
secrets: use a multi-key setup with strong auth for multi device conf

master
parent
commit
dfa54c0edc
Signed by: govanify GPG Key ID: DE62E1E2A6145556
42 changed files with 32 additions and 26 deletions
  1. +3
    -1
      .gitattributes
  2. +6
    -3
      bootstrap/bootstrap.sh
  3. +1
    -1
      default.nix
  4. +1
    -16
      profiles/default.nix
  5. +21
    -5
      profiles/headfull.nix
  6. BIN
      secrets/assets/canary
  7. BIN
      secrets/assets/emet-selch.md
  8. BIN
      secrets/assets/gpg/gpg-trust.txt
  9. BIN
      secrets/assets/ssh/navi.pub
  10. BIN
      secrets/common/assets/canary
  11. BIN
      secrets/common/assets/ssh/navi.pub
  12. BIN
      secrets/default.nix
  13. BIN
      secrets/emet-selch/assets/canary
  14. BIN
      secrets/emet-selch/assets/emet-selch-pub.gpg
  15. BIN
      secrets/emet-selch/assets/emet-selch.md
  16. BIN
      secrets/emet-selch/assets/gpg/gpg-trust.txt
  17. BIN
      secrets/emet-selch/assets/gpg/key.gpg
  18. BIN
      secrets/emet-selch/default.nix
  19. BIN
      secrets/emet-selch/infrastructure/default.nix
  20. BIN
      secrets/emet-selch/infrastructure/emet-selch/amaurot.nix
  21. BIN
      secrets/emet-selch/infrastructure/emet-selch/default.nix
  22. BIN
      secrets/headfull/assets/canary
  23. +0
    -0
      secrets/headfull/assets/gpg/key.gpg
  24. +0
    -0
      secrets/headfull/assets/shadow/main
  25. +0
    -0
      secrets/headfull/assets/shadow/root
  26. +0
    -0
      secrets/headfull/assets/ssh/distbuild
  27. +0
    -0
      secrets/headfull/assets/ssh/distbuild.pub
  28. +0
    -0
      secrets/headfull/assets/ssh/navi
  29. +0
    -0
      secrets/headfull/components/default.nix
  30. +0
    -0
      secrets/headfull/components/deployment.nix
  31. +0
    -0
      secrets/headfull/components/mail-accounts.nix
  32. +0
    -0
      secrets/headfull/components/wifi-hp.nix
  33. BIN
      secrets/headfull/default.nix
  34. +0
    -0
      secrets/headfull/infrastructure/alastor/cache.nix
  35. +0
    -0
      secrets/headfull/infrastructure/alastor/default.nix
  36. BIN
      secrets/headfull/infrastructure/default.nix
  37. +0
    -0
      secrets/headfull/infrastructure/xanadu/boot-dm.nix
  38. +0
    -0
      secrets/headfull/infrastructure/xanadu/cache.nix
  39. +0
    -0
      secrets/headfull/infrastructure/xanadu/default.nix
  40. BIN
      secrets/infrastructure/default.nix
  41. BIN
      secrets/infrastructure/emet-selch/amaurot.nix
  42. BIN
      secrets/infrastructure/emet-selch/default.nix

+ 3
- 1
.gitattributes View File

@ -1 +1,3 @@
secrets/** filter=git-crypt diff=git-crypt
secrets/headfull/** filter=git-crypt diff=git-crypt
secrets/emet-selch/** filter=git-crypt-emet-selch diff=git-crypt-emet-selch
secrets/common/** filter=git-crypt-common diff=git-crypt-common
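Review bot: With the catch-all `secrets/**` line gone (the first line of the hunk appears to be the removed old side), anything committed directly under `secrets/` or in a sub-directory not named here matches no git-crypt filter and would land in the repository in plaintext; the file listing still shows `secrets/default.nix` and `secrets/infrastructure/default.nix` at exactly such paths. Keep a default as the first line, e.g. `secrets/** filter=git-crypt diff=git-crypt`, and let the three per-key lines below it override for their sub-trees, since the last matching pattern in .gitattributes wins. A run of `git-crypt status` after the change confirms that no secret is reported as unencrypted.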

+ 6
- 3
bootstrap/bootstrap.sh View File

@ -1,8 +1,11 @@
#!/bin/sh
# THIS IS A HEADFULL ONLY BOOTSTRAPPER! I NEED TO MAKE ONE FOR OTHER DEVICES TOO
# AAAAAAA
echo "Welcome to navi's bootstrapper!"
cat icon.motd
echo "4d16330208714286d397e2cf7d8a977ac2771ac9fa0311226afc0df06e00b4d6 ../secrets/assets/canary" \
echo "4d16330208714286d397e2cf7d8a977ac2771ac9fa0311226afc0df06e00b4d6 ../secrets/common/assets/canary" \
| sha256sum --check --status &> /dev/null
if [ "$?" -ne 0 ]; then
@ -52,8 +55,8 @@ old_gpg_home=$GNUPGHOME
export GNUPGHOME="$3/home/$2/.config/gnupg"
find $3/home/$2/.config/gnupg -type f -exec chmod 600 {} \;
find $3/home/$2/.config/gnupg -type d -exec chmod 700 {} \;
gpg --import ../secrets/assets/gpg/key.gpg
gpg --import-ownertrust ../secrets/assets/gpg/gpg-trust.txt
gpg --import ../secrets/headfull/assets/gpg/key.gpg
gpg --import-ownertrust ../secrets/headfull/assets/gpg/gpg-trust.txt
mkdir -p $3/home/$2/.local/share/mail/ &> /dev/null
mkdir -p $3/home/$2/.cache/mutt/ &> /dev/null
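Review bot: The canary check in the first hunk (`| sha256sum --check --status &> /dev/null` followed by `if [ "$?" -ne 0 ]`) runs under `#!/bin/sh`, and `&>` is a bash extension: a POSIX sh such as dash parses it as `&` plus a bare redirection, so the pipeline is backgrounded and `$?` becomes the exit status of the empty redirection (0), which would let the bootstrap continue with a wrong or missing canary. Use POSIX redirection, `| sha256sum --check --status >/dev/null 2>&1`, or put the pipeline directly in the `if` condition. The `mkdir ... &> /dev/null` lines in the second hunk have the same construct, though there it is harmless; the expected digest is also duplicated literally in `default.nix`, so the two can drift apart. The body of the `if` and the rest of the script lie outside the hunks.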
mkdir -p $3/home/$2/.local/share/wineprefixes/ &> /dev/null


+ 1
- 1
default.nix View File

@ -1,6 +1,6 @@
let
canary =
if (builtins.hashFile "sha256" ./secrets/assets/canary) != "4d16330208714286d397e2cf7d8a977ac2771ac9fa0311226afc0df06e00b4d6"
if (builtins.hashFile "sha256" ./secrets/common/assets/canary) != "4d16330208714286d397e2cf7d8a977ac2771ac9fa0311226afc0df06e00b4d6"
then
abort
"Incorrect secrets. Please be sure to run ./bootstrap.sh if this
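Review bot: Only `secrets/common/assets/canary` is verified here, while `profiles/headfull.nix` now reads from `secrets/headfull/` (and the new layout adds `secrets/emet-selch/`); if that tree is still locked or was unlocked with another key, evaluation fails inside `fileContents`/`readFile` with an unrelated error instead of this message. Consider extending the condition to the canary of every key the evaluated profile needs, e.g. `|| (builtins.hashFile "sha256" ./secrets/headfull/assets/canary) != "<HEADFULL_CANARY_SHA256>"` (placeholder, substitute the real digest), or move the check into each `secrets/<key>/default.nix`. The same literal digest is hard-coded in `bootstrap/bootstrap.sh`; keeping it in one place avoids the two drifting apart. The `let` binding continues outside the hunk.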


+ 1
- 16
profiles/default.nix View File

@ -63,25 +63,10 @@ with lib;
};
# define our main users
# TODO, XXX, TOFIX: the shadows are probably written in the nix store, do we
# care about that?
users.users.${config.navi.username} = {
isNormalUser = true;
hashedPassword = fileContents ./../secrets/assets/shadow/main;
openssh.authorizedKeys.keyFiles = [ ./../secrets/assets/ssh/navi.pub ];
openssh.authorizedKeys.keyFiles = [ ./../secrets/common/assets/ssh/navi.pub ];
};
users.users.root.hashedPassword = fileContents ./../secrets/assets/shadow/root;
# setup the distbuild account; while this might look like a backdoor for
# lesser privilege devices the distbuild access key is only given to at
# least headfull devices, thus headless devices cannot ssh into headfull.
# same goes for the main account.
users.users.distbuild = {
isSystemUser = true;
shell = pkgs.bash;
openssh.authorizedKeys.keyFiles = [ ./../secrets/assets/ssh/distbuild.pub ];
};
nix.trustedUsers = [ "distbuild" ];
# automatic updates & cleanup
system.autoUpgrade.enable = true;
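Review bot: After this hunk the shared profile declares no `hashedPassword` for `config.navi.username` or `root` (both moved to `profiles/headfull.nix`), so non-headfull devices get whatever NixOS applies when no password is declared, which with `users.mutableUsers = false` is a locked password and key-only access. If that is the intent, say so next to the remaining `openssh.authorizedKeys.keyFiles` line, e.g. `# non-headfull devices get no password: login is key-based only via the common navi key`; if not, a per-device shadow under `secrets/common/` is needed. The enclosing `users.users` attrset and the `with lib;` module scope start outside the hunk.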


+ 21
- 5
profiles/headfull.nix View File

@ -45,10 +45,10 @@ with lib;
# we setup the personal ssh and gpg key of our headfull user
home-manager.users.${config.navi.username} = {
home.file.".config/gnupg/key.gpg".source = ./../secrets/assets/gpg/key.gpg;
home.file.".config/gnupg/trust.txt".source = ./../secrets/assets/gpg/gpg-trust.txt;
home.file.".config/ssh/id_ed25519".source = ./../secrets/assets/ssh/navi;
home.file.".config/ssh/id_ed25519.pub".source = ./../secrets/assets/ssh/navi.pub;
home.file.".config/gnupg/key.gpg".source = ./../secrets/headfull/assets/gpg/key.gpg;
home.file.".config/gnupg/trust.txt".source = ./../secrets/headfull/assets/gpg/gpg-trust.txt;
home.file.".config/ssh/id_ed25519".source = ./../secrets/headfull/assets/ssh/navi;
home.file.".config/ssh/id_ed25519.pub".source = ./../secrets/headfull/assets/ssh/navi.pub;
# try to auto retrieve gpg keys when using emails, using hkp on port 80 to
# bypass tor restrictions -- PROBABLY A VERY BAD IDEA SECURITY WISE, TOFIX,
@ -61,12 +61,28 @@ with lib;
# store our distbuild key so we can login to our infra
environment.etc."distbuild_ssh" = {
text = builtins.readFile ./../secrets/assets/ssh/distbuild;
text = builtins.readFile ./../secrets/headfull/assets/ssh/distbuild;
mode = "0400";
uid = 0;
gid = 0;
};
# setup the distbuild account; while this might look like a backdoor for
# lesser privilege devices the distbuild access key is only given to at
# least headfull devices, thus headless devices cannot ssh into headfull.
# same goes for the main account.
users.users.distbuild = {
isSystemUser = true;
shell = pkgs.bash;
openssh.authorizedKeys.keyFiles = [ ./../secrets/headfull/assets/ssh/distbuild.pub ];
};
nix.trustedUsers = [ "distbuild" ];
# TODO, XXX, TOFIX: the shadows are probably written in the nix store, do we
# care about that?
users.users.${config.navi.username}.hashedPassword = fileContents ./../secrets/headfull/assets/shadow/main;
users.users.root.hashedPassword = fileContents ./../secrets/headfull/assets/shadow/root;
# locking kernel modules has a horrendous UX for headfull devices and is
# mostly useless for those, as they're deemed to restart frequently. A restart
# allows you to replace the currently running kernel by your own and thus
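Review bot: The moved `hashedPassword = fileContents ./../secrets/headfull/assets/shadow/main` line (and the root line after it) settles the TODO above it the wrong way: `fileContents` interpolates the hash into the generated NixOS configuration, which ends up world-readable in /nix/store. The usual fix is to reference a path that is never copied to the store, `users.users.${config.navi.username}.passwordFile = "/path/outside/store";` (placeholder path, deployed by the bootstrapper with mode 0400; `hashedPasswordFile` on newer NixOS). On the `nix.trustedUsers = [ "distbuild" ]` line, trusted users may import unsigned paths and override substituters through the daemon, so the distbuild key is effectively a root credential on headfull hosts; the comment above could state this, and the authorized_keys entry could carry a forced command (`restrict,command="nix-store --serve --write"`) so the key serves remote builds only. The enclosing module body begins and ends outside the hunk.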


BIN
secrets/assets/canary View File


BIN
secrets/assets/emet-selch.md View File


BIN
secrets/assets/gpg/gpg-trust.txt View File


BIN
secrets/assets/ssh/navi.pub View File


BIN
secrets/common/assets/canary View File


BIN
secrets/common/assets/ssh/navi.pub View File


BIN
secrets/default.nix View File


BIN
secrets/emet-selch/assets/canary View File


BIN
secrets/emet-selch/assets/emet-selch-pub.gpg View File


BIN
secrets/emet-selch/assets/emet-selch.md View File


BIN
secrets/emet-selch/assets/gpg/gpg-trust.txt View File


BIN
secrets/emet-selch/assets/gpg/key.gpg View File


BIN
secrets/emet-selch/default.nix View File


BIN
secrets/emet-selch/infrastructure/default.nix View File


BIN
secrets/emet-selch/infrastructure/emet-selch/amaurot.nix View File


BIN
secrets/emet-selch/infrastructure/emet-selch/default.nix View File


BIN
secrets/headfull/assets/canary View File


secrets/assets/gpg/key.gpg → secrets/headfull/assets/gpg/key.gpg View File


secrets/assets/shadow/main → secrets/headfull/assets/shadow/main View File


secrets/assets/shadow/root → secrets/headfull/assets/shadow/root View File


secrets/assets/ssh/distbuild → secrets/headfull/assets/ssh/distbuild View File


secrets/assets/ssh/distbuild.pub → secrets/headfull/assets/ssh/distbuild.pub View File


secrets/assets/ssh/navi → secrets/headfull/assets/ssh/navi View File


secrets/components/default.nix → secrets/headfull/components/default.nix View File


secrets/components/deployment.nix → secrets/headfull/components/deployment.nix View File


secrets/components/mail-accounts.nix → secrets/headfull/components/mail-accounts.nix View File


secrets/components/wifi-hp.nix → secrets/headfull/components/wifi-hp.nix View File


BIN
secrets/headfull/default.nix View File


secrets/infrastructure/alastor/cache.nix → secrets/headfull/infrastructure/alastor/cache.nix View File


secrets/infrastructure/alastor/default.nix → secrets/headfull/infrastructure/alastor/default.nix View File


BIN
secrets/headfull/infrastructure/default.nix View File


secrets/infrastructure/xanadu/boot-dm.nix → secrets/headfull/infrastructure/xanadu/boot-dm.nix View File


secrets/infrastructure/xanadu/cache.nix → secrets/headfull/infrastructure/xanadu/cache.nix View File


secrets/infrastructure/xanadu/default.nix → secrets/headfull/infrastructure/xanadu/default.nix View File


BIN
secrets/infrastructure/default.nix View File


BIN
secrets/infrastructure/emet-selch/amaurot.nix View File


BIN
secrets/infrastructure/emet-selch/default.nix View File

