willifan/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

added sops-nix

Browse source
This commit is contained in:
willifan 2024-12-08 17:13:15 +01:00
parent b1e609f8f4
commit d6754f73f6
7 changed files with 80 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml Normal file
View file

@ -0,0 +1,7 @@
keys:
- &primary age1m0nml3zhfwgxsywcctlmcxda3hywnn3u4630cddf9k24aulwsv0qva3yl6
creation_rules:
- path_regex: secrets/secrets.yaml$
key_groups:
- age:
- *primary

21
flake.lock generated
View file

@ -542,10 +542,31 @@
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixvim": "nixvim", "nixvim": "nixvim",
"sops-nix": "sops-nix",
"stylix": "stylix", "stylix": "stylix",
"zen": "zen" "zen": "zen"
} }
}, },
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1733128155,
"narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
"owner": "mic92",
"repo": "sops-nix",
"rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
"type": "github"
},
"original": {
"owner": "mic92",
"repo": "sops-nix",
"type": "github"
}
},
"stylix": { "stylix": {
"inputs": { "inputs": {
"base16": "base16", "base16": "base16",

10
flake.nix
View file

@ -36,11 +36,11 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# # Secrets management. See ./docs/secretsmgmt.md # Secrets management. See ./docs/secretsmgmt.md
# sops-nix = { sops-nix = {
# url = "github:mic92/sops-nix"; url = "github:mic92/sops-nix";
# inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
# }; };
}; };

1
hosts/common/default.nix
View file

@ -6,6 +6,7 @@
./keyd.nix ./keyd.nix
./mimetype.nix ./mimetype.nix
./optimise.nix ./optimise.nix
./sops.nix
]; ];
networking = { networking = {

18
hosts/common/sops.nix Normal file
View file

@ -0,0 +1,18 @@
{ attrs, ... }:
{
imports = [
attrs.sops-nix.nixosModules.sops
];
sops.defaultSopsFile = ../../secrets/secrets.yaml;
sops.defaultSopsFormat = "yaml";
sops.age.keyFile = "/home/willifan/.config/sops/age/keys.txt";
sops.secrets."ssh/root/private" = {
owner = "root";
};
sops.secrets."syncthing/password" = {
};
}

4
hosts/server/builder.nix
View file

@ -2,9 +2,9 @@
{ {
users.users.builder = { users.users.builder = {
group = "builder"; group = "builder";
isSystemUser = true; isNormalUser = true;
homeMode = "111"; homeMode = "111";
openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMRriQfw3pusl04fGhCNVoRRpye71ZwkDXAtKB/FP1DLXA4cYrwjLzv/fG1hXi7lAMp2vLiABAg/UaTE8roGzlt62XsFNwc1TI5M8m67J0kLkCtz3MkIixe/3GOFXr03g80DPncLyoIYPvvNd/TftTBK4yrrZPvMJaRrZhW/QdLPQpdHalcNRZ4bnBOCtCoqQ6RGrRi2EeKaJDYIFNl13b9FxrXEJcXnbSDdr1KI3q7a+vkefI2knUf2Uk7ufOWTQ1aqc0heGtCNlHzwZUzW/dfrpPmoVPq3Fqxqd9uXqxMk1Z3VnOwWcK3VXfzzBXKTsX0MaUgF1EqxibkYs9bDZqLEXoRucBqk3wwMPy8RJXqQOupoqa2xEOoduBf1qDHEEm69coHCpPm2mQVUrwsPrmTHmOjh9ir0mkVBDRgHvhq/ctQTVO5/SE2NCgPdlvUV5s44LLsUyxBp5JWwXZWlVys+7Dhil6mtRDcH4CXceJn0VZ61Zv2jrCTxQjKsroitSkNbpAkKajQ9moLMAblsSwJzl3uvJJ3ydlxjZefwTO/GjyuJMY2sIU2Tu0YbIVgMyq5L782LduVlyWj+RLWoEu19OfMqQvTWhJnQPAbR82qGzlfTGRLUxoY+G5MYipJwgrBQ2TnpWvfpTrZxFrglSfekz0v54lWzNZpW+irImh4w== willifan@proton.me" ]; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCRgaPLmdimjvCM7jvlXkRPbw0KOmMdtgTcBahgIWNm8QAFkPX8T42RNDgTb7QG+XqRU4+t4VgM0xt6ldcOTrrcJ2bHW8ybeXM5DU7z2f0aCp3OULosbDHoWiEdxvNmIHcFKgMbL7K/ieVYx5wrPkU+63inK5GrzWIaOOd8O4Q/z7M/XIwOAz2Kb3B4muCG9b9cKAGodOkRT81aJsK0aE84Cy4DbzCgz34FWvfGPWSHQZ/fLNlKrtKI0lCEG5r7r1Tw1wXDAFb7d+enypUwy+KlQDJLkDp0O1dJPEmY0RKXMRL2xFl3jrQ4LgOAyWhXF2ERc2bkky4YaIQfLX3NaMRqVRmUCVpnGRcYqdbn2ulsUOmC0Or/bnJa7/sKFBhFb8aEoxD7/w4h5ugh0xVWMFvwjDb0gymXjNPgvefagAhi8qhxf/6X4AZK4x7y/tcIKpW3QfyrdX7bWQ7itBpMPtYH6WWyoKfypnAGeUtdwcXsb5cwGoJ4s9S/E1CwyZxdC38ydrDYFeRih7+KDHnOqZFnLwBb6yLdpvUhyMkksAzVxh8cvObVgjUFQMAwKvLKVzlv28BLgaWj+K+oFakytRtYZv7CsCneZyL3s/nDKs2ChhYgiXvVicZi+sC8FXZIl6wXWHYj5i/p5A/6ulVFgkfDna051hNewerXuTlyMMbTRw== willifan@pm.me" ];
}; };
users.groups.builder = { }; users.groups.builder = { };
nix.settings.trusted-users = [ "builder" "willifan" ]; nix.settings.trusted-users = [ "builder" "willifan" ];

