Remove all git-crypt

.git-crypt/.gitattributes

@@ -1,4 +0,0 @@
-# Do not edit this file.  To specify the files to encrypt, create your own
-# .gitattributes file in the directory where your files are.
-* !filter !diff
-*.gpg binary

.gitattributes

@@ -1,4 +0,0 @@
-# To add a new file:
-# /secret/file filter=git-crypt diff=git-crypt
-**/*.secret.nix filter=git-crypt diff=git-crypt
-**/secret.nix filter=git-crypt diff=git-crypt

README.md

@@ -2,19 +2,11 @@
 
 ## Secrets
 
-There are two types of secrets in this repository. Secret secrets, and
-secret configuration.
-
-Secret secrets should never be world-readable, even to users who are
+Secrets should never be world-readable, even to users who are
 logged in to one of the hosts managed by this configuration. These are
 generally managed by agenix, allowing them to still be put in the nix
 store.
 
-Secret configuration is generally more security through obscurity
-(e.g. some services that I run that I don't want the whole world to
-know what ports they run on). These are managed with git-crypt and are
-files that end in `secret.nix`.
-
 ## Setting up a new dev environment
 
 * Create a new `*.nix` file in the shells directory that describes the environment (this is the hard part).

flake.nix

@@ -65,15 +65,17 @@
         lasting-integrity.modules = [ ./machines/lasting-integrity ];
         urithiru.modules = [ ./machines/urithiru ];
       };
-      outputsBuilder = channels: let pkgs = channels.nixpkgs; in {
-        packages = customPackages pkgs.callPackage;
-        devShell = pkgs.mkShell {
-          buildInputs = [
-            pkgs.nixpkgs-fmt
-            (pkgs.writeShellScriptBin "fetchpatch" "curl -L https://github.com/NixOS/nixpkgs/pull/$1.patch -o patches/$1.patch")
-            agenix.defaultPackage.x86_64-linux
-          ];
+      outputsBuilder = channels:
+        let pkgs = channels.nixpkgs; in
+        {
+          packages = customPackages pkgs.callPackage;
+          devShell = pkgs.mkShell {
+            buildInputs = [
+              pkgs.nixpkgs-fmt
+              (pkgs.writeShellScriptBin "fetchpatch" "curl -L https://github.com/NixOS/nixpkgs/pull/$1.patch -o patches/$1.patch")
+              agenix.defaultPackage.x86_64-linux
+            ];
+          };
         };
-      };
     };
 }

machines/lasting-integrity/default.nix

@@ -1,10 +1,7 @@
 { pkgs, ... }:
 
 {
-  imports = [
-    ./hardware.nix
-    ./secret.nix
-  ];
+  imports = [ ./hardware.nix ];
 
   time.timeZone = "Europe/Berlin";
 
@@ -68,11 +65,12 @@
                   client_max_body_size 10M;
                   proxy_set_header X-Forwarded-Ssl on;
                 '';
-              }; in {
-                "/_matrix" = matrixRedirect;
-                "/.well-known/matrix" = matrixRedirect;
-                "/".return = "307 https://www.vanpetegem.me$request_uri";
-              };
+              }; in
+                {
+                  "/_matrix" = matrixRedirect;
+                  "/.well-known/matrix" = matrixRedirect;
+                  "/".return = "307 https://www.vanpetegem.me$request_uri";
+                };
             };
           }
           { fqdn = "www.vanpetegem.me"; }

machines/urithiru/default.nix

@@ -1,10 +1,7 @@
 { lib, pkgs, nixosConfigurations, ... }:
 
 {
-  imports = [
-    ./hardware.nix
-    ./secret.nix
-  ];
+  imports = [ ./hardware.nix ];
 
   time.timeZone = "Europe/Berlin";
 

modules/services/data-access/config.nix

@@ -7,7 +7,9 @@
     description = "Data Access";
     uid = 1000;
     group = "users";
+    passwordFile = "/run/secrets/password_file";
   };
+  environment.systemPackages = [ pkgs.rsync pkgs.mktorrent (pkgs.writeShellScriptBin "create_torrent" ". /run/secrets/create_torrent") ];
   security.sudo.enable = false;
   services.openssh = {
     enable = true;
@@ -16,5 +18,6 @@
       { bits = 4096; path = "/run/secrets/ssh_host_rsa_key"; type = "rsa"; }
       { path = "/run/secrets/ssh_host_ed25519_key"; type = "ed25519"; }
     ];
+    authorizedKeysFiles = [ "/run/secrets/authorized_keys" ];
   };
 }

modules/services/data-access/default.nix

@@ -1,8 +1,6 @@
 { config, lib, ... }:
 
