diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..ff1eaee
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,2 @@
+creation_rules:
+ - age: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
diff --git a/configuration.nix b/configuration.nix
index 74f36cf..8e7e38e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,8 +1,8 @@
 { pkgs, config, lib, inputs, flake, system, ... }: {
 imports = [
 inputs.stylix.nixosModules.stylix
- inputs.agenix.nixosModules.default
 inputs.home-manager.nixosModules.home-manager
+ inputs.sops-nix.nixosModules.sops
 "${flake}/modules/nixos/lanzaboote.nix"
 ];
@@ -133,28 +133,18 @@
 };
 };
- age = {
- identityPaths = [ "/home/pim/.ssh/age_ed25519" ];
-
- secrets = {
- wg-quick-home-privkey.file = ./secrets/wg-quick-home-privkey.age;
- wg-quick-home-preshared-key.file =
- ./secrets/wg-quick-home-preshared-key.age;
- };
- };
-
 networking = {
 useDHCP = lib.mkDefault true;
 wg-quick.interfaces = {
 home = {
- privateKeyFile = config.age.secrets.wg-quick-home-privkey.path;
+ privateKeyFile = config.sops.secrets."wireguard/home/privateKey".path;
 address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ];
 dns = [ "192.168.30.131" ];
 autostart = false;
 mtu = 1412;
 peers = [{
- presharedKeyFile = config.age.secrets.wg-quick-home-preshared-key.path;
+ presharedKeyFile = config.sops.secrets."wireguard/home/presharedKey".path;
 endpoint = "wg.kun.is:51820";
 publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
 allowedIPs = [ "0.0.0.0/0" "::/0" ];
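Review bot: The single creation rule in `.sops.yaml` names one age recipient and no `path_regex`, so every sops-managed file in this repo is decryptable only by that one identity, and nothing in the rule ties it to the host that must decrypt at activation. If that key file is lost the WireGuard private and preshared keys are unrecoverable, and decryption on the machine depends on a user-held key being present. The usual sops-nix layout adds the target host's key as a second recipient (`ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub`) and scopes the rule, e.g. `- path_regex: secrets/.*\.yaml$` with both `age1…` recipients, followed by `sops updatekeys secrets/secrets.yaml`. The removed agenix config had the same single `identityPaths` entry, so this is carried over rather than introduced here, but the migration is the natural moment to fix it.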
@@ -162,13 +152,13 @@
 };
 home-no-pihole = {
- privateKeyFile = config.age.secrets.wg-quick-home-privkey.path;
+ privateKeyFile = config.sops.secrets."wireguard/home/privateKey".path;
 address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ];
 dns = [ "192.168.10.1" ];
 autostart = false;
 mtu = 1412;
 peers = [{
- presharedKeyFile = config.age.secrets.wg-quick-home-preshared-key.path;
+ presharedKeyFile = config.sops.secrets."wireguard/home/presharedKey".path;
 endpoint = "wg.kun.is:51820";
 publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
 allowedIPs = [ "0.0.0.0/0" "::/0" ];
@@ -262,4 +252,11 @@
 inputs.homeage.homeManagerModules.homeage
 ];
 };
+
+ sops = {
+ age.keyFile = "/home/pim/.config/sops/age/keys.txt";
+ defaultSopsFile = ./secrets/secrets.yaml;
+ secrets."wireguard/home/presharedKey" = { };
+ secrets."wireguard/home/privateKey" = { };
+ };
 }
diff --git a/flake.lock b/flake.lock
index ef22032..8642368 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,30 +1,5 @@
 {
 "nodes": {
- "agenix": {
- "inputs": {
- "darwin": "darwin",
- "home-manager": [
- "home-manager"
- ],
- "nixpkgs": [
- "nixpkgs"
- ],
- "systems": "systems"
- },
- "locked": {
- "lastModified": 1716561646,
- "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
- "owner": "ryantm",
- "repo": "agenix",
- "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
- "type": "github"
- },
- "original": {
- "owner": "ryantm",
- "repo": "agenix",
- "type": "github"
- }
- },
 "base16": {
 "inputs": {
 "fromYaml": "fromYaml"
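Review bot: `age.keyFile = "/home/pim/.config/sops/age/keys.txt"` makes root's decryption of system-level secrets during activation depend on a file inside a user's home directory: anything running as pim can read or replace the identity that unlocks the machine's WireGuard private key, and if `/home` is a separate or encrypted mount that is not available when the activation script runs, decryption fails and both wg-quick interfaces lose their key files. Prefer a root-only identity, e.g. `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` with the host key added as a recipient in `.sops.yaml`, or at least move the file to a root-owned path such as `/var/lib/sops-nix/key.txt`. The removed agenix block used `/home/pim/.ssh/age_ed25519` the same way, so this is inherited rather than new. The two `secrets."wireguard/home/…" = { }` entries appear to rely on sops-nix's defaults (root-owned, mode 0400), which is appropriate since wg-quick runs as root; a short comment stating that intent, e.g. `# root:0400 by default; consumed by wg-quick as root`, would save the next reader a lookup.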
@@ -172,28 +147,6 @@
 "type": "github"
 }
 },
- "darwin": {
- "inputs": {
- "nixpkgs": [
- "agenix",
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1700795494,
- "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
- "owner": "lnl7",
- "repo": "nix-darwin",
- "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
- "type": "github"
- },
- "original": {
- "owner": "lnl7",
- "ref": "master",
- "repo": "nix-darwin",
- "type": "github"
- }
- },
 "disko": {
 "inputs": {
 "nixpkgs": [
@@ -269,7 +222,7 @@
 },
 "flake-utils": {
 "inputs": {
- "systems": "systems_2"
+ "systems": "systems"
 },
 "locked": {
 "lastModified": 1681202837,
@@ -493,6 +446,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable_2": {
+ "locked": {
+ "lastModified": 1717880976,
+ "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-unstable": {
 "locked": {
 "lastModified": 1717868076,
@@ -573,7 +542,6 @@
 },
 "root": {
 "inputs": {
- "agenix": "agenix",
 "disko": "disko",
 "home-manager": "home-manager",
 "homeage": "homeage",
@@ -583,6 +551,7 @@
 "nixpkgs": "nixpkgs",
 "nixpkgs-unstable": "nixpkgs-unstable",
 "nur": "nur",
+ "sops-nix": "sops-nix",
 "stylix": "stylix"
 }
 },
@@ -611,6 +580,27 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable_2"
+ },
+ "locked": {
+ "lastModified": 1718137936,
+ "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "stylix": {
 "inputs": {
 "base16": "base16",
@@ -653,21 +643,6 @@
 "repo": "default",
 "type": "github"
 }
- },
- "systems_2": {
- "locked": {
- "lastModified": 1681028828,
- "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
- "owner": "nix-systems",
- "repo": "default",
- "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
- "type": "github"
- },
- "original": {
- "owner": "nix-systems",
- "repo": "default",
- "type": "github"
- }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index a505d34..6e66778 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,12 +18,6 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
- agenix = {
- url = "github:ryantm/agenix";
- inputs.nixpkgs.follows = "nixpkgs";
- inputs.home-manager.follows = "home-manager";
- };
-
 lanzaboote = {
 url = "github:nix-community/lanzaboote/v0.3.0";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -39,6 +33,11 @@
 url = "https://github.com/NixOS/nixos-artwork.git";
 flake = false;
 };
+
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs =
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..8b7c18d
--- /dev/null
+++ b/secrets/secrets.yaml
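Review bot: The new `sops-nix` input only overrides `nixpkgs`, and the lock shows it still drags in its own `nixpkgs-stable` (the added `nixpkgs-stable_2` node pinned to `release-23.11`), which is a second full nixpkgs checkout to fetch, lock and audit on every `nix flake update`. If this flake's `nixpkgs` is the stable channel, add `inputs.nixpkgs-stable.follows = "nixpkgs";` inside the `sops-nix = { … };` block next to the existing `follows`; as far as I can tell that input is only used by sops-nix's own checks, so following it is safe. The input tracks the default branch exactly as the removed agenix entry did and the lock pins rev `c279dec…`, so reproducibility is unchanged by this commit.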
@@ -0,0 +1,25 @@
+testje: ENC[AES256_GCM,data:kMnaocttth1O6g==,iv:mV9gEMdomVhmOTBUWIFz3o23TBb7DLM2rXI/Tb81bSg=,tag:qj6TlvW5sY6Ek9M0GIqB3A==,type:str]
+wireguard:
+ home:
+ presharedKey: ENC[AES256_GCM,data:H+oCRsg2ikN9KyVacEFasYmx5XE1zrnjBthkL5OitOXHTr4Ls0zwoF5StXs=,iv:N63wO4TKagbweStqf7wL3YZ0njxDNvrISErPao5wf7o=,tag:67kZcNaCzv3RI41XmA+UFQ==,type:str]
+ privateKey: ENC[AES256_GCM,data:WcPVrLiy2JJvzIh7sUpHMnt1MNx5rw5bI+xGmkitC9nEiNytMG71wmlC4d0=,iv:sl8gZgCzaW10UH0GLycvQVHqBlDVq7BUgoIEl41lc20=,tag:7oLlVjulxuEsW+pS8sZ+Ew==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWL1dlTjFNTXRPd0ppbE1i
+ THlsMzB1K041eUdTemRseGk5dkVwUDk2TFIwCnR1WE9iYXhHWHprZCtlSFExakhs
+ R0FtcEc0VTJ4WFBORFluYTdBTFh1NzAKLS0tIGtrYkVPSEVXV1dnb1J4V1pkQktW
+ VjNXUkpmVmxyNDNsT0ZjQjhOYklEbW8KV86AD+8QE14BZxWb7TVolwlcy1eFKxks
+ rOpqcXBqtUPaBC10IhVV434DGFIZMtRuYEQ4G/sdCsc3qiNxO3Cl4A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-06-15T14:04:18Z"
+ mac: ENC[AES256_GCM,data:6YKdfUk4ltXQ6U7FHs9ehGDUVzfZo1cKnSJMp+zYBEBnhmz7LdCBZycBpJ9syJn4WW1jZ8Bz7+lIxDsXm35AhjI+Mia20BqcWotcCaoHUslK+QV/YRIw8wxP7pvOKNeTa9UMhrcpXBVJxdQvKEBZPWziD4Xk3RGomvGEjB3xXKY=,iv:Tvgo/tlxnNk31C/cqCAKIGRdYEug9DdqeIUdJgQj4yE=,tag:z/tWTyiYmUmc2zVc3mQq0Q==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
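Review bot: The top-level `testje:` entry reads as a leftover from trying out sops and is now committed next to the real WireGuard material; nothing in `configuration.nix` declares a `sops.secrets.testje`, so it is dead ciphertext. Because `sops.mac` is computed over every value, remove it through the sops editor (`sops secrets/secrets.yaml`) rather than by hand-editing the file, which would invalidate the MAC and make every secret fail to decrypt at activation. Separately, this diff does not delete the old `secrets/wg-quick-home-privkey.age` and `secrets/wg-quick-home-preshared-key.age` files the removed agenix block referenced; if they still exist in the repo they are stale copies of the same keys under the old identity and should go in the same change.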