about summary refs log tree commit diff stats
path: root/nix-conf
diff options
context:
space:
mode:
authorDavid Morgan <djm_uk@protonmail.com>2024-09-03 15:19:46 +0000
committerDavid Morgan <djm_uk@protonmail.com>2024-09-03 15:19:46 +0000
commitce9c53858fab4ef08ba3e683f6c29cd86a7be10d (patch)
tree3607287145fe3442058f08a06b0a8824abd4a215 /nix-conf
parent95ed21bec068982547dcedc4efc64d4e1fb56d69 (diff)
downloaddotfiles-ce9c53858fab4ef08ba3e683f6c29cd86a7be10d.tar.gz
Add openiscsi config
Diffstat (limited to 'nix-conf')
-rw-r--r--nix-conf/.sops.yaml5
-rw-r--r--nix-conf/machines/djmuk2/configuration.nix7
-rw-r--r--nix-conf/secrets/djmuk2.yaml21
3 files changed, 33 insertions, 0 deletions
diff --git a/nix-conf/.sops.yaml b/nix-conf/.sops.yaml
index 8c4f2d6..24125e8 100644
--- a/nix-conf/.sops.yaml
+++ b/nix-conf/.sops.yaml
@@ -1,11 +1,16 @@
 keys:
   - &admin_djm age1w7kjp0qdgfyg9cyj5w4qc4fc9qz3w65xw2veazesfgdenqrd3ucqsc5ejv
   - &server_edrahil age1tjfctwnwldmyxnu6qmeufgr9l79vyzmrs7fy58v3d0qj4x4nhqhq2gjmlp
+  - &server_djmuk2 age17j56andser5ddtlfunm35m25xueua4djh9glxlscfcet8865yv9s5aqvla
 creation_rules:
   - path_regex: secrets/edrahil\.(json|yaml)$
     key_groups:
     - age:
       - *server_edrahil
+  - path_regex: secrets/djmuk2\.(json|yaml)$
+    key_groups:
+    - age:
+      - *server_djmuk2
   - path_regex: secrets/[^/]+\.(json|yaml)$
     key_groups:
     - age:
diff --git a/nix-conf/machines/djmuk2/configuration.nix b/nix-conf/machines/djmuk2/configuration.nix
index 14b7562..f332103 100644
--- a/nix-conf/machines/djmuk2/configuration.nix
+++ b/nix-conf/machines/djmuk2/configuration.nix
@@ -35,6 +35,13 @@
     localuser = null;
   };
 
+  # Emulate nix-sops. Technically an anti-pattern, but this isn't a real secret, and this has to be embedded here, as we cannot set a file path to read it from.
+  # Populate/update with:
+  # SOPS_AGE_KEY=$(doas ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) sops -d --extract '["openiscsi_name"]' secrets/djmuk2.yaml | doas tee /root/.config/secrets/openiscsi_name
+  services.openiscsi.enable = true;
+  services.openiscsi.name = builtins.readFile "/root/.config/secrets/openiscsi_name";
+  #services.openiscsi.enableAutoLoginOut = true;
+
   users.users.djm = {
     isNormalUser = true;
     home = "/home/djm";
diff --git a/nix-conf/secrets/djmuk2.yaml b/nix-conf/secrets/djmuk2.yaml
new file mode 100644
index 0000000..3216fd3
--- /dev/null
+++ b/nix-conf/secrets/djmuk2.yaml
@@ -0,0 +1,21 @@
+openiscsi_name: ENC[AES256_GCM,data:RZtrRGCnYgiAwq1bVnyK8fiYCxCKbtNs5diV3nUmNWAhU8CYRxau6SIAhB9t3f7p1fKgVC1V0fxV0nko6tdK,iv:M7qSnfBdxdTaCIb2/QZfrTUOZGX19IJY69IncTEk68w=,tag:eIo0fSKZTMEakGHh2zi5oQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17j56andser5ddtlfunm35m25xueua4djh9glxlscfcet8865yv9s5aqvla
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UFgxckhMa1RWL3hGQkZw
+            M25XN1JkT2dnQk9iVXdyaFJsa3hMM0pVam04CmZSWFdJbnl4RzFpUUpYK2JmRXFO
+            L3ZZbXZ3aHA4NjBuRCtnYlpsNG94ZVkKLS0tIFNIUTVjOUxhS00zZFlyODVuQ1lB
+            bC9sLzdObkpFNTJRcmk3N3Y0TG1xakkKvFbr1YlLFS7c0BfK1MYczTXgjwcaNjxH
+            tHCQWzVyx1VzLID1TCQDGXWApkaaQYxa2d/afTTRxk98w6xJIvLj2g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-03T15:08:24Z"
+    mac: ENC[AES256_GCM,data:CtMDdk/tY52HLDuTHIUWF8qV3wdyykWnEKJk0bGMT+feWd/+PAzJRzCOVDuL6AxT1FmtZGx2lFZz6A9vzFbGsn1fawXVo40q+6TWpdcv80tRaicfyh1FTppWGNOJn/bh7DILuX41HRTEP2ngpMHwSr3cbCUfhxrV+r7giguj1do=,iv:uGe15h57SyQr8yi19sqDRPwtC/4WmBAwqvsHI5g5pAc=,tag:2Lv+QZf0CsgusJMay9MyQQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1