From 9628ebc29c0d3ca5385b6f55649df87469552518 Mon Sep 17 00:00:00 2001
From: Mohammad Rafiq
Date: Sun, 6 Apr 2025 16:19:29 +0800
Subject: [PATCH] refactor: move password secrets to subdir

---
 modules/networking.nix | 6 ++++--
 modules/secrets/secrets.yaml | 14 +++++--------
 modules/security.nix | 4 ++--
 modules/users.nix | 2 +-
 4 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/modules/networking.nix b/modules/networking.nix
index 2d21f1b..9b05123 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -63,8 +63,10 @@
 ];
 interfaces.enp12s0.wakeOnLan.enable = true;
 };
- services.openssh.enable = true;
- services.openssh.settings.PrintMotd = true;
+ services.openssh = {
+ enable = true;
+ settings.PrintMotd = true;
+ };
 services.tailscale = {
 enable = true;
 authKeyFile = config.sops.secrets.ts_auth_key.path;
diff --git a/modules/secrets/secrets.yaml b/modules/secrets/secrets.yaml
index a804c52..bb36b27 100644
--- a/modules/secrets/secrets.yaml
+++ b/modules/secrets/secrets.yaml
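Review bot: The new `services.openssh = { … }` set enables sshd but leaves its authentication settings at the NixOS defaults, which as far as I recall keep password authentication on; with this commit the `rafiq` account is authenticated against a sops-managed `hashedPasswordFile` (users.nix hunk), so that password also becomes guessable remotely over SSH unless key-only login is enforced somewhere not shown here. Consider adding `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` to the same attribute set, plus `settings.PermitRootLogin = "no";` if it is not already set elsewhere. The enclosing attribute set starts and ends outside this hunk, so these options may already be configured in a part of the file I cannot see.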
@@ -1,13 +1,10 @@
-password: ENC[AES256_GCM,data:pbNp9qB92UiLv8S18L1Wr+wbiGahxyNbAsvhrJtZTJfQ9H2yyTH6QgfJNUN/hr/wTJFyEKg7E6c7XXh/a0hU4BhJ8QKIUPbHDw==,iv:0bEUOsXQ1tRPa9wfLGNEF4MeCBzvCMaRCbYWRRab6SY=,tag:EiWFVzxxHcQWtBkCL8cSYw==,type:str]
 ts_auth_key: ENC[AES256_GCM,data:2/pabfBT8KAGLKDytTMrhSBX8xr/TyJbX0mAsMlzmniyK9GT0xTAq3LsRfNLyCitSVauWIXwPYFia78NCw==,iv:PBDp4+SP9yVRJtmMmvJxUQju6qTOB7cJGSQZIbRSLm8=,tag:ZYDRlMrmmwwvxs71IV3dmQ==,type:str]
 cwp_jira_link: ENC[AES256_GCM,data:7YwR5ajQDcyZgUGgMonajBV7DG/wlxsbxpiagMaPCBk=,iv:loFSGCV4no/azjIRYxjZHDkrrJmH0nzGlF8t0o0yfo4=,tag:pQYLLq4fu7T8Z03GvrJ+3A==,type:str]
 cwp_jira_pat: ENC[AES256_GCM,data:+4VnPikwuSPHdPj9xihuFeht1FPYdZHcHxYNjKMwU2MU7VC4cOUA9vpcEgk=,iv:8f8Z/V9LnuTFdCsqJhaa55BL0ibgSW8PUQoW7FxAOZE=,tag:XL/Xf1QaNLiLT2m/dWcrKw==,type:str]
 gemini_api_key: ENC[AES256_GCM,data:Kh1Kya8O6lqN0MMK1OMn/BHw51XDOAroSrOL3h4K8r6VorAwHTZw,iv:Gxg13mHBID7Gv4du+484IF1q7LFOCvtyzWMHG+IBUVM=,tag:jcjmKveybkET4RFOV4F8PQ==,type:str]
+rafiq:
+ password: ENC[AES256_GCM,data:jzCXis5eIJpbWjsPMDVNZvMCbqp7QCUd7Drya0Al3QO0ExsoE6CNVzrbw4AyvKEgiUd0y9a5rKiwUBwGUoYVwxK0tkrOnB37+g==,iv:SsQIUB8OxgnxvjAyrfZzgEdGbaGGrL7zVwO5Of9D/Xw=,tag:iHNY8+nI9RnuM58SmGrV6Q==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
 age:
 - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
 enc: |
@@ -45,8 +42,7 @@ sops:
 TktUSFpxTXdKMUhFQ1BOMmR1VVFWNVkKwy3T9QCsg6gXZilufMtbls0HB5of38Pr
 YPzVeadsYlglg3/gBtDP4WyKBwYOQks2BbMTijqlMXBIl5JP7odVuw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-03-29T20:50:17Z"
- mac: ENC[AES256_GCM,data:fJ0UbSeQQzDAScXAOpYDD5aiOLNVLBhuAmJE3gwmT1Lm48UbncWfBKcvBfWElH3CTFaeuXshH7sRnUkKig5PKU0EVrpvWFic5TIjwk2G+fqLvzamuhk5y+4/VjUHA6Y3vXHRBV7XClblXqHa3LWk/l5eCtbiWEF1uNlz9h9JRbU=,iv:CCJMj5eYaTl2u8oq+s6yr9Xd83vIjBMMOfCVD5O54eQ=,tag:NzMDZTi9kVuWLsVSPaedBQ==,type:str]
- pgp: []
+ lastmodified: "2025-04-06T08:16:09Z"
+ mac: ENC[AES256_GCM,data:yQKGknVO8HEfYqmbINBro7gXePyjInx7jGhLTbsAoXLyxJuUQHAbieswAeLkTLgBqyfeAQHjYHro+s9eDPDitEi+/5fP/uLHK1HqyqZC9cAH35+8Th70hKxP7GAie9FQGkgcHYZYGe9nqFKHWwqu//l3UmdIdsnnxgC5dxnX2PI=,iv:E2a4GHVfXI6aGEsmkU9p7LRktPPJRUnYBgM9Qd3VayE=,tag:ot1AgSR+wzSD1orOnhROQQ==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.9.4
+ version: 3.10.1
diff --git a/modules/security.nix b/modules/security.nix
index 2e557f9..94b22c2 100644
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -6,9 +6,9 @@
 sops = {
 defaultSopsFile = ./secrets/secrets.yaml;
- age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ age.sshKeyPaths = [ "/home/rafiq/.ssh/id_ed25519" ];
 secrets = {
- password.neededForUsers = true;
+ "rafiq/password".neededForUsers = true;
 ts_auth_key = { };
 cwp_jira_link = { };
 cwp_jira_pat = { };
diff --git a/modules/users.nix b/modules/users.nix
index 07d849f..3d91a8c 100644
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -29,7 +29,7 @@
 users.rafiq = {
 isNormalUser = true;
 description = "rafiq";
- hashedPasswordFile = config.sops.secrets.password.path;
+ hashedPasswordFile = config.sops.secrets."rafiq/password".path;
 uid = 1000;
 extraGroups = [
 "networkmanager"
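Review bot: `age.sshKeyPaths` now points at a personal key, `/home/rafiq/.ssh/id_ed25519`, while the only `age:` recipient in secrets.yaml (`age12l33…`) is unchanged by this commit; an age recipient is derived from exactly one ed25519 key, so either that recipient never matched the host key and activation was already failing to decrypt, or it matches the user key and the previous host-key setting was the broken one — worth confirming on the target before merging, because this hunk does not add a recipient. Decrypting host secrets with a user's SSH identity also means the key that grants shell access unlocks every secret in the file (tailscale auth key, Jira PAT, Gemini key), and because `"rafiq/password".neededForUsers = true` is decrypted by sops-nix during early activation as root, before users exist and, if `/home` is a separate filesystem, possibly before it is mounted, the login password depends on a file under `/home` being readable at that point. The usual arrangement is to keep `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` and add the host's derived age public key as a recipient (e.g. via `.sops.yaml` and `sops updatekeys`), leaving the personal key as an editing recipient only. The `sops = {` attribute set continues past the end of this hunk.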