diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index db2fc0d..0000000
--- a/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-secrets
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..64573f3
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,16 @@
+keys:
+  # Users
+  - &users:
+    - &freya D9AF0A4209B7C2DE11A884BFACBC553660D9993D
+  # Hosts
+  - &hosts:
+    - &shinji 2A8A27879715447AEEC59D0C18DCCBE353963394
+creation_rules:
+  - path_regex: ^secrets.yaml$
+    key_groups:
+      - pgp:
+        - *freya
+  - path_regex: hosts/shinji/secrets.yaml$
+    key_groups:
+      - pgp:
+        - *shinji
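Review bot: The rule for `^secrets.yaml$` (L22-25) lists only `*freya` as a recipient, yet the `secrets.yaml` committed in this same diff is encrypted to two PGP keys (fingerprints D9AF… at L380 and 2A8A… at L391), so the policy and the file disagree; a later `sops updatekeys secrets.yaml` would silently drop the host key. If both recipients are intended, add `- *shinji` under the first rule's `pgp:` list; if not, re-encrypt the file to match. The anchors are written as `&users:` and `&hosts:`, which makes the trailing colon part of the anchor name, so `- &users` and `- &hosts` read as intended (neither anchor is referenced, so this is cosmetic today). Escaping the dot, `^secrets\.yaml$`, makes the first regex match only the intended file.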
diff --git a/files/keys/freya-gpg.pub b/files/keys/freya.asc
similarity index 100%
rename from files/keys/freya-gpg.pub
rename to files/keys/freya.asc
diff --git a/files/keys/shinji.asc b/files/keys/shinji.asc
new file mode 100644
index 0000000..a54127f
--- /dev/null
+++ b/files/keys/shinji.asc
@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZ5PEshYJKwYBBAHaRw8BAQdA9+xyytloOTF23lyqyXuwQLxzEayOnMTg8/4Z
+WkQZQva0M0ZyZXlhIE11cnBoeSAoU2hpbmppIGtleSBwYWlyKSA8ZnJleWFAZnJl
+eWFjYXQub3JnPoiOBBMWCgA2FiEEKoonh5cVRHruxZ0MGNzL41OWM5QFAmeTxLIC
+GwMECwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEBjcy+NTljOUONwBAJxKRllAFMp9
+gDxjNrYIChZdz4OssLuCTwRdJDaDPYkaAQD0QyWMTAOyEAmDOfAbVKEOvjBT1OKC
+AuizXs8lxEdlBrg4BGeTxLISCisGAQQBl1UBBQEBB0AqLq6bMlO77JHu0pEluBHf
+nURLnx2C1c2V+DEEbRyNVAMBCAeIeAQYFgoAIBYhBCqKJ4eXFUR67sWdDBjcy+NT
+ljOUBQJnk8SyAhsMAAoJEBjcy+NTljOUU1gA+gOG/xzRisgItWABqBEfRk/v80cx
+ztPaticmGWdSaBKIAQD1VI0iqy/BI0etk6xKPWfsLLsCOvy+4qfDliYL0oelBA==
+=cXeC
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/flake.lock b/flake.lock
index 5739a55..9b59e19 100644
--- a/flake.lock
+++ b/flake.lock
@@ -478,7 +478,28 @@
         "hy3": "hy3",
         "hyprland": "hyprland",
         "hyprland-plugins": "hyprland-plugins",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_2",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1737411508,
+        "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     },
     "systems": {
diff --git a/flake.nix b/flake.nix
index b24500b..58cdb6c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,6 +16,9 @@
     # hyprland hy3
     hy3.url = "github:outfoxxed/hy3";
     hy3.inputs.hyprland.follows = "hyprland";
+    # sops
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = { nixpkgs, ... }@inputs:
@@ -23,7 +26,7 @@
       options = import ./options.nix;
   in rec {
     nixosConfigurations = {
-      shinji = import ./hosts/shinji.nix { inherit inputs options; };
+      shinji = import ./hosts/shinji { inherit inputs options; };
     };
 
     homeConfigurations = {
diff --git a/hosts/shinji.nix b/hosts/shinji/default.nix
similarity index 93%
rename from hosts/shinji.nix
rename to hosts/shinji/default.nix
index 756cfe1..d1a02a8 100644
--- a/hosts/shinji.nix
+++ b/hosts/shinji/default.nix
@@ -12,10 +12,10 @@ inputs.nixpkgs.lib.nixosSystem rec {
   specialArgs = { inherit inputs; };
   modules = [
     options
-    inputs.home-manager.nixosModules.home-manager
-    ../nix
+    ../../nix
     {
       # options
+      hostName = "shinji";
       monitors = [{
         name = "eDP-1";
         scale = 1.25;
@@ -33,9 +33,6 @@ inputs.nixpkgs.lib.nixosSystem rec {
         efiSysMountPoint = "/boot/efi";
       };
 
-      # hostname
-      networking.hostName = "shinji";
-
       # kernel modules
       boot.initrd.availableKernelModules = [
         "nvme"
diff --git a/hosts/shinji/secrets.yaml b/hosts/shinji/secrets.yaml
new file mode 100644
index 0000000..5bb89cf
--- /dev/null
+++ b/hosts/shinji/secrets.yaml
@@ -0,0 +1,23 @@
+freyanetWg: ENC[AES256_GCM,data:TlaDyx3E6Gez8HHiihFGIGfVedLx9xXSzBNEPmZYC3rqWEHHTfsMh6xL5l8=,iv:qdygQeUQkpVCWOYJ9BLsBtN/F0sYU4fTKz+/Az1QyOg=,tag:88yeDqXtcHshVRiinn2Bsg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2025-01-24T17:54:22Z"
+    mac: ENC[AES256_GCM,data:IfPObEnZ46RUXjHwK4ibIlfwveqYaOHPtKgIhLjBuuElPHfvhSqgeN4KEwTDPnk38F39qRiyDA3TlEZjIvC856t+a5FG7UkdQRkOkotcqMPwtmEHz5YXw0gqMny7y4+iFMvog0NQL94ptodD0kD/OoJKt/2tGmm9Jv3yBO/qqwo=,iv:BGBONzCHiWLhS0AX9Xa3Rt8dZTzDEGWS0jr72GAx4bc=,tag:SIJyE/xWuxf2U2x2+1cX4w==,type:str]
+    pgp:
+        - created_at: "2025-01-24T17:54:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D/YCJcy0T0DkSAQdAxr7yRTBbTqekdXYr4apLlMvUa00t07itX1tUfrQcQjsw
+            spxEodkxhj5ZiD/ohAQRBzhwMN+xhqo69b+yfRPYke1IXc8CqeQAJHGXZKxhlOPO
+            0l4B7AD9YlNgegBsUhFm/7ll5t1oTy3xXzgVKpWhpqAnyMqzyKx7gZcZagjaRaDn
+            aMITJxTBRU8cmuZazUvu5O2lUKqFCj9Au/wP42eUWQphzsxKkGeYsnqr1z417N83
+            =qn+4
+            -----END PGP MESSAGE-----
+          fp: 2A8A27879715447AEEC59D0C18DCCBE353963394
+    unencrypted_suffix: _unencrypted
+    version: 3.9.3
diff --git a/nix/default.nix b/nix/default.nix
index 3cda7fe..d6e36ec 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -142,6 +142,14 @@ in
 
   options = {
 
+    #
+    # System information
+    #
+    hostName = mkOption {
+      type = types.str;
+      description = "Hostname of the system.";
+    };
+
     #
     # Primary user of the system
     #
@@ -158,14 +166,14 @@ in
       description = "Primary email of the user";
     };
     homePath = mkOption {
-      type = types.str;
+      type = types.path;
       description = "Home directory path of the user";
-      default = "/home/${config.user}";
+      default = builtins.toPath "/home/${config.user}";
     };
     dotfilesPath = mkOption {
-      type = types.str;
+      type = types.path;
       description = "Dotfiles path inside the users home dir";
-      default = "${config.homePath}/.config/nix";
+      default = builtins.toPath "${config.homePath}/.config/nix";
     };
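Review bot: `builtins.toPath` on L196 and L203 is deprecated in Nix, and as far as I know it returns a plain string rather than a path value, so wrapping the defaults buys nothing over the original string literals. `types.path` already accepts a string that starts with `/` and leaves it a string, so the type change alone gives the validation this hunk is after. I would keep `default = "/home/${config.user}";` and `default = "${config.homePath}/.config/nix";` and just switch the types; that also keeps the values ordinary strings for consumers such as the new sops module, which concatenates them with `+`.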
 
     #
diff --git a/nix/home/default.nix b/nix/home/default.nix
index 86cbfe6..66510fc 100644
--- a/nix/home/default.nix
+++ b/nix/home/default.nix
@@ -1,6 +1,10 @@
-{ config, pkgs, ... }:
+{ config, pkgs, inputs, ... }:
 
 {
+  imports = [
+    inputs.home-manager.nixosModules.home-manager
+  ];
+
   home-manager.users.${config.user} = {
 
     home.username = config.user;
diff --git a/nix/programs/default.nix b/nix/programs/default.nix
index c4a6f61..a6c2996 100644
--- a/nix/programs/default.nix
+++ b/nix/programs/default.nix
@@ -9,6 +9,7 @@
 		./kitty
 		./mako
 		./neovim
+		./sops
 		./ssh
 		./starship
 		./waybar
diff --git a/nix/programs/gpg/default.nix b/nix/programs/gpg/default.nix
index 92549ff..5629995 100644
--- a/nix/programs/gpg/default.nix
+++ b/nix/programs/gpg/default.nix
@@ -1,24 +1,35 @@
 { config, lib, pkgs, ... }:
 
+let
+
+  keysDir = ../../../files/keys;
+  keys = lib.attrsets.mapAttrsToList (name: type: "${keysDir}/${name}") (builtins.readDir keysDir);
+
+in
 {
   home-manager.users.${config.user} = {
+
+    # install keys into gpg keyring
     programs.gpg = {
       enable = true;
-      publicKeys = [
-        {
-          source = ../../../files/keys/freya-gpg.pub;
-          trust = 5;
-        }
-      ];
+      publicKeys = map (file: { source = file; trust = 5; }) keys;
     };
 
+    # global gpg agent
     services.gpg-agent = {
       enable = true;
       enableExtraSocket = true;
       enableSshSupport = true;
-      #updateStartupTty = true;
-
       pinentryPackage = pkgs.pinentry-curses;
     };
+
+  };
+
+  # yubikey support
+  services = {
+    pcscd.enable = true;
+    udev.packages = with pkgs; [
+      yubikey-personalization
+    ];
   };
 }
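Review bot: `publicKeys = map (file: { source = file; trust = 5; }) keys` on L260 assigns ownertrust 5 (ultimate) to every entry `builtins.readDir` finds in `files/keys`, including the host key `shinji.asc` added in this commit, whereas before only the user's own key carried that trust; whether that is right depends on whether the user holds the shinji secret key, which the diff does not show, so a per-file trust mapping would make the intent explicit. The lambda on L245 ignores the `type` it receives, so subdirectories and any stray non-key file dropped in the directory are also imported into the keyring and copied into the store via the `"${keysDir}/${name}"` interpolation. Filtering first keeps the keyring to what was meant: `keys = lib.mapAttrsToList (name: _: "${keysDir}/${name}") (lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".asc" name) (builtins.readDir keysDir));`.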
diff --git a/nix/programs/sops/default.nix b/nix/programs/sops/default.nix
new file mode 100644
index 0000000..2447935
--- /dev/null
+++ b/nix/programs/sops/default.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, inputs, ... }:
+
+let
+
+  isEd25519 = k: k.type == "ed25519";
+  getKeyPath = k: k.path;
+  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+
+in
+{
+    imports = [
+        inputs.sops-nix.nixosModules.sops
+    ];
+
+    environment.systemPackages = with pkgs; [
+        sops
+    ];
+
+    sops = {
+      defaultSopsFile = config.dotfilesPath + "/hosts/${config.hostName}/secrets.yaml";
+      validateSopsFiles = false;
+
+      gnupg.home = config.homePath + "/.gnupg";
+      gnupg.sshKeyPaths = [];
+
+      secrets = {
+        freyanetWg = {};
+      };
+    };
+}
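Review bot: `isEd25519`, `getKeyPath` and `keys` (L293-295) are never used, because `gnupg.sshKeyPaths = []` on L312 is set explicitly, so the `let` block is dead code and should be removed (or `sshKeyPaths = map getKeyPath keys;` if SSH host keys were meant to be an import source alongside GnuPG). `defaultSopsFile` on L308 is an absolute string under the user's home, so the encrypted file is read from the live checkout at activation rather than from the store, which is why `validateSopsFiles = false` is needed and why a rebuild from any other checkout would fail; a relative path, `defaultSopsFile = ../../../hosts/${config.hostName}/secrets.yaml;`, puts the encrypted file in the store and lets validation stay on. The body mixes four-space (L299-305) and two-space (L307-317) indentation; the rest of the tree uses two.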
diff --git a/nix/programs/wireguard/default.nix b/nix/programs/wireguard/default.nix
index 83c2585..7e4ab7a 100644
--- a/nix/programs/wireguard/default.nix
+++ b/nix/programs/wireguard/default.nix
@@ -9,7 +9,7 @@
     freyanet = {
       address = [ "10.2.0.2/32" "fd:cafe:dead:bee::2/128" "fe80::2/128" ];
       dns = [ "10.2.2.2" ];
-      privateKeyFile = "${config.dotfilesPath}/secrets/freyanet.key";
+      privateKeyFile = config.sops.secrets.freyanetWg.path;
 
       peers = [{
         publicKey = "x0ykwakpYCvI/pG+nR83lNUyeOE9m54thnX3bvZ+FUk=";
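Review bot: The new `privateKeyFile` on L328 hands the sops-managed path to the module correctly, but the plaintext file the old line read, `${config.dotfilesPath}/secrets/freyanet.key`, is not removed by this commit while the `.gitignore` rule `secrets` that kept that directory out of the repository is deleted (L7). If that file is still present in the checkout it is now one unqualified `git add` away from being committed; delete the `secrets/` directory once the sops-backed tunnel is confirmed working, or keep the ignore rule until then.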
diff --git a/nix/system/default.nix b/nix/system/default.nix
index dbc34f5..65e6b73 100644
--- a/nix/system/default.nix
+++ b/nix/system/default.nix
@@ -4,6 +4,9 @@
   # allow flakes
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
 
+  # hostname
+  networking.hostName = config.hostName;
+
   # common system packages
   environment.systemPackages = with pkgs; [
     # editor
@@ -42,7 +45,6 @@
   networking.networkmanager.enable = true;
   services.fwupd.enable = true;
   services.libinput.enable = true;
-  services.pcscd.enable = true;
   services.printing.enable = true;
   services.pipewire = {
     enable = true;
diff --git a/secrets.yaml b/secrets.yaml
new file mode 100644
index 0000000..28ca3a6
--- /dev/null
+++ b/secrets.yaml
@@ -0,0 +1,34 @@
+freyanetWg: ENC[AES256_GCM,data:xRM6yS/p2PrntO33TCIUrv3giPAdtKapkK/cQoNmraAKQCNOkwccmn4kXY0=,iv:OHnIVZVDZ7mTHM9pNFPiEKLUl02C9I1yQtSp3JbSstk=,tag:LFlLKGYe0HcU/GvOVFrVbg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2025-01-24T17:44:07Z"
+    mac: ENC[AES256_GCM,data:KIRtBWMriL3LWC67RyJrKwcZtt5lYifHZJ3SgJf424CbRbTZtmPmQBCAiLy1Mctwjg8774by0e+mGMPRzI17GqIX26FSh8QWdTaW6o/p9YIIkjjQX8XDtASshZMYgqy/psEBA6NJ68vmAUFHaDpc7UYfy4nZ7jDu6NNVTXI9AsA=,iv:20n+SDE6EWaL+HKWSPY6a1NSa195gFIuMFiv6gccDRc=,tag:P/URXcSJcaogxmw+MXlh/Q==,type:str]
+    pgp:
+        - created_at: "2025-01-24T17:44:07Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D0Q846mnV8HYSAQdAa2X6kxQtkBLjRtRbK26TGpr28mJWV8lTz6AxgYCsuQAw
+            23kWYwg2wVdnTKCRcVcTYZcyqXx41Cl9tW/GAQRrUdZqDPKAqrNVI7W+/lNdgygz
+            0l4B9zbWc86uX/2uTgTU08mNV5qedoSa0myxUhXDYcSaHT1UNWutIxcxyMjRimIR
+            pHmAnVaBmiDlCwq7TM4zSrg/N4mtbeRbWn0OVeaUPU8jZ6XmKaFFKLp262GC1Vn0
+            =GiBI
+            -----END PGP MESSAGE-----
+          fp: D9AF0A4209B7C2DE11A884BFACBC553660D9993D
+        - created_at: "2025-01-24T17:44:07Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D/YCJcy0T0DkSAQdAzsg6F1Y2KECBBychHLVefYwOOg3Lv7kgVK6rU4mH80sw
+            Cm4WOEkHJdloDSZRCXYs2maIYVDQoFM9pL4sLCr9Tpw050L9vSdI0IuWS7I8G9RR
+            0l4B3mZM3R58dyyZw0p7br/oPXPavRguwFiTs5sa6EeDonclDvXjMhq2c1jVYWw8
+            iC77SDpZ0X9wz/Mq4Fptd56ywFqg9Zx2Odu171eqH5W7majQyiBIaSJGBEnVX8LX
+            =OiC0
+            -----END PGP MESSAGE-----
+          fp: 2A8A27879715447AEEC59D0C18DCCBE353963394
+    unencrypted_suffix: _unencrypted
+    version: 3.9.3
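Review bot: Nothing in this diff reads the repository-root `secrets.yaml`: the sops module's `defaultSopsFile` (L308) points at `hosts/${config.hostName}/secrets.yaml`, and the WireGuard module consumes `freyanetWg` from that default file. This file therefore holds a second, independently encrypted copy of the same `freyanetWg` secret, which has to be kept in sync by hand and is encrypted to a recipient set that differs from the `.sops.yaml` rule for it (L22-25). If it is meant as the shared-secrets file, document that in a comment in `.sops.yaml`; otherwise drop it so there is a single source for the key.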