sops-nix

2024-11-21 21:50:32 +01:00 · 2024-07-03 17:52:10 +02:00 · 2024-07-03 17:52:10 +02:00 · 52a63b9b71
parent baf4534b74
commit 52a63b9b71
16 changed files with 181 additions and 32 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,14 @@
+keys:
+  - &users:
+    - &xqtc age1jmqdy4ntgmunnh485qcvxg9yvc2rcvrwf8nq0jg8n4c5al7sza2qq3c80d
+  - &hosts:
+    - &asmodeus age1lznc3dadzpc7vllpvnpdf8samadleep7sxfg0dnpzwl0nngzdv7suu73rh
+    - &beleth age1xf86ak2hu5efux42au4x7wlxqpxqpuld7kd6nnr2qzhl662wy3vq940d4p
+
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+    - age:
+      - *xqtc
+      - *asmodeus
+      - *beleth
--- a/common/default.nix
+++ b/common/default.nix
@ -5,7 +5,10 @@
  pkgs,
  ...
 }: {
-  imports = [./syncthing.nix];
+  imports = [
+    ./syncthing.nix
+    ./sops.nix
+  ];
  #nixpkgs.config.permittedInsecurePackages = ["electron-25.9.0" "electron-24.8.6"];
  # networking.hosts = {
  #   "192.168.178.35" = ["jellyfin.fritz.box" "grafana.fritz.box"];
--- a/common/sops.nix
+++ b/common/sops.nix
@ -0,0 +1,21 @@
+{
+  inputs,
+  config,
+  lib,
+  ...
+}: {
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    validateSopsFiles = false;
+
+    age = {
+      sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+      keyFile = "/var/lib/sops/age/keys.txt";
+      generateKey = true;
+    };
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@ -462,6 +462,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1719663039,
+        "narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1627814220,
@ -582,6 +598,7 @@
        "nixpkgs": "nixpkgs_5",
        "nixpkgs-master": "nixpkgs-master",
        "nixvim": "nixvim",
+        "sops-nix": "sops-nix",
        "spicetify-nix": "spicetify-nix"
      }
    },
@ -601,6 +618,27 @@
        "type": "github"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1719873517,
+        "narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "a11224af8d824935f363928074b4717ca2e280db",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "spicetify-nix": {
      "inputs": {
        "flake-utils": "flake-utils_5",
--- a/flake.nix
+++ b/flake.nix
@ -9,23 +9,27 @@
      url = "github:nix-community/home-manager/master";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    spicetify-nix.url = "github:the-argus/spicetify-nix";
    nh.url = "github:/viperML/nh";
    lix-module = {
      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.90.0-rc1.tar.gz";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    firefox-addons.url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+    nixvim = {
+      # If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim.
+      #url = "github:nix-community/nixvim/22b587f3dc5c040eb1916aa2a67868f1918d9d17";
+      url = "github:nix-community/nixvim";
+
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };
  #inputs.agenix.url = "github:ryantm/agenix";
-  inputs.firefox-addons.url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
-  inputs.nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-  inputs.nixvim = {
-    # If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim.
-    #url = "github:nix-community/nixvim/22b587f3dc5c040eb1916aa2a67868f1918d9d17";
-    url = "github:nix-community/nixvim";
-
-    inputs.nixpkgs.follows = "nixpkgs";
-  };

