xqtc161 2024-07-03 17:52:10 +02:00
parent baf4534b74
commit 52a63b9b71
16 changed files with 181 additions and 32 deletions

14
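--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,14 @@
+keys:
+- &users:
+- &xqtc age1jmqdy4ntgmunnh485qcvxg9yvc2rcvrwf8nq0jg8n4c5al7sza2qq3c80d
+- &hosts:
+- &asmodeus age1lznc3dadzpc7vllpvnpdf8samadleep7sxfg0dnpzwl0nngzdv7suu73rh
+- &beleth age1xf86ak2hu5efux42au4x7wlxqpxqpuld7kd6nnr2qzhl662wy3vq940d4p
+creation_rules:
+- path_regex: secrets.yaml$
+key_groups:
+- age:
+- *xqtc
+- *asmodeus
+- *beleth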
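Review bot: The single creation rule (path_regex `secrets.yaml$` with the key group xqtc, asmodeus, beleth) encrypts every entry of secrets.yaml to both host keys, so either host's ssh_host_ed25519_key can decrypt the user's SSH private key (`private_keys/xqtc`) and the other host's service passwords, and one compromised host exposes all of them. One secrets file per host, e.g. `hosts/<host>/secrets.yaml` with its own rule listing only `*xqtc` and that host's key, limits each host key to the secrets it actually needs (common/sops.nix would then point defaultSopsFile at the per-host file). The anchor-only lines `- &users:` and `- &hosts:` create anchors on empty nodes that nothing references; if they are meant as group headers, comments (`# users`, `# hosts`) say the same without the unused anchors. The unescaped dot in the regex is harmless here, but `secrets\.yaml$` is what is meant.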


@ -5,7 +5,10 @@
pkgs, pkgs,
... ...
}: { }: {
imports = [./syncthing.nix]; imports = [
./syncthing.nix
./sops.nix
];
#nixpkgs.config.permittedInsecurePackages = ["electron-25.9.0" "electron-24.8.6"]; #nixpkgs.config.permittedInsecurePackages = ["electron-25.9.0" "electron-24.8.6"];
# networking.hosts = { # networking.hosts = {
# "192.168.178.35" = ["jellyfin.fritz.box" "grafana.fritz.box"]; # "192.168.178.35" = ["jellyfin.fritz.box" "grafana.fritz.box"];

21
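--- /dev/null
+++ b/common/sops.nix
@@ -0,0 +1,21 @@
+{
+inputs,
+config,
+lib,
+...
+}: {
+imports = [
+inputs.sops-nix.nixosModules.sops
+];
+sops = {
+defaultSopsFile = ../secrets.yaml;
+validateSopsFiles = false;
+age = {
+sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+keyFile = "/var/lib/sops/age/keys.txt";
+generateKey = true;
+};
+};
+}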
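Review bot: `validateSopsFiles = false;` disables the evaluation-time check that defaultSopsFile is a well-formed sops document and that every name used in `sops.secrets` exists in it, so a misspelled secret name or a corrupted secrets.yaml is only noticed when the host activates and decryption fails. secrets.yaml is committed in this same tree, so the default (`validateSopsFiles = true;`) should work; if it was switched off deliberately (for instance because the secrets file is not part of the flake source), a one-line comment above it saying so would keep the next reader from turning it back on. The same setting is repeated in home/modules/sops.nix. `config` and `lib` in the argument set are unused and can be dropped.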


@ -462,6 +462,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1719663039,
"narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1627814220, "lastModified": 1627814220,
@ -582,6 +598,7 @@
"nixpkgs": "nixpkgs_5", "nixpkgs": "nixpkgs_5",
"nixpkgs-master": "nixpkgs-master", "nixpkgs-master": "nixpkgs-master",
"nixvim": "nixvim", "nixvim": "nixvim",
"sops-nix": "sops-nix",
"spicetify-nix": "spicetify-nix" "spicetify-nix": "spicetify-nix"
} }
}, },
@ -601,6 +618,27 @@
"type": "github" "type": "github"
} }
}, },
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1719873517,
"narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "a11224af8d824935f363928074b4717ca2e280db",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"spicetify-nix": { "spicetify-nix": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_5", "flake-utils": "flake-utils_5",


@ -9,23 +9,27 @@
url = "github:nix-community/home-manager/master"; url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
spicetify-nix.url = "github:the-argus/spicetify-nix"; spicetify-nix.url = "github:the-argus/spicetify-nix";
nh.url = "github:/viperML/nh"; nh.url = "github:/viperML/nh";
lix-module = { lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.90.0-rc1.tar.gz"; url = "https://git.lix.systems/lix-project/nixos-module/archive/2.90.0-rc1.tar.gz";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; firefox-addons.url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
#inputs.agenix.url = "github:ryantm/agenix"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
inputs.firefox-addons.url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons"; nixvim = {
inputs.nixos-hardware.url = "github:NixOS/nixos-hardware/master";
inputs.nixvim = {
# If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim. # If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim.
#url = "github:nix-community/nixvim/22b587f3dc5c040eb1916aa2a67868f1918d9d17"; #url = "github:nix-community/nixvim/22b587f3dc5c040eb1916aa2a67868f1918d9d17";
url = "github:nix-community/nixvim"; url = "github:nix-community/nixvim";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
};
#inputs.agenix.url = "github:ryantm/agenix";
outputs = inputs @ { outputs = inputs @ {
self, self,
@ -37,6 +41,7 @@
nixvim, nixvim,
nh, nh,
lix-module, lix-module,
sops-nix,
... ...
}: let }: let
lib = nixpkgs.lib; lib = nixpkgs.lib;
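Review bot: The new `sops-nix` input pins only `inputs.nixpkgs.follows`, while sops-nix also declares a `nixpkgs-stable` input, so the lock now carries a second full nixpkgs checkout (release-23.11) that, as far as the lock shows, is used only by sops-nix; adding `inputs.nixpkgs-stable.follows = "nixpkgs";` inside the sops-nix block keeps the flake on a single nixpkgs revision. The `#inputs.agenix.url = "github:ryantm/agenix";` line that this hunk carries over is now dead, since the agenix secrets file and the `age.*` configuration are removed in this same commit, and can go. The `inputs` attribute set starts above the hunk.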


@ -18,6 +18,7 @@
./spicetify.nix ./spicetify.nix
./yazi.nix ./yazi.nix
./zoxide.nix ./zoxide.nix
#./ssh.nix ./sops.nix
./ssh.nix
]; ];
} }

17
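--- /dev/null
+++ b/home/modules/sops.nix
@@ -0,0 +1,17 @@
+{
+inputs,
+config,
+lib,
+...
+}: {
+sops = {
+defaultSopsFile = ../../secrets.yaml;
+validateSopsFiles = false;
+age = {
+sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+keyFile = "/home/xqtc/.config/sops/age/keys.txt";
+generateKey = true;
+};
+};
+}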
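Review bot: `sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]` is used here in a home-manager module, i.e. by the user's own activation, and the host key is normally readable only by root, so deriving the age identity from it would presumably fail for xqtc; with `generateKey = true;` the fallback is then either a second failure or a freshly generated key that is not among the recipients in .sops.yaml. .sops.yaml already lists a separate user recipient (`&xqtc`), so this module most likely should rely on that identity at keyFile: drop the sshKeyPaths line and set `generateKey = false;` so a missing key is reported instead of silently replaced — unless xqtc is deliberately granted read access to the host key, in which case a comment here should say so. keyFile also hard-codes `/home/xqtc` although `config` is in the argument set; `keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";` follows the convention the removed agenix code used, and the same applies to the two `path` values in home/modules/ssh.nix in this commit.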


@ -5,18 +5,14 @@
pkgs, pkgs,
... ...
}: { }: {
age.identityPaths = ["${config.home.homeDirectory}/.ssh/agenix"]; # Use this key to decrypt sops.secrets = {
home.packages = [ "private_keys/xqtc" = {
inputs.agenix.packages.x86_64-linux.default # Install CLI tool to encrypt path = "/home/xqtc/.ssh/id_ed25519";
];
age.secrets.xqtc_id_ed25519 = {
file = ../secrets/xqtc_id_ed25519.age;
path = "${config.home.homeDirectory}/.ssh/id_ed25519";
mode = "600"; mode = "600";
}; };
age.secrets.xqtc_id_ed25519_pub = { "public_keys/xqtc" = {
file = ../secrets/xqtc_id_ed25519_pub.age; path = "/home/xqtc/.ssh/id_ed25519.pub";
path = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
mode = "640"; mode = "640";
}; };
};
} }


@ -1,6 +0,0 @@
let
xqtc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFecbWOhXR4z1wrrI5onn4SFGtu/lfsOblreuRWcbLug";
in {
"xqtc_id_ed25519.age".publicKeys = [xqtc];
"xqtc_id_ed25519_pub.age".publicKeys = [xqtc];
}

Binary file not shown.

Binary file not shown.


@ -41,6 +41,9 @@
../../gc.nix ../../gc.nix
]; ];
sops.secrets."nextcloud_password" = {
path = "/etc/nx_pass";
};
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
boot.binfmt.emulatedSystems = ["aarch64-linux"]; boot.binfmt.emulatedSystems = ["aarch64-linux"];
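Review bot: `sops.secrets."nextcloud_password"` is defined here with only a path, while the nextcloud module in this same commit defines the same secret with the same path plus `owner = "nextcloud"; group = "nextcloud";`. If both modules are imported by this host, the module system merges the two (the equal `path` values merge cleanly) and the owner from the other definition applies, so this block is redundant; if they are not, /etc/nx_pass is created with sops-nix's default root ownership and mode and nextcloud cannot read it. Either way, keeping the single definition next to `services.nextcloud` and deleting these three lines avoids the two drifting apart.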


@ -11,6 +11,12 @@
}}/nextcloud-extras.nix" }}/nextcloud-extras.nix"
]; ];
sops.secrets."nextcloud_password" = {
path = "/etc/nx_pass";
owner = "nextcloud";
group = "nextcloud";
};
services.nextcloud = { services.nextcloud = {
webserver = "caddy"; webserver = "caddy";
}; };


@ -4,6 +4,11 @@
inputs, inputs,
... ...
}: { }: {
sops.secrets."paperless_password" = {
path = "/etc/paperless_sc";
owner = "paperless";
group = "paperless";
};
services.paperless = { services.paperless = {
enable = true; enable = true;
passwordFile = "/etc/paperless_sc"; passwordFile = "/etc/paperless_sc";


@ -3,7 +3,9 @@
inputs, inputs,
... ...
}: { }: {
imports = [inputs.home-manager.nixosModules.home-manager]; imports = [
inputs.home-manager.nixosModules.home-manager
];
config = { config = {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
@ -13,7 +15,7 @@
imports = [ imports = [
../home ../home
inputs.nixvim.homeManagerModules.nixvim inputs.nixvim.homeManagerModules.nixvim
#inputs.agenix.homeManagerModules.default inputs.sops-nix.homeManagerModules.sops
]; ];
}; };
}; };

44
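--- /dev/null
+++ b/secrets.yaml
@@ -0,0 +1,44 @@
+private_keys:
+xqtc: ENC[AES256_GCM,data:rpdj0jpEL+oI83ML+uVzTIr0zcc7vCrV5jFLUks+tjpR5cGkp3TxJ287ijRAEF17PqDK90t1Sql/Wt/VDriiF8FdwSMZRHIXtuQ2JoxZ7ZF0gI1O5f+RYI7f9YhRWwXWdGi7syhDHOIYuqNv2C3tmeM7vsGn2A7e+k68Dfj2SnP6EbQr3xaEr155YWTdN5VwiWUNRGa0AgKXEnNFjtxZd1rjKvcKSiWeDMoq4kYswpPcIjdcGSgIuh/W9RxaQls79wQ6EB958jwiU0mTRK2quyq4yDAbxocxExdy4ZRdqCj1FfZYtHN4hUwzif+pVihDxspyKu2PG0a+mDZPjG88STUqUSHd1rAVet3TxaHCAXMUNnALzLxV6uXaTZJOCpK5U/hIyRYKcm7NnUzkfrluEPAK1IDP3TiiVZEPHjx2cTxhWuMGc5qtWz7YCzTXP/m2XoLRhgaoP4WkYDdg/X4iMXqU3yTO+WClKJPrqvFzIwdvuioiL1hEJ/sKl3O+XtcipKM89PqL1Jrga+yiEZsS,iv:YZSCbv3+qerH9I1L10OkaId0b25p7Tz/fw0mimjGQ70=,tag:slAoYzANbap1ghkAkGcLIg==,type:str]
+public_keys:
+xqtc: ENC[AES256_GCM,data:bQ39+TS67ww01qfkhv//AfE3h4od4QgOUMATwKoeI7D7JHzCpM38jZudNlJixbyR8bLOKsBohqB3Pad6Q27dnXLCyZ/XtyZMLyhZuaOBVkx8+4ow1SWEyDxHM/N3WPZxjgM=,iv:FKHKaOknTYKzel3R6AUOb4RvXH04rQd4bHospGrsrUA=,tag:yCtxIdfWdIFjPiFbrFuPKg==,type:str]
+nextcloud_password: ENC[AES256_GCM,data:lwqQio1I1xTv07bLRyrvig1HRyCxcueSPgDpPRhXBqCi8d42OJt7rA==,iv:R0JxpCJz9zycph9p7Ewwt4QTEXQxaxJ691aWCXfEsFE=,tag:Qz3dD2cOkmneEWP7tI54Dg==,type:str]
+paperless_password: ENC[AES256_GCM,data:OCrc00vUb+lgel8TmFm+9Ee4QJZZV7W6+Jl9+R7AfjfDh6v590ibvw==,iv:emM7g0JRcEH4xuYdvZN64drOhduXyQy6HwF1xByaLvE=,tag:D2O1qAeKtYWGf+Zd3RuBTQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1jmqdy4ntgmunnh485qcvxg9yvc2rcvrwf8nq0jg8n4c5al7sza2qq3c80d
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UXN2bWFuL1oyUWY2aEMx
+NkVJK0VZRHVZYVBzRDZQdFloWTFDbWJTdW4wCkkvdGozT2VzRTJjVnE5MExPRERR
+eHVzazQxajg0Nm9DYWFMcWhiYXRqcmMKLS0tIDhGZWxsTEdlbnQ5TmE0V2gwVTlC
+U3ZRUXo2SlBSZitENnUwdFQxRzczczQKixuIzUUzWvr/587c2ALWqc+eb0tmwOGN
+RTSBTCn5YM7RhoXqwvSWwb8Jkwa5gEajNo9c/yTKz14/TJFB3tJD/w==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1lznc3dadzpc7vllpvnpdf8samadleep7sxfg0dnpzwl0nngzdv7suu73rh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZ3lBUDdrZWR5Qi91d2hQ
+bzVSOStwTVVMeHhrZitmN2MvM0lWLyszMVVvCllwS0g3Z3NlMGN5Qy92eGdpMEND
+NUczRDJWSGpYa3ljZkd5SmF2K3BDSlkKLS0tIGkrdkdHNXVUNEcxK0lqQzM2UFRX
+YWZYMUVlTEN0WGFrYm8xbEx1d3VwNUUKj7uYjZlxrzr3rtkKuhljgC2YRZFmAxzS
+Jtv5WN8xnTGCLPQ3Pq7BfReDz5hVypBFtEc2xy/zBVgl+RQbs3oidg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1xf86ak2hu5efux42au4x7wlxqpxqpuld7kd6nnr2qzhl662wy3vq940d4p
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UVQxUmd4Z3A0ZTVGMS9x
+M0ZYV3RCN3hTenArZVZ3RHV4cGRGZEdCdUN3CjdyNDRDY0d3WmEycXNkb2F5OENu
+NGNVV2N2b3d3VmltMjd4M0NTWVhvQUUKLS0tIE1NWFFOcGV4YnBwcGNZSTkvNnFs
+N2lwWWwxZFZkNzRRTXMxSDRNczZ3cEUKMC8rkGm0f0//n6yFaDTRpaFL8OE+4wEc
+zcpC9E/3rzB+DC8H/CB9DIa7/LO+RQzR0THjGjc4EtooX0/PTxvn4g==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-07-03T14:48:29Z"
+mac: ENC[AES256_GCM,data:LHH3qUI92p9PFkheFlHV4EwfMebLnHyrEr6iyMCOPWLh+vyai039gFHP/qZuKO51qgQdWiNYagwTNGwh/wCPUsXqmrT6/zyUVRzY+qM8ei0mTsyATPT2N/nFurb0HUueSO1rNzkYFbb6Io+5KdkQQbgbXoKxVV3xaWPB0FvB5cg=,iv:YmO2DvOP+5XUFs+r2ywn3mS8igxwhdoMB4VmtFsxVDU=,tag:udN3POCZVJvh2MircwckKQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1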