Refactor sops stuff

Pim Kunis 2024-11-17 21:04:03 +01:00
parent 92514e08c3
commit 85b41d6722
11 changed files with 73 additions and 101 deletions


@ -1,2 +1,8 @@
keys:
- &admin_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
creation_rules: creation_rules:
- age: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw - path_regex: machines/sue/.*\.sops\.yaml
key_groups:
- age:
- *admin_pim
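Review bot: The `path_regex` on the new creation rule, `machines/sue/.*\.sops\.yaml`, is unanchored (sops matches it as an ordinary regex against the relative path), so it also matches any path that merely contains that substring, including names such as `x.sops.yaml.bak` where `.*` swallows the middle. Anchoring it as `path_regex: ^machines/sue/.*\.sops\.yaml$` restricts the rule to exactly the intended files. There is no fallback rule, which appears to be fail-closed (sops reports no matching creation rule rather than encrypting to nothing), so that part looks intentional, though whether every remaining sops file lives under `machines/sue/` cannot be seen on this page.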


@ -2,7 +2,6 @@
lib, lib,
config, config,
inputs, inputs,
self,
... ...
}: { }: {
imports = [ imports = [
@ -12,8 +11,8 @@
./gnome.nix ./gnome.nix
./syncthing.nix ./syncthing.nix
./vscode.nix ./vscode.nix
./sops.nix
inputs.nix-index-database.hmModules.nix-index inputs.nix-index-database.hmModules.nix-index
inputs.sops-nix.homeManagerModules.sops
]; ];
xsession.enable = true; xsession.enable = true;


@ -1,23 +0,0 @@
{
self,
config,
inputs,
lib,
...
}: let
cfg = config.pim.sops;
in {
imports = [inputs.sops-nix.homeManagerModules.sops];
options.pim.sops.enable = lib.mkEnableOption "sops";
config = lib.mkIf cfg.enable {
sops = {
age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
defaultSopsFile = "${self}/secrets/pim.yaml";
secrets = {
"keepassxc".path = "${config.xdg.configHome}/keepassxc/keepassxc.ini";
};
};
};
}


@ -7,7 +7,6 @@
stylix.enable = true; stylix.enable = true;
wireguard.enable = true; wireguard.enable = true;
compliance.enable = true; compliance.enable = true;
sops.enable = true;
}; };
services.tailscale.enable = true; services.tailscale.enable = true;
@ -15,6 +14,11 @@
home-manager.users.pim.imports = [./home.nix]; home-manager.users.pim.imports = [./home.nix];
networking.hostName = "sue"; networking.hostName = "sue";
sops = {
age.keyFile = "/home/pim/.config/sops/age/keys.txt";
defaultSopsFile = ./nixos.sops.yaml;
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
borgbackup borgbackup
kubectl kubectl
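Review bot: `age.keyFile = "/home/pim/.config/sops/age/keys.txt"` hard-codes a path under a user's home for a key that the sops-nix NixOS module reads as root during system activation; if `/home` is a separate or later-mounted filesystem, activation can run before the key is readable, and the same location is typed out independently in home.nix (`${config.xdg.configHome}/sops/age/keys.txt`), so the two copies can silently drift apart. Deriving it from the user definition, `age.keyFile = "${config.users.users.pim.home}/.config/sops/age/keys.txt";`, removes one hand-written copy, assuming `config` is among this module's arguments (the argument list is outside the hunk). The deleted module also installed `pkgs.sops` via `environment.systemPackages`; the new block drops that, so unless it is added further down the package list that begins at the end of this hunk, the `sops` CLI is no longer on the system after the refactor.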


@ -1,4 +1,8 @@
{pkgs, ...}: { {
pkgs,
config,
...
}: {
config = { config = {
pim = { pim = {
tidal.enable = true; tidal.enable = true;
@ -7,11 +11,16 @@
syncthing.enable = true; syncthing.enable = true;
neovim.enable = true; neovim.enable = true;
firefox.enable = true; firefox.enable = true;
sops.enable = true;
}; };
programs.chromium.enable = true; programs.chromium.enable = true;
sops = {
defaultSopsFile = ./home.sops.yaml;
age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
secrets."keepassxc".path = "${config.xdg.configHome}/keepassxc/keepassxc.ini";
};
home.packages = home.packages =
(with pkgs; [ (with pkgs; [
jellyfin-media-player jellyfin-media-player

File diff suppressed because one or more lines are too long


@ -0,0 +1,24 @@
wireguard:
home:
presharedKey: ENC[AES256_GCM,data:TXCvGNW0iU74TnC2tlYBGhGfiuQmscVq6EPRr8dcRVI23au7nm2xQU5Ubfo=,iv:drGxozD/d0kqxJckJNKo0U7trgjAOMpztCqCxX+IJx8=,tag:liDTEqzrN48UslLMSgn6iQ==,type:str]
privateKey: ENC[AES256_GCM,data:YQZvCfXR3Gc21SDFmypBonTaVZztJm9RtO/Aaiy51PV5BfPg4Rgw5+bCuGg=,iv:K6hMqcgmhJPOfT/DGWpDb+5n2CB2nblZrIKxfRZGRek=,tag:UNsrY+WzSnh2Mh6GlY7p0A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSZG5oSDZCdjBPalBOTDVU
aDJVaC9lSE9jZ2M3aEVaZTd0YXh3azBQTkdrCjc2QWFUN2U2ZFdRc1VSMXhwRTRu
N2VpY0haNElXVmhzVUhoZFNnNXYvc1kKLS0tIFRHRlJzS0J5b1J4a1dTSERmc2hy
NGxjNVpvQnU1WVoyQ2xDeE16b2JuWEEKiVqccRZfhp1mQ3ecnogxrIkC6EZq4kUG
kLJbBFwf1FkWZQgFq9tKNBf0vykjF0qnSDXn1xpIqht3B9Vtnggjvw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-17T18:33:25Z"
mac: ENC[AES256_GCM,data:korXgi1xEdCr18DQNFF5XwuFum3GinSLH+L5Mhhy1PHzGJ4S8WuutRONnbX4tw2p16XH/KPszA3u+ypo3IthEEJu8KrmlHhUrZiA2scWpNL3CEaDuNJ6CN9feLgS0FExYxWWQ7qLorTH1JuzRhg0aW3cKoTW32FscrAku/ni3pw=,iv:MskH0LE+xHCNYRvOiBVW173ePQsg22Fm/XUwS7Jzxwk=,tag:MVcDcUVVUtsIKbROWnboGg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
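Review bot: The new secrets file is encrypted to a single age recipient (`age189l…0upuvw`) and the `sops` metadata lists no other key type (`kms`, `gcp_kms`, `azure_kv`, `hc_vault` and `pgp` are all empty), so loss of that one private key makes the wireguard `privateKey` and `presharedKey` unrecoverable, and rotating the admin key means re-encrypting every file by hand. Since `.sops.yaml` in this commit now declares recipients through `key_groups`, adding a second, offline-held recovery recipient under the same group and running `sops updatekeys` on this file would cover that without touching the deployed NixOS config. Whether the wireguard values were regenerated or merely re-encrypted from the deleted `secrets.yaml` cannot be told from the ciphertext, so a comment in the commit description would be the place to record that.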


@ -10,9 +10,9 @@
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
inputs.nixos-facter-modules.nixosModules.facter inputs.nixos-facter-modules.nixosModules.facter
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
inputs.sops-nix.nixosModules.sops
./lanzaboote.nix ./lanzaboote.nix
./tidal.nix ./tidal.nix
./sops.nix
./stylix.nix ./stylix.nix
./wireguard.nix ./wireguard.nix
./gnome.nix ./gnome.nix


@ -1,22 +0,0 @@
{
inputs,
pkgs,
self,
config,
lib,
...
}: let
cfg = config.pim.sops;
in {
imports = [inputs.sops-nix.nixosModules.sops];
options.pim.sops.enable = lib.mkEnableOption "sops";
config = lib.mkIf cfg.enable {
environment.systemPackages = [pkgs.sops];
sops = {
age.keyFile = "/home/pim/.config/sops/age/keys.txt";
defaultSopsFile = "${self}/secrets/secrets.yaml";
};
};
}

File diff suppressed because one or more lines are too long


@ -1,25 +0,0 @@
testje: ENC[AES256_GCM,data:kMnaocttth1O6g==,iv:mV9gEMdomVhmOTBUWIFz3o23TBb7DLM2rXI/Tb81bSg=,tag:qj6TlvW5sY6Ek9M0GIqB3A==,type:str]
wireguard:
home:
presharedKey: ENC[AES256_GCM,data:H+oCRsg2ikN9KyVacEFasYmx5XE1zrnjBthkL5OitOXHTr4Ls0zwoF5StXs=,iv:N63wO4TKagbweStqf7wL3YZ0njxDNvrISErPao5wf7o=,tag:67kZcNaCzv3RI41XmA+UFQ==,type:str]
privateKey: ENC[AES256_GCM,data:WcPVrLiy2JJvzIh7sUpHMnt1MNx5rw5bI+xGmkitC9nEiNytMG71wmlC4d0=,iv:sl8gZgCzaW10UH0GLycvQVHqBlDVq7BUgoIEl41lc20=,tag:7oLlVjulxuEsW+pS8sZ+Ew==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWL1dlTjFNTXRPd0ppbE1i
THlsMzB1K041eUdTemRseGk5dkVwUDk2TFIwCnR1WE9iYXhHWHprZCtlSFExakhs
R0FtcEc0VTJ4WFBORFluYTdBTFh1NzAKLS0tIGtrYkVPSEVXV1dnb1J4V1pkQktW
VjNXUkpmVmxyNDNsT0ZjQjhOYklEbW8KV86AD+8QE14BZxWb7TVolwlcy1eFKxks
rOpqcXBqtUPaBC10IhVV434DGFIZMtRuYEQ4G/sdCsc3qiNxO3Cl4A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-15T14:04:18Z"
mac: ENC[AES256_GCM,data:6YKdfUk4ltXQ6U7FHs9ehGDUVzfZo1cKnSJMp+zYBEBnhmz7LdCBZycBpJ9syJn4WW1jZ8Bz7+lIxDsXm35AhjI+Mia20BqcWotcCaoHUslK+QV/YRIw8wxP7pvOKNeTa9UMhrcpXBVJxdQvKEBZPWziD4Xk3RGomvGEjB3xXKY=,iv:Tvgo/tlxnNk31C/cqCAKIGRdYEug9DdqeIUdJgQj4yE=,tag:z/tWTyiYmUmc2zVc3mQq0Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1