mirror of
https://git.gay/xqtc/nixos-config
synced 2024-11-22 09:50:33 +01:00
sops-nix
This commit is contained in:
parent
baf4534b74
commit
52a63b9b71
14
.sops.yaml
Normal file
14
.sops.yaml
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
keys:
|
||||||
|
- &users:
|
||||||
|
- &xqtc age1jmqdy4ntgmunnh485qcvxg9yvc2rcvrwf8nq0jg8n4c5al7sza2qq3c80d
|
||||||
|
- &hosts:
|
||||||
|
- &asmodeus age1lznc3dadzpc7vllpvnpdf8samadleep7sxfg0dnpzwl0nngzdv7suu73rh
|
||||||
|
- &beleth age1xf86ak2hu5efux42au4x7wlxqpxqpuld7kd6nnr2qzhl662wy3vq940d4p
|
||||||
|
|
||||||
|
creation_rules:
|
||||||
|
- path_regex: secrets.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *xqtc
|
||||||
|
- *asmodeus
|
||||||
|
- *beleth
|
|
@ -5,7 +5,10 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [./syncthing.nix];
|
imports = [
|
||||||
|
./syncthing.nix
|
||||||
|
./sops.nix
|
||||||
|
];
|
||||||
#nixpkgs.config.permittedInsecurePackages = ["electron-25.9.0" "electron-24.8.6"];
|
#nixpkgs.config.permittedInsecurePackages = ["electron-25.9.0" "electron-24.8.6"];
|
||||||
# networking.hosts = {
|
# networking.hosts = {
|
||||||
# "192.168.178.35" = ["jellyfin.fritz.box" "grafana.fritz.box"];
|
# "192.168.178.35" = ["jellyfin.fritz.box" "grafana.fritz.box"];
|
||||||
|
|
21
common/sops.nix
Normal file
21
common/sops.nix
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
{
|
||||||
|
inputs,
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [
|
||||||
|
inputs.sops-nix.nixosModules.sops
|
||||||
|
];
|
||||||
|
|
||||||
|
sops = {
|
||||||
|
defaultSopsFile = ../secrets.yaml;
|
||||||
|
validateSopsFiles = false;
|
||||||
|
|
||||||
|
age = {
|
||||||
|
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
||||||
|
keyFile = "/var/lib/sops/age/keys.txt";
|
||||||
|
generateKey = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
38
flake.lock
38
flake.lock
|
@ -462,6 +462,22 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs-stable": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1719663039,
|
||||||
|
"narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "release-23.11",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1627814220,
|
"lastModified": 1627814220,
|
||||||
|
@ -582,6 +598,7 @@
|
||||||
"nixpkgs": "nixpkgs_5",
|
"nixpkgs": "nixpkgs_5",
|
||||||
"nixpkgs-master": "nixpkgs-master",
|
"nixpkgs-master": "nixpkgs-master",
|
||||||
"nixvim": "nixvim",
|
"nixvim": "nixvim",
|
||||||
|
"sops-nix": "sops-nix",
|
||||||
"spicetify-nix": "spicetify-nix"
|
"spicetify-nix": "spicetify-nix"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -601,6 +618,27 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"sops-nix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"nixpkgs-stable": "nixpkgs-stable"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1719873517,
|
||||||
|
"narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=",
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"rev": "a11224af8d824935f363928074b4717ca2e280db",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"spicetify-nix": {
|
"spicetify-nix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-utils": "flake-utils_5",
|
"flake-utils": "flake-utils_5",
|
||||||
|
|
15
flake.nix
15
flake.nix
|
@ -9,23 +9,27 @@
|
||||||
url = "github:nix-community/home-manager/master";
|
url = "github:nix-community/home-manager/master";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
sops-nix = {
|
||||||
|
url = "github:Mic92/sops-nix";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
spicetify-nix.url = "github:the-argus/spicetify-nix";
|
spicetify-nix.url = "github:the-argus/spicetify-nix";
|
||||||
nh.url = "github:/viperML/nh";
|
nh.url = "github:/viperML/nh";
|
||||||
lix-module = {
|
lix-module = {
|
||||||
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.90.0-rc1.tar.gz";
|
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.90.0-rc1.tar.gz";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
};
|
firefox-addons.url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
|
||||||
#inputs.agenix.url = "github:ryantm/agenix";
|
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
|
||||||
inputs.firefox-addons.url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
|
nixvim = {
|
||||||
inputs.nixos-hardware.url = "github:NixOS/nixos-hardware/master";
