tux/nix-config
1
0
Fork 0
mirror of https://github.com/tuxdotrs/nix-config.git synced 2026-06-17 10:16:31 +05:30
Code Issues Actions Packages Projects Releases Wiki Activity

feat: setup sops-nix

Browse Source
This commit is contained in:
tux
2026-05-07 17:16:30 +05:30
parent 3115bd6d0e
commit 594c1d07e7
5 changed files with 70 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
.sops.yaml Normal file
View File

@@ -0,0 +1,13 @@
keys:
- &users
- &tux age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
- &hosts
- &sirius age18hepvvp3nw9ram6usxc8rvpxed2pye0knqx0zutqgxeu35k745vqyxfphz
creation_rules:
- path_regex: hosts/sirius/secrets.yaml$
key_groups:
- age:
- *tux
- *sirius

5
modules/hosts/sirius/config.nix
View File

@@ -15,6 +15,11 @@
tnix.services.openssh.enable = true; tnix.services.openssh.enable = true;
sops.secrets.tux-password = {
sopsFile = ./secrets.yaml;
neededForUsers = true;
};
# --- Boot --- # --- Boot ---
boot = { boot = {
loader = { loader = {

25
modules/hosts/sirius/secrets.yaml Normal file
View File

@@ -0,0 +1,25 @@
tux-password: ENC[AES256_GCM,data:EJFFMc0W1YvCLINg4kETlUbqMYSfRTsiRuoB5MybaVwl7bbBXyPFo/MspFFMXpAqSPrzRAPaM8Lxk9ndbjt7gZpSu1dPThq36Q==,iv:zn3UUMOcW09u6KTz87tDr1wfmsLMKIRBDpLfQhg0p14=,tag:AOs7NASXeo98mNKqsYP3Ww==,type:str]
sops:
age:
- recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyblpIWjNqeVBXWnFlSGxw
WXhPYlFDNVV2QktKQ2dKdEgxY0dnR2JuRUdRCk5ZNTc0RGpZOG5SRCtRQ0JsdkZt
ZEZQSWswa1FTRU04Ky9vWDdOTWdZRncKLS0tIFg2SkJFK1JDVk5Uc2VJTzYyWk1h
cFpmZ0h5SGJtd2JJR05CMkJISnBtbmcKLGKreXlu3YU6KsV8lTVnPYyn33BL2D0z
tMpXdTw0hVilpmpZXjwnvV/3OvN6WybXydxaPOjKODBWIKpVxRthBQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age18hepvvp3nw9ram6usxc8rvpxed2pye0knqx0zutqgxeu35k745vqyxfphz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTWQ0OHhnN1p3dTBLeGxp
N05yOUVicnYxU3NETlRQUVgrcWJlMEl3blhZCkl0OGhCN25KTEJaWGNpOVRJUDRX
bENKSDN3Z1Fab3lLLzVNMXlrSm5ZVTgKLS0tIHlycjZJUllsb0xvczFKMVFKaldD
UGpKTHZTT2JZU0xaTHhhRjk2bEhaU1EKutUEk+TMTATHEoM9+MOdkUnIoBMeeDfu
+GGKvInVKkAOtujBtSMj+xM8AEcfaHAFtwTgP/HEk3Hu6v7gp14oew==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-07T02:30:17Z"
mac: ENC[AES256_GCM,data:tF/Nr1iTuV52xQNxgil6I0TMwCiJ1oyz2OLgb2DVWVjTMfKT0wlOMK/Rm62bTjRvXFZnGtmS0YoVLkIjFzJ3hjt+626P69e7rdRkwpSz0rbZX9Tb+jxvGKfSwqiGocPA/rlMXTy/vPIM9/gg4b8rhjMnTiNH9bkODcKwF5LIjc0=,iv:uWiQrav4scz2iz3ZmuXfgMdg+228wNNmZ/LDtU11D/o=,tag:rhHrbu1a3Ph7pnqLsfm6nQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2

25
modules/nixos/core/sops.nix Normal file
View File

@@ -0,0 +1,25 @@
{ inputs, ... }:
{
flake.modules.nixos.core =
{
config,
pkgs,
...
}:
let
isEd25519 = k: k.type == "ed25519";
getKeyPath = k: k.path;
keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
in
{
imports = [ inputs.sops-nix.nixosModules.sops ];
sops.age = {
sshKeyPaths = map getKeyPath keys;
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
environment.systemPackages = with pkgs; [ sops ];
};
}

3
modules/nixos/core/users.nix
View File

@@ -3,6 +3,7 @@
{ {
pkgs, pkgs,
lib, lib,
config,
userName, userName,
userEmail, userEmail,
... ...
@@ -30,7 +31,7 @@
mutableUsers = false; mutableUsers = false;
defaultUserShell = pkgs.zsh; defaultUserShell = pkgs.zsh;
users.${userName} = { users.${userName} = {
initialPassword = userName; hashedPasswordFile = config.sops.secrets.tux-password.path;
isNormalUser = true; isNormalUser = true;
extraGroups = [ extraGroups = [
"networkmanager" "networkmanager"