From 7281f05669e92e3568f837591912350b32951555 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Tue, 30 Dec 2025 10:33:31 -0800
Subject: organize programs in a way that makes sense to me
---
home/programs/security/age.nix | 13 ++++++++
home/programs/security/hashi.nix | 54 ++++++++++++++++++++++++++++++++++
home/programs/security/onepassword.nix | 9 ++++++
home/programs/security/sapi.nix | 20 +++++++++++++
home/programs/security/ssh.nix | 48 ++++++++++++++++++++++++++++++
home/programs/security/yubikey.nix | 6 ++++
6 files changed, 150 insertions(+)
create mode 100644 home/programs/security/age.nix
create mode 100644 home/programs/security/hashi.nix
create mode 100644 home/programs/security/onepassword.nix
create mode 100644 home/programs/security/sapi.nix
create mode 100644 home/programs/security/ssh.nix
create mode 100644 home/programs/security/yubikey.nix
(limited to 'home/programs/security')
diff --git a/home/programs/security/age.nix b/home/programs/security/age.nix
new file mode 100644
index 0000000..e41d0d8
--- /dev/null
+++ b/home/programs/security/age.nix
@@ -0,0 +1,13 @@
+{ pkgs, config, ... }:
+{
+ home.packages = with pkgs; [
+ age
+ age-plugin-yubikey
+ passage
+ ];
+
+ home.sessionVariables = {
+ "PASSAGE_DIR" = "${config.xdg.dataHome}/passage";
+ "PASSAGE_IDENTITIES_FILE" = "${config.xdg.dataHome}/passage/identities";
+ };
+}
diff --git a/home/programs/security/hashi.nix b/home/programs/security/hashi.nix
new file mode 100644
index 0000000..c24845e
--- /dev/null
+++ b/home/programs/security/hashi.nix
@@ -0,0 +1,54 @@
+{ pkgs, ... }:
+let
+ nomad-prod = pkgs.writeShellScriptBin "nomad-prod" ''
+ set -e
+
+ if [ $# -ne 1 ]; then
+ echo "Usage: nomad-ui CELL_ID"
+ exit 1
+ fi
+
+ CELL_ID=$1
+
+ echo ">> Fetching cell definition for $CELL_ID from GitHub"
+ REGION_ID=$(${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/definitions/''${CELL_ID}.yaml --jq '.content' | base64 -d | yq -r '.regionId')
+
+ if [ -z "$REGION_ID" ] || [ "$REGION_ID" = "null" ]; then
+ echo "Error: Could not retrieve regionId for cell $CELL_ID"
+ exit 1
+ fi
+
+ echo ">> Found regionId: $REGION_ID"
+
+ case "$REGION_ID" in
+ r002)
+ VAULT_REGION="chi1"
+ ;;
+ r003)
+ VAULT_REGION="ash1"
+ ;;
+ *)
+ echo "Error: Unknown regionId $REGION_ID. Expected r002 or r003."
+ exit 1
+ ;;
+ esac
+
+ echo ">> Using vault region: $VAULT_REGION"
+
+ echo ">> Login to $VAULT_REGION vault using Okta"
+ export VAULT_ADDR="https://$VAULT_REGION-vault.simulprod.com:8200"
+ export VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username=$USER)
+
+ echo ">> Accessing cell $CELL_ID"
+ export NOMAD_ADDR="https://$CELL_ID-nomad.simulprod.com"
+ export NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id ''${CELL_ID}_nomad/creds/management)
+
+ ${pkgs.nomad}/bin/nomad ui --authenticate
+ '';
+in
+{
+ home.packages = with pkgs; [
+ nomad-prod
+ hashi
+ ];
+}
diff --git a/home/programs/security/onepassword.nix b/home/programs/security/onepassword.nix
new file mode 100644
index 0000000..f364a9e
--- /dev/null
+++ b/home/programs/security/onepassword.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ programs.onepassword = {
+ enable = true;
+ sshKeys = [
+ { account = "my.1password.com"; } # All keys from personal account
+ ];
+ };
+}
diff --git a/home/programs/security/sapi.nix b/home/programs/security/sapi.nix
new file mode 100644
index 0000000..1d90698
--- /dev/null
+++ b/home/programs/security/sapi.nix
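Review bot: `export VAULT_TOKEN=$(...)` and `export NOMAD_TOKEN=$(...)` hide the exit status of the `vault` calls, so `set -e` does not abort when the OIDC login or the `vault read` fails and `nomad ui --authenticate` then runs with an empty token; each should be an assignment followed by a separate `export`. The usage message on the argument check names `nomad-ui` while the wrapper is installed as `nomad-prod`. `set -e` without `set -o pipefail` also lets a failed `gh api` call in the `REGION_ID` pipeline pass unnoticed until the empty-string check, and `base64`/`yq` are resolved from `PATH` whereas `gh`, `vault` and `nomad` are pinned to store paths, so the script's behaviour depends on the caller's environment. The rewritten lines are below; the cell lookup and region mapping are unchanged.
```nix
  nomad-prod = pkgs.writeShellScriptBin "nomad-prod" ''
    set -e
    set -o pipefail

    if [ $# -ne 1 ]; then
      echo "Usage: nomad-prod CELL_ID"
      exit 1
    fi
    # … unchanged: cell definition lookup and region mapping …
    export VAULT_ADDR="https://$VAULT_REGION-vault.simulprod.com:8200"
    VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username="$USER")
    export VAULT_TOKEN

    echo ">> Accessing cell $CELL_ID"
    export NOMAD_ADDR="https://$CELL_ID-nomad.simulprod.com"
    NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id ''${CELL_ID}_nomad/creds/management)
    export NOMAD_TOKEN
    # … unchanged: nomad ui invocation …
```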
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ sapi
+ ];
+
+ # the configuration for sapi is generated when we run `sapi jump`,
+ # there's no need to manage it with nix.
+ programs.ssh.includes = [ "config_sapi" ];
+
+ programs.fish.shellAbbrs = {
+ "sjump-st1-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest1-snc2";
+ "sjump-st1-snc3" = "${pkgs.sapi}/bin/sapi jump sitetest3-snc2";
+ "sjump-st2-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest2-snc2";
+ "sjump-st3" = "${pkgs.sapi}/bin/sapi jump sitetest3";
+ "sjump" = "${pkgs.sapi}/bin/sapi jump";
+ "ssh-edge" =
+ "${pkgs.kitty}/bin/kitten ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -J chi1-jumpcontainer-es -i (${pkgs._1password-cli}/bin/op read 'op://Infra-Compute-Edge-rks/ice_ssh-private-key/ice_rsa'|psub)";
+ };
+}
diff --git a/home/programs/security/ssh.nix b/home/programs/security/ssh.nix
new file mode 100644
index 0000000..004b082
--- /dev/null
+++ b/home/programs/security/ssh.nix
@@ -0,0 +1,48 @@
+{ config, ... }:
+{
+ programs.ssh = {
+ enable = true;
+ enableDefaultConfig = false;
+ matchBlocks = {
+ "*" = {
+ forwardAgent = true;
+ serverAliveInterval = 60;
+ controlPersist = "30m";
+ controlPath = "${config.home.homeDirectory}/.ssh/sockets/S.%r@%h:%p";
+ controlMaster = "auto";
+ };
+ "rivendell" = {
+ hostname = "192.168.1.114";
+ };
+ "riv-unlock" = {
+ hostname = "192.168.1.114";
+ user = "root";
+ port = 911;
+ };
+ "nas" = {
+ hostname = "192.168.1.68";
+ };
+ "bree" = {
+ hostname = "192.168.1.50";
+ };
+ "argonath" = {
+ hostname = "fcuny.net";
+ };
+ "github.com" = {
+ hostname = "github.com";
+ user = "git";
+ forwardAgent = false;
+ extraOptions = {
+ preferredAuthentications = "publickey";
+ controlMaster = "no";
+ controlPath = "none";
+ };
+ };
+ };
+ };
+
+ home.file = {
+ # we need this path to be created so that the control path can be used.
+ ".ssh/sockets/.keep".text = "# Managed by Home Manager";
+ };
+}
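Review bot: The `ssh-edge` abbreviation passes `-o StrictHostKeyChecking=no`, which adds unknown host keys without confirmation and lets a connection proceed even when the edge host's key has changed, so a mismatch on the host behind `chi1-jumpcontainer-es` is reduced to a warning; `-o StrictHostKeyChecking=accept-new` keeps first-connection convenience while still refusing a changed key. The `sjump-st1-snc3` abbreviation expands to `sapi jump sitetest3-snc2`, which looks like a copy-paste slip next to the neighbouring entries; presumably `sapi jump sitetest1-snc3` was intended — confirm. The comment above `programs.ssh.includes` could also mention that `config_sapi` is looked up relative to `~/.ssh`, since the include has no directory component.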
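Review bot: `forwardAgent = true` in the `"*"` block forwards the agent to every host that does not override it, including the LAN hosts and `argonath`, and while such a session is open any process on that host can sign with every key the agent holds; the safer default is `forwardAgent = false` in `"*"` with `forwardAgent = true` only on the hosts that need it. ssh keeps the first value it obtains for each option, so the `github.com` overrides only take effect if that block is emitted before `"*"`; since the emission order of `matchBlocks` is not evident from the attrset, pinning `"*"` last with `lib.hm.dag.entryAfter` (which needs `lib` in the module arguments) would make the intent explicit — confirm what Home Manager emits. As a point of style, `github.com` sets `controlMaster` and `controlPath` through `extraOptions` while `"*"` uses the native options, so `controlMaster = "no"; controlPath = "none";` could move up a level to match.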
diff --git a/home/programs/security/yubikey.nix b/home/programs/security/yubikey.nix
new file mode 100644
index 0000000..8e5c598
--- /dev/null
+++ b/home/programs/security/yubikey.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ yubikey-manager
+ ];
+}
--
cgit v1.2.3