzingICyD6Raj42FIYRVaFLbrVblhESVrCYM2LclehBlSS9ceCk6+B/zaYyd5iE8ENzgz287S6t6RfZR9kfWFrtOJ4RINyGDKIFQ4mlt7+QB83DeW7jONeIRbrdI2Imx7fhXes3uHDc51wjGQ=,iv:PDiijPXwGneoo/QQBovxpoT5b0EBpgAGpExnrQ8lfvQ=,tag:PveY9JhZxpMHIbFHLGoSgA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/systems/orangepihole/configuration.nix b/systems/orangepihole/configuration.nix index 570583d..cbab4e5 100644 --- a/systems/orangepihole/configuration.nix +++ b/systems/orangepihole/configuration.nix @@ -4,6 +4,7 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix + ../../modules/common.nix ]; boot.loader.grub.enable = false; diff --git a/systems/smolboi/configuration.nix b/systems/smolboi/configuration.nix index bb807f5..2b32c10 100644 --- a/systems/smolboi/configuration.nix +++ b/systems/smolboi/configuration.nix @@ -8,6 +8,7 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix + ../../modules/common.nix ../../modules/smartd.nix ]; diff --git a/systems/zeus/configuration.nix b/systems/zeus/configuration.nix index 2aeccc8..f3be970 100644 --- a/systems/zeus/configuration.nix +++ b/systems/zeus/configuration.nix @@ -8,6 +8,7 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix + ../../modules/common.nix ../../modules/smartd.nix ];
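Review bot: All three hosts now import `../../modules/common.nix`, but nothing in this patch creates that file (the diffstat lists `modules/common/msmtp.nix` and `modules/common/sops.nix` only), so either it already exists outside this change or the build fails on a missing path. If it exists, it must import both `./common/sops.nix` and `./common/msmtp.nix`, since `msmtp.nix` declares `sops.secrets."gmail/password"` and needs the sops module loaded; that wiring is not visible here. Listing `../../modules/common/sops.nix` and `../../modules/common/msmtp.nix` in this imports block, or stating in the commit message that common.nix already aggregates them, would make the dependency explicit. The same applies to the identical hunks for smolboi and zeus.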