diff --git a/.gitattributes b/.gitattributes
index 79674dd6..fe992d37 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -5,3 +5,4 @@ secret.yaml filter=git-crypt diff=git-crypt
 secret.yml filter=git-crypt diff=git-crypt
 ghcr-pull-secrets.yaml filter=git-crypt diff=git-crypt
 ssh-secrets.yaml filter=git-crypt diff=git-crypt
+guix/resources/age-key filter=git-crypt diff=git-crypt
diff --git a/guix/.sops.yaml b/guix/.sops.yaml
new file mode 100644
index 00000000..97b287c7
--- /dev/null
+++ b/guix/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+ - &user_pydis age1knt932vn0rgunzh9zzjs8cf7yjdx233gy2dt3w3uzm3apkp3g3qsralf2e
+ - &host_turing age1gtw67lnhtcxnut3dl2keqm684zxy27cydc42xj5fazaq56uclvrslf6vta
+
+creation_rules:
+ - path_regex: .*secrets\.yaml$
+ key_groups:
+ - age:
+ - *user_pydis
+ - *host_turing
diff --git a/guix/README.md b/guix/README.md
index 9f5b1c3b..9f2b706d 100644
--- a/guix/README.md
+++ b/guix/README.md
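Review bot: `guix/resources/age-key` puts an age private identity into the repository protected only by git-crypt, and no hunk in this commit references it (the `resource` helper in turing.scm is not pointed at it anywhere visible and the sops service reads no key file), so a reader cannot tell whether this is the `user_pydis` or the `host_turing` identity from `guix/.sops.yaml` or why it needs to be versioned at all. If it is one of those two, every holder of git-crypt access can also decrypt `guix/secrets.yaml`, so the sops layer adds no separation; a comment on the new line would record that decision, e.g. `# age identity for guix/secrets.yaml (see guix/.sops.yaml); shared via git-crypt by design`. git-crypt encrypts only blobs added after the attribute exists, and both land in one commit here, so confirm with `git-crypt status` that the key was stored encrypted rather than trusting the `Binary files … differ` marker. `guix/secrets.yaml` also appears as a binary blob, which for sops-encrypted YAML suggests an existing git-crypt rule outside this hunk covers it; double-wrapping hides the sops metadata that `sops` diff and `updatekeys` tooling and plain review depend on.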
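Review bot: The two recipients under `keys:` are identified only by their YAML anchors, so a later rotation with `sops updatekeys` gives a maintainer nothing to say which person or host each public key belongs to or where its private half is kept. Suggest a comment on each entry, e.g. `# operator identity (private key held by the ops user)` above `user_pydis` and `# turing host identity, generated on the host per README "Host prerequisites"` above `host_turing`. The `.*` prefix in `path_regex: .*secrets\.yaml$` is redundant because the pattern is unanchored at the start; `secrets\.yaml$` matches the same paths and reads more clearly.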
@@ -16,9 +16,39 @@ as a playground for ideas.
 --generate-key` as root.
 - This is needed for the remote Guix instance to accept packages we build locally.
+- `sops-guix` configured as a channel. For this, add:
+
+ ```scheme
+ (cons* (channel
+ (name 'sops-guix)
+ (url "https://github.com/fishinthecalculator/sops-guix.git")
+ (branch "main")
+ ;; Enable signature verification:
+ (introduction
+ (make-channel-introduction
+ "0bbaf1fdd25266c7df790f65640aaa01e6d2dbc9"
+ (openpgp-fingerprint
+ "8D10 60B9 6BB8 292E 829B 7249 AED4 1CC1 93B7 01E2"))))
+ %default-channels)
+ ```
+
+ to your `~/.config/guix/channels.scm`. After adding it, run `guix pull`.
+- [`sops`](https://github.com/getsops/sops) installed locally, along with
+ [`age`](https://github.com/FiloSottile/age).
+
+
+**Host prerequisites**
+
+One-time setup for Turing:
+
+- `sudo age-keygen -o /root/pydis.txt`
+
+Note down the public key and add it to `.sops.yaml`.
 **Testing**
+It is recommended to test building the image locally first to catch errors.
+
 ```sh
 # Note that you presently need to run this as root, see
 # https://codeberg.org/guix/guix/issues/4788
diff --git a/guix/machines/turing.scm b/guix/machines/turing.scm
index 2373822a..cd679c5f 100644
--- a/guix/machines/turing.scm
+++ b/guix/machines/turing.scm
@@ -4,6 +4,7 @@
 (use-modules (gnu)
 (guix)
 (gnu packages databases)
+ (gnu packages golang-crypto)
 (gnu packages linux)
 (gnu packages tmux)
 (gnu packages vim)
@@ -11,7 +12,9 @@
 (gnu services certbot)
 (gnu services databases)
 (gnu services networking)
- (gnu services web))
+ (gnu services web)
+ (sops secrets)
+ (sops services sops))
 (use-service-modules networking ssh)
 (use-package-modules bootloaders)
@@ -29,6 +32,8 @@
 (define %guix-dir
 (dirname (dirname (canonicalize-path (current-filename)))))
+(define %secrets-yaml (local-file (string-append %guix-dir "/secrets.yaml")))
+
 (define (resource path)
 (local-file (string-append %guix-dir "/resources/" path)))
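Review bot: `%secrets-yaml` wraps `guix/secrets.yaml` in `local-file`, which copies it into `/gnu/store`, where it is world-readable on the host and on any machine the store item is offloaded or substituted to; that is acceptable only because the file is sops ciphertext, and nothing on this line says so. Suggest a comment above the define: `;; sops-encrypted (recipients in guix/.sops.yaml); ends up world-readable in /gnu/store, so it must never contain plaintext`. `local-file` also reads the working tree, so if an existing git-crypt rule covers `secrets.yaml` (it lands as a binary blob in this commit, which suggests one does), a locked checkout would embed git-crypt ciphertext that sops cannot decrypt at activation — presumably the deploying checkout is always unlocked, but the README could say so.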
@@ -119,6 +124,17 @@
 ; (uri "/.well-known")
 ; (body (list "root /var/www; "))))))))))
 ;
+ (service sops-secrets-service-type
+ (sops-service-configuration
+ (generate-key? #f)
+ (secrets
+ (list
+ (sops-secret
+ (key '("good"))
+ (file %secrets-yaml)
+ (user "root")
+ (group "root")
+ (permissions #o400))))))
 (service certbot-service-type
 (certbot-configuration
 (email "ops@owlcorp.uk")
@@ -171,7 +187,7 @@
 (home-directory "/home/j")
 (supplementary-groups '("wheel" "netdev" "audio" "video")))
 %base-user-accounts))
- (packages (cons* %base-packages))
+ (packages (cons* age %base-packages))
 (sudoers-file (plain-file "sudoers" "root ALL=(ALL) ALL
 %wheel ALL=NOPASSWD: ALL
 "))
diff --git a/guix/resources/age-key b/guix/resources/age-key
new file mode 100644
index 00000000..62ed2653
Binary files /dev/null and b/guix/resources/age-key differ
diff --git a/guix/secrets.yaml b/guix/secrets.yaml
new file mode 100644
index 00000000..09c3e401
Binary files /dev/null and b/guix/secrets.yaml differ
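Review bot: `(generate-key? #f)` makes the service depend on an age identity that already exists on the host, but neither this hunk nor the README says which path sops-guix reads it from; the README's `sudo age-keygen -o /root/pydis.txt` is the only provisioning step and its connection to this setting is not stated, so if the two disagree the secret presumably fails to materialise at activation. Suggest a comment above that line: `;; Host age identity is provisioned out of band (README "Host prerequisites"); its public half must be the host_turing recipient in guix/.sops.yaml`. The secret key `'("good")` reads like a placeholder; if it is, say so in a comment so it is not mistaken for a real secret name, and if it is not, a comment naming what consumes the file at `permissions #o400` under root would help. The enclosing `operating-system` form begins and ends outside the hunk.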