youthlic/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

change encypt key from gnupg to age. And encrypt dae url

Browse source
This commit is contained in:
ulic-youthlic 2025-01-12 17:18:01 +08:00
parent 7d52c44603
commit 991a8b4bbc
Signed by: youthlic
GPG key ID: 63E86C3C14A0D721
9 changed files with 73 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.sops.yaml
View file

@ -1,7 +1,7 @@
keys: keys:
- &admin C6FCBD7F49E1CBBABD6661F7FC02063F04331A95 - &master age1smmqun9h3cszaza85ty33yenyaqtat572u9r3we4l5gh85njgvws6q680g
creation_rules: creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups: key_groups:
- pgp: - age:
- *admin - *master

5
home/david/configurations/Tytonidae/default.nix
View file

@ -124,8 +124,9 @@
sopsFile = rootPath + "/secrets/ssh-config.yaml"; sopsFile = rootPath + "/secrets/ssh-config.yaml";
}; };
sops.gnupg = { sops.age = {
home = "${config.home.homeDirectory}/.gnupg"; keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
generateKey = false;
}; };
sops.defaultSopsFile = rootPath + "/secrets/general.yaml"; sops.defaultSopsFile = rootPath + "/secrets/general.yaml";
} }

15
nixos/configurations/Tytonidae/dae/default.nix
View file

@ -1,4 +1,9 @@
{ pkgs, config, ... }: {
pkgs,
config,
rootPath,
...
}:
{ {
services.dae = { services.dae = {
enable = true; enable = true;
@ -9,7 +14,10 @@
disableTxChecksumIpGeneric = false; disableTxChecksumIpGeneric = false;
config = builtins.readFile ./config.dae; config = builtins.readFile ./config.dae;
}; };
environment.etc."dae/urls.txt".source = ./urls.txt; sops.secrets.url = {
mode = "0444";
sopsFile = rootPath + "/secrets/general.yaml";
};
systemd.services = systemd.services =
let let
new_proxy = "/etc/dae/proxy.d.new"; new_proxy = "/etc/dae/proxy.d.new";
@ -17,7 +25,7 @@
update = '' update = ''
num=0 num=0
check=1 check=1
urls="$(${pkgs.coreutils}/bin/cat /etc/dae/urls.txt)" urls="$(${pkgs.coreutils}/bin/cat ${config.sops.secrets.url.path})"
mkdir -p ${new_proxy} mkdir -p ${new_proxy}
for url in "''${urls}"; do for url in "''${urls}"; do
txt=${new_proxy}/''${num}.txt txt=${new_proxy}/''${num}.txt
@ -49,6 +57,7 @@
before = [ "dae.service" ]; before = [ "dae.service" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = "root";
ExecStart = ExecStart =
let let
script = pkgs.writeTextFile { script = pkgs.writeTextFile {

1
nixos/configurations/Tytonidae/dae/urls.txt
View file

@ -1 +0,0 @@
https://bava8u2znaj6bdzzjnfb.wgetcloud.online/link/df057715-3fa5-38c8-b550-316aa84c22c1?target=v2rayn&list=1&simple=1

4
nixos/configurations/Tytonidae/default.nix
View file

@ -25,6 +25,10 @@
hostName = "Tytonidae"; hostName = "Tytonidae";
}; };
programs.gnupg.agent = {
enable = true;
};
networking.hostName = "Tytonidae"; networking.hostName = "Tytonidae";
time.timeZone = "Asia/Shanghai"; time.timeZone = "Asia/Shanghai";

1
nixos/modules/default.nix
View file

@ -16,6 +16,7 @@
++ [ ++ [
./nix.nix ./nix.nix
./home.nix ./home.nix
./sops.nix
]; ];
config = { config = {

20
nixos/modules/sops.nix Normal file
View file

@ -0,0 +1,20 @@
{
rootPath,
config,
...
}:
{
config = {
sops.defaultSopsFile = rootPath + "/secrets/general.yaml";
sops.age =
let
unixName = config.youthlic.home-manager.unixName;
cfg = config.users.users."${unixName}";
in
{
keyFile = "${cfg.home}/.config/sops/age/keys.txt";
sshKeyPaths = [ ];
generateKey = false;
};
};
}

