diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..7c247e5
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,14 @@
+keys:
+ - &users:
+ - &xqtc age1jmqdy4ntgmunnh485qcvxg9yvc2rcvrwf8nq0jg8n4c5al7sza2qq3c80d
+ - &hosts:
+ - &asmodeus age1lznc3dadzpc7vllpvnpdf8samadleep7sxfg0dnpzwl0nngzdv7suu73rh
+ - &beleth age1xf86ak2hu5efux42au4x7wlxqpxqpuld7kd6nnr2qzhl662wy3vq940d4p
+
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - age:
+ - *xqtc
+ - *asmodeus
+ - *beleth
diff --git a/common/default.nix b/common/default.nix
index 49cabcf..cefc27f 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -5,7 +5,10 @@
 pkgs,
 ...
 }: {
- imports = [./syncthing.nix];
+ imports = [
+ ./syncthing.nix
+ ./sops.nix
+ ];
 #nixpkgs.config.permittedInsecurePackages = ["electron-25.9.0" "electron-24.8.6"];
 # networking.hosts = {
 # "192.168.178.35" = ["jellyfin.fritz.box" "grafana.fritz.box"];
diff --git a/common/sops.nix b/common/sops.nix
new file mode 100644
index 0000000..e4d9c26
--- /dev/null
+++ b/common/sops.nix
@@ -0,0 +1,21 @@
+{
+ inputs,
+ config,
+ lib,
+ ...
+}: {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ sops = {
+ defaultSopsFile = ../secrets.yaml;
+ validateSopsFiles = false;
+
+ age = {
+ sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ keyFile = "/var/lib/sops/age/keys.txt";
+ generateKey = true;
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index a6f671d..c206eff 100644
--- a/flake.lock
+++ b/flake.lock
@@ -462,6 +462,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1719663039,
+ "narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1627814220,
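Review bot: The single key group under `creation_rules` lets any one of `*xqtc`, `*asmodeus` and `*beleth` decrypt every value in secrets.yaml, so root on either host can recover `private_keys/xqtc` (the user's SSH private key) and the user key can read both hosts' service passwords. If that cross-host reach is not intended, split the data into per-host files and give each rule its own `path_regex` listing only the keys that file needs; `path_regex: secrets.yaml$` is also unanchored at the front and matches any path ending in that name. The `- &users:` and `- &hosts:` entries carry a trailing colon, which depending on the YAML parser either becomes part of the anchor name or turns the item into a mapping with a null key; the aliases still resolve either way, but `- &users` / `- &hosts` says what is meant.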
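Review bot: `validateSopsFiles = false;` in common/sops.nix disables sops-nix's evaluation-time check of `defaultSopsFile`, so a secret name that does not exist in secrets.yaml (the modules reference `nextcloud_password`, `paperless_password`, `private_keys/xqtc` and `public_keys/xqtc`) is only discovered when the host activates; `../secrets.yaml` lives inside the flake, which is the case the check is designed for, so the override looks unnecessary here and in the home/modules/sops.nix hunk. If it is deliberate, say why next to it, e.g. `validateSopsFiles = false; # <reason>`. `generateKey = true` together with `sshKeyPaths` is fine on the NixOS side, where root can read the host key. The `config` and `lib` arguments in the header are not used in this file.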
@@ -582,6 +598,7 @@
 "nixpkgs": "nixpkgs_5",
 "nixpkgs-master": "nixpkgs-master",
 "nixvim": "nixvim",
+ "sops-nix": "sops-nix",
 "spicetify-nix": "spicetify-nix"
 }
 },
@@ -601,6 +618,27 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1719873517,
+ "narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "a11224af8d824935f363928074b4717ca2e280db",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "spicetify-nix": {
 "inputs": {
 "flake-utils": "flake-utils_5",
diff --git a/flake.nix b/flake.nix
index c4aeab8..db311bd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,23 +9,27 @@
 url = "github:nix-community/home-manager/master";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 spicetify-nix.url = "github:the-argus/spicetify-nix";
 nh.url = "github:/viperML/nh";
 lix-module = {
 url = "https://git.lix.systems/lix-project/nixos-module/archive/2.90.0-rc1.tar.gz";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ firefox-addons.url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
+ nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+ nixvim = {
+ # If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim.
+ #url = "github:nix-community/nixvim/22b587f3dc5c040eb1916aa2a67868f1918d9d17";
+ url = "github:nix-community/nixvim";
+
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 #inputs.agenix.url = "github:ryantm/agenix";
- inputs.firefox-addons.url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
- inputs.nixos-hardware.url = "github:NixOS/nixos-hardware/master";
- inputs.nixvim = {
- # If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim.
- #url = "github:nix-community/nixvim/22b587f3dc5c040eb1916aa2a67868f1918d9d17";
- url = "github:nix-community/nixvim";
-
- inputs.nixpkgs.follows = "nixpkgs";
- };
 outputs = inputs @ {
 self,
@@ -37,6 +41,7 @@
 nixvim,
 nh,
 lix-module,
+ sops-nix,
 ...
 }: let
 lib = nixpkgs.lib;
diff --git a/home/modules/default.nix b/home/modules/default.nix
index d4e428b..cfe41d4 100644
--- a/home/modules/default.nix
+++ b/home/modules/default.nix
@@ -18,6 +18,7 @@
 ./spicetify.nix
 ./yazi.nix
 ./zoxide.nix
- #./ssh.nix
+ ./sops.nix
+ ./ssh.nix
 ];
 }
diff --git a/home/modules/sops.nix b/home/modules/sops.nix
new file mode 100644
index 0000000..868a008
--- /dev/null
+++ b/home/modules/sops.nix
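Review bot: The new `sops-nix` input pins only `inputs.nixpkgs.follows = "nixpkgs";`, and the flake.lock hunk shows sops-nix's own `nixpkgs-stable` (release-23.11) being locked as a second nixpkgs checkout as a result; adding `inputs.nixpkgs-stable.follows = "nixpkgs";` under the existing follows line avoids that extra input if nothing in this flake relies on the stable branch. The rest of the hunk moves `firefox-addons`, `nixos-hardware` and `nixvim` into the `inputs` set unchanged, with the nixvim branch-selection comment carried over.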
@@ -0,0 +1,17 @@
+{
+ inputs,
+ config,
+ lib,
+ ...
+}: {
+ sops = {
+ defaultSopsFile = ../../secrets.yaml;
+ validateSopsFiles = false;
+
+ age = {
+ sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ keyFile = "/home/xqtc/.config/sops/age/keys.txt";
+ generateKey = true;
+ };
+ };
+}
diff --git a/home/modules/ssh.nix b/home/modules/ssh.nix
index fa22692..0635539 100644
--- a/home/modules/ssh.nix
+++ b/home/modules/ssh.nix
@@ -5,18 +5,14 @@
 pkgs,
 ...
 }: {
- age.identityPaths = ["${config.home.homeDirectory}/.ssh/agenix"]; # Use this key to decrypt
- home.packages = [
- inputs.agenix.packages.x86_64-linux.default # Install CLI tool to encrypt
- ];
- age.secrets.xqtc_id_ed25519 = {
- file = ../secrets/xqtc_id_ed25519.age;
- path = "${config.home.homeDirectory}/.ssh/id_ed25519";
- mode = "600";
- };
- age.secrets.xqtc_id_ed25519_pub = {
- file = ../secrets/xqtc_id_ed25519_pub.age;
- path = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
- mode = "640";
+ sops.secrets = {
+ "private_keys/xqtc" = {
+ path = "/home/xqtc/.ssh/id_ed25519";
+ mode = "600";
+ };
+ "public_keys/xqtc" = {
+ path = "/home/xqtc/.ssh/id_ed25519.pub";
+ mode = "640";
+ };
 };
 }
diff --git a/home/secrets/secrets.nix b/home/secrets/secrets.nix
deleted file mode 100644
index 030c814..0000000
--- a/home/secrets/secrets.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-let
- xqtc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFecbWOhXR4z1wrrI5onn4SFGtu/lfsOblreuRWcbLug";
-in {
- "xqtc_id_ed25519.age".publicKeys = [xqtc];
- "xqtc_id_ed25519_pub.age".publicKeys = [xqtc];
-}
diff --git a/home/secrets/xqtc_id_ed25519.age b/home/secrets/xqtc_id_ed25519.age
deleted file mode 100644
index 656b454..0000000
Binary files a/home/secrets/xqtc_id_ed25519.age and /dev/null differ
diff --git a/home/secrets/xqtc_id_ed25519_pub.age b/home/secrets/xqtc_id_ed25519_pub.age
deleted file mode 100644
index 09db773..0000000
Binary files a/home/secrets/xqtc_id_ed25519_pub.age and /dev/null differ
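Review bot: `sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]` in a Home Manager module is evaluated as the user, and the host key is normally root-only, so this entry looks copied from common/sops.nix and probably never yields a usable key; with `generateKey = true` and no existing `keyFile`, sops-nix would then mint a fresh age key at `/home/xqtc/.config/sops/age/keys.txt` that is not a recipient in `.sops.yaml`, and the user's secrets stay undecryptable until that key is added and the file re-encrypted. Drop `sshKeyPaths` here and make sure `keyFile` holds the `&xqtc` identity, or set `generateKey = false;` so a missing key fails loudly instead of silently producing an unlisted one. `keyFile` also hard-codes the home directory; `keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";` uses the `config` argument that is already in scope. `validateSopsFiles = false;` here mirrors the NixOS module and likewise drops the evaluation-time check of the secret names.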
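Review bot: The new `path` values hard-code `/home/xqtc/.ssh/...` where the removed lines derived them from `config.home.homeDirectory`, which the module header above the hunk still provides; `path = "${config.home.homeDirectory}/.ssh/id_ed25519";` and the `.pub` equivalent keep the old behaviour if the home directory ever changes. With the agenix lines gone, `inputs` in the module arguments is likely unused now. As far as I can tell from sops-nix's Home Manager module, a non-default `path` is a symlink into the runtime secrets directory rather than a regular file, which ssh accepts; a short comment such as `# symlink managed by sops-nix; re-created on activation` would save the next reader the check.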
diff --git a/hosts/x86_64-linux/asmodeus/default.nix b/hosts/x86_64-linux/asmodeus/default.nix
index 8eb0295..718bdf3 100644
--- a/hosts/x86_64-linux/asmodeus/default.nix
+++ b/hosts/x86_64-linux/asmodeus/default.nix
@@ -41,6 +41,9 @@
 ../../gc.nix
 ];
+ sops.secrets."nextcloud_password" = {
+ path = "/etc/nx_pass";
+ };
 nixpkgs.config.allowUnfree = true;
 boot.binfmt.emulatedSystems = ["aarch64-linux"];
diff --git a/hosts/x86_64-linux/beleth/nextcloud.nix b/hosts/x86_64-linux/beleth/nextcloud.nix
index 99d5699..9265c18 100644
--- a/hosts/x86_64-linux/beleth/nextcloud.nix
+++ b/hosts/x86_64-linux/beleth/nextcloud.nix
@@ -10,6 +10,12 @@
 sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
 }}/nextcloud-extras.nix"
 ];
+
+ sops.secrets."nextcloud_password" = {
+ path = "/etc/nx_pass";
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
 services.nextcloud = {
 webserver = "caddy";
diff --git a/hosts/x86_64-linux/beleth/paperless.nix b/hosts/x86_64-linux/beleth/paperless.nix
index 8da0f29..ed6f5cb 100644
--- a/hosts/x86_64-linux/beleth/paperless.nix
+++ b/hosts/x86_64-linux/beleth/paperless.nix
@@ -4,6 +4,11 @@
 inputs,
 ...
 }: {
+ sops.secrets."paperless_password" = {
+ path = "/etc/paperless_sc";
+ owner = "paperless";
+ group = "paperless";
+ };
 services.paperless = {
 enable = true;
 passwordFile = "/etc/paperless_sc";
diff --git a/modules/home-manager.nix b/modules/home-manager.nix
index 4fc169e..7ef29db 100644
--- a/modules/home-manager.nix
+++ b/modules/home-manager.nix
@@ -3,7 +3,9 @@
 inputs,
 ...
 }: {
- imports = [inputs.home-manager.nixosModules.home-manager];
+ imports = [
+ inputs.home-manager.nixosModules.home-manager
+ ];
 config = {
 home-manager.useGlobalPkgs = true;
 home-manager.useUserPackages = true;
@@ -13,7 +15,7 @@
 imports = [
 ../home
 inputs.nixvim.homeManagerModules.nixvim
- #inputs.agenix.homeManagerModules.default
+ inputs.sops-nix.homeManagerModules.sops
 ];
 };
 };
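Review bot: On asmodeus `sops.secrets."nextcloud_password"` sets only `path`, so sops-nix's defaults (owner root, group root, mode 0400) apply and `/etc/nx_pass` is readable by root alone, while the beleth nextcloud hunk gives the same secret `owner = "nextcloud"; group = "nextcloud";`; if asmodeus reads it from an unprivileged service the same two lines are needed, and if a root-run consumer is intended a one-line comment saying so would keep the next reader from "fixing" it. In the beleth nextcloud and paperless hunks the secret is symlinked to a fixed `/etc/...` path that the service config then repeats as a string (`passwordFile = "/etc/paperless_sc";`); pointing the service at `config.sops.secrets."paperless_password".path` instead removes the duplicated path and the extra `/etc` link, provided `config` is among the module arguments (the paperless header shows only `inputs, ...`). The modules/home-manager.nix hunks only reformat the import list and replace the commented agenix module with `inputs.sops-nix.homeManagerModules.sops`.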
diff --git a/secrets.yaml b/secrets.yaml
new file mode 100644
index 0000000..c952c42
--- /dev/null
+++ b/secrets.yaml
@@ -0,0 +1,44 @@
+private_keys:
+ xqtc: ENC[AES256_GCM,data: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,iv:YZSCbv3+qerH9I1L10OkaId0b25p7Tz/fw0mimjGQ70=,tag:slAoYzANbap1ghkAkGcLIg==,type:str]
+public_keys:
+ xqtc: ENC[AES256_GCM,data:bQ39+TS67ww01qfkhv//AfE3h4od4QgOUMATwKoeI7D7JHzCpM38jZudNlJixbyR8bLOKsBohqB3Pad6Q27dnXLCyZ/XtyZMLyhZuaOBVkx8+4ow1SWEyDxHM/N3WPZxjgM=,iv:FKHKaOknTYKzel3R6AUOb4RvXH04rQd4bHospGrsrUA=,tag:yCtxIdfWdIFjPiFbrFuPKg==,type:str]
+nextcloud_password: ENC[AES256_GCM,data:lwqQio1I1xTv07bLRyrvig1HRyCxcueSPgDpPRhXBqCi8d42OJt7rA==,iv:R0JxpCJz9zycph9p7Ewwt4QTEXQxaxJ691aWCXfEsFE=,tag:Qz3dD2cOkmneEWP7tI54Dg==,type:str]
+paperless_password: ENC[AES256_GCM,data:OCrc00vUb+lgel8TmFm+9Ee4QJZZV7W6+Jl9+R7AfjfDh6v590ibvw==,iv:emM7g0JRcEH4xuYdvZN64drOhduXyQy6HwF1xByaLvE=,tag:D2O1qAeKtYWGf+Zd3RuBTQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jmqdy4ntgmunnh485qcvxg9yvc2rcvrwf8nq0jg8n4c5al7sza2qq3c80d
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UXN2bWFuL1oyUWY2aEMx
+ NkVJK0VZRHVZYVBzRDZQdFloWTFDbWJTdW4wCkkvdGozT2VzRTJjVnE5MExPRERR
+ eHVzazQxajg0Nm9DYWFMcWhiYXRqcmMKLS0tIDhGZWxsTEdlbnQ5TmE0V2gwVTlC
+ U3ZRUXo2SlBSZitENnUwdFQxRzczczQKixuIzUUzWvr/587c2ALWqc+eb0tmwOGN
+ RTSBTCn5YM7RhoXqwvSWwb8Jkwa5gEajNo9c/yTKz14/TJFB3tJD/w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1lznc3dadzpc7vllpvnpdf8samadleep7sxfg0dnpzwl0nngzdv7suu73rh
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZ3lBUDdrZWR5Qi91d2hQ
+ bzVSOStwTVVMeHhrZitmN2MvM0lWLyszMVVvCllwS0g3Z3NlMGN5Qy92eGdpMEND
+ NUczRDJWSGpYa3ljZkd5SmF2K3BDSlkKLS0tIGkrdkdHNXVUNEcxK0lqQzM2UFRX
+ YWZYMUVlTEN0WGFrYm8xbEx1d3VwNUUKj7uYjZlxrzr3rtkKuhljgC2YRZFmAxzS
+ Jtv5WN8xnTGCLPQ3Pq7BfReDz5hVypBFtEc2xy/zBVgl+RQbs3oidg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1xf86ak2hu5efux42au4x7wlxqpxqpuld7kd6nnr2qzhl662wy3vq940d4p
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UVQxUmd4Z3A0ZTVGMS9x
+ M0ZYV3RCN3hTenArZVZ3RHV4cGRGZEdCdUN3CjdyNDRDY0d3WmEycXNkb2F5OENu
+ NGNVV2N2b3d3VmltMjd4M0NTWVhvQUUKLS0tIE1NWFFOcGV4YnBwcGNZSTkvNnFs
+ N2lwWWwxZFZkNzRRTXMxSDRNczZ3cEUKMC8rkGm0f0//n6yFaDTRpaFL8OE+4wEc
+ zcpC9E/3rzB+DC8H/CB9DIa7/LO+RQzR0THjGjc4EtooX0/PTxvn4g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-07-03T14:48:29Z"
+ mac: ENC[AES256_GCM,data:LHH3qUI92p9PFkheFlHV4EwfMebLnHyrEr6iyMCOPWLh+vyai039gFHP/qZuKO51qgQdWiNYagwTNGwh/wCPUsXqmrT6/zyUVRzY+qM8ei0mTsyATPT2N/nFurb0HUueSO1rNzkYFbb6Io+5KdkQQbgbXoKxVV3xaWPB0FvB5cg=,iv:YmO2DvOP+5XUFs+r2ywn3mS8igxwhdoMB4VmtFsxVDU=,tag:udN3POCZVJvh2MircwckKQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1