|
|
||||||
inputs.nixvim = {
|
|
||||||
# If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim.
|
# If you are not running an unstable channel of nixpkgs, select the corresponding branch of nixvim.
|
||||||
#url = "github:nix-community/nixvim/22b587f3dc5c040eb1916aa2a67868f1918d9d17";
|
#url = "github:nix-community/nixvim/22b587f3dc5c040eb1916aa2a67868f1918d9d17";
|
||||||
url = "github:nix-community/nixvim";
|
url = "github:nix-community/nixvim";
|
||||||
|
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
#inputs.agenix.url = "github:ryantm/agenix";
|
||||||
|
|
||||||
outputs = inputs @ {
|
outputs = inputs @ {
|
||||||
self,
|
self,
|
||||||
|
@ -37,6 +41,7 @@
|
||||||
nixvim,
|
nixvim,
|
||||||
nh,
|
nh,
|
||||||
lix-module,
|
lix-module,
|
||||||
|
sops-nix,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
lib = nixpkgs.lib;
|
lib = nixpkgs.lib;
|
||||||
|
|
|
@ -18,6 +18,7 @@
|
||||||
./spicetify.nix
|
./spicetify.nix
|
||||||
./yazi.nix
|
./yazi.nix
|
||||||
./zoxide.nix
|
./zoxide.nix
|
||||||
#./ssh.nix
|
./sops.nix
|
||||||
|
./ssh.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
17
home/modules/sops.nix
Normal file
17
home/modules/sops.nix
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
{
|
||||||
|
inputs,
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
sops = {
|
||||||
|
defaultSopsFile = ../../secrets.yaml;
|
||||||
|
validateSopsFiles = false;
|
||||||
|
|
||||||
|
age = {
|
||||||
|
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
||||||
|
keyFile = "/home/xqtc/.config/sops/age/keys.txt";
|
||||||
|
generateKey = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -5,18 +5,14 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
age.identityPaths = ["${config.home.homeDirectory}/.ssh/agenix"]; # Use this key to decrypt
|
sops.secrets = {
|
||||||
home.packages = [
|
"private_keys/xqtc" = {
|
||||||
inputs.agenix.packages.x86_64-linux.default # Install CLI tool to encrypt
|
path = "/home/xqtc/.ssh/id_ed25519";
|
||||||
];
|
|
||||||
age.secrets.xqtc_id_ed25519 = {
|
|
||||||
file = ../secrets/xqtc_id_ed25519.age;
|
|
||||||
path = "${config.home.homeDirectory}/.ssh/id_ed25519";
|
|
||||||
mode = "600";
|
mode = "600";
|
||||||
};
|
};
|
||||||
age.secrets.xqtc_id_ed25519_pub = {
|
"public_keys/xqtc" = {
|
||||||
file = ../secrets/xqtc_id_ed25519_pub.age;
|
path = "/home/xqtc/.ssh/id_ed25519.pub";
|
||||||
path = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
|
|
||||||
mode = "640";
|
mode = "640";
|
||||||
};
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
let
|
|
||||||
xqtc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFecbWOhXR4z1wrrI5onn4SFGtu/lfsOblreuRWcbLug";
|
|
||||||
in {
|
|
||||||
"xqtc_id_ed25519.age".publicKeys = [xqtc];
|
|
||||||
"xqtc_id_ed25519_pub.age".publicKeys = [xqtc];
|
|
||||||
}
|
|
Binary file not shown.
