Replace agenix with sops-nix
This commit is contained in:
parent
80530d6290
commit
03608f96d7
5 changed files with 83 additions and 85 deletions
2
.sops.yaml
Normal file
2
.sops.yaml
Normal file
|
|
@ -0,0 +1,2 @@
|
||||||
|
creation_rules:
|
||||||
|
- age: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
||||||
|
|
@ -1,8 +1,8 @@
|
||||||
{ pkgs, config, lib, inputs, flake, system, ... }: {
|
{ pkgs, config, lib, inputs, flake, system, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
inputs.stylix.nixosModules.stylix
|
inputs.stylix.nixosModules.stylix
|
||||||
inputs.agenix.nixosModules.default
|
|
||||||
inputs.home-manager.nixosModules.home-manager
|
inputs.home-manager.nixosModules.home-manager
|
||||||
|
inputs.sops-nix.nixosModules.sops
|
||||||
"${flake}/modules/nixos/lanzaboote.nix"
|
"${flake}/modules/nixos/lanzaboote.nix"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
@ -133,28 +133,18 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
age = {
|
|
||||||
identityPaths = [ "/home/pim/.ssh/age_ed25519" ];
|
|
||||||
|
|
||||||
secrets = {
|
|
||||||
wg-quick-home-privkey.file = ./secrets/wg-quick-home-privkey.age;
|
|
||||||
wg-quick-home-preshared-key.file =
|
|
||||||
./secrets/wg-quick-home-preshared-key.age;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
useDHCP = lib.mkDefault true;
|
useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
wg-quick.interfaces = {
|
wg-quick.interfaces = {
|
||||||
home = {
|
home = {
|
||||||
privateKeyFile = config.age.secrets.wg-quick-home-privkey.path;
|
privateKeyFile = config.sops.secrets."wireguard/home/privateKey".path;
|
||||||
address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ];
|
address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ];
|
||||||
dns = [ "192.168.30.131" ];
|
dns = [ "192.168.30.131" ];
|
||||||
autostart = false;
|
autostart = false;
|
||||||
mtu = 1412;
|
mtu = 1412;
|
||||||
peers = [{
|
peers = [{
|
||||||
presharedKeyFile = config.age.secrets.wg-quick-home-preshared-key.path;
|
presharedKeyFile = config.sops.secrets."wireguard/home/presharedKey".path;
|
||||||
endpoint = "wg.kun.is:51820";
|
endpoint = "wg.kun.is:51820";
|
||||||
publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
|
publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
|
||||||
allowedIPs = [ "0.0.0.0/0" "::/0" ];
|
allowedIPs = [ "0.0.0.0/0" "::/0" ];
|
||||||
|
|
@ -162,13 +152,13 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
home-no-pihole = {
|
home-no-pihole = {
|
||||||
privateKeyFile = config.age.secrets.wg-quick-home-privkey.path;
|
privateKeyFile = config.sops.secrets."wireguard/home/privateKey".path;
|
||||||
address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ];
|
address = [ "10.225.191.4/24" "fd11:5ee:bad:c0de::4/128" ];
|
||||||
dns = [ "192.168.10.1" ];
|
dns = [ "192.168.10.1" ];
|
||||||
autostart = false;
|
autostart = false;
|
||||||
mtu = 1412;
|
mtu = 1412;
|
||||||
peers = [{
|
peers = [{
|
||||||
presharedKeyFile = config.age.secrets.wg-quick-home-preshared-key.path;
|
presharedKeyFile = config.sops.secrets."wireguard/home/presharedKey".path;
|
||||||
endpoint = "wg.kun.is:51820";
|
endpoint = "wg.kun.is:51820";
|
||||||
publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
|
publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg=";
|
||||||
allowedIPs = [ "0.0.0.0/0" "::/0" ];
|
allowedIPs = [ "0.0.0.0/0" "::/0" ];
|
||||||
|
|
@ -262,4 +252,11 @@
|
||||||
inputs.homeage.homeManagerModules.homeage
|
inputs.homeage.homeManagerModules.homeage
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops = {
|
||||||
|
age.keyFile = "/home/pim/.config/sops/age/keys.txt";
|
||||||
|
defaultSopsFile = ./secrets/secrets.yaml;
|
||||||
|
secrets."wireguard/home/presharedKey" = { };
|
||||||
|
secrets."wireguard/home/privateKey" = { };
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
103
flake.lock
103
flake.lock
|
|
@ -1,30 +1,5 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
"agenix": {
|
|
||||||
"inputs": {
|
|
||||||
"darwin": "darwin",
|
|
||||||
"home-manager": [
|
|
||||||
"home-manager"
|
|
||||||
],
|
|
||||||
"nixpkgs": [
|
|
||||||
"nixpkgs"
|
|
||||||
],
|
|
||||||
"systems": "systems"
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1716561646,
|
|
||||||
"narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
|
|
||||||
"owner": "ryantm",
|
|
||||||
"repo": "agenix",
|
|
||||||
"rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "ryantm",
|
|
||||||
"repo": "agenix",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"base16": {
|
"base16": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"fromYaml": "fromYaml"
|
"fromYaml": "fromYaml"
|
||||||
|
|
