From 594c1d07e7f647ce8f441c9074377e3ae031eef2 Mon Sep 17 00:00:00 2001 From: tux Date: Thu, 7 May 2026 17:16:30 +0530 Subject: [PATCH] feat: setup sops-nix --- .sops.yaml | 13 +++++++++++++ modules/hosts/sirius/config.nix | 5 +++++ modules/hosts/sirius/secrets.yaml | 25 +++++++++++++++++++++++++ modules/nixos/core/sops.nix | 25 +++++++++++++++++++++++++ modules/nixos/core/users.nix | 3 ++- 5 files changed, 70 insertions(+), 1 deletion(-) create mode 100644 .sops.yaml create mode 100644 modules/hosts/sirius/secrets.yaml create mode 100644 modules/nixos/core/sops.nix diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..ef4ab7e --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,13 @@ +keys: + - &users + - &tux age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4 + + - &hosts + - &sirius age18hepvvp3nw9ram6usxc8rvpxed2pye0knqx0zutqgxeu35k745vqyxfphz + +creation_rules: + - path_regex: hosts/sirius/secrets.yaml$ + key_groups: + - age: + - *tux + - *sirius diff --git a/modules/hosts/sirius/config.nix b/modules/hosts/sirius/config.nix index c0b5bd5..726200c 100644 --- a/modules/hosts/sirius/config.nix +++ b/modules/hosts/sirius/config.nix @@ -15,6 +15,11 @@ tnix.services.openssh.enable = true; + sops.secrets.tux-password = { + sopsFile = ./secrets.yaml; + neededForUsers = true; + }; + # --- Boot --- boot = { loader = { diff --git a/modules/hosts/sirius/secrets.yaml b/modules/hosts/sirius/secrets.yaml new file mode 100644 index 0000000..94d0f6c --- /dev/null +++ b/modules/hosts/sirius/secrets.yaml 
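Review bot: The `&users` and `&hosts` anchors on the two list items in `keys:` are never referenced; the creation rule only uses the inner `*tux` and `*sirius` anchors, so the outer two are dead weight and can be dropped (a YAML alias to a whole list cannot be spliced into another list anyway). The single creation rule is scoped to `hosts/sirius/secrets.yaml$`, which is fine for now, but a secrets file for any other host will match no rule and sops will refuse to encrypt it until a rule is added; a one-line comment above `creation_rules:` saying that each host needs its own rule with its own host key would save the next person a round trip, e.g. `# one rule per host: list the editing user key(s) plus that host's ssh host key (as age recipient)`.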
@@ -0,0 +1,25 @@ +tux-password: ENC[AES256_GCM,data:EJFFMc0W1YvCLINg4kETlUbqMYSfRTsiRuoB5MybaVwl7bbBXyPFo/MspFFMXpAqSPrzRAPaM8Lxk9ndbjt7gZpSu1dPThq36Q==,iv:zn3UUMOcW09u6KTz87tDr1wfmsLMKIRBDpLfQhg0p14=,tag:AOs7NASXeo98mNKqsYP3Ww==,type:str] +sops: + age: + - recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyblpIWjNqeVBXWnFlSGxw + WXhPYlFDNVV2QktKQ2dKdEgxY0dnR2JuRUdRCk5ZNTc0RGpZOG5SRCtRQ0JsdkZt + ZEZQSWswa1FTRU04Ky9vWDdOTWdZRncKLS0tIFg2SkJFK1JDVk5Uc2VJTzYyWk1h + cFpmZ0h5SGJtd2JJR05CMkJISnBtbmcKLGKreXlu3YU6KsV8lTVnPYyn33BL2D0z + tMpXdTw0hVilpmpZXjwnvV/3OvN6WybXydxaPOjKODBWIKpVxRthBQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age18hepvvp3nw9ram6usxc8rvpxed2pye0knqx0zutqgxeu35k745vqyxfphz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTWQ0OHhnN1p3dTBLeGxp + N05yOUVicnYxU3NETlRQUVgrcWJlMEl3blhZCkl0OGhCN25KTEJaWGNpOVRJUDRX + bENKSDN3Z1Fab3lLLzVNMXlrSm5ZVTgKLS0tIHlycjZJUllsb0xvczFKMVFKaldD + UGpKTHZTT2JZU0xaTHhhRjk2bEhaU1EKutUEk+TMTATHEoM9+MOdkUnIoBMeeDfu + +GGKvInVKkAOtujBtSMj+xM8AEcfaHAFtwTgP/HEk3Hu6v7gp14oew== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-05-07T02:30:17Z" + mac: ENC[AES256_GCM,data:tF/Nr1iTuV52xQNxgil6I0TMwCiJ1oyz2OLgb2DVWVjTMfKT0wlOMK/Rm62bTjRvXFZnGtmS0YoVLkIjFzJ3hjt+626P69e7rdRkwpSz0rbZX9Tb+jxvGKfSwqiGocPA/rlMXTy/vPIM9/gg4b8rhjMnTiNH9bkODcKwF5LIjc0=,iv:uWiQrav4scz2iz3ZmuXfgMdg+228wNNmZ/LDtU11D/o=,tag:rhHrbu1a3Ph7pnqLsfm6nQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.2 diff --git a/modules/nixos/core/sops.nix b/modules/nixos/core/sops.nix new file mode 100644 index 0000000..a3cb3f8 --- /dev/null +++ b/modules/nixos/core/sops.nix 
@@ -0,0 +1,25 @@
+{ inputs, ... }:
+{
+ flake.modules.nixos.core =
+ {
+ config,
+ pkgs,
+ ...
+ }:
+ let
+ isEd25519 = k: k.type == "ed25519";
+ getKeyPath = k: k.path;
+ keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+ in
+ {
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+
+ sops.age = {
+ sshKeyPaths = map getKeyPath keys;
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+
+ environment.systemPackages = with pkgs; [ sops ];
+ };
+}
diff --git a/modules/nixos/core/users.nix b/modules/nixos/core/users.nix
index 97395b6..d718467 100644
--- a/modules/nixos/core/users.nix
+++ b/modules/nixos/core/users.nix
@@ -3,6 +3,7 @@
 {
 pkgs,
 lib,
+ config,
 userName,
 userEmail,
 ...
@@ -30,7 +31,7 @@
 mutableUsers = false;
 defaultUserShell = pkgs.zsh;
 users.${userName} = {
- initialPassword = userName;
+ hashedPasswordFile = config.sops.secrets.tux-password.path;
 isNormalUser = true;
 extraGroups = [
 "networkmanager"
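Review bot: `sshKeyPaths = map getKeyPath keys;` makes decryption depend on the ed25519 host key from `config.services.openssh.hostKeys`, but the only secret declared in this commit (`tux-password`) is `neededForUsers`, which sops-nix decrypts during system activation; on a fresh machine that runs before `sshd` has generated any host key, so the secret cannot be decrypted and, with `mutableUsers = false`, the account comes up without a usable password. That first-boot ordering is not addressed anywhere in the diff and deserves a comment above `sops.age = {`, e.g. `# neededForUsers secrets are decrypted at activation, before sshd generates host keys:` / `# the ed25519 host key must already be on the target before the first activation.` The `keyFile = "/var/lib/sops-nix/key.txt";` + `generateKey = true;` pair does not cover that case: as far as I can tell `generateKey` creates a fresh random age key, which is not a recipient in `.sops.yaml` and so can never decrypt these secrets, while leaving an extra private key on disk; either drop those two lines or register the generated public key as a recipient and document which path is the intended one.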
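Review bot: `hashedPasswordFile = config.sops.secrets.tux-password.path;` hard-codes the secret name `tux-password` in a core module that otherwise parameterises the account through `userName`, so every host that imports this module must declare a secret of exactly that name or evaluation fails on the missing attribute. If the convention is `<user>-password`, `hashedPasswordFile = config.sops.secrets."${userName}-password".path;` keeps the module generic and, assuming `userName` is `tux` on sirius, resolves to the same secret this commit declares. Since the line replaces the old default password entirely, a decryption failure at activation now leaves the account with no password rather than a weak one, which is the right trade-off but worth stating on the line: `# password hash is provided by sops (neededForUsers); no fallback if decryption fails at activation`. The `users.${userName}` attribute set continues past the end of the hunk.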