use sops-nix for secrets

This commit is contained in:
Murphy 2025-01-24 13:06:22 -05:00
parent b923532fac
commit d999d4d0e6
Signed by: freya
GPG key ID: 9FBC6FFD6D2DBF17
16 changed files with 185 additions and 23 deletions

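--- a/.gitignore
+++ b/.gitignore
@@ -1 +0,0 @@
-secrets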

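--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,16 @@
+keys:
+# Users
+- &users:
+- &freya D9AF0A4209B7C2DE11A884BFACBC553660D9993D
+# Hosts
+- &hosts:
+- &shinji 2A8A27879715447AEEC59D0C18DCCBE353963394
+creation_rules:
+- path_regex: ^secrets.yaml$
+key_groups:
+- pgp:
+- *freya
+- path_regex: hosts/shinji/secrets.yaml$
+key_groups:
+- pgp:
+- *shinji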
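Review bot: The `^secrets.yaml$` rule lists only `*freya`, yet the `secrets.yaml` added in this same commit carries two pgp recipients (fp D9AF… and 2A8A…), so the next `sops updatekeys` would silently drop the shinji recipient; conversely the `hosts/shinji/secrets.yaml` rule, and that file as committed (fp 2A8A… only), exclude the operator key, which presumably means it can only be re-encrypted where the host's private key is available. If both files are meant to be decryptable by the host and editable by the user, list both anchors under each rule, e.g. `- pgp:` / `  - *freya` / `  - *shinji`. The `- &users:` and `- &hosts:` items look like grouping headers but (indentation is lost in this rendering, so hedged) the trailing colon becomes part of the anchor name and sops ignores the `keys` block except for the anchors it defines, so they carry no meaning beyond documentation. `hosts/shinji/secrets.yaml` has a single recipient and an empty `age` list, so loss of that one PGP key leaves the file unrecoverable.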

files/keys/shinji.asc Normal file

@ -0,0 +1,13 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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==
=cXeC
-----END PGP PUBLIC KEY BLOCK-----


@ -478,7 +478,28 @@
"hy3": "hy3",
"hyprland": "hyprland",
"hyprland-plugins": "hyprland-plugins",
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_2",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1737411508,
"narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {


@ -16,6 +16,9 @@
# hyprland hy3
hy3.url = "github:outfoxxed/hy3";
hy3.inputs.hyprland.follows = "hyprland";
# sops
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { nixpkgs, ... }@inputs:
@ -23,7 +26,7 @@
options = import ./options.nix;
in rec {
nixosConfigurations = {
shinji = import ./hosts/shinji.nix { inherit inputs options; };
shinji = import ./hosts/shinji { inherit inputs options; };
};
homeConfigurations = {


@ -12,10 +12,10 @@ inputs.nixpkgs.lib.nixosSystem rec {
specialArgs = { inherit inputs; };
modules = [
options
inputs.home-manager.nixosModules.home-manager
../nix
../../nix
{
# options
hostName = "shinji";
monitors = [{
name = "eDP-1";
scale = 1.25;
@ -33,9 +33,6 @@ inputs.nixpkgs.lib.nixosSystem rec {
efiSysMountPoint = "/boot/efi";
};
# hostname
networking.hostName = "shinji";
# kernel modules
boot.initrd.availableKernelModules = [
"nvme"

hosts/shinji/secrets.yaml Normal file

@ -0,0 +1,23 @@
freyanetWg: ENC[AES256_GCM,data:TlaDyx3E6Gez8HHiihFGIGfVedLx9xXSzBNEPmZYC3rqWEHHTfsMh6xL5l8=,iv:qdygQeUQkpVCWOYJ9BLsBtN/F0sYU4fTKz+/Az1QyOg=,tag:88yeDqXtcHshVRiinn2Bsg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2025-01-24T17:54:22Z"
mac: ENC[AES256_GCM,data:IfPObEnZ46RUXjHwK4ibIlfwveqYaOHPtKgIhLjBuuElPHfvhSqgeN4KEwTDPnk38F39qRiyDA3TlEZjIvC856t+a5FG7UkdQRkOkotcqMPwtmEHz5YXw0gqMny7y4+iFMvog0NQL94ptodD0kD/OoJKt/2tGmm9Jv3yBO/qqwo=,iv:BGBONzCHiWLhS0AX9Xa3Rt8dZTzDEGWS0jr72GAx4bc=,tag:SIJyE/xWuxf2U2x2+1cX4w==,type:str]
pgp:
- created_at: "2025-01-24T17:54:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4D/YCJcy0T0DkSAQdAxr7yRTBbTqekdXYr4apLlMvUa00t07itX1tUfrQcQjsw
spxEodkxhj5ZiD/ohAQRBzhwMN+xhqo69b+yfRPYke1IXc8CqeQAJHGXZKxhlOPO
0l4B7AD9YlNgegBsUhFm/7ll5t1oTy3xXzgVKpWhpqAnyMqzyKx7gZcZagjaRaDn
aMITJxTBRU8cmuZazUvu5O2lUKqFCj9Au/wP42eUWQphzsxKkGeYsnqr1z417N83
=qn+4
-----END PGP MESSAGE-----
fp: 2A8A27879715447AEEC59D0C18DCCBE353963394
unencrypted_suffix: _unencrypted
version: 3.9.3


@ -142,6 +142,14 @@ in
options = {
#
# System information
#
hostName = mkOption {
type = types.str;
description = "Hostname of the system.";
};
#
# Primary user of the system
#
@ -158,14 +166,14 @@ in
description = "Primary email of the user";
};
homePath = mkOption {
type = types.str;
type = types.path;
description = "Home directory path of the user";
default = "/home/${config.user}";
default = builtins.toPath "/home/${config.user}";
};
dotfilesPath = mkOption {
type = types.str;
type = types.path;
description = "Dotfiles path inside the users home dir";
default = "${config.homePath}/.config/nix";
default = builtins.toPath "${config.homePath}/.config/nix";
};
#
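Review bot: `builtins.toPath` in the new `homePath` and `dotfilesPath` defaults is a deprecated builtin that returns a string, not a path value, so changing the option types to `types.path` adds only a leading-`/` check and both values remain plain strings. That is likely the outcome you want here, because a genuine path value (for instance `/. + "/home/${config.user}"`) would be copied into the Nix store the moment it is interpolated, which the `dotfilesPath` default `"${config.homePath}/.config/nix"` already does, but that reasoning is invisible in the code. Either keep the plain string defaults or add a comment such as `# kept as strings: these live outside the store and must never be copied into it`. The enclosing `options = { … }` set begins and ends outside both hunks.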


@ -1,6 +1,10 @@
{ config, pkgs, ... }:
{ config, pkgs, inputs, ... }:
{
imports = [
inputs.home-manager.nixosModules.home-manager
];
home-manager.users.${config.user} = {
home.username = config.user;


@ -9,6 +9,7 @@
./kitty
./mako
./neovim
./sops
./ssh
./starship
./waybar


@ -1,24 +1,35 @@
{ config, lib, pkgs, ... }:
let
keysDir = ../../../files/keys;
keys = lib.attrsets.mapAttrsToList (name: type: "${keysDir}/${name}") (builtins.readDir keysDir);
in
{
home-manager.users.${config.user} = {
# install keys into gpg keyring
programs.gpg = {
enable = true;
publicKeys = [
{
source = ../../../files/keys/freya-gpg.pub;
trust = 5;
}
];
publicKeys = map (file: { source = file; trust = 5; }) keys;
};
# global gpg agent
services.gpg-agent = {
enable = true;
enableExtraSocket = true;
enableSshSupport = true;
#updateStartupTty = true;
pinentryPackage = pkgs.pinentry-curses;
};
};
# yubikey support
services = {
pcscd.enable = true;
udev.packages = with pkgs; [
yubikey-personalization
];
};
}
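Review bot: `publicKeys = map (file: { source = file; trust = 5; }) keys` imports every entry of `files/keys` with ultimate trust (5), so the host key `shinji.asc` added in this commit, and any file dropped into that directory later, becomes a trust root of the user's keyring whose certifications are accepted as valid; before this change only the user's own key received that level. `builtins.readDir` also returns subdirectories and symlinks, and the `type` argument of the lambda is discarded, so a stray directory would presumably end up as a `source` that home-manager cannot import. Consider filtering on the entry type and reserving trust 5 for the owner key, e.g. `keys = lib.attrsets.mapAttrsToList (name: _: "${keysDir}/${name}")` / `  (lib.attrsets.filterAttrs (_: type: type == "regular") (builtins.readDir keysDir));` with the host key at trust 4 or lower.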


@ -0,0 +1,30 @@
{ config, pkgs, inputs, ... }:
let
isEd25519 = k: k.type == "ed25519";
getKeyPath = k: k.path;
keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
in
{
imports = [
inputs.sops-nix.nixosModules.sops
];
environment.systemPackages = with pkgs; [
sops
];
sops = {
defaultSopsFile = config.dotfilesPath + "/hosts/${config.hostName}/secrets.yaml";
validateSopsFiles = false;
gnupg.home = config.homePath + "/.gnupg";
gnupg.sshKeyPaths = [];
secrets = {
freyanetWg = {};
};
};
}
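Review bot: The `let` bindings `isEd25519`, `getKeyPath` and `keys` are never referenced — `gnupg.sshKeyPaths` is hard-coded to `[]` and there is no `age` block — so they are dead code left over from the ssh-host-key/age pattern, and the read of `config.services.openssh.hostKeys` should go with them. Separately, `defaultSopsFile` is assembled from `config.dotfilesPath` with `validateSopsFiles = false`, and `gnupg.home` points into `config.homePath`, so both the encrypted file and the host's PGP private key presumably live in the user's home rather than the Nix store; the wireguard key is then only as protected as that user account, and boot-time activation depends on that home directory being mounted and readable by root before sops-nix runs. Stating that trade-off in a comment, e.g. `# secrets file and gnupg keyring are read from the user's home at activation time, not from the store`, would spare the next reader the reconstruction; if an immutable per-generation copy is preferred, `defaultSopsFile = ../../hosts + "/${config.hostName}/secrets.yaml";` would let `validateSopsFiles` stay enabled.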


@ -9,7 +9,7 @@
freyanet = {
address = [ "10.2.0.2/32" "fd:cafe:dead:bee::2/128" "fe80::2/128" ];
dns = [ "10.2.2.2" ];
privateKeyFile = "${config.dotfilesPath}/secrets/freyanet.key";
privateKeyFile = config.sops.secrets.freyanetWg.path;
peers = [{
publicKey = "x0ykwakpYCvI/pG+nR83lNUyeOE9m54thnX3bvZ+FUk=";


@ -4,6 +4,9 @@
# allow flakes
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# hostname
networking.hostName = config.hostName;
# common system packages
environment.systemPackages = with pkgs; [
# editor
@ -42,7 +45,6 @@
networking.networkmanager.enable = true;
services.fwupd.enable = true;
services.libinput.enable = true;
services.pcscd.enable = true;
services.printing.enable = true;
services.pipewire = {
enable = true;

secrets.yaml Normal file

@ -0,0 +1,34 @@
freyanetWg: ENC[AES256_GCM,data:xRM6yS/p2PrntO33TCIUrv3giPAdtKapkK/cQoNmraAKQCNOkwccmn4kXY0=,iv:OHnIVZVDZ7mTHM9pNFPiEKLUl02C9I1yQtSp3JbSstk=,tag:LFlLKGYe0HcU/GvOVFrVbg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2025-01-24T17:44:07Z"
mac: ENC[AES256_GCM,data:KIRtBWMriL3LWC67RyJrKwcZtt5lYifHZJ3SgJf424CbRbTZtmPmQBCAiLy1Mctwjg8774by0e+mGMPRzI17GqIX26FSh8QWdTaW6o/p9YIIkjjQX8XDtASshZMYgqy/psEBA6NJ68vmAUFHaDpc7UYfy4nZ7jDu6NNVTXI9AsA=,iv:20n+SDE6EWaL+HKWSPY6a1NSa195gFIuMFiv6gccDRc=,tag:P/URXcSJcaogxmw+MXlh/Q==,type:str]
pgp:
- created_at: "2025-01-24T17:44:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4D0Q846mnV8HYSAQdAa2X6kxQtkBLjRtRbK26TGpr28mJWV8lTz6AxgYCsuQAw
23kWYwg2wVdnTKCRcVcTYZcyqXx41Cl9tW/GAQRrUdZqDPKAqrNVI7W+/lNdgygz
0l4B9zbWc86uX/2uTgTU08mNV5qedoSa0myxUhXDYcSaHT1UNWutIxcxyMjRimIR
pHmAnVaBmiDlCwq7TM4zSrg/N4mtbeRbWn0OVeaUPU8jZ6XmKaFFKLp262GC1Vn0
=GiBI
-----END PGP MESSAGE-----
fp: D9AF0A4209B7C2DE11A884BFACBC553660D9993D
- created_at: "2025-01-24T17:44:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4D/YCJcy0T0DkSAQdAzsg6F1Y2KECBBychHLVefYwOOg3Lv7kgVK6rU4mH80sw
Cm4WOEkHJdloDSZRCXYs2maIYVDQoFM9pL4sLCr9Tpw050L9vSdI0IuWS7I8G9RR
0l4B3mZM3R58dyyZw0p7br/oPXPavRguwFiTs5sa6EeDonclDvXjMhq2c1jVYWw8
iC77SDpZ0X9wz/Mq4Fptd56ywFqg9Zx2Odu171eqH5W7majQyiBIaSJGBEnVX8LX
=OiC0
-----END PGP MESSAGE-----
fp: 2A8A27879715447AEEC59D0C18DCCBE353963394
unencrypted_suffix: _unencrypted
version: 3.9.3