Diffstat (limited to 'home/programs/security')
| -rw-r--r-- | home/programs/security/age.nix | 13 | ||||
| -rw-r--r-- | home/programs/security/hashi.nix | 101 | ||||
| -rw-r--r-- | home/programs/security/onepassword.nix | 9 | ||||
| -rw-r--r-- | home/programs/security/sapi.nix | 20 | ||||
| -rw-r--r-- | home/programs/security/ssh.nix | 48 | ||||
| -rw-r--r-- | home/programs/security/yubikey.nix | 6 |
6 files changed, 0 insertions, 197 deletions
diff --git a/home/programs/security/age.nix b/home/programs/security/age.nix
deleted file mode 100644
index e41d0d8..0000000
--- a/home/programs/security/age.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ pkgs, config, ... }:
-{
- home.packages = with pkgs; [
- age
- age-plugin-yubikey
- passage
- ];
-
- home.sessionVariables = {
- "PASSAGE_DIR" = "${config.xdg.dataHome}/passage";
- "PASSAGE_IDENTITIES_FILE" = "${config.xdg.dataHome}/passage/identities";
- };
-}
diff --git a/home/programs/security/hashi.nix b/home/programs/security/hashi.nix
deleted file mode 100644
index 424c7b3..0000000
--- a/home/programs/security/hashi.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-{ config, pkgs, ... }:
-let
- nomad-prod = pkgs.writeShellScriptBin "nomad-prod" ''
- set -e
-
- if [ $# -ne 1 ]; then
- echo "Usage: nomad-ui CELL_ID"
- exit 1
- fi
-
- CELL_ID=$1
-
- echo ">> Fetching cell definition for $CELL_ID from GitHub"
- REGION_ID=$(${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/definitions/''${CELL_ID}.yaml --jq '.content' | base64 -d | yq -r '.regionId')
-
- if [ -z "$REGION_ID" ] || [ "$REGION_ID" = "null" ]; then
- echo "Error: Could not retrieve regionId for cell $CELL_ID"
- exit 1
- fi
-
- echo ">> Found regionId: $REGION_ID"
-
- case "$REGION_ID" in
- r002)
- VAULT_REGION="chi1"
- ;;
- r003)
- VAULT_REGION="ash1"
- ;;
- *)
- echo "Error: Unknown regionId $REGION_ID. Expected r002 or r003."
- exit 1
- ;;
- esac
-
- echo ">> Using vault region: $VAULT_REGION"
-
- echo ">> Login to $VAULT_REGION vault using Okta"
- export VAULT_ADDR="https://$VAULT_REGION-vault.simulprod.com:8200"
- export VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username=$USER)
-
- echo ">> Accessing cell $CELL_ID"
- export NOMAD_ADDR="https://$CELL_ID-nomad.simulprod.com"
- export NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id ''${CELL_ID}_nomad/creds/management)
-
- ${pkgs.nomad}/bin/nomad ui --authenticate
- '';
-in
-{
- home.packages = with pkgs; [
- nomad-prod
- hashi
- ];
-
- programs.fish = {
- shellAbbrs =
- let
- environments = [
- {
- name = "chi1";
- alias = "chi1";
- jumpHost = "chi1-jumpcontainer-es";
- }
- {
- name = "ash1";
- alias = "ash1";
- jumpHost = "chi1-jumpcontainer-es";
- }
- {
- name = "sitetest3";
- alias = "st3";
- jumpHost = "st3-jumpcontainer-es";
- }
- {
- name = "sitetest2-snc2";
- alias = "st2-snc2";
- jumpHost = "st2-snc2-jumpcontainer-es";
- }
- ];
-
- # Generate all environment-specific aliases
- envAliases = builtins.listToAttrs (
- builtins.concatMap (env: [
- {
- name = "ssh-sign-${env.alias}";
- value = "${pkgs.hashi}/bin/hashi -e
${env.name} sign --output-path=${config.home.homeDirectory}/.ssh/${env.alias}-cert.pub --key=(${pkgs._1password-cli}/bin/op read 'op://employee/default rbx ssh key/public key'|psub) key";
- }
- {
- name = "hashi-${env.alias}";
- value = "${pkgs.hashi}/bin/hashi -e ${env.name} show v";
- }
- {
- name = "ssh-${env.alias}";
- value = "${pkgs.kitty}/bin/kitten ssh -o StrictHostKeyChecking=no -J ${env.jumpHost} -o 'CertificateFile=~/.ssh/${env.alias}-cert.pub'";
- }
- ]) environments
- );
- in
- envAliases;
- };
-}
diff --git a/home/programs/security/onepassword.nix b/home/programs/security/onepassword.nix
deleted file mode 100644
index f364a9e..0000000
--- a/home/programs/security/onepassword.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ ... }:
-{
- programs.onepassword = {
- enable = true;
- sshKeys = [
- { account = "my.1password.com"; } # All keys from personal account
- ];
- };
-}
diff --git a/home/programs/security/sapi.nix b/home/programs/security/sapi.nix
deleted file mode 100644
index 1d90698..0000000
--- a/home/programs/security/sapi.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ pkgs, ... }:
-{
- home.packages = with pkgs; [
- sapi
- ];
-
- # the configuration for sapi is generated when we run `sapi jump`,
- # there's no need to manage it with nix.
- programs.ssh.includes = [ "config_sapi" ];
-
- programs.fish.shellAbbrs = {
- "sjump-st1-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest1-snc2";
- "sjump-st1-snc3" = "${pkgs.sapi}/bin/sapi jump sitetest3-snc2";
- "sjump-st2-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest2-snc2";
- "sjump-st3" = "${pkgs.sapi}/bin/sapi jump sitetest3";
- "sjump" = "${pkgs.sapi}/bin/sapi jump";
- "ssh-edge" =
- "${pkgs.kitty}/bin/kitten ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -J chi1-jumpcontainer-es -i (${pkgs._1password-cli}/bin/op read 'op://Infra-Compute-Edge-rks/ice_ssh-private-key/ice_rsa'|psub)";
- };
-}
diff --git a/home/programs/security/ssh.nix b/home/programs/security/ssh.nix
deleted file mode 100644
index 004b082..0000000
--- a/home/programs/security/ssh.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ config, ... }:
-{
- programs.ssh = {
- enable = true;
- enableDefaultConfig = false;
- matchBlocks = {
- "*" = {
- forwardAgent = true;
- serverAliveInterval = 60;
- controlPersist = "30m";
- controlPath = "${config.home.homeDirectory}/.ssh/sockets/S.%r@%h:%p";
- controlMaster = "auto";
- };
- "rivendell" = {
- hostname = "192.168.1.114";
- };
- "riv-unlock" = {
- hostname = "192.168.1.114";
- user = "root";
- port = 911;
- };
- "nas" = {
- hostname = "192.168.1.68";
- };
- "bree" = {
- hostname = "192.168.1.50";
- };
- "argonath" = {
- hostname = "fcuny.net";
- };
- "github.com" = {
- hostname = "github.com";
- user = "git";
- forwardAgent = false;
- extraOptions = {
- preferredAuthentications = "publickey";
- controlMaster = "no";
- controlPath = "none";
- };
- };
- };
- };
-
- home.file = {
- # we need this path to be created so that the control path can be used.
- ".ssh/sockets/.keep".text = "# Managed by Home Manager";
- };
-}
diff --git a/home/programs/security/yubikey.nix b/home/programs/security/yubikey.nix
deleted file mode 100644
index 8e5c598..0000000
--- a/home/programs/security/yubikey.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ pkgs, ... }:
-{
- home.packages = with pkgs; [
- yubikey-manager
- ];
-} |
