From 52a63b9b7107a0b02f4046545909fd7862c14f0a Mon Sep 17 00:00:00 2001
From: xqtc161
Date: Wed, 3 Jul 2024 17:52:10 +0200
Subject: [PATCH] sops-nix
---
 .sops.yaml | 14 ++++++++
 common/default.nix | 5 ++-
 common/sops.nix | 21 +++++++++++
 flake.lock | 38 ++++++++++++++++++++
 flake.nix | 23 ++++++++-----
 home/modules/default.nix | 3 +-
 home/modules/sops.nix | 17 +++++++++
 home/modules/ssh.nix | 22 +++++-------
 home/secrets/secrets.nix | 6 ----
 home/secrets/xqtc_id_ed25519.age | Bin 611 -> 0 bytes
 home/secrets/xqtc_id_ed25519_pub.age | Bin 306 -> 0 bytes
 hosts/x86_64-linux/asmodeus/default.nix | 3 ++
 hosts/x86_64-linux/beleth/nextcloud.nix | 6 ++++
 hosts/x86_64-linux/beleth/paperless.nix | 5 +++
 modules/home-manager.nix | 6 ++--
 secrets.yaml | 44 ++++++++++++++++++++++++
 16 files changed, 181 insertions(+), 32 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 common/sops.nix
 create mode 100644 home/modules/sops.nix
 delete mode 100644 home/secrets/secrets.nix
 delete mode 100644 home/secrets/xqtc_id_ed25519.age
 delete mode 100644 home/secrets/xqtc_id_ed25519_pub.age
 create mode 100644 secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..7c247e5
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,14 @@
+keys:
+ - &users:
+ - &xqtc age1jmqdy4ntgmunnh485qcvxg9yvc2rcvrwf8nq0jg8n4c5al7sza2qq3c80d
+ - &hosts:
+ - &asmodeus age1lznc3dadzpc7vllpvnpdf8samadleep7sxfg0dnpzwl0nngzdv7suu73rh
+ - &beleth age1xf86ak2hu5efux42au4x7wlxqpxqpuld7kd6nnr2qzhl662wy3vq940d4p
+
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - age:
+ - *xqtc
+ - *asmodeus
+ - *beleth
diff --git a/common/default.nix b/common/default.nix
index 49cabcf..cefc27f 100644
--- a/common/default.nix
+++ b/common/default.nix
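Review bot: The single creation rule encrypts every entry of secrets.yaml to all three recipients, so either host's ssh identity can decrypt the other host's service passwords and the `private_keys/xqtc` ssh private key that only the user's home-manager config consumes. Splitting into per-host files narrows the blast radius of one compromised host to its own secrets, e.g. a rule `- path_regex: secrets/beleth\.yaml$` with `key_groups: [{age: [*xqtc, *beleth]}]` and a matching `sops.defaultSopsFile` in that host's sops module. The `&users:`/`&hosts:` lines carry a trailing colon that appears to be parsed as a mapping indicator rather than part of a group name; sops only resolves the leaf aliases so it works, but `# users` / `# hosts` comments would state the grouping without relying on that.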
@@ -5,7 +5,10 @@
 pkgs,
 ...
 }: {
- imports = [./syncthing.nix];
+ imports = [
+ ./syncthing.nix
+ ./sops.nix
+ ];
 #nixpkgs.config.permittedInsecurePackages = ["electron-25.9.0" "electron-24.8.6"];
 # networking.hosts = {
 # "192.168.178.35" = ["jellyfin.fritz.box" "grafana.fritz.box"];
diff --git a/common/sops.nix b/common/sops.nix
new file mode 100644
index 0000000..e4d9c26
--- /dev/null
+++ b/common/sops.nix
@@ -0,0 +1,21 @@
+{
+ inputs,
+ config,
+ lib,
+ ...
+}: {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ sops = {
+ defaultSopsFile = ../secrets.yaml;
+ validateSopsFiles = false;
+
+ age = {
+ sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ keyFile = "/var/lib/sops/age/keys.txt";
+ generateKey = true;
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index a6f671d..c206eff 100644
--- a/flake.lock
+++ b/flake.lock
@@ -462,6 +462,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1719663039,
+ "narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1627814220,
@@ -582,6 +598,7 @@
 "nixpkgs": "nixpkgs_5",
 "nixpkgs-master": "nixpkgs-master",
 "nixvim": "nixvim",
+ "sops-nix": "sops-nix",
 "spicetify-nix": "spicetify-nix"
 }
 },
@@ -601,6 +618,27 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1719873517,
+ "narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "a11224af8d824935f363928074b4717ca2e280db",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "spicetify-nix": {
 "inputs": {
 "flake-utils": "flake-utils_5",
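Review bot: `validateSopsFiles = false;` in common/sops.nix switches off the evaluation-time check that `../secrets.yaml` is a well-formed, encrypted sops file, yet the file is referenced as a flake-relative path and so is already copied to the store, which is the only situation the check normally has to be disabled for. Dropping that line, or adding `# validation off because: <reason>` above it, keeps a malformed or accidentally plaintext secrets.yaml from reaching activation unnoticed. `generateKey = true` also deserves a comment: as far as this hunk shows, a missing `/var/lib/sops/age/keys.txt` gets a freshly generated key that is not a recipient in `.sops.yaml`, so decryption depends entirely on the host key in `sshKeyPaths`; either drop `keyFile`/`generateKey` or note that the generated key is meant to be added as a recipient later.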
diff --git a/flake.nix b/flake.nix
index c4aeab8..db311bd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,23 +9,27 @@
 url = "github:nix-community/home-manager/master";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 spicetify-nix.url = "github:the-argus/spicetify-nix";
 nh.url = "github:/viperML/nh";
 lix-module = {
 url = "https://git.lix.systems/lix-project/nixos-module/archive/2.90.0-rc1.tar.gz";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ firefox-addons.url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
+ nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+ nixvim = {
+ # If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim.
+ #url = "github:nix-community/nixvim/22b587f3dc5c040eb1916aa2a67868f1918d9d17";
+ url = "github:nix-community/nixvim";
+
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 #inputs.agenix.url = "github:ryantm/agenix";
- inputs.firefox-addons.url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
- inputs.nixos-hardware.url = "github:NixOS/nixos-hardware/master";
- inputs.nixvim = {
- # If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim.
- #url = "github:nix-community/nixvim/22b587f3dc5c040eb1916aa2a67868f1918d9d17";
- url = "github:nix-community/nixvim";
-
- inputs.nixpkgs.follows = "nixpkgs";
- };
 outputs = inputs @ {
 self,
@@ -37,6 +41,7 @@
 nixvim,
 nh,
 lix-module,
+ sops-nix,
 ...
 }: let
 lib = nixpkgs.lib;
diff --git a/home/modules/default.nix b/home/modules/default.nix
index d4e428b..cfe41d4 100644
--- a/home/modules/default.nix
+++ b/home/modules/default.nix
@@ -18,6 +18,7 @@
 ./spicetify.nix
 ./yazi.nix
 ./zoxide.nix
- #./ssh.nix
+ ./sops.nix
+ ./ssh.nix
 ];
 }
diff --git a/home/modules/sops.nix b/home/modules/sops.nix
new file mode 100644
index 0000000..868a008
--- /dev/null
+++ b/home/modules/sops.nix
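Review bot: The new `sops-nix` input follows only `inputs.nixpkgs`; its `nixpkgs-stable` input is left to sops-nix's own lock, which is why the flake.lock hunk in this commit gains a second full nixpkgs checkout pinned to `release-23.11`. Adding `inputs.nixpkgs-stable.follows = "nixpkgs";` under the existing follows line avoids the extra download and keeps a single nixpkgs revision in the flake closure; sops-nix only uses that input for its own test suite. The `firefox-addons`/`nixos-hardware`/`nixvim` lines are a pure move into the `inputs` set and need nothing further.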
@@ -0,0 +1,17 @@
+{
+ inputs,
+ config,
+ lib,
+ ...
+}: {
+ sops = {
+ defaultSopsFile = ../../secrets.yaml;
+ validateSopsFiles = false;
+
+ age = {
+ sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ keyFile = "/home/xqtc/.config/sops/age/keys.txt";
+ generateKey = true;
+ };
+ };
+}
diff --git a/home/modules/ssh.nix b/home/modules/ssh.nix
index fa22692..0635539 100644
--- a/home/modules/ssh.nix
+++ b/home/modules/ssh.nix
@@ -5,18 +5,14 @@
 pkgs,
 ...
 }: {
- age.identityPaths = ["${config.home.homeDirectory}/.ssh/agenix"]; # Use this key to decrypt
- home.packages = [
- inputs.agenix.packages.x86_64-linux.default # Install CLI tool to encrypt
- ];
- age.secrets.xqtc_id_ed25519 = {
- file = ../secrets/xqtc_id_ed25519.age;
- path = "${config.home.homeDirectory}/.ssh/id_ed25519";
- mode = "600";
- };
- age.secrets.xqtc_id_ed25519_pub = {
- file = ../secrets/xqtc_id_ed25519_pub.age;
- path = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
- mode = "640";
+ sops.secrets = {
+ "private_keys/xqtc" = {
+ path = "/home/xqtc/.ssh/id_ed25519";
+ mode = "600";
+ };
+ "public_keys/xqtc" = {
+ path = "/home/xqtc/.ssh/id_ed25519.pub";
+ mode = "640";
+ };
 };
 }
diff --git a/home/secrets/secrets.nix b/home/secrets/secrets.nix
deleted file mode 100644
index 030c814..0000000
--- a/home/secrets/secrets.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-let
- xqtc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFecbWOhXR4z1wrrI5onn4SFGtu/lfsOblreuRWcbLug";
-in {
- "xqtc_id_ed25519.age".publicKeys = [xqtc];
- "xqtc_id_ed25519_pub.age".publicKeys = [xqtc];
-}
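Review bot: `sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];` in the home-manager module runs during the user's activation, and under default NixOS permissions the host private key is readable only by root, so that identity presumably cannot be loaded there and only `keyFile` can actually decrypt. With `generateKey = true`, a missing `keys.txt` is replaced by a freshly generated key that is not a recipient in `.sops.yaml`, which turns a provisioning mistake into an opaque decryption failure; `generateKey = false;` plus `# the xqtc age identity is provisioned out of band` states the real requirement. `config` is bound but unused: `keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";` avoids hard-coding `/home/xqtc`, and `lib` and `inputs` could be dropped from the argument set.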
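Review bot: The new `path` values in ssh.nix hard-code `/home/xqtc` while the removed lines used `config.home.homeDirectory`, which is still available from the module's argument set (its header starts outside the hunk); `path = "${config.home.homeDirectory}/.ssh/id_ed25519";` and the same for the `.pub` entry keep the module portable to other users and hosts. `public_keys/xqtc` is a public key and gains nothing from being a sops secret; committing `id_ed25519.pub` as a plain file and placing it with `home.file` would also remove the `640` mode special case. `inputs` and `pkgs` appear unused in this module after the agenix removal.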
diff --git a/home/secrets/xqtc_id_ed25519.age b/home/secrets/xqtc_id_ed25519.age
deleted file mode 100644
index 656b45427eb7e7918a3149f5b06710b6b3e1022f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 611
zcmV-p0-XI}XJsvAZewzJaCB*JZZ2%a+|+sXbeb6+*o-j zZ!1InHl%Cv)-Aw9Y~JM5eJ%PolVW}C>xhE|TGKe~7^JZs8vSLCDm|slOm?dr!e7uk zgrKpdy;1VJ%K=bfNdCc7itQErMt)|qE0&wm$3)DTt+CPw2mKKuLwi};UYhL~&2h*W z@@`bHH+mjV7-cl}vymm9)`@0WC#u}IjMEtNX9Au}mJ3$;OI(;>0xtqSp<;KuPo~DhCvbWEL4|L50 xDJ%@wX?HAW8w%{XZ#-Y$0F0ENwR+sim!pQ=H_%S5EK4pU;YlT<)gkD;Ch_jt7Rmqs
diff --git a/home/secrets/xqtc_id_ed25519_pub.age b/home/secrets/xqtc_id_ed25519_pub.age
deleted file mode 100644
index 09db773fdbd245023a0b903552a33968a217bd4b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 306
zcmV-20nPqlXJsvAZewzJaCB*JZZ2$GN zLU}?+LP}L@Q8#K>Lsd*fGipRrVofNH+fl;P`Qx;Ah!n}_Ls#)OwO1fCb35cG+0Kr07_O)9o@wD>lBG2PmQrN EePjo0#Q*>R
diff --git a/hosts/x86_64-linux/asmodeus/default.nix b/hosts/x86_64-linux/asmodeus/default.nix
index 8eb0295..718bdf3 100644
--- a/hosts/x86_64-linux/asmodeus/default.nix
+++ b/hosts/x86_64-linux/asmodeus/default.nix
@@ -41,6 +41,9 @@
 ../../gc.nix
 ];
+ sops.secrets."nextcloud_password" = {
+ path = "/etc/nx_pass";
+ };
 nixpkgs.config.allowUnfree = true;
 boot.binfmt.emulatedSystems = ["aarch64-linux"];
diff --git a/hosts/x86_64-linux/beleth/nextcloud.nix b/hosts/x86_64-linux/beleth/nextcloud.nix
index 99d5699..9265c18 100644
--- a/hosts/x86_64-linux/beleth/nextcloud.nix
+++ b/hosts/x86_64-linux/beleth/nextcloud.nix
@@ -10,6 +10,12 @@
 sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
 }}/nextcloud-extras.nix"
 ];
+
+ sops.secrets."nextcloud_password" = {
+ path = "/etc/nx_pass";
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
 services.nextcloud = {
 webserver = "caddy";
diff --git a/hosts/x86_64-linux/beleth/paperless.nix b/hosts/x86_64-linux/beleth/paperless.nix
index 8da0f29..ed6f5cb 100644
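Review bot: `nextcloud_password` on asmodeus is declared without `owner`/`group`, so sops-nix's defaults apply (root-owned, mode 0400), whereas the beleth copy is owned by `nextcloud`; if anything on asmodeus that is not root reads `/etc/nx_pass` it will fail, and if nothing on asmodeus consumes it the declaration can go and asmodeus can be dropped from the recipients of that secret. Both hosts also pin the secret to the literal `/etc/nx_pass` rather than consuming `config.sops.secrets."nextcloud_password".path` where the service is configured (outside this hunk), which would keep the secret under sops-nix's `/run/secrets` tree and prevent the two literal paths from drifting apart.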
--- a/hosts/x86_64-linux/beleth/paperless.nix
+++ b/hosts/x86_64-linux/beleth/paperless.nix
@@ -4,6 +4,11 @@
 inputs,
 ...
 }: {
+ sops.secrets."paperless_password" = {
+ path = "/etc/paperless_sc";
+ owner = "paperless";
+ group = "paperless";
+ };
 services.paperless = {
 enable = true;
 passwordFile = "/etc/paperless_sc";
diff --git a/modules/home-manager.nix b/modules/home-manager.nix
index 4fc169e..7ef29db 100644
--- a/modules/home-manager.nix
+++ b/modules/home-manager.nix
@@ -3,7 +3,9 @@
 inputs,
 ...
 }: {
- imports = [inputs.home-manager.nixosModules.home-manager];
+ imports = [
+ inputs.home-manager.nixosModules.home-manager
+ ];
 config = {
 home-manager.useGlobalPkgs = true;
 home-manager.useUserPackages = true;
@@ -13,7 +15,7 @@
 imports = [
 ../home
 inputs.nixvim.homeManagerModules.nixvim
- #inputs.agenix.homeManagerModules.default
+ inputs.sops-nix.homeManagerModules.sops
 ];
 };
 };
diff --git a/secrets.yaml b/secrets.yaml
new file mode 100644
index 0000000..c952c42
--- /dev/null
+++ b/secrets.yaml
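Review bot: `passwordFile = "/etc/paperless_sc";` repeats the literal path of the secret declared a few lines above; `passwordFile = config.sops.secrets."paperless_password".path;` ties the two together, after which the `path` override is unnecessary and the file stays under sops-nix's `/run/secrets` tree with the `paperless` owner still applied. This needs `config` in the module's argument set, whose header begins outside the hunk and shows only `inputs, ...` here. nextcloud.nix in this commit has the same literal-path duplication for `/etc/nx_pass`.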
@@ -0,0 +1,44 @@
+private_keys:
+ xqtc: ENC[AES256_GCM,data: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,iv:YZSCbv3+qerH9I1L10OkaId0b25p7Tz/fw0mimjGQ70=,tag:slAoYzANbap1ghkAkGcLIg==,type:str]
+public_keys:
+ xqtc: ENC[AES256_GCM,data:bQ39+TS67ww01qfkhv//AfE3h4od4QgOUMATwKoeI7D7JHzCpM38jZudNlJixbyR8bLOKsBohqB3Pad6Q27dnXLCyZ/XtyZMLyhZuaOBVkx8+4ow1SWEyDxHM/N3WPZxjgM=,iv:FKHKaOknTYKzel3R6AUOb4RvXH04rQd4bHospGrsrUA=,tag:yCtxIdfWdIFjPiFbrFuPKg==,type:str]
+nextcloud_password: ENC[AES256_GCM,data:lwqQio1I1xTv07bLRyrvig1HRyCxcueSPgDpPRhXBqCi8d42OJt7rA==,iv:R0JxpCJz9zycph9p7Ewwt4QTEXQxaxJ691aWCXfEsFE=,tag:Qz3dD2cOkmneEWP7tI54Dg==,type:str]
+paperless_password: ENC[AES256_GCM,data:OCrc00vUb+lgel8TmFm+9Ee4QJZZV7W6+Jl9+R7AfjfDh6v590ibvw==,iv:emM7g0JRcEH4xuYdvZN64drOhduXyQy6HwF1xByaLvE=,tag:D2O1qAeKtYWGf+Zd3RuBTQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jmqdy4ntgmunnh485qcvxg9yvc2rcvrwf8nq0jg8n4c5al7sza2qq3c80d
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UXN2bWFuL1oyUWY2aEMx
+ NkVJK0VZRHVZYVBzRDZQdFloWTFDbWJTdW4wCkkvdGozT2VzRTJjVnE5MExPRERR
+ eHVzazQxajg0Nm9DYWFMcWhiYXRqcmMKLS0tIDhGZWxsTEdlbnQ5TmE0V2gwVTlC
+ U3ZRUXo2SlBSZitENnUwdFQxRzczczQKixuIzUUzWvr/587c2ALWqc+eb0tmwOGN
+ RTSBTCn5YM7RhoXqwvSWwb8Jkwa5gEajNo9c/yTKz14/TJFB3tJD/w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1lznc3dadzpc7vllpvnpdf8samadleep7sxfg0dnpzwl0nngzdv7suu73rh
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZ3lBUDdrZWR5Qi91d2hQ
+ bzVSOStwTVVMeHhrZitmN2MvM0lWLyszMVVvCllwS0g3Z3NlMGN5Qy92eGdpMEND
+ NUczRDJWSGpYa3ljZkd5SmF2K3BDSlkKLS0tIGkrdkdHNXVUNEcxK0lqQzM2UFRX
+ YWZYMUVlTEN0WGFrYm8xbEx1d3VwNUUKj7uYjZlxrzr3rtkKuhljgC2YRZFmAxzS
+ Jtv5WN8xnTGCLPQ3Pq7BfReDz5hVypBFtEc2xy/zBVgl+RQbs3oidg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1xf86ak2hu5efux42au4x7wlxqpxqpuld7kd6nnr2qzhl662wy3vq940d4p
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UVQxUmd4Z3A0ZTVGMS9x
+ M0ZYV3RCN3hTenArZVZ3RHV4cGRGZEdCdUN3CjdyNDRDY0d3WmEycXNkb2F5OENu
+ NGNVV2N2b3d3VmltMjd4M0NTWVhvQUUKLS0tIE1NWFFOcGV4YnBwcGNZSTkvNnFs
+ N2lwWWwxZFZkNzRRTXMxSDRNczZ3cEUKMC8rkGm0f0//n6yFaDTRpaFL8OE+4wEc
+ zcpC9E/3rzB+DC8H/CB9DIa7/LO+RQzR0THjGjc4EtooX0/PTxvn4g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-07-03T14:48:29Z"
+ mac: ENC[AES256_GCM,data:LHH3qUI92p9PFkheFlHV4EwfMebLnHyrEr6iyMCOPWLh+vyai039gFHP/qZuKO51qgQdWiNYagwTNGwh/wCPUsXqmrT6/zyUVRzY+qM8ei0mTsyATPT2N/nFurb0HUueSO1rNzkYFbb6Io+5KdkQQbgbXoKxVV3xaWPB0FvB5cg=,iv:YmO2DvOP+5XUFs+r2ywn3mS8igxwhdoMB4VmtFsxVDU=,tag:udN3POCZVJvh2MircwckKQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
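Review bot: `public_keys/xqtc` holds an SSH public key, which gains nothing from encryption and only adds to what has to be re-encrypted on every recipient or key rotation; keeping it as a plain committed file, or naming the key `xqtc_unencrypted` so the `unencrypted_suffix: _unencrypted` rule already present in this file applies, keeps the encrypted payload to genuinely secret material. The three recipients under `sops.age` match `.sops.yaml`, so any one of them decrypts every entry, including `private_keys/xqtc`; if the file is later split per host, each host's file should list only that host and the user as recipients.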