@ -172,28 +147,6 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"darwin": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": [
|
|
||||||
"agenix",
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1700795494,
|
|
||||||
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
|
|
||||||
"owner": "lnl7",
|
|
||||||
"repo": "nix-darwin",
|
|
||||||
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "lnl7",
|
|
||||||
"ref": "master",
|
|
||||||
"repo": "nix-darwin",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"disko": {
|
"disko": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
|
@ -269,7 +222,7 @@
|
||||||
},
|
},
|
||||||
"flake-utils": {
|
"flake-utils": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"systems": "systems_2"
|
"systems": "systems"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1681202837,
|
"lastModified": 1681202837,
|
||||||
|
|
@ -493,6 +446,22 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs-stable_2": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1717880976,
|
||||||
|
"narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "release-23.11",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1717868076,
|
"lastModified": 1717868076,
|
||||||
|
|
@ -573,7 +542,6 @@
|
||||||
},
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"agenix": "agenix",
|
|
||||||
"disko": "disko",
|
"disko": "disko",
|
||||||
"home-manager": "home-manager",
|
"home-manager": "home-manager",
|
||||||
"homeage": "homeage",
|
"homeage": "homeage",
|
||||||
|
|
@ -583,6 +551,7 @@
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||||
"nur": "nur",
|
"nur": "nur",
|
||||||
|
"sops-nix": "sops-nix",
|
||||||
"stylix": "stylix"
|
"stylix": "stylix"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
@ -611,6 +580,27 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"sops-nix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1718137936,
|
||||||
|
"narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"stylix": {
|
"stylix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"base16": "base16",
|
"base16": "base16",
|
||||||
|
|
@ -653,21 +643,6 @@
|
||||||
"repo": "default",
|
"repo": "default",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
|
||||||
"systems_2": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1681028828,
|
|
||||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"root": "root",
|
"root": "root",
|
||||||
|
|
|
||||||
11
flake.nix
11
flake.nix
|
|
@ -18,12 +18,6 @@
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
agenix = {
|
|
||||||
url = "github:ryantm/agenix";
|
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
inputs.home-manager.follows = "home-manager";
|
|
||||||
};
|
|
||||||
|
|
||||||
lanzaboote = {
|
lanzaboote = {
|
||||||
url = "github:nix-community/lanzaboote/v0.3.0";
|
url = "github:nix-community/lanzaboote/v0.3.0";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
@ -39,6 +33,11 @@
|
||||||
url = "https://github.com/NixOS/nixos-artwork.git";
|
url = "https://github.com/NixOS/nixos-artwork.git";
|
||||||
flake = false;
|
flake = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops-nix = {
|
||||||
|
url = "github:Mic92/sops-nix";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs =
|
outputs =
|
||||||
|
|
|
||||||
25
secrets/secrets.yaml
Normal file
25
secrets/secrets.yaml
Normal file
|
|
@ -0,0 +1,25 @@
|
||||||
|
testje: ENC[AES256_GCM,data:kMnaocttth1O6g==,iv:mV9gEMdomVhmOTBUWIFz3o23TBb7DLM2rXI/Tb81bSg=,tag:qj6TlvW5sY6Ek9M0GIqB3A==,type:str]
|
||||||
|
wireguard:
|
||||||
|
home:
|
||||||
|
presharedKey: ENC[AES256_GCM,data:H+oCRsg2ikN9KyVacEFasYmx5XE1zrnjBthkL5OitOXHTr4Ls0zwoF5StXs=,iv:N63wO4TKagbweStqf7wL3YZ0njxDNvrISErPao5wf7o=,tag:67kZcNaCzv3RI41XmA+UFQ==,type:str]
|
||||||
|
privateKey: ENC[AES256_GCM,data:WcPVrLiy2JJvzIh7sUpHMnt1MNx5rw5bI+xGmkitC9nEiNytMG71wmlC4d0=,iv:sl8gZgCzaW10UH0GLycvQVHqBlDVq7BUgoIEl41lc20=,tag:7oLlVjulxuEsW+pS8sZ+Ew==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWL1dlTjFNTXRPd0ppbE1i
|
||||||
|
THlsMzB1K041eUdTemRseGk5dkVwUDk2TFIwCnR1WE9iYXhHWHprZCtlSFExakhs
|
||||||
|
R0FtcEc0VTJ4WFBORFluYTdBTFh1NzAKLS0tIGtrYkVPSEVXV1dnb1J4V1pkQktW
|
||||||
|
VjNXUkpmVmxyNDNsT0ZjQjhOYklEbW8KV86AD+8QE14BZxWb7TVolwlcy1eFKxks
|
||||||
|
rOpqcXBqtUPaBC10IhVV434DGFIZMtRuYEQ4G/sdCsc3qiNxO3Cl4A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-06-15T14:04:18Z"
|
||||||
|
mac: ENC[AES256_GCM,data:6YKdfUk4ltXQ6U7FHs9ehGDUVzfZo1cKnSJMp+zYBEBnhmz7LdCBZycBpJ9syJn4WW1jZ8Bz7+lIxDsXm35AhjI+Mia20BqcWotcCaoHUslK+QV/YRIw8wxP7pvOKNeTa9UMhrcpXBVJxdQvKEBZPWziD4Xk3RGomvGEjB3xXKY=,iv:Tvgo/tlxnNk31C/cqCAKIGRdYEug9DdqeIUdJgQj4yE=,tag:z/tWTyiYmUmc2zVc3mQq0Q==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
||||||
Loading…
Reference in a new issue