bitwarden and fleet

fwastring 2026-03-17 16:29:27 +01:00
parent a37f81751e
commit 0843a7a737
4 changed files with 45 additions and 2 deletions


@ -56,6 +56,11 @@ in
sops.secrets.build-service = { }; sops.secrets.build-service = { };
sops.secrets.fredrik-wastring = { }; sops.secrets.fredrik-wastring = { };
sops.secrets.fw-qemu = { }; sops.secrets.fw-qemu = { };
sops.secrets.fleet-enroll-secret = {
owner = "root";
group = "root";
mode = "0400";
};
sops.secrets.github_token = { sops.secrets.github_token = {
owner = "fw"; owner = "fw";
group = "users"; group = "users";
@ -69,6 +74,39 @@ in
environment.systemPackages = [ pkgs.cifs-utils ]; environment.systemPackages = [ pkgs.cifs-utils ];
systemd.services.fleet-osquery = {
description = "osquery enrolled to Fleet";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Restart = "always";
RestartSec = "5s";
StateDirectory = "osquery";
RuntimeDirectory = "osquery";
ExecStart = ''
${pkgs.osquery}/bin/osqueryd \
--host_identifier=uuid \
--pidfile=/run/osquery/osqueryd.pid \
--extensions_socket=/run/osquery/osquery.em \
--database_path=/var/lib/osquery/osquery.db \
--enroll_tls_endpoint=/api/osquery/enroll \
--config_plugin=tls \
--config_tls_endpoint=/api/osquery/config \
--logger_plugin=tls \
--logger_tls_endpoint=/api/osquery/log \
--distributed_plugin=tls \
--distributed_tls_read_endpoint=/api/osquery/distributed/read \
--distributed_tls_write_endpoint=/api/osquery/distributed/write \
--tls_hostname=fleet.internalifacts.se:443 \
--enroll_secret_path=${config.sops.secrets.fleet-enroll-secret.path} \
--tls_server_certs=/etc/ssl/certs/ca-certificates.crt
'';
};
};
fileSystems."/mnt/testweb/C" = { fileSystems."/mnt/testweb/C" = {
device = "//192.168.0.226/C$"; device = "//192.168.0.226/C$";
fsType = "cifs"; fsType = "cifs";
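Review bot: `--tls_server_certs=/etc/ssl/certs/ca-certificates.crt` in the `fleet-osquery` ExecStart lets osqueryd accept a certificate for `fleet.internalifacts.se` from any CA in the system bundle, and the enroll secret, node key, config and distributed queries all travel over that channel. If the Fleet certificate chains to one known CA (the page does not show which), point the flag at a file holding only that chain so a certificate from any other trusted CA is rejected. The unit also sets no `User=` or sandboxing directives, so the daemon runs as root with systemd defaults. If that is intended, record it with a comment such as `# runs as root: osquery needs host-wide read access`.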


@ -118,9 +118,11 @@ in
set -gx PATH $PATH $HOME/scripts set -gx PATH $PATH $HOME/scripts
set -gx PATH $PATH $HOME/.krew/bin set -gx PATH $PATH $HOME/.krew/bin
if not set -q SSH_AUTH_SOCK if not set -q SSH_AUTH_SOCK
eval (ssh-agent -c) eval (ssh-agent -c)
ssh-add ~/.ssh/id_ed25519 >/dev/null 2>&1 ssh-add ~/.ssh/id_ed25519 >/dev/null 2>&1
set SSH_AUTH_SOCK /home/fw/.bitwarden-ssh-agent.sock
end end
set -Ux FZF_DEFAULT_OPTS "${fzfOpts}" set -Ux FZF_DEFAULT_OPTS "${fzfOpts}"
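Review bot: The added `set SSH_AUTH_SOCK /home/fw/.bitwarden-ssh-agent.sock` runs after `eval (ssh-agent -c)` and `ssh-add ~/.ssh/id_ed25519`, so every shell that enters this branch starts an ssh-agent, loads the on-disk key into it if the add succeeds, and then points the variable elsewhere. That leaves an unreferenced agent process holding the key in memory. If the Bitwarden agent is meant to replace the local one, drop the two earlier lines and keep only `set -gx SSH_AUTH_SOCK $HOME/.bitwarden-ssh-agent.sock`, which also removes the hard-coded home directory and makes the export explicit. If both agents are wanted, the branch needs a comment saying which one wins and why. The surrounding shell-init string starts and ends outside the hunk.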


@ -77,6 +77,8 @@
go-passbolt-cli go-passbolt-cli
wf-recorder wf-recorder
slurp slurp
bitwarden-desktop
bitwarden-cli
dbeaver-bin dbeaver-bin


@ -14,6 +14,7 @@ fredrik-wastring: ENC[AES256_GCM,data:TQSjO/GGErorK1VwTUXU40o+8z8vh3OM01ErmmHnmp
fw-qemu: ENC[AES256_GCM,data:TxbilLf79+gieY3WbAGl175aTUVjIc6rlKfYTy8Usmw=,iv:WCvfZctBVCSPwoCXMDoSroNt+kakGke5r0pFOSAMPgo=,tag:qY0HxicfypO15CozZ2fcoQ==,type:str] fw-qemu: ENC[AES256_GCM,data:TxbilLf79+gieY3WbAGl175aTUVjIc6rlKfYTy8Usmw=,iv:WCvfZctBVCSPwoCXMDoSroNt+kakGke5r0pFOSAMPgo=,tag:qY0HxicfypO15CozZ2fcoQ==,type:str]
github_token: ENC[AES256_GCM,data:E8j5K2U8UvTpZtsWIm55dvvSxmZjDY15lYeXGuKnPuq1fRyb5HolEQ==,iv:tqODZ4Y247D4DhmC3z7XEq/2K2JsU76p1hxYkYiql9E=,tag:iYithxJyO/GKvKwwh4BDlA==,type:str] github_token: ENC[AES256_GCM,data:E8j5K2U8UvTpZtsWIm55dvvSxmZjDY15lYeXGuKnPuq1fRyb5HolEQ==,iv:tqODZ4Y247D4DhmC3z7XEq/2K2JsU76p1hxYkYiql9E=,tag:iYithxJyO/GKvKwwh4BDlA==,type:str]
grafana_token: ENC[AES256_GCM,data:yAUqBV2/IF/wkyutHhf1Ui/xxRIt+SgsUk7QmdcnYa+x5KC8G1ifdcxJjPJvyQ==,iv:dGk6AfadwajDbFzTteCeyNIpwWRwdJbNwjGSlrmhaBU=,tag:svCcQo96PGFXu+MVsmn1HQ==,type:str] grafana_token: ENC[AES256_GCM,data:yAUqBV2/IF/wkyutHhf1Ui/xxRIt+SgsUk7QmdcnYa+x5KC8G1ifdcxJjPJvyQ==,iv:dGk6AfadwajDbFzTteCeyNIpwWRwdJbNwjGSlrmhaBU=,tag:svCcQo96PGFXu+MVsmn1HQ==,type:str]
fleet-enroll-secret: ENC[AES256_GCM,data:2DEmgzsYvWZas65HLE4PaxZ3h7L4Gw8esVirZYrzCik=,iv:9t6ET8QnPLIl0Pnn9r24btF7VUQnRr3ukRH0oVsgIrg=,tag:mQ0yxEhx72L71DB36cfMew==,type:str]
sops: sops:
age: age:
- recipient: age1jeyw96795qu52swmtkjqgr2w3g4vxc43ckc5r4hlwpje23ptnfwsheah0s - recipient: age1jeyw96795qu52swmtkjqgr2w3g4vxc43ckc5r4hlwpje23ptnfwsheah0s
@ -61,7 +62,7 @@ sops:
dFZ3T3VUeHVnVThadHVQaVJCNkdZeDQK99L7CbBbklUUtanyFIOiCzO3hZP1mh3z dFZ3T3VUeHVnVThadHVQaVJCNkdZeDQK99L7CbBbklUUtanyFIOiCzO3hZP1mh3z
ZZhhr6BCcHBbqzLaRLbT27BTCoNuGsXxyzW6tpXYacYuITkcFq9bOQ== ZZhhr6BCcHBbqzLaRLbT27BTCoNuGsXxyzW6tpXYacYuITkcFq9bOQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-12T14:47:05Z" lastmodified: "2026-03-17T09:44:56Z"
mac: ENC[AES256_GCM,data:+v483ag0f3VorJB0zd6M+mFt3sM7NtDMmRzvH8aLcaoo78/WIHBWFHPSBYBSaXFsm7LYdfA3TpEkuazOzeaiShSMk4AM+g1OB/j6ulzo0jzKg/milD7VAhHYbVCL85IRUHL1It478AukcHAIkFBItzbz7pUNLyESSY14g165iLQ=,iv:nOi9uiAoSS0O0YgvKCPH1kYG8Jfl8gwqDZEULbnG1Bw=,tag:v3u+Z0EQ4qLNWsjoZYzT/Q==,type:str] mac: ENC[AES256_GCM,data:MX3xARncq/j17K5gtmGRi9E4LEOFDeoinahJ0o0AxECjdQYUndtlIMe+0/BfL2GIemhNaiHsQydjE4TrORgl/RGMcHj/gYy9EvY/m0E7gtSoWpxN5FOdavCQ4jcgRRxYj1mDdTuaS7VksWd+9XZMJh7ScmHlMI8PWdnTessd6Mk=,iv:GxuMN1Vt2fEBs/WrD4BvJlUIiGiHppZfzHU8NRB/4DA=,tag:OnHU8MnyLtclBCWKwribAQ==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.0 version: 3.12.0