secrets: use a multi-key setup with strong auth for multi device conf

Author: GovanifY

.gitattributes

@@ -1 +1,3 @@
-secrets/** filter=git-crypt diff=git-crypt
+secrets/headfull/** filter=git-crypt diff=git-crypt
+secrets/emet-selch/** filter=git-crypt-emet-selch diff=git-crypt-emet-selch
+secrets/common/** filter=git-crypt-common diff=git-crypt-common

bootstrap/bootstrap.sh

@@ -1,8 +1,11 @@
 #!/bin/sh
+# THIS IS A HEADFULL ONLY BOOTSTRAPPER! I NEED TO MAKE ONE FOR OTHER DEVICES TOO
+# AAAAAAA
+
 echo "Welcome to navi's bootstrapper!"
 cat icon.motd
 
-echo "4d16330208714286d397e2cf7d8a977ac2771ac9fa0311226afc0df06e00b4d6 ../secrets/assets/canary" \
+echo "4d16330208714286d397e2cf7d8a977ac2771ac9fa0311226afc0df06e00b4d6 ../secrets/common/assets/canary" \
     | sha256sum --check --status &> /dev/null
 
 if [ "$?" -ne 0 ]; then
@@ -52,8 +55,8 @@ old_gpg_home=$GNUPGHOME
 export GNUPGHOME="$3/home/$2/.config/gnupg"
 find $3/home/$2/.config/gnupg -type f -exec chmod 600 {} \;
 find $3/home/$2/.config/gnupg -type d -exec chmod 700 {} \;
-gpg --import ../secrets/assets/gpg/key.gpg 
-gpg --import-ownertrust ../secrets/assets/gpg/gpg-trust.txt 
+gpg --import ../secrets/headfull/assets/gpg/key.gpg 
+gpg --import-ownertrust ../secrets/headfull/assets/gpg/gpg-trust.txt 
 mkdir -p $3/home/$2/.local/share/mail/ &> /dev/null
 mkdir -p $3/home/$2/.cache/mutt/ &> /dev/null
 mkdir -p $3/home/$2/.local/share/wineprefixes/ &> /dev/null

default.nix

@@ -1,6 +1,6 @@
 let
   canary =
-    if (builtins.hashFile "sha256" ./secrets/assets/canary) != "4d16330208714286d397e2cf7d8a977ac2771ac9fa0311226afc0df06e00b4d6"
+    if (builtins.hashFile "sha256" ./secrets/common/assets/canary) != "4d16330208714286d397e2cf7d8a977ac2771ac9fa0311226afc0df06e00b4d6"
     then
       abort
         "Incorrect secrets. Please be sure to run ./bootstrap.sh if this

profiles/default.nix

@@ -63,25 +63,10 @@ with lib;
     };
 
     # define our main users
-    # TODO, XXX, TOFIX: the shadows are probably written in the nix store, do we
-    # care about that?
     users.users.${config.navi.username} = {
       isNormalUser = true;
-      hashedPassword = fileContents ./../secrets/assets/shadow/main;
-      openssh.authorizedKeys.keyFiles = [ ./../secrets/assets/ssh/navi.pub ];
+      openssh.authorizedKeys.keyFiles = [ ./../secrets/common/assets/ssh/navi.pub ];
     };
-    users.users.root.hashedPassword = fileContents ./../secrets/assets/shadow/root;
-
-    # setup the distbuild account; while this might look like a backdoor for
-    # lesser privilege devices the distbuild access key is only given to at
-    # least headfull devices, thus headless devices cannot ssh into headfull.
-    # same goes for the main account.
-    users.users.distbuild = {
-      isSystemUser = true;
-      shell = pkgs.bash;
-      openssh.authorizedKeys.keyFiles = [ ./../secrets/assets/ssh/distbuild.pub ];
-    };
-    nix.trustedUsers = [ "distbuild" ];
 
     # automatic updates & cleanup
     system.autoUpgrade.enable = true;

profiles/headfull.nix

@@ -45,10 +45,10 @@ with lib;
 
     # we setup the personal ssh and gpg key of our headfull user
     home-manager.users.${config.navi.username} = {
-      home.file.".config/gnupg/key.gpg".source = ./../secrets/assets/gpg/key.gpg;
-      home.file.".config/gnupg/trust.txt".source = ./../secrets/assets/gpg/gpg-trust.txt;
-      home.file.".config/ssh/id_ed25519".source = ./../secrets/assets/ssh/navi;
-      home.file.".config/ssh/id_ed25519.pub".source = ./../secrets/assets/ssh/navi.pub;
+      home.file.".config/gnupg/key.gpg".source = ./../secrets/headfull/assets/gpg/key.gpg;
+      home.file.".config/gnupg/trust.txt".source = ./../secrets/headfull/assets/gpg/gpg-trust.txt;
+      home.file.".config/ssh/id_ed25519".source = ./../secrets/headfull/assets/ssh/navi;
+      home.file.".config/ssh/id_ed25519.pub".source = ./../secrets/headfull/assets/ssh/navi.pub;
 
       # try to auto retrieve gpg keys when using emails, using hkp on port 80 to
       # bypass tor restrictions -- PROBABLY A VERY BAD IDEA SECURITY WISE, TOFIX,
@@ -61,12 +61,28 @@ with lib;
 
     # store our distbuild key so we can login to our infra
     environment.etc."distbuild_ssh" = {
-      text = builtins.readFile ./../secrets/assets/ssh/distbuild;
+      text = builtins.readFile ./../secrets/headfull/assets/ssh/distbuild;
       mode = "0400";
       uid = 0;
       gid = 0;
     };
 
+    # setup the distbuild account; while this might look like a backdoor for
+    # lesser privilege devices the distbuild access key is only given to at
+    # least headfull devices, thus headless devices cannot ssh into headfull.
+    # same goes for the main account.
+    users.users.distbuild = {
+      isSystemUser = true;
+      shell = pkgs.bash;
+      openssh.authorizedKeys.keyFiles = [ ./../secrets/headfull/assets/ssh/distbuild.pub ];
+    };
+    nix.trustedUsers = [ "distbuild" ];
+
+    # TODO, XXX, TOFIX: the shadows are probably written in the nix store, do we
+    # care about that?
+    users.users.${config.navi.username}.hashedPassword = fileContents ./../secrets/headfull/assets/shadow/main;
+    users.users.root.hashedPassword = fileContents ./../secrets/headfull/assets/shadow/root;
+
     # locking kernel modules has a horrendous UX for headfull devices and is
     # mostly useless for those, as they're deemed to restart frequently. A restart
     # allows you to replace the currently running kernel by your own and thus