Set up tinc on macbook-nix side

2022-10-17 12:59:22 +02:00 · 2022-10-17 12:59:22 +02:00 · 98fabb1dee
parent 295ffd4f06
commit 98fabb1dee
3 changed files with 63 additions and 3 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,9 @@
+keys:
+  - &admin_macbook_m1 age169v95f5fqx0sg5mjpp63sumrj9sma9se203ra2c05qa67h2h2drs3tvdph
+  - &machine_macbook_m1 age10dd4t507h3ey68l2alu7z94s5lw0kshjq9lre5sv2vehrm9hg4rqk2let7
+creation_rules:
+  - path_regex: kagami-air-m1/secrets\.yaml$
+    key_groups:
+    - age:
+        - *admin_macbook_m1
+        - *machine_macbook_m1
--- a/kagami-air-m1/configuration.nix
+++ b/kagami-air-m1/configuration.nix
@ -65,8 +65,12 @@

  # Enable the X11 windowing system.
  services.xserver.enable = true;
+  services.xserver.displayManager.sddm.enable = true;
+  services.xserver.displayManager.sddm.enableHidpi = true;
  services.xserver.desktopManager.plasma5.enable = true;

+  services.udev.packages = with pkgs; [ libfido2 ];
+
  # Configure keymap in X11
  # services.xserver.layout = "jp106";
  # services.xserver.xkbOptions = {
@ -99,7 +103,6 @@
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    packages = with pkgs; [
-      firefox
      # kakoune
      # thunderbird
    ];
@ -110,6 +113,8 @@
  environment.systemPackages = with pkgs; [
    kakoune # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    wget
+
+    libfido2
  ];

  # Environment variables
@ -141,8 +146,8 @@


  # PAM
-  security.pam.services.lightdm.enableKwallet = true;
-  security.pam.services.lightdm.enableGnomeKeyring = true;
+  security.pam.services.sddm.enableKwallet = true;
+  security.pam.services.sddm.enableGnomeKeyring = true;

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
@ -151,12 +156,27 @@
  #   enable = true;
  #   enableSSHSupport = true;
  # };
+  programs.kdeconnect.enable = true;

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;

+  # Secrets
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  ## tinc
+  sops.secrets."tinc/ed25519-private-key" = { };
+  services.my-tinc = {
+    enable = true;
+    hostName = "macbook-nixos";
+    ed25519PrivateKey = config.sops.secrets."tinc/ed25519-private-key".path;
+    bindPort = 6565;
+  };
+
+
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
--- a/kagami-air-m1/secrets.yaml
+++ b/kagami-air-m1/secrets.yaml
@ -0,0 +1,31 @@
+tinc:
+    ed25519-private-key: ENC[AES256_GCM,data:2/NCyC2QvZ1BRsIxiqTGppuTH55fyMKmHqNiOHJA3QbQ7uVeied1I/3GwRt3UjtvGgLPu9QpXw4+h5qfhq0I2irOMVY6+caw+8xinU/aaWPC6h9oZzW6gskjsmeer7yCeOENqsi2CgL3ICpJ8bxMH4iRUnSp5NsehNwF65dgEDIWuFqdUMJpnzFU2E4bLoqHwzW7Gn65PNTcqE6x2WICPO55cviQzX4mmLJ2tup3L2Z3tu6ZG0XLVAXoj/n6GM9uNRSCDzDeD9o=,iv:VSn8f/roBLV4lKLRvBCKuYzBYm4/ECfFo19Z8V/8ojA=,tag:c3aiFPBk5lToJeZ/jbgMcQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age169v95f5fqx0sg5mjpp63sumrj9sma9se203ra2c05qa67h2h2drs3tvdph
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHQ0ZFampRSm5BbTVpUk9o
+            MUhLenM0czVDM1NUWFFsTGxZUllKMjNOU3pZCm00eUZjRFU3bTZnbnNVR2RnMVl2
+            UEV2c1VXNDRhRklIZmpnN2dLczJPVGcKLS0tIGVlTkkrWXVTbFVJS1h4YnZRKzNn
+            dFJYaEErRWFJZXpnWVY1dk4zbnMxK3cKZ0aiD0ZusCWnjfhEsuVNO8XZrwupDANu
+            GUf03lwpLiOx6OehK2wR0pfMEfmbDOP6+o673Sw9PcreEPvUovh82Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10dd4t507h3ey68l2alu7z94s5lw0kshjq9lre5sv2vehrm9hg4rqk2let7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraHhUUXlpb3UvNWdkc3ZP
+            bFdNU0NaaStxR2c4SEY2NFByKzVGa1BkWXpjCmVlMmF3eUdid3RSMjVTUlJOM0hS
+            eHByVGtiUzBEZGRVRjg1TENPQlpPNjQKLS0tIG11cWFUU3JNeFY4cCt3d2ZUWmpl
+            dnZKYUIvM1N2eGFubkgzdUVESEVCYm8KGIEl6MKIc7Xsg9MePOgLovSBWh7b0BX/
+            aUXZm+elav6a7dmPSXqA7/ZSUtxZqD3sYF06YnABEhO+wQ5McArkFg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-10-17T10:54:59Z"
+    mac: ENC[AES256_GCM,data:U7ir+TrO+y6q3VOyMEoUG1hBf+p+r08WhrLx4i8zM2qJ0xu3QdLLP++smC0QgfY5w/IxHHNdU476fDca2qJgxB01D7dlun2nFUsKTkxJNT9oaZcE0hLMP7ngjDcrhXNnUysKRIcM8wRhaouRzY0USPePeueIq3ootQkqnIO4ZcQ=,iv:rKuuFADjdxi5USmm75xBexHzTyxNsl9HchTPMQnfRfU=,tag:YCwU/O3Bj49VzF6wxEsD9g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3