 {
-  imports = [ ./secret.nix ];
-
   options.chvp.services.data-access.enable = lib.mkOption {
     default = false;
     example = true;
@@ -32,6 +30,8 @@
       ];
     };
 
+    networking.firewall.allowedTCPPorts = [ 2002 ];
+
     containers.data-access = {
       ephemeral = true;
       autoStart = true;
@@ -45,13 +45,18 @@
           isReadOnly = true;
         };
       };
+      forwardPorts = [{
+        containerPort = 22;
+        hostPort = 2002;
+        protocol = "tcp";
+      }];
       privateNetwork = true;
       hostAddress = "192.168.100.10";
       hostAddress6 = "fc00::1";
       localAddress = "192.168.100.11";
       localAddress6 = "fc00::2";
       config = { ... }: {
-        imports = [ ./config.nix ./config.secret.nix ];
+        imports = [ ./config.nix ];
       };
     };
 
@@ -59,6 +64,15 @@
     age.secrets."data-access/ssh_host_rsa_key.pub".file = ../../../secrets/data-access/ssh_host_rsa_key.pub.age;
     age.secrets."data-access/ssh_host_ed25519_key".file = ../../../secrets/data-access/ssh_host_ed25519_key.age;
     age.secrets."data-access/ssh_host_ed25519_key.pub".file = ../../../secrets/data-access/ssh_host_ed25519_key.pub.age;
+    age.secrets."data-access/password_file".file = ../../../secrets/data-access/password_file.age;
+    age.secrets."data-access/authorized_keys" = {
+      file = ../../../secrets/data-access/authorized_keys.age;
+      owner = "charlotte";
+    };
+    age.secrets."data-access/create_torrent" = {
+      file = ../../../secrets/data-access/create_torrent.age;
+      owner = "charlotte";
+    };
     age.secrets."passwords/services/data-basic-auth" = {
       file = ../../../secrets/passwords/services/data-basic-auth.age;
       owner = "nginx";

modules/work/vpn/default.nix

@@ -1,10 +1,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  imports = [
-    ./secret.nix
-  ];
-
   options = {
     chvp.work.vpn.enable = lib.mkOption {
       default = false;
@@ -17,10 +13,16 @@
       ugent-global-vpn = {
         after = [ "network.target" ];
         conflicts = [ "ugent-local-vpn.service" ];
+        path = [ pkgs.sshuttle pkgs.openssh pkgs.bash ];
+        environment = { PASSWORD_FILE = config.age.secrets."passwords/ugent-vpn".path; };
+        serviceConfig.ExecStart = config.age.secrets."files/programs/vpn/global".path;
       };
       ugent-local-vpn = {
         after = [ "network.target" ];
         conflicts = [ "ugent-global-vpn.service" ];
+        path = [ pkgs.sshuttle pkgs.openssh pkgs.bash ];
+        environment = { PASSWORD_FILE = config.age.secrets."passwords/ugent-vpn".path; };
+        serviceConfig.ExecStart = config.age.secrets."files/programs/vpn/local".path;
       };
     };
     security.polkit.extraConfig = ''
@@ -34,5 +36,13 @@
       });
     '';
     age.secrets."passwords/ugent-vpn".file = ../../../secrets/passwords/ugent-vpn.age;
+    age.secrets."files/programs/vpn/local" = {
+      file = ../../../secrets/files/programs/vpn/local.age;
+      mode = "0500";
+    };
+    age.secrets."files/programs/vpn/global" = {
+      file = ../../../secrets/files/programs/vpn/global.age;
+      mode = "0500";
+    };
   };
 }

secrets.nix

@@ -33,6 +33,8 @@ in
 
   "secrets/passwords/ugent-mount-credentials.age".publicKeys = laptops ++ users;
   "secrets/passwords/ugent-vpn.age".publicKeys = laptops ++ users;
+  "secrets/files/programs/vpn/local.age".publicKeys = laptops ++ users;
+  "secrets/files/programs/vpn/global.age".publicKeys = laptops ++ users;
 
   "secrets/passwords/services/accentor.age".publicKeys = [ urithiru ] ++ users;
 
@@ -47,7 +49,7 @@ in
   "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users;
 