Binary file not shown.
|
@ -41,6 +41,9 @@
|
||||||
../../gc.nix
|
../../gc.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
sops.secrets."nextcloud_password" = {
|
||||||
|
path = "/etc/nx_pass";
|
||||||
|
};
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
|
||||||
boot.binfmt.emulatedSystems = ["aarch64-linux"];
|
boot.binfmt.emulatedSystems = ["aarch64-linux"];
|
||||||
|
|
|
@ -11,6 +11,12 @@
|
||||||
}}/nextcloud-extras.nix"
|
}}/nextcloud-extras.nix"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
sops.secrets."nextcloud_password" = {
|
||||||
|
path = "/etc/nx_pass";
|
||||||
|
owner = "nextcloud";
|
||||||
|
group = "nextcloud";
|
||||||
|
};
|
||||||
|
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
webserver = "caddy";
|
webserver = "caddy";
|
||||||
};
|
};
|
||||||
|
|
|
@ -4,6 +4,11 @@
|
||||||
inputs,
|
inputs,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
|
sops.secrets."paperless_password" = {
|
||||||
|
path = "/etc/paperless_sc";
|
||||||
|
owner = "paperless";
|
||||||
|
group = "paperless";
|
||||||
|
};
|
||||||
services.paperless = {
|
services.paperless = {
|
||||||
enable = true;
|
enable = true;
|
||||||
passwordFile = "/etc/paperless_sc";
|
passwordFile = "/etc/paperless_sc";
|
||||||
|
|
|
@ -3,7 +3,9 @@
|
||||||
inputs,
|
inputs,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [inputs.home-manager.nixosModules.home-manager];
|
imports = [
|
||||||
|
inputs.home-manager.nixosModules.home-manager
|
||||||
|
];
|
||||||
config = {
|
config = {
|
||||||
home-manager.useGlobalPkgs = true;
|
home-manager.useGlobalPkgs = true;
|
||||||
home-manager.useUserPackages = true;
|
home-manager.useUserPackages = true;
|
||||||
|
@ -13,7 +15,7 @@
|
||||||
imports = [
|
imports = [
|
||||||
../home
|
../home
|
||||||
inputs.nixvim.homeManagerModules.nixvim
|
inputs.nixvim.homeManagerModules.nixvim
|
||||||
#inputs.agenix.homeManagerModules.default
|
inputs.sops-nix.homeManagerModules.sops
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
44
secrets.yaml
Normal file
44
secrets.yaml
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
private_keys:
|
||||||
|
xqtc: ENC[AES256_GCM,data:rpdj0jpEL+oI83ML+uVzTIr0zcc7vCrV5jFLUks+tjpR5cGkp3TxJ287ijRAEF17PqDK90t1Sql/Wt/VDriiF8FdwSMZRHIXtuQ2JoxZ7ZF0gI1O5f+RYI7f9YhRWwXWdGi7syhDHOIYuqNv2C3tmeM7vsGn2A7e+k68Dfj2SnP6EbQr3xaEr155YWTdN5VwiWUNRGa0AgKXEnNFjtxZd1rjKvcKSiWeDMoq4kYswpPcIjdcGSgIuh/W9RxaQls79wQ6EB958jwiU0mTRK2quyq4yDAbxocxExdy4ZRdqCj1FfZYtHN4hUwzif+pVihDxspyKu2PG0a+mDZPjG88STUqUSHd1rAVet3TxaHCAXMUNnALzLxV6uXaTZJOCpK5U/hIyRYKcm7NnUzkfrluEPAK1IDP3TiiVZEPHjx2cTxhWuMGc5qtWz7YCzTXP/m2XoLRhgaoP4WkYDdg/X4iMXqU3yTO+WClKJPrqvFzIwdvuioiL1hEJ/sKl3O+XtcipKM89PqL1Jrga+yiEZsS,iv:YZSCbv3+qerH9I1L10OkaId0b25p7Tz/fw0mimjGQ70=,tag:slAoYzANbap1ghkAkGcLIg==,type:str]
