Diffstat (limited to 'home/programs/security')
-rw-r--r--home/programs/security/age.nix13
-rw-r--r--home/programs/security/hashi.nix54
-rw-r--r--home/programs/security/onepassword.nix9
-rw-r--r--home/programs/security/sapi.nix20
-rw-r--r--home/programs/security/ssh.nix48
-rw-r--r--home/programs/security/yubikey.nix6
6 files changed, 150 insertions, 0 deletions
diff --git a/home/programs/security/age.nix b/home/programs/security/age.nix
new file mode 100644
index 0000000..e41d0d8
--- /dev/null
+++ b/home/programs/security/age.nix
@@ -0,0 +1,13 @@
+{ pkgs, config, ... }:
+{
+ home.packages = with pkgs; [
+ age
+ age-plugin-yubikey
+ passage
+ ];
+
+ home.sessionVariables = {
+ "PASSAGE_DIR" = "${config.xdg.dataHome}/passage";
+ "PASSAGE_IDENTITIES_FILE" = "${config.xdg.dataHome}/passage/identities";
+ };
+}
diff --git a/home/programs/security/hashi.nix b/home/programs/security/hashi.nix
new file mode 100644
index 0000000..c24845e
--- /dev/null
+++ b/home/programs/security/hashi.nix
@@ -0,0 +1,54 @@
+{ pkgs, ... }:
+let
+ nomad-prod = pkgs.writeShellScriptBin "nomad-prod" ''
+ set -e
+
+ if [ $# -ne 1 ]; then
+ echo "Usage: nomad-ui CELL_ID"
+ exit 1
+ fi
+
+ CELL_ID=$1
+
+ echo ">> Fetching cell definition for $CELL_ID from GitHub"
+ REGION_ID=$(${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/definitions/''${CELL_ID}.yaml --jq '.content' | base64 -d | yq -r '.regionId')
+
+ if [ -z "$REGION_ID" ] || [ "$REGION_ID" = "null" ]; then
+ echo "Error: Could not retrieve regionId for cell $CELL_ID"
+ exit 1
+ fi
+
+ echo ">> Found regionId: $REGION_ID"
+
+ case "$REGION_ID" in
+ r002)
+ VAULT_REGION="chi1"
+ ;;
+ r003)
+ VAULT_REGION="ash1"
+ ;;
+ *)
+ echo "Error: Unknown regionId $REGION_ID. Expected r002 or r003."
+ exit 1
+ ;;
+ esac
+
+ echo ">> Using vault region: $VAULT_REGION"
+
+ echo ">> Login to $VAULT_REGION vault using Okta"
+ export VAULT_ADDR="https://$VAULT_REGION-vault.simulprod.com:8200"
+ export VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username=$USER)
+
+ echo ">> Accessing cell $CELL_ID"
+ export NOMAD_ADDR="https://$CELL_ID-nomad.simulprod.com"
+ export NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id ''${CELL_ID}_nomad/creds/management)
+
+ ${pkgs.nomad}/bin/nomad ui --authenticate
+ '';
+in
+{
+ home.packages = with pkgs; [
+ nomad-prod
+ hashi
+ ];
+}
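Review bot: The `export VAULT_TOKEN=$(...)` and `export NOMAD_TOKEN=$(...)` lines hide the substituted command's exit status from `set -e`, so a failed or cancelled `vault login` or `vault read` leaves the variable empty and the script carries on to `nomad ui --authenticate` without a token instead of aborting. Assign first and export separately: `VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username="$USER")` followed by `export VAULT_TOKEN`, and the same split for NOMAD_TOKEN. Two smaller inconsistencies in the same script: the usage message names `nomad-ui` while the wrapper is built as `nomad-prod`, and `base64` and `yq` on the REGION_ID line are invoked bare while gh, vault and nomad are pinned through `${pkgs.…}`, so that pipeline depends on whatever happens to be in the caller's PATH.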
diff --git a/home/programs/security/onepassword.nix b/home/programs/security/onepassword.nix
new file mode 100644
index 0000000..f364a9e
--- /dev/null
+++ b/home/programs/security/onepassword.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ programs.onepassword = {
+ enable = true;
+ sshKeys = [
+ { account = "my.1password.com"; } # All keys from personal account
+ ];
+ };
+}
diff --git a/home/programs/security/sapi.nix b/home/programs/security/sapi.nix
new file mode 100644
index 0000000..1d90698
--- /dev/null
+++ b/home/programs/security/sapi.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ sapi
+ ];
+
+ # the configuration for sapi is generated when we run `sapi jump`,
+ # there's no need to manage it with nix.
+ programs.ssh.includes = [ "config_sapi" ];
+
+ programs.fish.shellAbbrs = {
+ "sjump-st1-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest1-snc2";
+ "sjump-st1-snc3" = "${pkgs.sapi}/bin/sapi jump sitetest3-snc2";
+ "sjump-st2-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest2-snc2";
+ "sjump-st3" = "${pkgs.sapi}/bin/sapi jump sitetest3";
+ "sjump" = "${pkgs.sapi}/bin/sapi jump";
+ "ssh-edge" =
+ "${pkgs.kitty}/bin/kitten ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -J chi1-jumpcontainer-es -i (${pkgs._1password-cli}/bin/op read 'op://Infra-Compute-Edge-rks/ice_ssh-private-key/ice_rsa'|psub)";
+ };
+}
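Review bot: The `ssh-edge` abbreviation passes `-o StrictHostKeyChecking=no`, which accepts any host key (new or changed) for the edge host behind the `chi1-jumpcontainer-es` jump, so a mis-routed or intercepted hop is never flagged and the 1Password-sourced key is used against it anyway; `-o StrictHostKeyChecking=accept-new` keeps the first-connection convenience while still refusing a changed key, or the edge hosts can be pinned in known_hosts. Separately, `"sjump-st1-snc3"` expands to `sapi jump sitetest3-snc2`, which does not match its name the way the neighbouring entries do (st1-snc2 → sitetest1-snc2, st2-snc2 → sitetest2-snc2), so either the abbreviation name or its target is likely a typo.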
diff --git a/home/programs/security/ssh.nix b/home/programs/security/ssh.nix
new file mode 100644
index 0000000..004b082
--- /dev/null
+++ b/home/programs/security/ssh.nix
@@ -0,0 +1,48 @@
+{ config, ... }:
+{
+ programs.ssh = {
+ enable = true;
+ enableDefaultConfig = false;
+ matchBlocks = {
+ "*" = {
+ forwardAgent = true;
+ serverAliveInterval = 60;
+ controlPersist = "30m";
+ controlPath = "${config.home.homeDirectory}/.ssh/sockets/S.%r@%h:%p";
+ controlMaster = "auto";
+ };
+ "rivendell" = {
+ hostname = "192.168.1.114";
+ };
+ "riv-unlock" = {
+ hostname = "192.168.1.114";
+ user = "root";
+ port = 911;
+ };
+ "nas" = {
+ hostname = "192.168.1.68";
+ };
+ "bree" = {
+ hostname = "192.168.1.50";
+ };
+ "argonath" = {
+ hostname = "fcuny.net";
+ };
+ "github.com" = {
+ hostname = "github.com";
+ user = "git";
+ forwardAgent = false;
+ extraOptions = {
+ preferredAuthentications = "publickey";
+ controlMaster = "no";
+ controlPath = "none";
+ };
+ };
+ };
+ };
+
+ home.file = {
+ # we need this path to be created so that the control path can be used.
+ ".ssh/sockets/.keep".text = "# Managed by Home Manager";
+ };
+}
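Review bot: `forwardAgent = true` in the `"*"` match block forwards the local SSH agent to every host, including the LAN boxes and `argonath`, so any of them can sign with every key the agent holds for as long as a session (and, with `controlPersist = "30m"`, its shared connection) stays open; the `github.com` block already sets `forwardAgent = false`, which suggests per-host opt-in is the intent. Set `forwardAgent = false;` in `"*"` and enable it only on the match blocks that genuinely need it, e.g. `"argonath" = { hostname = "fcuny.net"; forwardAgent = true; };`.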
diff --git a/home/programs/security/yubikey.nix b/home/programs/security/yubikey.nix
new file mode 100644
index 0000000..8e5c598
--- /dev/null
+++ b/home/programs/security/yubikey.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ yubikey-manager
+ ];
+}