diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..1d93589
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary age1m0nml3zhfwgxsywcctlmcxda3hywnn3u4630cddf9k24aulwsv0qva3yl6
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
diff --git a/flake.lock b/flake.lock
index 8cdba86..973330f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -542,10 +542,31 @@
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs",
 "nixvim": "nixvim",
+ "sops-nix": "sops-nix",
 "stylix": "stylix",
 "zen": "zen"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1733128155,
+ "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
+ "owner": "mic92",
+ "repo": "sops-nix",
+ "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
+ "type": "github"
+ },
+ "original": {
+ "owner": "mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "stylix": {
 "inputs": {
 "base16": "base16",
diff --git a/flake.nix b/flake.nix
index 224ac9b..0b9c9fd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -36,11 +36,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
-# # Secrets management. See ./docs/secretsmgmt.md
-# sops-nix = {
-# url = "github:mic92/sops-nix";
-# inputs.nixpkgs.follows = "nixpkgs";
-# };
+ # Secrets management. See ./docs/secretsmgmt.md
+ sops-nix = {
+ url = "github:mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 9670844..4f736fc 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -6,6 +6,7 @@
 ./keyd.nix
 ./mimetype.nix
 ./optimise.nix
+ ./sops.nix
 ];
 networking = {
diff --git a/hosts/common/sops.nix b/hosts/common/sops.nix
new file mode 100644
index 0000000..ce4f4d9
--- /dev/null
+++ b/hosts/common/sops.nix
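Review bot: The new `.sops.yaml` lists exactly one age recipient, so every machine that is expected to decrypt `secrets/secrets.yaml` at activation must possess that single private key, and the alias `&primary` gives no hint whose key it is. I'd document it in place, e.g. `# &primary is the admin's personal age key; add one recipient per host that needs these secrets and re-run sops updatekeys after changing this list`. Per-host recipients are normally derived from each host's SSH key (ssh-to-age), which avoids copying a personal key onto every machine. Whether any host other than the author's workstation is meant to decrypt this file cannot be seen from this hunk.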
@@ -0,0 +1,18 @@
+{ attrs, ... }:
+{
+
+ imports = [
+ attrs.sops-nix.nixosModules.sops
+ ];
+
+ sops.defaultSopsFile = ../../secrets/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+
+ sops.age.keyFile = "/home/willifan/.config/sops/age/keys.txt";
+
+ sops.secrets."ssh/root/private" = {
+ owner = "root";
+ };
+ sops.secrets."syncthing/password" = {
+ };
+}
diff --git a/hosts/server/builder.nix b/hosts/server/builder.nix
index 8cad7d5..402c6e2 100644
--- a/hosts/server/builder.nix
+++ b/hosts/server/builder.nix
@@ -2,9 +2,9 @@
 {
 users.users.builder = {
 group = "builder";
- isSystemUser = true;
+ isNormalUser = true;
 homeMode = "111";
- openssh.authorizedKeys.keys = [ "ssh-rsa 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 willifan@proton.me" ];
+ openssh.authorizedKeys.keys = [ "ssh-rsa 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 willifan@pm.me" ];
 };
 users.groups.builder = { };
 nix.settings.trusted-users = [ "builder" "willifan" ];
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..3248664
--- /dev/null
+++ b/secrets/secrets.yaml
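Review bot: `sops.age.keyFile` points into `/home/willifan/.config/sops/age/keys.txt`, so the system's secrets are decrypted (presumably in the root-run activation step) with a key that lives in an ordinary user's home directory: any host importing `hosts/common` that lacks the file cannot provision its secrets, and a compromise of that one user account yields the decryption key for every host. The usual arrangement is a root-owned per-host identity, `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` or `sops.age.keyFile = "/var/lib/sops-nix/key.txt";`, with each host's age recipient added to `.sops.yaml`. `sops.secrets."syncthing/password" = { }` keeps the defaults (root-owned, mode 0400), which only works if the consumer runs as root; if the syncthing service is meant to read it, it needs `owner = config.services.syncthing.user;` (and `config` in the module's argument set). That every host is affected is inferred from the `./sops.nix` import in `hosts/common/default.nix`, not from this hunk itself.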
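Review bot: Changing `builder` from `isSystemUser` to `isNormalUser` gives the account a login shell and a home under `/home`, while the unchanged `nix.settings.trusted-users` line below makes whoever holds the `ssh-rsa` key root-equivalent towards the Nix daemon (trusted users may disable the sandbox and add substituters); the authorized key entry remains an unrestricted interactive login. If the account exists only to serve remote builds, pin the key to that role, e.g. `"restrict,command=\"nix-store --serve --write\" ssh-rsa … willifan@pm.me"`, and keep it in `trusted-users` only if the clients actually need to push unsigned paths. The forced command suits `ssh://` builders; `ssh-ng://` clients speak the daemon protocol instead, so check which one the consumers use. The reason for the switch to a normal user is not stated; a one-line comment such as `# normal user: remote builds need a login shell and a home directory` would help the next reader.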
@@ -0,0 +1,26 @@
+example_key: ENC[AES256_GCM,data:mOi5HkCImJBGqQ8IbQ==,iv:Z5AqB7O4VgacbzFU1JKNW6VXEikMcYVXM8P35A5iGlQ=,tag:zy4dg4Upiexbs0+Ni8YwqQ==,type:str]
+ssh:
+ root:
+ private: ENC[AES256_GCM,data:DX6CCw==,iv:d+ju8wDKcuiEb5W2/xKMUu7TtyrLPvfZggrNCjJj/qc=,tag:kwTVpW706rgH9JGXhiu8yg==,type:str]
+syncthing:
+ password: ENC[AES256_GCM,data:LzF/9A==,iv:+w/Fg0hMGAw4FKvY0cnT5bKVNhwLf18EOFV4hnApzbI=,tag:qjGxsCb0m9yMvhEyIn/HJw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1m0nml3zhfwgxsywcctlmcxda3hywnn3u4630cddf9k24aulwsv0qva3yl6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeU5YQk93U0NVcGRIMHFY
+ a0dpS3F6N21HK0ZFUHlhMkhLOWppMllOSmlJCng4THo0emRBcjVhaU1PTnhTOHdx
+ NXpteWpNSkJuT0JPNTk0OTRzUHFqb3MKLS0tIGRhRXRrazNJSFlpOVR0RHJjTDIr
+ K1NUZDI1SDQ2UVIyVWdkYW5PYWF1TDQKPFPXOdYOsqoh/ivAUl9SgJQeEI4yBJuq
+ vfK/44pf9CcoWG0+J1di2pklliXRKqSrC63bdUgRVKOZwdxZOkQUKw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-12-08T16:40:52Z"
+ mac: ENC[AES256_GCM,data:FjDaDzAYWCWS9SsGKfh0yfofuzjW+p2hbt3tEYQhlWHU+VrEOOopaZXQ/Ut2QfafsEX3NV9TCJAhQsy4WsDs7Jz0XqfoydmDomhyOWMXOz9mpxFR+oKvct2bM5Ai0vibBaEJjPIw8ELFIeDI19V0IPmAFSdGeUgameKMn8Lpc4U=,iv:opqmhUsyYM4mhBqN8Nf1ec0E72rMbfxgD05ffKYDbWo=,tag:X6XR7oVcGg8sMXNGz58K4g==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
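Review bot: The `data:` fields for `ssh/root/private` (`DX6CCw==`) and `syncthing/password` (`LzF/9A==`) decode to four bytes each, and AES-256-GCM ciphertext is the same length as the plaintext, so these are presumably placeholders rather than a real private key or password; `example_key` looks like the leftover from sops' default new-file template. That is fine for scaffolding, but both keys are already referenced from `hosts/common/sops.nix`, so a host would receive a four-byte file at `/run/secrets/ssh/root/private` until the real values are entered with `sops secrets/secrets.yaml`. Remove `example_key` in the same edit, and note that the `mac` is recomputed on every save, so the file must only be modified through sops rather than by hand.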