added sops-nix

2024-12-08 17:13:15 +01:00 · 2024-12-08 17:13:15 +01:00 · d6754f73f6
commit d6754f73f6
parent b1e609f8f4
7 changed files with 80 additions and 7 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &primary age1m0nml3zhfwgxsywcctlmcxda3hywnn3u4630cddf9k24aulwsv0qva3yl6
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+    - age:
+      - *primary
--- a/flake.lock
+++ b/flake.lock
@ -542,10 +542,31 @@
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
        "nixvim": "nixvim",
+        "sops-nix": "sops-nix",
        "stylix": "stylix",
        "zen": "zen"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733128155,
+        "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
+        "type": "github"
+      },
+      "original": {
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "stylix": {
      "inputs": {
        "base16": "base16",
--- a/flake.nix
+++ b/flake.nix
@ -36,11 +36,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-#    # Secrets management. See ./docs/secretsmgmt.md
-#    sops-nix = {
-#      url = "github:mic92/sops-nix";
-#      inputs.nixpkgs.follows = "nixpkgs";
-#    };
+    # Secrets management. See ./docs/secretsmgmt.md
+    sops-nix = {
+      url = "github:mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };

  };

--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@ -6,6 +6,7 @@
    ./keyd.nix
    ./mimetype.nix
    ./optimise.nix
+    ./sops.nix
  ];

