
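# Secret data implementation
# This file should be encrypted with git-crypt
#
# Layout: the `let` block holds the raw key material plus a few values that
# are shared between several entries; the returned `secretsSpec` attrset is
# what the rest of the configuration consumes.
#
# Only the two SSH *client configs* are turned into store paths (via
# pkgs.writeText) -- they contain file paths, never key material.  Everything
# else is left as a plain string on purpose: anything that passes through a
# derivation ends up world-readable in /nix/store, so the module that reads
# `secretsSpec` has to write keys/passwords to mode-0600 files itself (that
# consumer is not visible from this file -- confirm it does not use
# writeText on these values).
{
  pkgs,
  config,
  lib,
  ...
}:
let
  ## SSH Keys ##
  server = {
    priv = ''
      -----BEGIN OPENSSH PRIVATE KEY-----
      [... example private key content ...]
      -----END OPENSSH PRIVATE KEY-----
    '';
    pub = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample123ServerKey456 server";
  };
  git = {
    priv = ''
      -----BEGIN OPENSSH PRIVATE KEY-----
      [... example private key content ...]
      -----END OPENSSH PRIVATE KEY-----
    '';
    pub = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample123GitKey456 git";
  };

  # Directory the deployed private keys are expected under (paths only).
  sshDir = "${config.hostSpec.home}/.ssh";

  # Builds an SSH client config.  `hostStarExtra` is appended to the `Host *`
  # stanza (an extra IdentityFile line, or nothing), so the two variants below
  # share a single definition and cannot drift apart.
  # NOTE(review): `Host git.example.com` sets no `IdentitiesOnly yes`; with
  # `AddKeysToAgent yes` every key already loaded in the agent is also offered
  # to that host.  Consider adding it if only the git key should be tried.
  mkSshConfig = hostStarExtra: pkgs.writeText "ssh-config" ''
    Host git.example.com
      IdentityFile "${sshDir}/git"
    Host *
      ForwardAgent no
      AddKeysToAgent yes
      Compression no
      ServerAliveInterval 5
      ServerAliveCountMax 3
      HashKnownHosts no
      UserKnownHostsFile ~/.ssh/known_hosts
      ControlMaster no
      ControlPath ~/.ssh/master-%r@%n:%p
      ControlPersist no
      ${hostStarExtra}
      UpdateHostKeys ask
  '';
  # Default SSH config for main user: the server key is offered to every host.
  sshConfig = mkSshConfig ''IdentityFile "${sshDir}/server"'';
  # Alternative SSH config for secondary user: no extra key under `Host *`
  # (the interpolated line is then blank, which ssh_config ignores).
  sshConfig-alt = mkSshConfig "";

  ## GPG Keys, WIP ##
  mainUser = {
    priv = ''
      -----BEGIN PGP PRIVATE KEY BLOCK-----
      [... example GPG private key content ...]
      -----END PGP PRIVATE KEY BLOCK-----
    '';
    pub = ''
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      [... example GPG public key content ...]
      -----END PGP PUBLIC KEY BLOCK-----
    '';
    # base64 of `<fingerprint>:<trust level>:` lines, i.e. the ownertrust
    # export format; the consumer is presumably expected to decode it.
    trust = ''
      IyBFeGFtcGxlIHRydXN0IGRhdGEgZm9yIEdQRyBrZXkKRXhhbXBsZUtleUZpbmdlcnByaW50OjY6Cg==
    '';
  };

  ## Shared values ##
  smtpHost = "smtp.example.com";
  # One helper so host and port stay consistent for every account; in every
  # entry here `user` and `from` are the same address.
  mkSmtp = address: password: {
    host = smtpHost;
    user = address;
    inherit password;
    port = 587;
    from = address;
  };

  # Database credentials, defined once so that DATABASE_URL and POSTGRES_*
  # cannot disagree.  The password is interpolated into the URL without
  # escaping, so keep it URL-safe (no `@`, `:`, `/`, `?`, `#`).
  dbName = "app_db";
  dbUser = "app_user";
  dbPassword = "example_db_password";

  # SSH material for users who get the private keys deployed to $sshDir.
  sshFull = {
    publicKeys = [ server.pub ];
    privateKeyContents = {
      server = server.priv;
      git = git.priv;
    };
    config = sshConfig;
  };
in
{
  secretsSpec = {
    # User account information
    users = {
      admin = {
        # SMTP Only, not a login user
        smtp = mkSmtp "admin@example.com" "example_smtp_password_123";
      };
      alice = {
        # sha512-crypt hash, as consumed by users.users.<name>.hashedPassword
        hashedPassword = ''$6$rounds=656000$ExampleSalt123$ExampleHashedPasswordHere123''; # example_password
        email = "alice@example.com";
        handle = "alice123";
        fullName = "Alice Smith";
        smtp = mkSmtp "alice@example.com" "alice_smtp_password_456";
        ssh = sshFull;
        gpg = {
          publicKey = mainUser.pub;
          privateKeyContents = mainUser.priv;
          trust = mainUser.trust;
        };
      };
      bob = {
        hashedPassword = ''$6$rounds=656000$AnotherSalt456$AnotherExampleHashedPassword789''; # another_password
        email = "bob@example.com";
        handle = "bobuser";
        fullName = "Bob Johnson";
        ssh = sshFull;
      };
      charlie = {
        hashedPassword = ''$6$rounds=656000$ThirdSalt789$ThirdExampleHashedPassword012''; # third_password
        email = "charlie@example.com";
        handle = "charlie_dev";
        fullName = "Charlie Wilson";
        # Public key only: charlie can be reached over SSH but gets no private
        # keys deployed, hence the config without a server IdentityFile.
        ssh = {
          publicKeys = [ server.pub ];
          config = sshConfig-alt;
        };
      };
    };

    # Firewall configurations by host.
    # The attribute names mirror NixOS `networking.firewall.*` options; those
    # open a port on every interface.  Anything that should only be reachable
    # from an internal network belongs under
    # `networking.firewall.interfaces.<name>` in the consuming module instead.
    firewall = {
      webserver = {
        allowedTCPPorts = [
          22 # SSH
          80 # HTTP
          443 # HTTPS
          3000 # Application
          # NOTE(review): PostgreSQL exposed on the public-facing web server
          # looks unintended given the separate `database` host -- confirm.
          5432 # PostgreSQL
        ];
        allowedUDPPorts = [
          53 # DNS
        ];
      };
      appserver = {
        allowedTCPPorts = [
          22 # SSH
          80 # HTTP
          443 # HTTPS
          3001 # Grafana
          8080 # Application
          9000 # Admin panel
        ];
        allowedTCPPortRanges = [
          {
            from = 3000;
            to = 3010;
          }
        ];
        allowedUDPPorts = [
          8089 # Monitoring
        ];
      };
      database = {
        allowedTCPPorts = [
          22 # SSH
          5432 # PostgreSQL
          3306 # MySQL
        ];
      };
    };

    # API secrets for various services
    api = {
      cloudflare = "example_cloudflare_api_token_123456";
      github = "ghp_example_github_token_123456789";
      discord = "example_discord_bot_token_987654321";
    };

    # Docker environment variables for services
    docker = {
      app_auth = {
        DATABASE_URL = "postgresql://${dbUser}:${dbPassword}@database:5432/${dbName}";
        JWT_SECRET = "example_jwt_secret_key_very_long_and_secure";
        SMTP_HOST = smtpHost;
        SMTP_USER = "app@example.com";
        SMTP_PASSWORD = "example_app_smtp_password";
        SMTP_PORT = "587";
        REDIS_URL = "redis://redis:6379";
        SESSION_SECRET = "example_session_secret_also_very_long";
      };
      database = {
        POSTGRES_DB = dbName;
        POSTGRES_USER = dbUser;
        POSTGRES_PASSWORD = dbPassword;
        MYSQL_ROOT_PASSWORD = "example_mysql_root_password";
      };
      monitoring = {
        GRAFANA_ADMIN_PASSWORD = "example_grafana_admin_password";
        PROMETHEUS_RETENTION = "15d";
        ALERTMANAGER_WEBHOOK_URL = "https://hooks.example.com/webhook";
      };
      backup = {
        BORG_PASSPHRASE = "example_borg_backup_passphrase_123";
        S3_ACCESS_KEY = "example_s3_access_key";
        S3_SECRET_KEY = "example_s3_secret_key";
        S3_BUCKET = "example-backup-bucket";
      };
    };
  };
}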