feat: setup sops-nix

2026-06-17 10:16:31 +05:30 · 2026-05-07 17:16:30 +05:30
parent 3115bd6d0e
commit 594c1d07e7
5 changed files with 70 additions and 1 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,13 @@
+keys:
+  - &users
+    - &tux age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
+
+  - &hosts
+    - &sirius age18hepvvp3nw9ram6usxc8rvpxed2pye0knqx0zutqgxeu35k745vqyxfphz
+
+creation_rules:
+  - path_regex: hosts/sirius/secrets.yaml$
+    key_groups:
+      - age:
+          - *tux
+          - *sirius
--- a/modules/hosts/sirius/config.nix
+++ b/modules/hosts/sirius/config.nix
@@ -15,6 +15,11 @@

      tnix.services.openssh.enable = true;

+      sops.secrets.tux-password = {
+        sopsFile = ./secrets.yaml;
+        neededForUsers = true;
+      };
+
      # --- Boot ---
      boot = {
        loader = {
--- a/modules/hosts/sirius/secrets.yaml
+++ b/modules/hosts/sirius/secrets.yaml
@@ -0,0 +1,25 @@
+tux-password: ENC[AES256_GCM,data:EJFFMc0W1YvCLINg4kETlUbqMYSfRTsiRuoB5MybaVwl7bbBXyPFo/MspFFMXpAqSPrzRAPaM8Lxk9ndbjt7gZpSu1dPThq36Q==,iv:zn3UUMOcW09u6KTz87tDr1wfmsLMKIRBDpLfQhg0p14=,tag:AOs7NASXeo98mNKqsYP3Ww==,type:str]
+sops:
+    age:
+        - recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyblpIWjNqeVBXWnFlSGxw
+            WXhPYlFDNVV2QktKQ2dKdEgxY0dnR2JuRUdRCk5ZNTc0RGpZOG5SRCtRQ0JsdkZt
+            ZEZQSWswa1FTRU04Ky9vWDdOTWdZRncKLS0tIFg2SkJFK1JDVk5Uc2VJTzYyWk1h
+            cFpmZ0h5SGJtd2JJR05CMkJISnBtbmcKLGKreXlu3YU6KsV8lTVnPYyn33BL2D0z
+            tMpXdTw0hVilpmpZXjwnvV/3OvN6WybXydxaPOjKODBWIKpVxRthBQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18hepvvp3nw9ram6usxc8rvpxed2pye0knqx0zutqgxeu35k745vqyxfphz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTWQ0OHhnN1p3dTBLeGxp
+            N05yOUVicnYxU3NETlRQUVgrcWJlMEl3blhZCkl0OGhCN25KTEJaWGNpOVRJUDRX
+            bENKSDN3Z1Fab3lLLzVNMXlrSm5ZVTgKLS0tIHlycjZJUllsb0xvczFKMVFKaldD
+            UGpKTHZTT2JZU0xaTHhhRjk2bEhaU1EKutUEk+TMTATHEoM9+MOdkUnIoBMeeDfu
+            +GGKvInVKkAOtujBtSMj+xM8AEcfaHAFtwTgP/HEk3Hu6v7gp14oew==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-05-07T02:30:17Z"
+    mac: ENC[AES256_GCM,data:tF/Nr1iTuV52xQNxgil6I0TMwCiJ1oyz2OLgb2DVWVjTMfKT0wlOMK/Rm62bTjRvXFZnGtmS0YoVLkIjFzJ3hjt+626P69e7rdRkwpSz0rbZX9Tb+jxvGKfSwqiGocPA/rlMXTy/vPIM9/gg4b8rhjMnTiNH9bkODcKwF5LIjc0=,iv:uWiQrav4scz2iz3ZmuXfgMdg+228wNNmZ/LDtU11D/o=,tag:rhHrbu1a3Ph7pnqLsfm6nQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.2
--- a/modules/nixos/core/sops.nix
+++ b/modules/nixos/core/sops.nix
@@ -0,0 +1,25 @@
+{ inputs, ... }:
+{
+  flake.modules.nixos.core =
+    {
+      config,
+      pkgs,
+      ...
+    }:
+    let
+      isEd25519 = k: k.type == "ed25519";
+      getKeyPath = k: k.path;
+      keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+    in
+    {
+      imports = [ inputs.sops-nix.nixosModules.sops ];
+
+      sops.age = {
+        sshKeyPaths = map getKeyPath keys;
+        keyFile = "/var/lib/sops-nix/key.txt";
+        generateKey = true;
+      };
+
+      environment.systemPackages = with pkgs; [ sops ];
+    };
+}
--- a/modules/nixos/core/users.nix
+++ b/modules/nixos/core/users.nix
@@ -3,6 +3,7 @@
    {
      pkgs,
      lib,
+      config,
      userName,
      userEmail,
      ...
@@ -30,7 +31,7 @@
        mutableUsers = false;
        defaultUserShell = pkgs.zsh;
        users.${userName} = {
-          initialPassword = userName;
+          hashedPasswordFile = config.sops.secrets.tux-password.path;
          isNormalUser = true;
          extraGroups = [
            "networkmanager"