26
secrets/secrets.yaml Normal file
View file

@ -0,0 +1,26 @@
example_key: ENC[AES256_GCM,data:mOi5HkCImJBGqQ8IbQ==,iv:Z5AqB7O4VgacbzFU1JKNW6VXEikMcYVXM8P35A5iGlQ=,tag:zy4dg4Upiexbs0+Ni8YwqQ==,type:str]
ssh:
root:
private: ENC[AES256_GCM,data:DX6CCw==,iv:d+ju8wDKcuiEb5W2/xKMUu7TtyrLPvfZggrNCjJj/qc=,tag:kwTVpW706rgH9JGXhiu8yg==,type:str]
syncthing:
password: ENC[AES256_GCM,data:LzF/9A==,iv:+w/Fg0hMGAw4FKvY0cnT5bKVNhwLf18EOFV4hnApzbI=,tag:qjGxsCb0m9yMvhEyIn/HJw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1m0nml3zhfwgxsywcctlmcxda3hywnn3u4630cddf9k24aulwsv0qva3yl6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeU5YQk93U0NVcGRIMHFY
a0dpS3F6N21HK0ZFUHlhMkhLOWppMllOSmlJCng4THo0emRBcjVhaU1PTnhTOHdx
NXpteWpNSkJuT0JPNTk0OTRzUHFqb3MKLS0tIGRhRXRrazNJSFlpOVR0RHJjTDIr
K1NUZDI1SDQ2UVIyVWdkYW5PYWF1TDQKPFPXOdYOsqoh/ivAUl9SgJQeEI4yBJuq
vfK/44pf9CcoWG0+J1di2pklliXRKqSrC63bdUgRVKOZwdxZOkQUKw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-08T16:40:52Z"
mac: ENC[AES256_GCM,data:FjDaDzAYWCWS9SsGKfh0yfofuzjW+p2hbt3tEYQhlWHU+VrEOOopaZXQ/Ut2QfafsEX3NV9TCJAhQsy4WsDs7Jz0XqfoydmDomhyOWMXOz9mpxFR+oKvct2bM5Ai0vibBaEJjPIw8ELFIeDI19V0IPmAFSdGeUgameKMn8Lpc4U=,iv:opqmhUsyYM4mhBqN8Nf1ec0E72rMbfxgD05ffKYDbWo=,tag:X6XR7oVcGg8sMXNGz58K4g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1