authorMark Nipper <nipsy@bitgnome.net>2024-06-14 01:14:12 -0700
committerMark Nipper <nipsy@bitgnome.net>2024-06-14 01:14:12 -0700
commit6648abd0f57e7cd703cca46c303c39bdc27d657c (patch)
treec88dacb4fc6caaf5101063bf00e15c9030f16d16
parente7953e8afc1d0146ab27fe3bacf13d980b496147 (diff)
Add SSH rules for nftables on ginaz
Diffstat (limited to '')
-rw-r--r--.sops.yaml5
-rw-r--r--hosts/ginaz/default.nix30
-rw-r--r--hosts/secrets/ginaz.yaml31
3 files changed, 66 insertions, 0 deletions
diff --git a/.sops.yaml b/.sops.yaml
index affb283..449e292 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -28,3 +28,8 @@ creation_rules:
- age:
- *darkstar
- *nipsy
+ - path_regex: ^hosts/secrets/ginaz.yaml$
+ key_groups:
+ - age:
+ - *ginaz
+ - *nipsy
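Review bot: The `path_regex` on the new ginaz rule leaves the dot unescaped, so `^hosts/secrets/ginaz.yaml$` matches any single character in that position rather than the literal extension; write it as `path_regex: ^hosts/secrets/ginaz\.yaml$`. sops uses the first creation rule whose regex matches, and this rule is appended at the end of `creation_rules`, so if a rule above the hunk already matches `hosts/secrets/` paths the ginaz key group is never applied — only the tail of the list is visible here, so the ordering is worth checking. The `*ginaz` alias is defined outside this hunk and presumably names the age recipient derived from the host's `/etc/ssh/ssh_host_ed25519_key`, which is the key `hosts/ginaz/default.nix` tells sops-nix to decrypt with; if the two do not correspond, the secret is unreadable on the host.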
diff --git a/hosts/ginaz/default.nix b/hosts/ginaz/default.nix
index 625547d..3812f41 100644
--- a/hosts/ginaz/default.nix
+++ b/hosts/ginaz/default.nix
@@ -46,5 +46,35 @@
services.openssh.settings.X11Forwarding = true;
services.xserver.videoDrivers = [ "amdgpu" ];
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ../secrets/ginaz.yaml;
+
+ secrets = {
+ "nftables/ssh" = {};
+ };
+ };
+
system.stateVersion = "23.11";
+
+ systemd.services."nftables-extra" = {
+ description = "nftables extra firewall rules";
+ script = ''
+ ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
+ '';
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = config.sops.secrets."nftables/ssh".path;
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ systemd.paths."nftables-extra" = {
+ pathConfig = {
+ PathExists = config.sops.secrets."nftables/ssh".path;
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
}
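Review bot: `systemd.services."nftables-extra"` has no ordering against `nftables.service`, so if the host enables `networking.nftables` (not visible in this hunk) and its main ruleset is loaded after this unit, a `flush ruleset` there silently discards the SSH rules loaded from the secret; add `after = [ "nftables.service" ]; requires = [ "nftables.service" ];` or fold the extra rules into the main ruleset instead of a second unit. Because the unit is `oneshot` with `RemainAfterExit = true`, a rebuild that changes the secret does not re-run it; sops-nix can trigger that with `"nftables/ssh" = { restartUnits = [ "nftables-extra.service" ]; };` in the `secrets` set. `ConditionPathExists` failing only skips the unit without an error, so a missing secret leaves the host without these rules quietly; a comment above the unit such as `# Loads SSH rules from the sops secret; skipped (not failed) when the secret is absent.` would make that explicit. The module's enclosing attribute set begins outside the hunk.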
diff --git a/hosts/secrets/ginaz.yaml b/hosts/secrets/ginaz.yaml
new file mode 100644
index 0000000..298fff5
--- /dev/null
+++ b/hosts/secrets/ginaz.yaml
@@ -0,0 +1,31 @@
+nftables:
+ ssh: ENC[AES256_GCM,data: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,iv:zHwrBGfdoz2j/5Qko5QNDkh/kkJ/bD/aHvEL5DACmKI=,tag:9YELKHujgP4p5yO5vAwZog==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1900zc5caephklavvjxp0g4qqvyqlzg3sux69y9p092g3d3qck3kqz62reh
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1b0xleWZJc1I0V2Zqelh5
+ M2Z3Sk9LNXNFRFN5UUZ2ZTdNZWlmdnhTb1FZCno0ZlMxUVJTcWpvd25sUDlncjcw
+ dHlkWDVYVjZFeE5lOWEvWDhMZmNodWsKLS0tIElLeFlWL05ObGd1d2hFZWlqaklQ
+ UTVUK2xWOWZUbEtpS2tGSS85QytFNjgKUjRSciB365SpJodAQKx/eVJeCAbLynoh
+ +xLINlNopXvc902vJLoWWJotck8DwaV3NafjvL5HVmNDWW/nKtagQg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvd3RhelRvTjJRR2luMGoz
+ aXN5V1VtQUdNNGQxajJlQjdKWmlOZTR5QnhZClV6U1FNYkthWUVFd2ZnRTladHVM
+ T1U3R3ZORUk5OUh2eHkvd3BFdEtZTlkKLS0tIGl6R25RZWFpd2x3R0VibGhrZG9n
+ Nmp5TTVkNFNqd29PRVlRZ2lZWDhaQVEKQ5dnzV8gqd21v6AlUfpOrBTyzvpEC2kr
+ VF7UR0f3VOvnaJ5fDB4nrcHthYbQtxuzhV2wuvZFh+fBle5xRgGRIg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-06-14T08:07:02Z"
+ mac: ENC[AES256_GCM,data:6lS4XVKaz+nfr15WygUrbgLw7F9oxMzfEPPMPH+q6Qlf6RtgE5/MGsogiG9FPXiCNcpt0Pn3Fbbc65XcDw40LlrtCp4NV16Yqsh5owTwmpiMxo7Lq/sksWeanqd9+4bC1G2wbELdZyTZ8NhEIEdilnSDraCd1FiP6BeaPfWPsZ0=,iv:ZymgsABe8sHpgsaUOWuAfwZe6D+GTK/soRU1T4RKvn0=,tag:Z3XKuOzm4f7srdX7hiklrA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1