From 08125869421c6a0ab6016c57069504be18f788b7 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 21 Nov 2024 22:27:29 +0100 Subject: [PATCH] Create helper option for deploying sops keys Update public key of sue-root because I lost the private key --- .sops.yaml | 2 +- machines/gamepc/configuration.nix | 26 ++++--------------- machines/gamepc/nixos.sops.yaml | 32 +++++++++++------------ machines/gamepc/pim.sops.yaml | 42 +++++++++++++++---------------- machines/sue/configuration.nix | 34 +++++++------------------ machines/sue/nixos.sops.yaml | 24 +++++++++--------- machines/sue/pim.sops.yaml | 22 ++++++++-------- nixos/default.nix | 27 ++++++++++++++++++++ 8 files changed, 102 insertions(+), 107 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index c92ef52..9c0a3f9 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,6 +1,6 @@ # Public keys are combination of host + user keys: - - &sue_root age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle + - &sue_root age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q - &sue_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw - &gamepc_root age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u - &gamepc_pim age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt diff --git a/machines/gamepc/configuration.nix b/machines/gamepc/configuration.nix index b5a2146..c34b262 100644 --- a/machines/gamepc/configuration.nix +++ b/machines/gamepc/configuration.nix @@ -1,15 +1,15 @@ { - self, - pkgs, config, lib, ... -}: let - sops = lib.getExe pkgs.sops; -in { +}: { config = { pim = { cinnamon.enable = true; + sopsKeys = { + root = ./nixos.sops.yaml; + pim = ./pim.sops.yaml; + }; }; facter.reportPath = ./facter.json; @@ -30,22 +30,6 @@ in { targetHost = "gamepc"; targetUser = "root"; tags = ["desktop"]; - - keys = { - root-sops-age-key = { - keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/gamepc/nixos.sops.yaml"]; - name = "keys.txt"; - destDir = "/root/.config/sops/age"; - }; - - pim-sops-age-key = { - keyCommand = [sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/gamepc/pim.sops.yaml"]; - name = "keys.txt"; - destDir = "/home/pim/.config/sops/age"; - user = "pim"; - group = "users"; - }; - }; }; services = { diff --git a/machines/gamepc/nixos.sops.yaml b/machines/gamepc/nixos.sops.yaml index 931f2ec..7145f77 100644 --- a/machines/gamepc/nixos.sops.yaml +++ b/machines/gamepc/nixos.sops.yaml @@ -8,29 +8,29 @@ sops: - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTFlYWjZSQkZPczV2cllX - a3RBL3FSbHZGaW5vUFdKVTdSNUJmSEQwdlc4ClBScDZBVk1qYTc4UzFpc3k4Z3N6 - VzkwYXVBWVFCYUFqSHAyZjhUck8xY0kKLS0tIDdQdENRaDVKVTRUQ0dLWUNUL0tk - cjJMNG9vU1N4V2dqZWZjN21OMFJUZTAKzunMmG+NR2sFbVsl8qzdv1HEg4Ph5TFw - oIr5WWQ6RTzXTy6CwlTucnok/jwZHUloCTUeXECcSJUadeKE6MZyLA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMkRLNHNYTm55TjA4YWhF + SENVSlVVYWRQUVZNU29iWmk4dVgvSHk3Z1RNClFqcTlUcTlqNjZrMFdUTGQyU2hO + ZktIWXh5VVVsR3d2dUhDQ296RXBJSGsKLS0tIGtWQ1Jwd3U5VmxyMjExMXlQVVZ4 + aTNmRFhEaE9nbGduK2tLallTcFBSWVEKMhULgc6jkA+qJ9LrYtxcUO2k78L4LxHl + 7Okpr5UJlTVn96swt/aFEEfA1gnzGgPWU6Oir5uETBiqTVVytW16wQ== -----END AGE ENCRYPTED FILE----- - - recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle + - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWG0remtrVHloU25PNFVw - eWxMZ3pmUG1YSFVZZ0MzNEFweTJNbDVSUUQ0CklBT1NheGtmZDZkMUo4RTlHM0ow - TTdITzVJbFFQcGNLM0xxUS91K056VTAKLS0tIEpWOTZJQjN2REV0RTB5YWpjWDZa - UUxiazdLa1ZZbTcraWsvYTBsTUNQbmcKKkQnPOkD3vifcQpwzgP9wvNaYtuUZpLE - mbILfB24Ox7dmLmI9ONVDIMM12HfE2lx4cj/xndk0//izPVZgrBTdQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbHp6WkhjdDRkeWpTeTBN + ejRXMUwrSkFTTUlGMC9LNTRwemcxWXVzN1FBCkZlazlBbVM4RlJuTUtZQ1hoWkd3 + SUs5RS9Ba2k2cjhsOGkxaUt5TzF5cjQKLS0tIHFRcWFIL1EvcURURmR3a2FSSjRW + OUpUcFJ1N003OUJlMDJha09nQ1l0OWsKuxMX8dZbn75yUs5E5/hu+LjHRslcUldL + YmQl7phWnWMfgwphERpOhdMn2pczVGygriG7c0LOe6SiEiXxnUHiWw== -----END AGE ENCRYPTED FILE----- - recipient: age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDFMS293SUZqTXZtZlRT - Q0JHWmZrSHZVZmlPeUFDRG8wakdSWDF2b3pRCm83NFV1STlqQXdQMTR0Vm52ZEgy - eVlROWt0ZDE0TW1reElGQnplUENZclEKLS0tIG9ITTZiSEE4cDNxdnBQRW5tVFJk - bU9rLzRjVzBObkxocGp4UEJYMGVnckkKDQhr3qLLDrQkXa1Ei9c43irQh3suRNCK - mZPtRJc+kaUmhmF8HxVAHG4S4a5sN6sBHBFGbIGXtQzBajQreg/pYQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArc1pmV1cwTmt1RnFBb1VO + Yzd4OHNwbVBORHU1ZVRpVFpsMHlYM3BSaVhnCm5vbURWZ1kzbVZIdE9FY01Qc2tI + cVFtQTY4WnpNOEI2T1BTYkp4OWQydm8KLS0tIFE0eXpJMWxCMC9yOGNRdGNKUmll + S3I4UmRYZzRBUk5jcGtoUzFjcWdGeEEKGYB4kTpjNaAZWuu/wnBNYcSFwFEtX+pu + zzt9Nd2ahPnTMdcSLz/mwOHxyiAgBDUGsNm60EitKxl+LgmR7mBjnw== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-17T21:42:29Z" mac: ENC[AES256_GCM,data:dFwV6VpyoXRkhfL+uSiiH2EcetAb0qV3AbED2XzNwvbE+TbItcoQ6JQ/2+lItZ4iULxGOxMvD8n0ZO/aASC8fDlqsNMwf2KmNFwjl4sVJBtTLKH4Z1/5rZmECwdiTMKOf/oTv3VNgbzkcrAuKEZywl+c4iXd5w4YaJgA0M6aSWI=,iv:Zxvr8vBcDZavSbAL8Ar+Du546H1Dhp/ZXRtsjcik2RE=,tag:Od08FmjlhNYPEpMC4rQR8A==,type:str] diff --git a/machines/gamepc/pim.sops.yaml b/machines/gamepc/pim.sops.yaml index f8d7b6e..15e151f 100644 --- a/machines/gamepc/pim.sops.yaml +++ b/machines/gamepc/pim.sops.yaml @@ -8,38 +8,38 @@ sops: - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTTAxNUVSS1BRUTlYc2xm - TFFHRkVHZkwvMS9xOE9GY1BHaXorTHpNWkdJCmlKVzdvb21VYUpwcUZ0SExKbTRj - MkpPcG4rd2I2ZWlsc0VvVDNxNm82TjgKLS0tIDdCNXlMYklNc0EyMmpST1JFSTVy - aW04VUpta2JMKzlRSmVHeUg1ejNrdW8KGsBSzeMkHE2y2TfzTTBdJJ73IankxnR0 - dfZmtQyxejH4W1+v2wGTOc9EZ8R4dJX1ZdqncshWJWl2Uq36YMjuZg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWlpYcTV2TEw3TmwyaHhZ + M3hJY3VOT2NwaVZUU1cvNnRHVnhOZFRCd1cwCi8zM09icUZEUlIwTy9jVE9Takhr + T1ZuWWtkOHBGVGpHeU1VdXpvV2RRSE0KLS0tIDNyL24vWmZhRzBBRW5iMW1tSXhs + ZDhDVTcyVzk1bzVOcjJ1aDlOWEt4RzAKCuuSJ/aLZldfysSFhmUNNZULcSiBrNe9 + hTRra+FLCbNqsNt2iuImkOQwINqdlUIaC36TtXUucV3C2SyDdLo1rA== -----END AGE ENCRYPTED FILE----- - - recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle + - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOGUvQ3VWRnBsZ0syTXFh - Nm5TUC8vYkMvdDZ0SjErMjZwOHUrVy9vT1RvCndMa1V4bTJMKy9qMjY3M2FaWWMw - d2RrVDY2UWNLRjVQNTRMdU96TEFmNmMKLS0tIFFTbmhzS3UrS2crTGxlSmczcGUz - QlZQa0R5NHBLMzdVcC9WeEtBUm1tbVUK07gb5E1YyN5Sck1DWeUHQ8oB4CQOFaES - AJ8F+IrGdJ+0nsvm8d9VJ9UiluO74egettQPGDgEt4wdqFnHucmYzA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZXkyN1FxMzFiSzlVYjV4 + U0E0TWNkb3VFMjJZYUdxM0QzZmg1cUxuMWxVCnFZNkM0SmFDRFE4aHJuQnNzOHNW + ZVc2MTBMWENYeFpYT3dPZERiMHpRUVEKLS0tIHhFL0JjdURYcldTbVNUYkNKN3VR + aUQ2ckVrb3k0L2hnSUdTb3ZzeE54SkEKzh55hsegd28yvwI93xQUYCFBHz7LFQ60 + mrkrWHDBjzxH0VnKT/59YFI1QitLgxI2db6PGQl5i5LYzeBVzG58LQ== -----END AGE ENCRYPTED FILE----- - recipient: age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDS1dkMUFiSlc2ZzVzRWts - ZGxIejgwZkd2NHd1elhGL1p5ZDF0OWpuRkV3ClpNRkhuQ2dNazh3dG9lSUVCVTBz - RU9yaFhTc1dmMVg3bUlhMXNLU1RDTncKLS0tIHdVNUxTOEh2Mmk0eHFFNnQ5dU1l - S1pXZDVDbm5Za3dPUWR2SnlGekNuYkkKHvcAOL6khPmcAQYj+15lVHepLUnFQdAp - UyhJ12OohAuqfFTG6QxytdA1u648IaAZyj5qcm7z2bpV/F7Oy7i8WQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiUTR2enVtK3hEcExSL0lL + VWVHQ290WTB1cmlWbFB4TTRQaVdPRjQ2bGlRClNWeWtWMSsvL2NMbE54aDNTMmhJ + aWNSazdMMlJUaE5teDh1SWlBMFFMbVkKLS0tIG5QaktGZitaem1DaU5mL2hDZUUr + RW5RNXhpQklCQ3B5K0VoRUFZK3JEQUkKRCGn35rQOpgwxxUSvpWVxJG3gMu+aTnW + B3a/0I0QqAgcPZ3Lj/HIUDN5GUDxdmZhuMdBRKtm5uHMPzDDOXJOKA== -----END AGE ENCRYPTED FILE----- - recipient: age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWS9IeFVBVEVqcWZBNDlz - QUpGSGs2Q01CVXZmQ3N0VCtFNW5RT0JTaG5nCnJFQzg0Z2VHN25GYlRXVllYRDd2 - bFZ4L202cjRyWlpLbUxMTDJyaTQ4ajgKLS0tIGF2UUY5MVFsbG1RL3drbERKeFd2 - dnhVMXBnYjlxWWxYcm03N094a0cxWm8KDsLFtfF8ZVels+3Dnb8x6DuUBmckRkhe - t3PWOci4IzNbMBCnrUCDrBPPi6Lm/k+gp0i/U1hvPyHvbPujztT/RQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYSzhDb29pUmNvZ2Q5a3hO + R09lRThlNFpTd1FiZjdFajNMekxvQ3gvekQ0Cnd0SytUVi9JZUcvZGt4YjU3MENX + RWxMcUlRR3ZiUnVacGhBUTVseTQ4dkUKLS0tIDFabnNQbDlUcHRjUVRTVTFkTkJE + SURWUVdNYVdNRXpXYVpBVDZRS204ZVUK9DcgnwXI4cBcnl2xZWrJ1uLY8GHqL6HG + 1cGGG6WEI/EyRH0x80/Djj1d3mEUs7H66uVjbNgid6vOjLi4qTS83g== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-17T21:42:43Z" mac: ENC[AES256_GCM,data:0qHov3SY7SM0+kp4HqPi/AxnI2k2oDDmRkqFTEsqe7pJ793ldu/io027GOlmg9ZHs+aZflSl6tzMKXWAb0FR3ZCUi4pap5ZLANTYbnHN+X5/dhxoUwCwJxdhyFYntmfaFjxhPiPbhRfs/CGDhij8KyQASA/G1C2rFdH7xCYJIOA=,iv:AjnOkA9/d5+/X1Z0+if/jUBBnqFnK9by58C99VghI9I=,tag:u6EDtD2NK6dvFs6FIbur1Q==,type:str] diff --git a/machines/sue/configuration.nix b/machines/sue/configuration.nix index 20485cb..888160a 100644 --- a/machines/sue/configuration.nix +++ b/machines/sue/configuration.nix @@ -1,11 +1,4 @@ -{ - self, - pkgs, - lib, - ... -}: let - sops = lib.getExe pkgs.sops; -in { +{pkgs, ...}: { config = { pim = { lanzaboote.enable = true; @@ -14,6 +7,14 @@ in { stylix.enable = true; wireguard.enable = true; compliance.enable = true; + + sopsKeys = { + # This is the root of our secret system. + # Don't deploy this though; if it fails, + # the key will be wiped. + # root = ./nixos.sops.yaml; + pim = ./pim.sops.yaml; + }; }; users.users.pim = { @@ -25,23 +26,6 @@ in { allowLocalDeployment = true; targetHost = null; tags = ["desktop"]; - - keys = { - # TODO: Create macro for this - root-sops-age-key = { - keyCommand = ["sudo" sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/nixos.sops.yaml"]; - name = "keys.txt"; - destDir = "/root/.config/sops/age"; - }; - - pim-sops-age-key = { - keyCommand = [sops "--extract" "[\"sops_age_key\"]" "-d" "${self}/machines/sue/pim.sops.yaml"]; - name = "keys.txt"; - destDir = "/home/pim/.config/sops/age"; - user = "pim"; - group = "users"; - }; - }; }; services.tailscale.enable = true; diff --git a/machines/sue/nixos.sops.yaml b/machines/sue/nixos.sops.yaml index 71ac1d9..b0df14d 100644 --- a/machines/sue/nixos.sops.yaml +++ b/machines/sue/nixos.sops.yaml @@ -1,25 +1,25 @@ -sops_age_key: ENC[AES256_GCM,data:3PebFyNHLlycKPN0L/MAL5NpKWqUiEFxivqnPtuavnET13NEEgPvyD9ZyuSYlQRefgKNHuKaAgaMNULOyL+mWF+AV+YYiVyrp14=,iv:gvxb6BK+i270b4Pr/dwRpwno+vqVplyyWdxEQIEVjmc=,tag:5LJ609yQOBkLCCwluI3AUg==,type:str] +sops_age_key: ENC[AES256_GCM,data:xKGTAF5cVgysZPbcDgs0QF92Bw6wW78n9fm2RMdeLtywn0ga4qBO8YlrIQWCc2SfFQOTZUlz0e7QWsnbZpxN4p03XF1zusU0ceM=,iv:cDjqDYR3PKx3AbLQL5QbeFK26+Cnsk2m74mHPHIozNs=,tag:C2MzZLR2cQY/gHQNTId8UA==,type:str] wireguard: home: - presharedKey: ENC[AES256_GCM,data:TXCvGNW0iU74TnC2tlYBGhGfiuQmscVq6EPRr8dcRVI23au7nm2xQU5Ubfo=,iv:drGxozD/d0kqxJckJNKo0U7trgjAOMpztCqCxX+IJx8=,tag:liDTEqzrN48UslLMSgn6iQ==,type:str] - privateKey: ENC[AES256_GCM,data:YQZvCfXR3Gc21SDFmypBonTaVZztJm9RtO/Aaiy51PV5BfPg4Rgw5+bCuGg=,iv:K6hMqcgmhJPOfT/DGWpDb+5n2CB2nblZrIKxfRZGRek=,tag:UNsrY+WzSnh2Mh6GlY7p0A==,type:str] + presharedKey: ENC[AES256_GCM,data:nFOqWcdo8zG83v1ceod8Uy4wX3w2LHmDPp2PaAAJ/lUexU4DhY9RZ4wtgC8=,iv:UvzQSZZ62I+QVFHMkHczC2KPeqX8z+DodS7nxLmXr4U=,tag:otwdNc2636DJdkzg22puqQ==,type:str] + privateKey: ENC[AES256_GCM,data:RCQ3hvrnxCerTmKYfZFV7c9smMj5tbP+iFWouo1oxfhbec5K3uXipkL+KSg=,iv:zKSPvtDH3WcuxVpQydGScX6m0isZzLKk/F+/Wlpt/YQ=,tag:BDag2DSoHQDzg8xTS3SX3A==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle + - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bDRqNDNqYnRDZno2QnFo - MjlvNWpZNjhabDBFV2VJSGFCaWlvd21Ybmc4ClhOS3VRQ1VySFJYZWZ5ZHV4RUFs - NVo4WlFrai9CTi9uTWJGUExKWnpGN2cKLS0tIFc0UStVRGpHR3hsQUR3elFIK3Nu - ekZEZEZVTzJJYXRIT2k0OVJmZUhzN1EKVK307/rhSMQA89hHUD0MH/vhzKnmWF7K - QoTpJ20WxzLfNuGqqv9IpdRTKOrxCDbj3MUEv6d6k+X4sSEaOGVQ1A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWEc5K3p3QytpZ1pxeEJy + TUtENXdnT3ZJUGNXaHo0ZktwK21OMVJmNzA4CjdlMUtWY2hBc3U1UVZQZEllK2xC + NGZSK2VyQVdBRmZYejBWM0FIeFE5K2MKLS0tIEQ3MHhOcW92dlo4NUdBdFlKdEM0 + N1Rab3RNZ00vd0xPOVBYRHphaldWU1EKNKnKPWO1l8NwWXG2e15Y3td9I0rN9Wwn + QdoeVf2+cPJOO5g9stZpl2DBF3QxJojt+dQhwjuEbP9nQtlVQPAlMQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-17T21:25:05Z" - mac: ENC[AES256_GCM,data:qgPbH0i6difL063Nmy9EIAdkv9mq/ztGk8S8OAahDTddoUbJkC3EQUgS6lsd3KHbFBGopn1yMpuWkkOgNFc7nGy4QP0Mm8DpRaawA4vq5+QOh91CRTvQDujDw4EXEHqa27iR5dnbscU5zYMmta4Dl5FnK3ujraifdp67H1RCH0I=,iv:IZvXt93K54xshv5YcXur5MeDGPq+ROTxuFSC/B7eheM=,tag:ZFhh/yMfEMFqlerQNvMhCg==,type:str] + lastmodified: "2024-11-21T21:16:17Z" + mac: ENC[AES256_GCM,data:Z2mYTek91FLKgMpAFdRl8s2eE6r/03f9/E/XDvkwJZutI40qN6tFrDmhdPIb1U96oPGekcK9WkShIQekQIK6CiDhOAr048x2kSXvrHMZ1hg1hwO7H6jBJiFSRxM1BVBAlbcvZp5IW7e3CqfibVOgXOQvMl0CDS41ucQWV7odO6Y=,iv:7rb/VemE+cFhJ+8XUeLyp+K7FmY0XdAbgs6XWHLrV7M=,tag:vmPRTB9+EYjPLgX4qiFlXw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.8.1 diff --git a/machines/sue/pim.sops.yaml b/machines/sue/pim.sops.yaml index e32b0ac..42f63e0 100644 --- a/machines/sue/pim.sops.yaml +++ b/machines/sue/pim.sops.yaml @@ -12,20 +12,20 @@ sops: - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTENnd2J2VXFoeHhWZE5Q - MEU2Mi9hM1p3SWpRbzZNY2Zja2tFN0ZVTkVRCnVIckx3Qlo5c3M0alJPVjZaa1Y3 - RW5mamV6bmdIZ2pJZzB5KzBLTGtuUlEKLS0tIFFtT2JmZDI5V0RsL0ZxenlpWGlr - dmdiRmlxMWdmTmZUUTM1alRrMGdzYTAKbViJnEFIO3dpHYWyJxqXRkWqqpDCKV/L - jwNbatnwksT2RW6ecHUF6R/kL7YQJ5Vv3iTdCHfpcW7qRQvl0ZJEzQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMSDNyUW9aSmVIcWdnSWFw + cWdwekVzQkdjcTVRVGRzWVpHT00vZHFjRVY4Ck1OREhEN3FMQXdrQ0pjUXR3ZllY + ekhpQVJCbnZCVUNBeGVscEZPTFFqQTQKLS0tIFVVaTdOa2dxbHVGSzUyblpneXd0 + MUd4RGczTkIwRVZ6WVRQVFJSQ250SnMKhCjTAatvqkVBNcAE5lBERReKkFqlOfEG + UHzOOM+gJ6khu3Pe2+PAZbLMxkm4a+ZHruPRIl4qxzDSwQmlih1P3Q== -----END AGE ENCRYPTED FILE----- - - recipient: age1nhh8v0z758te7ggg4p73mz5p00kum03zwnjr6czeh367xjzvm9dst3ufle + - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MTlnM2VyeDhPR0lkUGtB - d0hJSHdEYUptTjBySUhUYUpVOU00QWh5ams0CkJrYWRNMFZDRkZZUGFWbnlFcXdH - dzhwZGdNU1BYWnJLUFpodzBWcHJZV1UKLS0tICtiUVVqY0loQlpTYjUzRk5YR2Vo - RkVRSHQ2cVJRdWNpZzZCd2laL1R2NjgKhaY90NYGLTuYs4hJs1so24WFvFhquD4V - KwVKoyFdni0jWOaULvA0+xausV2Hx4C1xk7b4SsuT3YkDZdOT41gHA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UzgycnJEMTcrYXcxSXMy + VnViVFZSbVZVNnN0V3AwVXBtRW1CT2hvTDBNCkQ1MUtPRmYvWmtTRVBiWGtaMWxM + TTN3U3ZFMDRJZmtvQW5ONmsyNTlSWjgKLS0tIG1RRWI1aGpYR1hTUEd0K0JtYk5Z + TFdneXZpaVZKdUsrWnludHpCQW9Mc2cKElhSussywXB3XAEN5cE6QVqXpQsebMqF + t4CmpKyxzi+JSX1S5Jy2RgHCSHafW4WFeQTt9qseBKQOQPVdwGWVhQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-17T21:12:25Z" mac: ENC[AES256_GCM,data:m9TJL1G7D0l5f6ZIC6NfKvRDuHY1l0cp9hFbsFy9f2f/ixCRM2JFuAZ4muL6eyvZqAiGgB76u26hFU+yO/E3vtnAYSrLCk1JaRe3rajZIpu+Dwe4zht7ysJ/NeybWB7KzetS8BijDjp8YDHDcX35xwT8ScWBVqj/hjxls4JRe/c=,iv:Z3tRizJNpVHyErL2iFo6ALGO97IarZPiKzyBDPm7sQA=,tag:1sH+wHJoAHfsIju+OWMTHQ==,type:str] diff --git a/nixos/default.nix b/nixos/default.nix index 111a096..07543c5 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -22,11 +22,38 @@ ./desktop.nix ]; + options = { + pim.sopsKeys = lib.mkOption { + type = lib.types.attrsOf lib.types.path; + default = {}; + }; + }; + config = { time.timeZone = "Europe/Amsterdam"; i18n.defaultLocale = "en_US.UTF-8"; hardware.pulseaudio.enable = false; + deployment.keys = + lib.mapAttrs' (user: sopsFile: let + homeDirectory = + if user == "root" + then "/root" + else "/home/${user}"; + maybeSudo = lib.optional (user == "root") "sudo"; + sops = lib.getExe pkgs.sops; + in { + name = "${user}-sops-age-key"; + value = { + keyCommand = maybeSudo ++ [sops "--extract" "[\"sops_age_key\"]" "-d" (builtins.toString sopsFile)]; + name = "keys.txt"; + destDir = "${homeDirectory}/.config/sops/age"; + inherit user; + group = "users"; + }; + }) + config.pim.sopsKeys; + systemd = { services.NetworkManager-wait-online.enable = lib.mkForce false; network.wait-online.enable = lib.mkForce false;