From 991a8b4bbc25d1b5a2022aae37ee2a963b3a9525 Mon Sep 17 00:00:00 2001
From: ulic-youthlic
Date: Sun, 12 Jan 2025 17:18:01 +0800
Subject: [PATCH] change encypt key from gnupg to age. And encrypt dae url
---
.sops.yaml | 6 ++--
.../configurations/Tytonidae/default.nix | 5 +--
.../configurations/Tytonidae/dae/default.nix | 15 ++++++--
nixos/configurations/Tytonidae/dae/urls.txt | 1 -
nixos/configurations/Tytonidae/default.nix | 4 +++
nixos/modules/default.nix | 1 +
nixos/modules/sops.nix | 20 +++++++++++
secrets/general.yaml | 34 +++++++++----------
secrets/ssh-config.yaml | 31 ++++++++---------
9 files changed, 73 insertions(+), 44 deletions(-)
delete mode 100644 nixos/configurations/Tytonidae/dae/urls.txt
create mode 100644 nixos/modules/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
index 0fc59f6..0da102d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,7 @@ keys: - - &admin C6FCBD7F49E1CBBABD6661F7FC02063F04331A95 + - &master age1smmqun9h3cszaza85ty33yenyaqtat572u9r3we4l5gh85njgvws6q680g creation_rules: - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ key_groups: - - pgp: - - *admin + - age: + - *master
diff --git a/home/david/configurations/Tytonidae/default.nix b/home/david/configurations/Tytonidae/default.nix
index 13752d0..b1dd794 100644
--- a/home/david/configurations/Tytonidae/default.nix
+++ b/home/david/configurations/Tytonidae/default.nix
@@ -124,8 +124,9 @@ sopsFile = rootPath + "/secrets/ssh-config.yaml"; }; - sops.gnupg = { - home = "${config.home.homeDirectory}/.gnupg"; + sops.age = { + keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; + generateKey = false; }; sops.defaultSopsFile = rootPath + "/secrets/general.yaml"; }
diff --git a/nixos/configurations/Tytonidae/dae/default.nix b/nixos/configurations/Tytonidae/dae/default.nix
index 442641f..f4fa4d9 100644
--- a/nixos/configurations/Tytonidae/dae/default.nix
+++ b/nixos/configurations/Tytonidae/dae/default.nix
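Review bot: The rewritten `keys:` block lists a single age recipient, `&master`, and the key group under `creation_rules` references only it, so the one `keys.txt` identity is the sole way to decrypt every file matching `secrets/[^/]+\.(yaml|json|env|ini)$`. The previous rule was equally single-key, but both sops modules in this commit set `generateKey = false`, so nothing recreates that identity if the file is lost and every secret would have to be rebuilt from scratch. Adding a second, offline-held recipient anchor (e.g. `&backup`) under the same `age:` list costs one re-encryption of each file and gives a recovery path. A comment above `keys:` stating where the master identity is kept and how it is backed up would also help the next maintainer.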
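Review bot: `keyFile` hard-codes the `/.config/sops/age/keys.txt` suffix under `config.home.homeDirectory`, and the new nixos/modules/sops.nix in this same commit spells out the identical suffix under `cfg.home`, so the two paths must be kept in sync by hand or one side silently stops decrypting. Hoisting the relative path into one shared value (passed in the same way `rootPath` already is) would remove the duplication. `generateKey = false` also deserves a one-line comment such as `# identity is provisioned out-of-band; never auto-generate a new one`, since a reader otherwise has to guess whether the omission is deliberate. The enclosing attribute set starts before this hunk.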
@@ -1,4 +1,9 @@ -{ pkgs, config, ... }: +{ + pkgs, + config, + rootPath, + ... +}: { services.dae = { enable = true;
@@ -9,7 +14,10 @@ disableTxChecksumIpGeneric = false; config = builtins.readFile ./config.dae; }; - environment.etc."dae/urls.txt".source = ./urls.txt; + sops.secrets.url = { + mode = "0444"; + sopsFile = rootPath + "/secrets/general.yaml"; + }; systemd.services = let new_proxy = "/etc/dae/proxy.d.new";
@@ -17,7 +25,7 @@ update = '' num=0 check=1 - urls="$(${pkgs.coreutils}/bin/cat /etc/dae/urls.txt)" + urls="$(${pkgs.coreutils}/bin/cat ${config.sops.secrets.url.path})" mkdir -p ${new_proxy} for url in "''${urls}"; do txt=${new_proxy}/''${num}.txt
@@ -49,6 +57,7 @@ before = [ "dae.service" ]; serviceConfig = { Type = "oneshot"; + User = "root"; ExecStart = let script = pkgs.writeTextFile {
diff --git a/nixos/configurations/Tytonidae/dae/urls.txt b/nixos/configurations/Tytonidae/dae/urls.txt
deleted file mode 100644
index 4e9e00a..0000000
--- a/nixos/configurations/Tytonidae/dae/urls.txt
+++ /dev/null
@@ -1 +0,0 @@
-https://bava8u2znaj6bdzzjnfb.wgetcloud.online/link/df057715-3fa5-38c8-b550-316aa84c22c1?target=v2rayn&list=1&simple=1
diff --git a/nixos/configurations/Tytonidae/default.nix b/nixos/configurations/Tytonidae/default.nix
index 4794314..373137f 100644
--- a/nixos/configurations/Tytonidae/default.nix
+++ b/nixos/configurations/Tytonidae/default.nix
@@ -25,6 +25,10 @@ hostName = "Tytonidae"; }; + programs.gnupg.agent = { + enable = true; + }; + networking.hostName = "Tytonidae"; time.timeZone = "Asia/Shanghai";
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index 81d5c56..0179a9b 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -16,6 +16,7 @@ ++ [ ./nix.nix ./home.nix + ./sops.nix ]; config = {
diff --git a/nixos/modules/sops.nix b/nixos/modules/sops.nix
new file mode 100644
index 0000000..8728615
--- /dev/null
+++ b/nixos/modules/sops.nix
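Review bot: `mode = "0444"` on `sops.secrets.url` makes the decrypted subscription URL world-readable in the sops-nix secrets directory, which largely undoes the point of moving it out of `environment.etc` — any local user or unprivileged service on the host can read it. The only consumer visible in this diff is the `update` script, and the last hunk pins that unit to `User = "root"`, so the sops-nix default of `0400` owned by root should be enough; drop the `mode` line or write `mode = "0400";` (if something else on the host needs it, that reader should be named in a comment). Separately, the URL deleted from urls.txt in this same commit stays in git history, so if confidentiality is the goal the link itself has to be reissued on the provider side rather than only re-homed. The `systemd.services` attribute and the `update` script continue outside the hunks.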
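Review bot: `programs.gnupg.agent.enable = true` is added in a commit whose subject is the move from gnupg to age, and nothing else in the diff references the agent, so its purpose is not evident from the change. If it serves something unrelated (signing or an SSH agent, say) a one-line comment such as `# gpg-agent kept for <use>; sops no longer depends on it` or a separate commit would make that clear; if it is a leftover of the gnupg-based setup it can be dropped. The enclosing attribute set continues outside the hunk.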
@@ -0,0 +1,20 @@
+{
+ rootPath,
+ config,
+ ...
+}:
+{
+ config = {
+ sops.defaultSopsFile = rootPath + "/secrets/general.yaml";
+ sops.age =
+ let
+ unixName = config.youthlic.home-manager.unixName;
+ cfg = config.users.users."${unixName}";
+ in
+ {
+ keyFile = "${cfg.home}/.config/sops/age/keys.txt";
+ sshKeyPaths = [ ];
+ generateKey = false;
+ };
+ };
+}
diff --git a/secrets/general.yaml b/secrets/general.yaml
index 9632c92..b8eac3b 100644
--- a/secrets/general.yaml
+++ b/secrets/general.yaml
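Review bot: `keyFile` points into `cfg.home`, the home directory of the user named by `config.youthlic.home-manager.unixName`, so system-level decryption — which sops-nix runs as root during activation — depends on a file inside a user-owned tree. That ties every system secret (including the new `sops.secrets.url`) to that home directory being present and unchanged at activation time; a separately mounted or encrypted `/home`, or a change of `unixName`, would presumably leave the system with no decryptable secrets, and the same file is also the home-manager identity, so one file serves two trust domains. A root-owned identity under a system path (for example `/var/lib/sops-nix/key.txt` — illustrative path) with the user's home-manager key kept separate would decouple the two. `sshKeyPaths = [ ]` switches off the host-SSH-key fallback on purpose, so a comment such as `# no SSH host-key fallback: the age identity above is the only decryption key` would keep a later reader from restoring it by accident.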
@@ -1,25 +1,23 @@ -ssh-private-key: ENC[AES256_GCM,data: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,iv:3j79GakhiOvvqYUiCc0RaWsD60xl1aRCKnJ0WuEFqt8=,tag:SsUiEzMs/aOwPrv2ZisklQ==,type:str] -git-credential: ENC[AES256_GCM,data:WTuAE/627ke6Jt2ctTteS9v2Lrtkr2n0NYUHZvfGn8lro/eplTtF8/3SkCmftbT3XsKA9Os=,iv:hpgeqy6NVvxe+5Tsvom/k1qTj0VvRtdwXqmXkROPm2s=,tag:HTwL//8RUgeqod9B97OnIw==,type:str] +ssh-private-key: ENC[AES256_GCM,data:hT2/OaZBAXK8eQe0qAxHw8nO6Z9ErzUdGWUgN/0c04NKUz6dyynKXsSEE7sC/P/WfUCOTXVgf7u/SY2/hMBG2tpceEwx2FDVJnUDF6Wi/2U8C1z3TjBitjYY1apku3lMTNYF7GwflUA+lB3xcKJ9dKnJlU/5moPqCf58G5w9DFXM1YJcUfVQ1Cl5MKguJkxpSw4MMm7QxGhruX5C/a84TYIZC/IHll3f1e6qvM+5TEibXIa9LBMcT7pxw4SQ/vhPmAJO54/GHbktTHxkjPbo2keGr3J1Im+TlX9OB81cbNZMxIn++Igw9iffF0LZmudmndLhWFPUK0itpkP8pjMY3rIrI6KsPG/7w4zQMO0p6rNfeGjkLvKp3mj5mYRlBdMaqtiqngAxzelsKaVhXlO+JXR+qdpONico8mRP+f3KSJU6gmGCIw0RNFcBlV/NN2VNUTxBS7/cwYGKF1kkb4Or9h5l5N7Ta1U5m2PEYclrneuclx6fdKXfChLG65E0l86EgpMyC6hHSL1x51e8QJSnHBkbjAMI59Kj9sy4QE8J4/a3q1D/sr/bn2t2Y7W0CckK7iPqyeiA0RSXiIVZ,iv:QVQCQJyc2ZgSzBpJ2MIrjgxBKghpr48k9yGzBUIoffg=,tag:3zo3vzwqWhQkAWB4N4R0NQ==,type:str] +git-credential: ENC[AES256_GCM,data:Rt6ccMJ+D/Jv1U7Ex51j4zIKp5KIyPFJdWZwJyW6liU5CHxBfrFWeNOJobhT5tFPrhzHRUI=,iv:f2SYFKpAcHoKG3dMsniKRi02EFDzwgzzli5Qzw8CWqo=,tag:hUi0FAZ7+2+mcqUsz5HtbQ==,type:str] +url: ENC[AES256_GCM,data:n152X334cpUJXgm/0D+mbF2xDOSq/xT4xO3rBLjxEkcAexkn7lIm2mHKLaumBO0M7YC6gP/AVZlhOrpC7EtwwyzvxFgZIYBT0u3pKRpp2ifedMXd/7iKq45vu3xltX8blFF5TcMslO4UsXJEc+NxnCMS/PvO,iv:RWFUzHi2t06CqY1fHPTFUJevyW0bXc1xuhsjfZd3UAw=,tag:BWGxxAtfoJ8tbbbKbkzQRw==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] - age: [] - lastmodified: "2025-01-11T14:58:31Z" - mac: ENC[AES256_GCM,data:exP8VRjXNq0mCDDcS0qvuUXrmJ86IMU6GIXINud9n2T6143B3y/uNPH44UtDsVQ2z7DhJqhvRNQgWTrUz0b/QFqmF74MA28JAbzz8bKEHRKzKlATT/nPesTX87FONf/vmmDpAWMh0kolU+Rj10q8VIRLKhxto9WwoKO4j8HPRhE=,iv:cWhuEHCFngGAfUh6UqiFi4uUKPogE5oYoNJPodtIgxU=,tag:XUlPPLTCiw/kSdHyM8/28w==,type:str] - pgp: - - created_at: 
"2025-01-10T12:20:32Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DNZgse+e4B/gSAQdAeJeXZE+thM6aaFDfs13nnljAvJWXlpBWvGACRVKzUEkw - IzAT4aLTVpRhaKLZ+neZX1Ky3uQJZrosGgbjj4OoJY0yTjPdo3FoEGZ8VXKexxoy - 1GgBCQIQeyJY0eJh38MIpxxLu2/xSpwOXRzdugPLhvMX0ZYRefntC0NXyjTjCN1H - +/YUlb+K4qNeZNDpKS2JyvZl5u8N2w/pZ98+HDgMpieJrdbv4gkiXmmnUaw8y3Ct - EgBuPA8pkBt+DQ== - =h3Bi - -----END PGP MESSAGE----- - fp: C6FCBD7F49E1CBBABD6661F7FC02063F04331A95 + age: + - recipient: age1smmqun9h3cszaza85ty33yenyaqtat572u9r3we4l5gh85njgvws6q680g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQ2IrRG90eUJUT1grZEtV + N25XNDI0Z0JlZ2RJWU5LN05jbDQwL0hMMkU4Cm5sVHpiVHV5UVdIY24xNFZYTmpm + TUlyZmQ1TTZuaHB3aFpzV2hPZnNNZGcKLS0tIGJrN1lqWUFOU09XcFJ5Mys0WjV6 + dTkwcThVQTNYZ0RKWnIwMEgzQ2lYMVEKWs0OsGlPCRfsjZwntyVa6RGhZLye35kX + 3PDxZ66jP63OGi5Hai17fp5IvT3/mIRWh6UMq44TFz9OQoUWCymakg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-12T08:58:47Z" + mac: ENC[AES256_GCM,data:XXdGGA/S6tg3xlsLwEtRjLHIVRRQHR2MBIeZv+9VtGYG1cBJD64RGZBCAJ5Jaw7WctcqZqj0Q1C9rIgNyv8ZYJTum3ok469WNFfcoDkPCr12nAO7vujvZp5xA5KfOdiP3wrHmorD4hl8qfv2oURm2RDcfzMIL2LWgNiwWndXs+I=,iv:RVHpsunJlOzN3QxxPfQdkUiC+Tf71j4L7SGEeTfDzYM=,tag:BgMqfCz1RG5Kl5PCIf/HdQ==,type:str] + pgp: [] unencrypted_suffix: _unencrypted version: 3.9.2
diff --git a/secrets/ssh-config.yaml b/secrets/ssh-config.yaml
index 0c42556..8835406 100644
--- a/secrets/ssh-config.yaml
+++ b/secrets/ssh-config.yaml
@@ -1,24 +1,21 @@ -ssh-config: ENC[AES256_GCM,data:NIYcwDJ9ycS2C/BZA0GFETURDUPcuPlP9Cn1Ku0AZNiWtqI3w+kIhu2G37j9F6k04gSS+BviQ2C5LRJbJb9+blHHeL7+pACgWVJGLBw=,iv:gpE8RdvX4ZWgBrgYKOXbV6aIwFHbLT6mb+plVkRISdU=,tag:GPGn0B0ibPA6ddt/ae68Lg==,type:str] +ssh-config: ENC[AES256_GCM,data:kQe12czlvgScrtOae32PpKNrXREh1XP5n7WrFvBb4NcGLRj0j61T490D5v6vgTzppyQnU84tTNVtMBUfdLN6jjdli8cEM71qcKy4eLw=,iv:FaUEI9dYamBt7kI9quCNBXZwDzTosR4ad1JQq6IatBE=,tag:R4TTA6iMrRQPt1ApYBGfEg==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] - age: [] - lastmodified: "2025-01-11T15:33:47Z" - mac: ENC[AES256_GCM,data:nGi6Z8XV67/VssmOFlAGy9F+nwgO0OwtMl1VSHvHEM8zeOIvdftcCh7jTdLUpRXi/bNY/3eidSLr9HWdNprPed98E8qA37OdFYwb7nousqVjWMWLZlMNCBfGeCbUQxu1+fiJnMzrYKJGQHPfYhWr0rOizOCUT707uOT+6Rs+CJE=,iv:1p9q2m4HQrouf6vymlA1PG2fCZNnRTZruhEqRna+1UY=,tag:uD0a/NwXKsaH5DhPbJ8aWg==,type:str] - pgp: - - created_at: "2025-01-11T14:58:53Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DNZgse+e4B/gSAQdAHHLJHSheWR76VPjKuHzcELWfkfWecafPv29r5TnXGFgw - QfAypb7nQT5v01tKI4V6VCtsevDL868voABCwu7Izg6onDOxH26zsRg+m0GvfFwK - 1GYBCQIQH8VmTueJ7KN6CS6vqdEFEVrpuwrmQAa6aS94ir0U5qE3xDXfsgb61ETq - 6ybtGXmNpmd2Gy842DxngHnxgL+v8YG61bJ2L0tB1S/MxOxVGueIkxNs2C5Bg6e/ - wCz2U/E31Q4= - =cnit - -----END PGP MESSAGE----- - fp: C6FCBD7F49E1CBBABD6661F7FC02063F04331A95 + age: + - recipient: age1smmqun9h3cszaza85ty33yenyaqtat572u9r3we4l5gh85njgvws6q680g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWklncVlZbTFXdndXUmJ4 + bTlyOEkvZE5aUnJHQzRJVjRBK2dja2RmaGpZCnNQRTdJeXJHSTFLaGx3SUpBUUI5 + R1p5Y0w3OG1KYmZScDczelVkdFBReDAKLS0tIHZSM2Y5NExYVzArVWppK01vQUtF + K1A5bnBxMjJPV2NyRzNuOXVSY2tkZFUKinl6fL9caEM/bzTfQYk8ZCYLsMdgwmJE + LhNSWMFL9zqxSFFZ5GrrT/hATR+5AckKydD+3uYxQbGKO8TO39HVKQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-12T08:59:41Z" + mac: 
ENC[AES256_GCM,data:uJ7GrffSlgKCxxmCVrrs1gNTpEEs/B8F9aEHHTdwlSFCTxcueNbIP2RaQVRQmyZO5CDTD/srmCT1dwPwAaxQE49OFUwUDgpn2JMjQdTyLmbK5+JDfvvMNnv/OVNaQUvVPsPoA1CqCqrpKOLh6kfp1FpYkPpZFOoQWByKw/FmSL8=,iv:CX4RJvRJce7wLUxyM1Fi89G1PINte9gxXoBfYMHn4NQ=,tag:12eZ1TZLsdlDpUZa/1HPWA==,type:str] + pgp: [] unencrypted_suffix: _unencrypted version: 3.9.2