Replace agenix with sops-nix

This commit is contained in:
Pim Kunis 2024-06-15 16:20:03 +02:00
parent 80530d6290
commit 03608f96d7
5 changed files with 83 additions and 85 deletions

2
.sops.yaml Normal file
View file

@ -0,0 +1,2 @@
creation_rules:
- age: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw

View file

@ -1,8 +1,8 @@
{ pkgs, config, lib, inputs, flake, system, ... }: { { pkgs, config, lib, inputs, flake, system, ... }: {
imports = [ imports = [
inputs.stylix.nixosModules.stylix inputs.stylix.nixosModules.stylix
inputs.agenix.nixosModules.default
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
inputs.sops-nix.nixosModules.sops
"${flake}/modules/nixos/lanzaboote.nix" "${flake}/modules/nixos/lanzaboote.nix"
]; ];
@ -133,28 +133,18 @@
}; };
}; };
age = {
identityPaths = [ "/home/pim/.ssh/age_ed25519" ];
secrets = {
wg-quick-home-privkey.file = ./secrets/wg-quick-home-privkey.age;
wg-quick-home-preshared-key.file =
./secrets/wg-quick-home-preshared-key.age;
};
};
networking = { networking = {
useDHCP = lib.mkDefault true; useDHCP = lib.mkDefault true;
wg-quick.interfaces = { wg-quick.interfaces = {
home = { home = {
privateKeyFile = config.age.secrets.wg-quick-home-privkey.path; privateKeyFile = config.sops.secrets."wireguard/home/privateKey".path;
address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ]; address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ];
dns = [ "192.168.30.131" ]; dns = [ "192.168.30.131" ];
autostart = false; autostart = false;
mtu = 1412; mtu = 1412;
peers = [{ peers = [{
presharedKeyFile = config.age.secrets.wg-quick-home-preshared-key.path; presharedKeyFile = config.sops.secrets."wireguard/home/presharedKey".path;
endpoint = "wg.kun.is:51820"; endpoint = "wg.kun.is:51820";
publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg="; publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
allowedIPs = [ "0.0.0.0/0" "::/0" ]; allowedIPs = [ "0.0.0.0/0" "::/0" ];
@ -162,13 +152,13 @@
}; };
home-no-pihole = { home-no-pihole = {
privateKeyFile = config.age.secrets.wg-quick-home-privkey.path; privateKeyFile = config.sops.secrets."wireguard/home/privateKey".path;
address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ]; address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ];
dns = [ "192.168.10.1" ]; dns = [ "192.168.10.1" ];
autostart = false; autostart = false;
mtu = 1412; mtu = 1412;
peers = [{ peers = [{
presharedKeyFile = config.age.secrets.wg-quick-home-preshared-key.path; presharedKeyFile = config.sops.secrets."wireguard/home/presharedKey".path;
endpoint = "wg.kun.is:51820"; endpoint = "wg.kun.is:51820";
publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg="; publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
allowedIPs = [ "0.0.0.0/0" "::/0" ]; allowedIPs = [ "0.0.0.0/0" "::/0" ];
@ -262,4 +252,11 @@
inputs.homeage.homeManagerModules.homeage inputs.homeage.homeManagerModules.homeage
]; ];
}; };
sops = {
age.keyFile = "/home/pim/.config/sops/age/keys.txt";
defaultSopsFile = ./secrets/secrets.yaml;
secrets."wireguard/home/presharedKey" = { };
secrets."wireguard/home/privateKey" = { };
};
} }

View file

@ -1,30 +1,5 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": [
"home-manager"
],
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1716561646,
"narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
"owner": "ryantm",
"repo": "agenix",
"rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"base16": { "base16": {
"inputs": { "inputs": {
"fromYaml": "fromYaml" "fromYaml": "fromYaml"
@ -172,28 +147,6 @@
"type": "github" "type": "github"
} }
}, },
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"disko": { "disko": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -269,7 +222,7 @@
}, },
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1681202837,
@ -493,6 +446,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1717880976,
"narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1717868076, "lastModified": 1717868076,
@ -573,7 +542,6 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix",
"disko": "disko", "disko": "disko",
"home-manager": "home-manager", "home-manager": "home-manager",
"homeage": "homeage", "homeage": "homeage",
@ -583,6 +551,7 @@
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nur": "nur", "nur": "nur",
"sops-nix": "sops-nix",
"stylix": "stylix" "stylix": "stylix"
} }
}, },
@ -611,6 +580,27 @@
"type": "github" "type": "github"
} }
}, },
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1718137936,
"narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"stylix": { "stylix": {
"inputs": { "inputs": {
"base16": "base16", "base16": "base16",
@ -653,21 +643,6 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

View file

@ -18,12 +18,6 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.home-manager.follows = "home-manager";
};
lanzaboote = { lanzaboote = {
url = "github:nix-community/lanzaboote/v0.3.0"; url = "github:nix-community/lanzaboote/v0.3.0";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -39,6 +33,11 @@
url = "https://github.com/NixOS/nixos-artwork.git"; url = "https://github.com/NixOS/nixos-artwork.git";
flake = false; flake = false;
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =

25
secrets/secrets.yaml Normal file
View file

@ -0,0 +1,25 @@
testje: ENC[AES256_GCM,data:kMnaocttth1O6g==,iv:mV9gEMdomVhmOTBUWIFz3o23TBb7DLM2rXI/Tb81bSg=,tag:qj6TlvW5sY6Ek9M0GIqB3A==,type:str]
wireguard:
home:
presharedKey: ENC[AES256_GCM,data:H+oCRsg2ikN9KyVacEFasYmx5XE1zrnjBthkL5OitOXHTr4Ls0zwoF5StXs=,iv:N63wO4TKagbweStqf7wL3YZ0njxDNvrISErPao5wf7o=,tag:67kZcNaCzv3RI41XmA+UFQ==,type:str]
privateKey: ENC[AES256_GCM,data:WcPVrLiy2JJvzIh7sUpHMnt1MNx5rw5bI+xGmkitC9nEiNytMG71wmlC4d0=,iv:sl8gZgCzaW10UH0GLycvQVHqBlDVq7BUgoIEl41lc20=,tag:7oLlVjulxuEsW+pS8sZ+Ew==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWL1dlTjFNTXRPd0ppbE1i
THlsMzB1K041eUdTemRseGk5dkVwUDk2TFIwCnR1WE9iYXhHWHprZCtlSFExakhs
R0FtcEc0VTJ4WFBORFluYTdBTFh1NzAKLS0tIGtrYkVPSEVXV1dnb1J4V1pkQktW
VjNXUkpmVmxyNDNsT0ZjQjhOYklEbW8KV86AD+8QE14BZxWb7TVolwlcy1eFKxks
rOpqcXBqtUPaBC10IhVV434DGFIZMtRuYEQ4G/sdCsc3qiNxO3Cl4A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-15T14:04:18Z"
mac: ENC[AES256_GCM,data:6YKdfUk4ltXQ6U7FHs9ehGDUVzfZo1cKnSJMp+zYBEBnhmz7LdCBZycBpJ9syJn4WW1jZ8Bz7+lIxDsXm35AhjI+Mia20BqcWotcCaoHUslK+QV/YRIw8wxP7pvOKNeTa9UMhrcpXBVJxdQvKEBZPWziD4Xk3RGomvGEjB3xXKY=,iv:Tvgo/tlxnNk31C/cqCAKIGRdYEug9DdqeIUdJgQj4yE=,tag:z/tWTyiYmUmc2zVc3mQq0Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1