34
secrets/general.yaml
View file

@ -1,25 +1,23 @@
ssh-private-key: ENC[AES256_GCM,data:TzcvWxAsQTmoGTR4xMsDIWTKIjr6InWUoqSz3zPnX6cIDyAMHQLN7cNRQcNJ9VAX1IxjlF6+WsTWZahKIZmQ0kfjWr9bsEcx6r4VZp73AGudP7UQ4ntmCYO5cw2iHTiGxbrdIPYYcPf4y7aRjusWxGDeqaPtRB20xGCMigKqazGBN3vsgnQXPj46wcwy7ibsCAtg1DBP1q9c8nspvVOL4bhByxjcLi2p3E54C79fTGOlKRx2HRZh6tFRxH56C6mnuFnDg+TF7I/5t3vw7+EBo7roVJJPypW0tRq+lnbmU4TFFEqf4v+2BaEVKtSBQZd4gb4PRyEgcmmrh2wJjx2JvBi4ansZZWB6d7GRHB1e1Yh16ONJ3Y1XuTjzVNPLbWtPAhPffcg6TDZzWrWxHqES7eI9p+0k8gZZv7vRZM5XpbXlcZpNm1XA2YktJL36asoE1ZjXLzDHNxLAGaq/l1tsxHzx/vZXhIw/dNFEF9xzXH7Jt9oY9I68VbLw/4F4C7epiRJK55Fj/3+ninrsTyMswDlNLfnO6skgpFFcWftTJOAIKhsA2v6a5Wh6jqa9JaxupdYD/ZC+Emp+mivT,iv:3j79GakhiOvvqYUiCc0RaWsD60xl1aRCKnJ0WuEFqt8=,tag:SsUiEzMs/aOwPrv2ZisklQ==,type:str] ssh-private-key: ENC[AES256_GCM,data:hT2/OaZBAXK8eQe0qAxHw8nO6Z9ErzUdGWUgN/0c04NKUz6dyynKXsSEE7sC/P/WfUCOTXVgf7u/SY2/hMBG2tpceEwx2FDVJnUDF6Wi/2U8C1z3TjBitjYY1apku3lMTNYF7GwflUA+lB3xcKJ9dKnJlU/5moPqCf58G5w9DFXM1YJcUfVQ1Cl5MKguJkxpSw4MMm7QxGhruX5C/a84TYIZC/IHll3f1e6qvM+5TEibXIa9LBMcT7pxw4SQ/vhPmAJO54/GHbktTHxkjPbo2keGr3J1Im+TlX9OB81cbNZMxIn++Igw9iffF0LZmudmndLhWFPUK0itpkP8pjMY3rIrI6KsPG/7w4zQMO0p6rNfeGjkLvKp3mj5mYRlBdMaqtiqngAxzelsKaVhXlO+JXR+qdpONico8mRP+f3KSJU6gmGCIw0RNFcBlV/NN2VNUTxBS7/cwYGKF1kkb4Or9h5l5N7Ta1U5m2PEYclrneuclx6fdKXfChLG65E0l86EgpMyC6hHSL1x51e8QJSnHBkbjAMI59Kj9sy4QE8J4/a3q1D/sr/bn2t2Y7W0CckK7iPqyeiA0RSXiIVZ,iv:QVQCQJyc2ZgSzBpJ2MIrjgxBKghpr48k9yGzBUIoffg=,tag:3zo3vzwqWhQkAWB4N4R0NQ==,type:str]
git-credential: ENC[AES256_GCM,data:WTuAE/627ke6Jt2ctTteS9v2Lrtkr2n0NYUHZvfGn8lro/eplTtF8/3SkCmftbT3XsKA9Os=,iv:hpgeqy6NVvxe+5Tsvom/k1qTj0VvRtdwXqmXkROPm2s=,tag:HTwL//8RUgeqod9B97OnIw==,type:str] git-credential: ENC[AES256_GCM,data:Rt6ccMJ+D/Jv1U7Ex51j4zIKp5KIyPFJdWZwJyW6liU5CHxBfrFWeNOJobhT5tFPrhzHRUI=,iv:f2SYFKpAcHoKG3dMsniKRi02EFDzwgzzli5Qzw8CWqo=,tag:hUi0FAZ7+2+mcqUsz5HtbQ==,type:str]
