use git-encrypt for secrets

2018-01-26 11:54:50 +01:00 · 2018-01-26 11:54:50 +01:00 · e6a497383d
commit e6a497383d
parent 4cd08b3136
6 changed files with 45 additions and 17 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
+*.crypt.* filter=git-crypt diff=git-crypt
--- a/nixos-configuration/common/passwords.crypt.nix
+++ b/nixos-configuration/common/passwords.crypt.nix
--- a/nixos-configuration/common/user/root.nix
+++ b/nixos-configuration/common/user/root.nix
@ -3,11 +3,14 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).

 { config, pkgs, ... }:
+let 
+  passwords = import ../passwords.crypt.nix;
+in
 {
  users.mutableUsers = false;

  users.extraUsers.root = {
-    hashedPassword = "removed";
+    hashedPassword = passwords.users.root;
    openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"];
  };
 }
--- a/nixos-configuration/steveej-laptop/user.nix
+++ b/nixos-configuration/steveej-laptop/user.nix
@ -1,16 +1,14 @@
+{ config
+, pkgs
+, ... }:

-{ config, pkgs, ... }:
-{
-  imports =
-    [ 
-        ../common/user/root.nix
-    ];
-
-  users.extraUsers.steveej = {
-    uid = 1000;
+let 
+  passwords = import ../common/passwords.crypt.nix;
+  mkUser = {uid, hashedPassword, ... } @ args: args // {
+    inherit uid hashedPassword;
    isNormalUser = true;
-    home = "/home/steveej";
    extraGroups = [
+      "docker"
      "wheel"
      "libvirtd"
      "networkmanager"
@ -19,9 +17,28 @@
      "input"
      "audio"
      "video"
+      "cdrom"
    ];
-    hashedPassword = "removed";
-    shell = pkgs.zsh;
+  };
+
+in
+{
+  users.mutableUsers = false;
+  users.defaultUserShell = pkgs.zsh;
+
+  users.extraUsers.root = {
+    hashedPassword = passwords.users.root;
+    openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"];
+  };
+
+  users.extraUsers.steveej = mkUser {
+    uid = 1000;
+    hashedPassword = passwords.users.steveej;
+  };
+
+  users.extraUsers.steveej2 = mkUser {
+    uid = 1001;
+    hashedPassword = passwords.users.steveej2;
  };

  security.pam.enableU2F = true;
--- a/nixos-configuration/steveej-laptop2/configuration.nix
+++ b/nixos-configuration/steveej-laptop2/configuration.nix
@ -4,6 +4,10 @@

 { config, pkgs, ... }:

+let
+  passwords = import ../common/passwords.crypt.nix;
+
+in
 {
  nixpkgs.config.allowUnfree = true;

@ -121,7 +125,7 @@

  users.mutableUsers = false;
  users.extraUsers.root = {
-    hashedPassword = "removed";
+    hashedPassword = passwords.users.root;
    openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"];
  };
  users.extraUsers.steveej = {
@ -129,7 +133,7 @@
    isNormalUser = true;
    home = "/home/steveej";
    extraGroups = [ "wheel" "libvirtd" "networkmanager" "vboxusers" ];
-    hashedPassword = "removed";
+    hashedPassword = passwords.users.steveej;
  };

  services.gpm.enable = true;
--- a/nixos-configuration/steveej-utilitepro/configuration.nix
+++ b/nixos-configuration/steveej-utilitepro/configuration.nix
@ -4,6 +4,9 @@

 { config, pkgs, ... }:

+let
+  passwords = import ../common/passwords.crypt.nix;
+in
 {
  # The NixOS release to be compatible with for stateful data such as databases.
  system.stateVersion = "16.03";
@ -259,7 +262,7 @@

  users.mutableUsers = false;
  users.extraUsers.root = {
-    hashedPassword = "removed";
+    hashedPassword = passwords.users.root;
    openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"];
  };
  users.extraUsers.steveej = {
@ -267,7 +270,7 @@
    isNormalUser = true;
    home = "/home/steveej";
    extraGroups = [ "wheel" "libvirtd" ];
-    hashedPassword = "removed";
+    hashedPassword = passwords.users.steveej;
    openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"];
  };