   "secrets/files/programs/ssh/host_configuration.age".publicKeys = hosts ++ users;
-  
+
   "secrets/files/services/matrix-appservice-slack/config.yml.age".publicKeys = [ lasting-integrity ] ++ users;
   "secrets/files/services/matrix-appservice-slack/registration.yml.age".publicKeys = [ lasting-integrity ] ++ users;
   "secrets/files/services/matrix-synapse/config.yml.age".publicKeys = [ lasting-integrity ] ++ users;
@@ -58,4 +60,7 @@ in
   "secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users;
   "secrets/data-access/ssh_host_ed25519_key.age".publicKeys = [ urithiru ] ++ users;
   "secrets/data-access/ssh_host_ed25519_key.pub.age".publicKeys = [ urithiru ] ++ users;
+  "secrets/data-access/authorized_keys.age".publicKeys = [ urithiru ] ++ users;
+  "secrets/data-access/password_file.age".publicKeys = [ urithiru ] ++ users;
+  "secrets/data-access/create_torrent.age".publicKeys = [ urithiru ] ++ users;
 }

secrets/data-access/password_file.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 9PfEBQ Vq16b9bDymjNwwJlPiHBthxD50YeprXBPrRy9wNd2AA
+FjiyQbWTcNNVQk8E9iXP2TC8TuSXTfoFYzF3Y72ry5k
+-> ssh-ed25519 s9rb8g 7puH9ds24smZcxJECsBGEC8IZ5q9EurHi6lV2oNxFAE
+eXG6/lgAfHBzY7Rm19aHl6zf2HanjoaFV7YezclJQhE
+-> ssh-ed25519 yad4VQ F5YiA+LSeCA9qPjstZrPXgllKs3IxDsA/ha+ZvNTXTc
+po/JNstnZ6ukqR3T3djXgVYJqSGFEeDwOkbQqbluPx0
+-> R>xz]Mg-grease
+nYwGW+ZzUW4N4tKNwB3kkTXO8CAvmlNLIE79LLUzHkRt04ovwgS9G22MqpoUYn6N
+rY9IAdecPENYkqIqVd7OJRtTcrmb311NXcds8G6f+x/r6dcu8lexERE8k1Q
+--- uP24/LXQHQSwdFDEyBVMpTMVoFasQGHRz1XEAWyUZ4I
+ze™à§/Mó„YTê%ýà~Á«FÑ`X¯Ý!v·*Þî@AG‚ï¤@iÜQäan˜Õ‹|p<>`2¿"ÿÀÄ%7xr›iÈx¸ÞQêÉÛǣÕÜnµÊ¤u@gúÏ"
+*Þ]Ãñ<C383>Æ?z>õÏ<C3B5>l¤%7§öµ•w4f„§¡TO㌇.RŠœÝ“

secrets/files/programs/vpn/global.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 umFZoA Zbf1eXyTxHEkOCJfYVt08sQcrHPmH7xzbgbNSJlefyw
+GhUZ8pv+W4iJDu1o8fHVbCgAT6uUytDAktVTZJeUMBY
+-> ssh-ed25519 aUd9Ng xr+E/JROUvOZ4d+GDThxzMke+XcfgNUqDxCrDa7zGnU
+JrWtA/U1VAKPdHRyIw5EZ98zJnlWfEqml/aPD22//sM
+-> ssh-ed25519 s9rb8g CtPl56xLOHRL6mLCXfiSrHQ/TnzTNxwCybW8i10sbHI
+g2XUxE1H/MOXzqcadXEBXAh+eQVxOi60aZq0Bvwm0jk
+-> ssh-ed25519 yad4VQ YeECur+U3OXUYXv7iLcDSGLhssoY05oQXNSJlyR9KGk
+BbLCcjImDO8jEMYJtYttlUJr6yY2P+RyRsqIGGrZXwA
+-> @h@-grease FW*P0 u<XH 5nQ?~L-+
+Kjje
+--- 8eyLL52J/N5nLpkribbLWoyjvxF3PRdVQkPd0deL8aQ
+¸
fʼnƒ3&#c:…~ÍšGú¿ñ\ìáTý%Å÷'nŸúRÛþ?%ÔÕz úP_è±e׊gèùM<C3B9>a	å]¾í6ü·š¶!²O?%ŠÜ½™'ÂØ`MHRi|áÉÀëoôÂô÷M¿ÏJ¯_TÍðQͺŒ¥ÚÊ·