  networking = {
--- a/hosts/common/sops.nix
+++ b/hosts/common/sops.nix
@ -0,0 +1,18 @@
+{ attrs, ... }:
+{
+
+  imports = [
+    attrs.sops-nix.nixosModules.sops
+  ];
+
+  sops.defaultSopsFile = ../../secrets/secrets.yaml;
+  sops.defaultSopsFormat = "yaml";
+
+  sops.age.keyFile = "/home/willifan/.config/sops/age/keys.txt";
+
+  sops.secrets."ssh/root/private" = {
+    owner = "root";
+  };
+  sops.secrets."syncthing/password" = {
+  };
+}
--- a/hosts/server/builder.nix
+++ b/hosts/server/builder.nix
@ -2,9 +2,9 @@
 {
  users.users.builder = {
    group = "builder";
-    isSystemUser = true;
+    isNormalUser = true;
    homeMode = "111";
-    openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMRriQfw3pusl04fGhCNVoRRpye71ZwkDXAtKB/FP1DLXA4cYrwjLzv/fG1hXi7lAMp2vLiABAg/UaTE8roGzlt62XsFNwc1TI5M8m67J0kLkCtz3MkIixe/3GOFXr03g80DPncLyoIYPvvNd/TftTBK4yrrZPvMJaRrZhW/QdLPQpdHalcNRZ4bnBOCtCoqQ6RGrRi2EeKaJDYIFNl13b9FxrXEJcXnbSDdr1KI3q7a+vkefI2knUf2Uk7ufOWTQ1aqc0heGtCNlHzwZUzW/dfrpPmoVPq3Fqxqd9uXqxMk1Z3VnOwWcK3VXfzzBXKTsX0MaUgF1EqxibkYs9bDZqLEXoRucBqk3wwMPy8RJXqQOupoqa2xEOoduBf1qDHEEm69coHCpPm2mQVUrwsPrmTHmOjh9ir0mkVBDRgHvhq/ctQTVO5/SE2NCgPdlvUV5s44LLsUyxBp5JWwXZWlVys+7Dhil6mtRDcH4CXceJn0VZ61Zv2jrCTxQjKsroitSkNbpAkKajQ9moLMAblsSwJzl3uvJJ3ydlxjZefwTO/GjyuJMY2sIU2Tu0YbIVgMyq5L782LduVlyWj+RLWoEu19OfMqQvTWhJnQPAbR82qGzlfTGRLUxoY+G5MYipJwgrBQ2TnpWvfpTrZxFrglSfekz0v54lWzNZpW+irImh4w== willifan@proton.me" ];
+    openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCRgaPLmdimjvCM7jvlXkRPbw0KOmMdtgTcBahgIWNm8QAFkPX8T42RNDgTb7QG+XqRU4+t4VgM0xt6ldcOTrrcJ2bHW8ybeXM5DU7z2f0aCp3OULosbDHoWiEdxvNmIHcFKgMbL7K/ieVYx5wrPkU+63inK5GrzWIaOOd8O4Q/z7M/XIwOAz2Kb3B4muCG9b9cKAGodOkRT81aJsK0aE84Cy4DbzCgz34FWvfGPWSHQZ/fLNlKrtKI0lCEG5r7r1Tw1wXDAFb7d+enypUwy+KlQDJLkDp0O1dJPEmY0RKXMRL2xFl3jrQ4LgOAyWhXF2ERc2bkky4YaIQfLX3NaMRqVRmUCVpnGRcYqdbn2ulsUOmC0Or/bnJa7/sKFBhFb8aEoxD7/w4h5ugh0xVWMFvwjDb0gymXjNPgvefagAhi8qhxf/6X4AZK4x7y/tcIKpW3QfyrdX7bWQ7itBpMPtYH6WWyoKfypnAGeUtdwcXsb5cwGoJ4s9S/E1CwyZxdC38ydrDYFeRih7+KDHnOqZFnLwBb6yLdpvUhyMkksAzVxh8cvObVgjUFQMAwKvLKVzlv28BLgaWj+K+oFakytRtYZv7CsCneZyL3s/nDKs2ChhYgiXvVicZi+sC8FXZIl6wXWHYj5i/p5A/6ulVFgkfDna051hNewerXuTlyMMbTRw== willifan@pm.me" ];
  };
  users.groups.builder = { };
  nix.settings.trusted-users = [ "builder" "willifan" ];
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -0,0 +1,26 @@
+example_key: ENC[AES256_GCM,data:mOi5HkCImJBGqQ8IbQ==,iv:Z5AqB7O4VgacbzFU1JKNW6VXEikMcYVXM8P35A5iGlQ=,tag:zy4dg4Upiexbs0+Ni8YwqQ==,type:str]
+ssh:
+    root:
+        private: ENC[AES256_GCM,data:DX6CCw==,iv:d+ju8wDKcuiEb5W2/xKMUu7TtyrLPvfZggrNCjJj/qc=,tag:kwTVpW706rgH9JGXhiu8yg==,type:str]
+syncthing:
+    password: ENC[AES256_GCM,data:LzF/9A==,iv:+w/Fg0hMGAw4FKvY0cnT5bKVNhwLf18EOFV4hnApzbI=,tag:qjGxsCb0m9yMvhEyIn/HJw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1m0nml3zhfwgxsywcctlmcxda3hywnn3u4630cddf9k24aulwsv0qva3yl6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeU5YQk93U0NVcGRIMHFY
+            a0dpS3F6N21HK0ZFUHlhMkhLOWppMllOSmlJCng4THo0emRBcjVhaU1PTnhTOHdx
+            NXpteWpNSkJuT0JPNTk0OTRzUHFqb3MKLS0tIGRhRXRrazNJSFlpOVR0RHJjTDIr
+            K1NUZDI1SDQ2UVIyVWdkYW5PYWF1TDQKPFPXOdYOsqoh/ivAUl9SgJQeEI4yBJuq
+            vfK/44pf9CcoWG0+J1di2pklliXRKqSrC63bdUgRVKOZwdxZOkQUKw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-08T16:40:52Z"
+    mac: ENC[AES256_GCM,data:FjDaDzAYWCWS9SsGKfh0yfofuzjW+p2hbt3tEYQhlWHU+VrEOOopaZXQ/Ut2QfafsEX3NV9TCJAhQsy4WsDs7Jz0XqfoydmDomhyOWMXOz9mpxFR+oKvct2bM5Ai0vibBaEJjPIw8ELFIeDI19V0IPmAFSdGeUgameKMn8Lpc4U=,iv:opqmhUsyYM4mhBqN8Nf1ec0E72rMbfxgD05ffKYDbWo=,tag:X6XR7oVcGg8sMXNGz58K4g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1