|
||||||
|
public_keys:
|
||||||
|
xqtc: ENC[AES256_GCM,data:bQ39+TS67ww01qfkhv//AfE3h4od4QgOUMATwKoeI7D7JHzCpM38jZudNlJixbyR8bLOKsBohqB3Pad6Q27dnXLCyZ/XtyZMLyhZuaOBVkx8+4ow1SWEyDxHM/N3WPZxjgM=,iv:FKHKaOknTYKzel3R6AUOb4RvXH04rQd4bHospGrsrUA=,tag:yCtxIdfWdIFjPiFbrFuPKg==,type:str]
|
||||||
|
nextcloud_password: ENC[AES256_GCM,data:lwqQio1I1xTv07bLRyrvig1HRyCxcueSPgDpPRhXBqCi8d42OJt7rA==,iv:R0JxpCJz9zycph9p7Ewwt4QTEXQxaxJ691aWCXfEsFE=,tag:Qz3dD2cOkmneEWP7tI54Dg==,type:str]
|
||||||
|
paperless_password: ENC[AES256_GCM,data:OCrc00vUb+lgel8TmFm+9Ee4QJZZV7W6+Jl9+R7AfjfDh6v590ibvw==,iv:emM7g0JRcEH4xuYdvZN64drOhduXyQy6HwF1xByaLvE=,tag:D2O1qAeKtYWGf+Zd3RuBTQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1jmqdy4ntgmunnh485qcvxg9yvc2rcvrwf8nq0jg8n4c5al7sza2qq3c80d
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UXN2bWFuL1oyUWY2aEMx
|
||||||
|
NkVJK0VZRHVZYVBzRDZQdFloWTFDbWJTdW4wCkkvdGozT2VzRTJjVnE5MExPRERR
|
||||||
|
eHVzazQxajg0Nm9DYWFMcWhiYXRqcmMKLS0tIDhGZWxsTEdlbnQ5TmE0V2gwVTlC
|
||||||
|
U3ZRUXo2SlBSZitENnUwdFQxRzczczQKixuIzUUzWvr/587c2ALWqc+eb0tmwOGN
|
||||||
|
RTSBTCn5YM7RhoXqwvSWwb8Jkwa5gEajNo9c/yTKz14/TJFB3tJD/w==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1lznc3dadzpc7vllpvnpdf8samadleep7sxfg0dnpzwl0nngzdv7suu73rh
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZ3lBUDdrZWR5Qi91d2hQ
|
||||||
|
bzVSOStwTVVMeHhrZitmN2MvM0lWLyszMVVvCllwS0g3Z3NlMGN5Qy92eGdpMEND
|
||||||
|
NUczRDJWSGpYa3ljZkd5SmF2K3BDSlkKLS0tIGkrdkdHNXVUNEcxK0lqQzM2UFRX
|
||||||
|
YWZYMUVlTEN0WGFrYm8xbEx1d3VwNUUKj7uYjZlxrzr3rtkKuhljgC2YRZFmAxzS
|
||||||
|
Jtv5WN8xnTGCLPQ3Pq7BfReDz5hVypBFtEc2xy/zBVgl+RQbs3oidg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1xf86ak2hu5efux42au4x7wlxqpxqpuld7kd6nnr2qzhl662wy3vq940d4p
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UVQxUmd4Z3A0ZTVGMS9x
|
||||||
|
M0ZYV3RCN3hTenArZVZ3RHV4cGRGZEdCdUN3CjdyNDRDY0d3WmEycXNkb2F5OENu
|
||||||
|
NGNVV2N2b3d3VmltMjd4M0NTWVhvQUUKLS0tIE1NWFFOcGV4YnBwcGNZSTkvNnFs
|
||||||
|
N2lwWWwxZFZkNzRRTXMxSDRNczZ3cEUKMC8rkGm0f0//n6yFaDTRpaFL8OE+4wEc
|
||||||
|
zcpC9E/3rzB+DC8H/CB9DIa7/LO+RQzR0THjGjc4EtooX0/PTxvn4g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-07-03T14:48:29Z"
|
||||||
|
mac: ENC[AES256_GCM,data:LHH3qUI92p9PFkheFlHV4EwfMebLnHyrEr6iyMCOPWLh+vyai039gFHP/qZuKO51qgQdWiNYagwTNGwh/wCPUsXqmrT6/zyUVRzY+qM8ei0mTsyATPT2N/nFurb0HUueSO1rNzkYFbb6Io+5KdkQQbgbXoKxVV3xaWPB0FvB5cg=,iv:YmO2DvOP+5XUFs+r2ywn3mS8igxwhdoMB4VmtFsxVDU=,tag:udN3POCZVJvh2MircwckKQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
Loading…
Reference in a new issue