  outputs = inputs @ {
    self,
@ -37,6 +41,7 @@
    nixvim,
    nh,
    lix-module,
+    sops-nix,
    ...
  }: let
    lib = nixpkgs.lib;
--- a/home/modules/default.nix
+++ b/home/modules/default.nix
@ -18,6 +18,7 @@
    ./spicetify.nix
    ./yazi.nix
    ./zoxide.nix
-    #./ssh.nix
+    ./sops.nix
+    ./ssh.nix
  ];
 }
--- a/home/modules/sops.nix
+++ b/home/modules/sops.nix
@ -0,0 +1,17 @@
+{
+  inputs,
+  config,
+  lib,
+  ...
+}: {
+  sops = {
+    defaultSopsFile = ../../secrets.yaml;
+    validateSopsFiles = false;
+
+    age = {
+      sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+      keyFile = "/home/xqtc/.config/sops/age/keys.txt";
+      generateKey = true;
+    };
+  };
+}
--- a/home/modules/ssh.nix
+++ b/home/modules/ssh.nix
@ -5,18 +5,14 @@
  pkgs,
  ...
 }: {
-  age.identityPaths = ["${config.home.homeDirectory}/.ssh/agenix"]; # Use this key to decrypt
-  home.packages = [
-    inputs.agenix.packages.x86_64-linux.default # Install CLI tool to encrypt
-  ];
-  age.secrets.xqtc_id_ed25519 = {
-    file = ../secrets/xqtc_id_ed25519.age;
-    path = "${config.home.homeDirectory}/.ssh/id_ed25519";
-    mode = "600";
-  };
-  age.secrets.xqtc_id_ed25519_pub = {
-    file = ../secrets/xqtc_id_ed25519_pub.age;
-    path = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
-    mode = "640";
+  sops.secrets = {
+    "private_keys/xqtc" = {
+      path = "/home/xqtc/.ssh/id_ed25519";
+      mode = "600";
+    };
+    "public_keys/xqtc" = {
+      path = "/home/xqtc/.ssh/id_ed25519.pub";
+      mode = "640";
+    };
  };
 }
--- a/home/secrets/secrets.nix
+++ b/home/secrets/secrets.nix
@ -1,6 +0,0 @@
-let
-  xqtc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFecbWOhXR4z1wrrI5onn4SFGtu/lfsOblreuRWcbLug";
-in {
-  "xqtc_id_ed25519.age".publicKeys = [xqtc];
-  "xqtc_id_ed25519_pub.age".publicKeys = [xqtc];
-}
--- a/home/secrets/xqtc_id_ed25519.age
+++ b/home/secrets/xqtc_id_ed25519.age
--- a/home/secrets/xqtc_id_ed25519_pub.age
+++ b/home/secrets/xqtc_id_ed25519_pub.age
--- a/hosts/x86_64-linux/asmodeus/default.nix
+++ b/hosts/x86_64-linux/asmodeus/default.nix
@ -41,6 +41,9 @@
    ../../gc.nix
  ];

+  sops.secrets."nextcloud_password" = {
+    path = "/etc/nx_pass";
+  };
  nixpkgs.config.allowUnfree = true;

  boot.binfmt.emulatedSystems = ["aarch64-linux"];
--- a/hosts/x86_64-linux/beleth/nextcloud.nix
+++ b/hosts/x86_64-linux/beleth/nextcloud.nix
@ -10,6 +10,12 @@
      sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
    }}/nextcloud-extras.nix"
  ];
+  
+  sops.secrets."nextcloud_password" = {
+    path = "/etc/nx_pass";
+    owner = "nextcloud";
+    group = "nextcloud";
+  };