url: ENC[AES256_GCM,data:n152X334cpUJXgm/0D+mbF2xDOSq/xT4xO3rBLjxEkcAexkn7lIm2mHKLaumBO0M7YC6gP/AVZlhOrpC7EtwwyzvxFgZIYBT0u3pKRpp2ifedMXd/7iKq45vu3xltX8blFF5TcMslO4UsXJEc+NxnCMS/PvO,iv:RWFUzHi2t06CqY1fHPTFUJevyW0bXc1xuhsjfZd3UAw=,tag:BWGxxAtfoJ8tbbbKbkzQRw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age:
lastmodified: "2025-01-11T14:58:31Z" - recipient: age1smmqun9h3cszaza85ty33yenyaqtat572u9r3we4l5gh85njgvws6q680g
mac: ENC[AES256_GCM,data:exP8VRjXNq0mCDDcS0qvuUXrmJ86IMU6GIXINud9n2T6143B3y/uNPH44UtDsVQ2z7DhJqhvRNQgWTrUz0b/QFqmF74MA28JAbzz8bKEHRKzKlATT/nPesTX87FONf/vmmDpAWMh0kolU+Rj10q8VIRLKhxto9WwoKO4j8HPRhE=,iv:cWhuEHCFngGAfUh6UqiFi4uUKPogE5oYoNJPodtIgxU=,tag:XUlPPLTCiw/kSdHyM8/28w==,type:str] enc: |
pgp: -----BEGIN AGE ENCRYPTED FILE-----
- created_at: "2025-01-10T12:20:32Z" YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQ2IrRG90eUJUT1grZEtV
enc: |- N25XNDI0Z0JlZ2RJWU5LN05jbDQwL0hMMkU4Cm5sVHpiVHV5UVdIY24xNFZYTmpm
-----BEGIN PGP MESSAGE----- TUlyZmQ1TTZuaHB3aFpzV2hPZnNNZGcKLS0tIGJrN1lqWUFOU09XcFJ5Mys0WjV6
dTkwcThVQTNYZ0RKWnIwMEgzQ2lYMVEKWs0OsGlPCRfsjZwntyVa6RGhZLye35kX
hF4DNZgse+e4B/gSAQdAeJeXZE+thM6aaFDfs13nnljAvJWXlpBWvGACRVKzUEkw 3PDxZ66jP63OGi5Hai17fp5IvT3/mIRWh6UMq44TFz9OQoUWCymakg==
IzAT4aLTVpRhaKLZ+neZX1Ky3uQJZrosGgbjj4OoJY0yTjPdo3FoEGZ8VXKexxoy -----END AGE ENCRYPTED FILE-----
1GgBCQIQeyJY0eJh38MIpxxLu2/xSpwOXRzdugPLhvMX0ZYRefntC0NXyjTjCN1H lastmodified: "2025-01-12T08:58:47Z"
+/YUlb+K4qNeZNDpKS2JyvZl5u8N2w/pZ98+HDgMpieJrdbv4gkiXmmnUaw8y3Ct mac: ENC[AES256_GCM,data:XXdGGA/S6tg3xlsLwEtRjLHIVRRQHR2MBIeZv+9VtGYG1cBJD64RGZBCAJ5Jaw7WctcqZqj0Q1C9rIgNyv8ZYJTum3ok469WNFfcoDkPCr12nAO7vujvZp5xA5KfOdiP3wrHmorD4hl8qfv2oURm2RDcfzMIL2LWgNiwWndXs+I=,iv:RVHpsunJlOzN3QxxPfQdkUiC+Tf71j4L7SGEeTfDzYM=,tag:BgMqfCz1RG5Kl5PCIf/HdQ==,type:str]
EgBuPA8pkBt+DQ== pgp: []
=h3Bi
-----END PGP MESSAGE-----
fp: C6FCBD7F49E1CBBABD6661F7FC02063F04331A95
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.2 version: 3.9.2

