Refactor sops stuff

2024-11-17 21:04:03 +01:00 · 2024-11-17 21:04:03 +01:00 · 85b41d6722
commit 85b41d6722
parent 92514e08c3
11 changed files with 73 additions and 101 deletions
--- a/machines/sue/default.nix
+++ b/machines/sue/default.nix
@ -7,7 +7,6 @@
      stylix.enable = true;
      wireguard.enable = true;
      compliance.enable = true;
-      sops.enable = true;
    };

    services.tailscale.enable = true;
@ -15,6 +14,11 @@
    home-manager.users.pim.imports = [./home.nix];
    networking.hostName = "sue";

+    sops = {
+      age.keyFile = "/home/pim/.config/sops/age/keys.txt";
+      defaultSopsFile = ./nixos.sops.yaml;
+    };
+
    environment.systemPackages = with pkgs; [
      borgbackup
      kubectl
--- a/machines/sue/home.nix
+++ b/machines/sue/home.nix
@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  config,
+  ...
+}: {
  config = {
    pim = {
      tidal.enable = true;
@ -7,11 +11,16 @@
      syncthing.enable = true;
      neovim.enable = true;
      firefox.enable = true;
-      sops.enable = true;
    };

    programs.chromium.enable = true;

+    sops = {
+      defaultSopsFile = ./home.sops.yaml;
+      age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
+      secrets."keepassxc".path = "${config.xdg.configHome}/keepassxc/keepassxc.ini";
+    };
+
    home.packages =
      (with pkgs; [
        jellyfin-media-player
--- a/machines/sue/home.sops.yaml
+++ b/machines/sue/home.sops.yaml
--- a/machines/sue/nixos.sops.yaml
+++ b/machines/sue/nixos.sops.yaml
@ -0,0 +1,24 @@
+wireguard:
+    home:
+        presharedKey: ENC[AES256_GCM,data:TXCvGNW0iU74TnC2tlYBGhGfiuQmscVq6EPRr8dcRVI23au7nm2xQU5Ubfo=,iv:drGxozD/d0kqxJckJNKo0U7trgjAOMpztCqCxX+IJx8=,tag:liDTEqzrN48UslLMSgn6iQ==,type:str]
+        privateKey: ENC[AES256_GCM,data:YQZvCfXR3Gc21SDFmypBonTaVZztJm9RtO/Aaiy51PV5BfPg4Rgw5+bCuGg=,iv:K6hMqcgmhJPOfT/DGWpDb+5n2CB2nblZrIKxfRZGRek=,tag:UNsrY+WzSnh2Mh6GlY7p0A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSZG5oSDZCdjBPalBOTDVU
+            aDJVaC9lSE9jZ2M3aEVaZTd0YXh3azBQTkdrCjc2QWFUN2U2ZFdRc1VSMXhwRTRu
+            N2VpY0haNElXVmhzVUhoZFNnNXYvc1kKLS0tIFRHRlJzS0J5b1J4a1dTSERmc2hy
+            NGxjNVpvQnU1WVoyQ2xDeE16b2JuWEEKiVqccRZfhp1mQ3ecnogxrIkC6EZq4kUG
+            kLJbBFwf1FkWZQgFq9tKNBf0vykjF0qnSDXn1xpIqht3B9Vtnggjvw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-17T18:33:25Z"
+    mac: ENC[AES256_GCM,data:korXgi1xEdCr18DQNFF5XwuFum3GinSLH+L5Mhhy1PHzGJ4S8WuutRONnbX4tw2p16XH/KPszA3u+ypo3IthEEJu8KrmlHhUrZiA2scWpNL3CEaDuNJ6CN9feLgS0FExYxWWQ7qLorTH1JuzRhg0aW3cKoTW32FscrAku/ni3pw=,iv:MskH0LE+xHCNYRvOiBVW173ePQsg22Fm/XUwS7Jzxwk=,tag:MVcDcUVVUtsIKbROWnboGg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1