  services.nextcloud = {
    webserver = "caddy";
--- a/hosts/x86_64-linux/beleth/paperless.nix
+++ b/hosts/x86_64-linux/beleth/paperless.nix
@ -4,6 +4,11 @@
  inputs,
  ...
 }: {
+  sops.secrets."paperless_password" = {
+    path = "/etc/paperless_sc";
+    owner = "paperless";
+    group = "paperless";
+  };
  services.paperless = {
    enable = true;
    passwordFile = "/etc/paperless_sc";
--- a/modules/home-manager.nix
+++ b/modules/home-manager.nix
@ -3,7 +3,9 @@
  inputs,
  ...
 }: {
-  imports = [inputs.home-manager.nixosModules.home-manager];
+  imports = [
+    inputs.home-manager.nixosModules.home-manager
+  ];
  config = {
    home-manager.useGlobalPkgs = true;
    home-manager.useUserPackages = true;
@ -13,7 +15,7 @@
      imports = [
        ../home
        inputs.nixvim.homeManagerModules.nixvim
-        #inputs.agenix.homeManagerModules.default
+        inputs.sops-nix.homeManagerModules.sops
      ];
    };
  };
--- a/secrets.yaml
+++ b/secrets.yaml
@ -0,0 +1,44 @@
+private_keys:
+    xqtc: ENC[AES256_GCM,data:rpdj0jpEL+oI83ML+uVzTIr0zcc7vCrV5jFLUks+tjpR5cGkp3TxJ287ijRAEF17PqDK90t1Sql/Wt/VDriiF8FdwSMZRHIXtuQ2JoxZ7ZF0gI1O5f+RYI7f9YhRWwXWdGi7syhDHOIYuqNv2C3tmeM7vsGn2A7e+k68Dfj2SnP6EbQr3xaEr155YWTdN5VwiWUNRGa0AgKXEnNFjtxZd1rjKvcKSiWeDMoq4kYswpPcIjdcGSgIuh/W9RxaQls79wQ6EB958jwiU0mTRK2quyq4yDAbxocxExdy4ZRdqCj1FfZYtHN4hUwzif+pVihDxspyKu2PG0a+mDZPjG88STUqUSHd1rAVet3TxaHCAXMUNnALzLxV6uXaTZJOCpK5U/hIyRYKcm7NnUzkfrluEPAK1IDP3TiiVZEPHjx2cTxhWuMGc5qtWz7YCzTXP/m2XoLRhgaoP4WkYDdg/X4iMXqU3yTO+WClKJPrqvFzIwdvuioiL1hEJ/sKl3O+XtcipKM89PqL1Jrga+yiEZsS,iv:YZSCbv3+qerH9I1L10OkaId0b25p7Tz/fw0mimjGQ70=,tag:slAoYzANbap1ghkAkGcLIg==,type:str]
+public_keys:
+    xqtc: ENC[AES256_GCM,data:bQ39+TS67ww01qfkhv//AfE3h4od4QgOUMATwKoeI7D7JHzCpM38jZudNlJixbyR8bLOKsBohqB3Pad6Q27dnXLCyZ/XtyZMLyhZuaOBVkx8+4ow1SWEyDxHM/N3WPZxjgM=,iv:FKHKaOknTYKzel3R6AUOb4RvXH04rQd4bHospGrsrUA=,tag:yCtxIdfWdIFjPiFbrFuPKg==,type:str]
+nextcloud_password: ENC[AES256_GCM,data:lwqQio1I1xTv07bLRyrvig1HRyCxcueSPgDpPRhXBqCi8d42OJt7rA==,iv:R0JxpCJz9zycph9p7Ewwt4QTEXQxaxJ691aWCXfEsFE=,tag:Qz3dD2cOkmneEWP7tI54Dg==,type:str]
+paperless_password: ENC[AES256_GCM,data:OCrc00vUb+lgel8TmFm+9Ee4QJZZV7W6+Jl9+R7AfjfDh6v590ibvw==,iv:emM7g0JRcEH4xuYdvZN64drOhduXyQy6HwF1xByaLvE=,tag:D2O1qAeKtYWGf+Zd3RuBTQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1jmqdy4ntgmunnh485qcvxg9yvc2rcvrwf8nq0jg8n4c5al7sza2qq3c80d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UXN2bWFuL1oyUWY2aEMx
+            NkVJK0VZRHVZYVBzRDZQdFloWTFDbWJTdW4wCkkvdGozT2VzRTJjVnE5MExPRERR
+            eHVzazQxajg0Nm9DYWFMcWhiYXRqcmMKLS0tIDhGZWxsTEdlbnQ5TmE0V2gwVTlC
+            U3ZRUXo2SlBSZitENnUwdFQxRzczczQKixuIzUUzWvr/587c2ALWqc+eb0tmwOGN
+            RTSBTCn5YM7RhoXqwvSWwb8Jkwa5gEajNo9c/yTKz14/TJFB3tJD/w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1lznc3dadzpc7vllpvnpdf8samadleep7sxfg0dnpzwl0nngzdv7suu73rh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZ3lBUDdrZWR5Qi91d2hQ
+            bzVSOStwTVVMeHhrZitmN2MvM0lWLyszMVVvCllwS0g3Z3NlMGN5Qy92eGdpMEND
+            NUczRDJWSGpYa3ljZkd5SmF2K3BDSlkKLS0tIGkrdkdHNXVUNEcxK0lqQzM2UFRX
+            YWZYMUVlTEN0WGFrYm8xbEx1d3VwNUUKj7uYjZlxrzr3rtkKuhljgC2YRZFmAxzS
+            Jtv5WN8xnTGCLPQ3Pq7BfReDz5hVypBFtEc2xy/zBVgl+RQbs3oidg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xf86ak2hu5efux42au4x7wlxqpxqpuld7kd6nnr2qzhl662wy3vq940d4p
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UVQxUmd4Z3A0ZTVGMS9x
+            M0ZYV3RCN3hTenArZVZ3RHV4cGRGZEdCdUN3CjdyNDRDY0d3WmEycXNkb2F5OENu
+            NGNVV2N2b3d3VmltMjd4M0NTWVhvQUUKLS0tIE1NWFFOcGV4YnBwcGNZSTkvNnFs
+            N2lwWWwxZFZkNzRRTXMxSDRNczZ3cEUKMC8rkGm0f0//n6yFaDTRpaFL8OE+4wEc
+            zcpC9E/3rzB+DC8H/CB9DIa7/LO+RQzR0THjGjc4EtooX0/PTxvn4g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-07-03T14:48:29Z"
+    mac: ENC[AES256_GCM,data:LHH3qUI92p9PFkheFlHV4EwfMebLnHyrEr6iyMCOPWLh+vyai039gFHP/qZuKO51qgQdWiNYagwTNGwh/wCPUsXqmrT6/zyUVRzY+qM8ei0mTsyATPT2N/nFurb0HUueSO1rNzkYFbb6Io+5KdkQQbgbXoKxVV3xaWPB0FvB5cg=,iv:YmO2DvOP+5XUFs+r2ywn3mS8igxwhdoMB4VmtFsxVDU=,tag:udN3POCZVJvh2MircwckKQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1