31
secrets/ssh-config.yaml
View file

@ -1,24 +1,21 @@
ssh-config: ENC[AES256_GCM,data:NIYcwDJ9ycS2C/BZA0GFETURDUPcuPlP9Cn1Ku0AZNiWtqI3w+kIhu2G37j9F6k04gSS+BviQ2C5LRJbJb9+blHHeL7+pACgWVJGLBw=,iv:gpE8RdvX4ZWgBrgYKOXbV6aIwFHbLT6mb+plVkRISdU=,tag:GPGn0B0ibPA6ddt/ae68Lg==,type:str] ssh-config: ENC[AES256_GCM,data:kQe12czlvgScrtOae32PpKNrXREh1XP5n7WrFvBb4NcGLRj0j61T490D5v6vgTzppyQnU84tTNVtMBUfdLN6jjdli8cEM71qcKy4eLw=,iv:FaUEI9dYamBt7kI9quCNBXZwDzTosR4ad1JQq6IatBE=,tag:R4TTA6iMrRQPt1ApYBGfEg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age:
lastmodified: "2025-01-11T15:33:47Z" - recipient: age1smmqun9h3cszaza85ty33yenyaqtat572u9r3we4l5gh85njgvws6q680g
mac: ENC[AES256_GCM,data:nGi6Z8XV67/VssmOFlAGy9F+nwgO0OwtMl1VSHvHEM8zeOIvdftcCh7jTdLUpRXi/bNY/3eidSLr9HWdNprPed98E8qA37OdFYwb7nousqVjWMWLZlMNCBfGeCbUQxu1+fiJnMzrYKJGQHPfYhWr0rOizOCUT707uOT+6Rs+CJE=,iv:1p9q2m4HQrouf6vymlA1PG2fCZNnRTZruhEqRna+1UY=,tag:uD0a/NwXKsaH5DhPbJ8aWg==,type:str] enc: |
pgp: -----BEGIN AGE ENCRYPTED FILE-----
- created_at: "2025-01-11T14:58:53Z" YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWklncVlZbTFXdndXUmJ4
enc: |- bTlyOEkvZE5aUnJHQzRJVjRBK2dja2RmaGpZCnNQRTdJeXJHSTFLaGx3SUpBUUI5
-----BEGIN PGP MESSAGE----- R1p5Y0w3OG1KYmZScDczelVkdFBReDAKLS0tIHZSM2Y5NExYVzArVWppK01vQUtF
K1A5bnBxMjJPV2NyRzNuOXVSY2tkZFUKinl6fL9caEM/bzTfQYk8ZCYLsMdgwmJE
hF4DNZgse+e4B/gSAQdAHHLJHSheWR76VPjKuHzcELWfkfWecafPv29r5TnXGFgw LhNSWMFL9zqxSFFZ5GrrT/hATR+5AckKydD+3uYxQbGKO8TO39HVKQ==
QfAypb7nQT5v01tKI4V6VCtsevDL868voABCwu7Izg6onDOxH26zsRg+m0GvfFwK -----END AGE ENCRYPTED FILE-----
1GYBCQIQH8VmTueJ7KN6CS6vqdEFEVrpuwrmQAa6aS94ir0U5qE3xDXfsgb61ETq lastmodified: "2025-01-12T08:59:41Z"
6ybtGXmNpmd2Gy842DxngHnxgL+v8YG61bJ2L0tB1S/MxOxVGueIkxNs2C5Bg6e/ mac: ENC[AES256_GCM,data:uJ7GrffSlgKCxxmCVrrs1gNTpEEs/B8F9aEHHTdwlSFCTxcueNbIP2RaQVRQmyZO5CDTD/srmCT1dwPwAaxQE49OFUwUDgpn2JMjQdTyLmbK5+JDfvvMNnv/OVNaQUvVPsPoA1CqCqrpKOLh6kfp1FpYkPpZFOoQWByKw/FmSL8=,iv:CX4RJvRJce7wLUxyM1Fi89G1PINte9gxXoBfYMHn4NQ=,tag:12eZ1TZLsdlDpUZa/1HPWA==,type:str]
wCz2U/E31Q4= pgp: []
=cnit
-----END PGP MESSAGE-----
fp: C6FCBD7F49E1CBBABD6661F7FC02063F04331A95
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.2 version: 3.9.2