move sops to modules
29
.sops.yaml
29
.sops.yaml
@ -1,7 +1,32 @@
|
|||||||
keys:
|
keys:
|
||||||
- &primary age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
|
- &users
|
||||||
|
- &tux age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
|
||||||
|
|
||||||
|
- &hosts
|
||||||
|
- &canopus age1cc9phftkzcwaey2rw63m74tyxdjxxzanxphsdrhy6vwlwhgehfzq9rh6e4
|
||||||
|
- &controller age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
|
||||||
|
- &wsl age168lay0z8yfa5hcsmz3aq5yndjhmugrsk3v3x4t3hpw29m20tkcwsaxx2fz
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
|
- path_regex: hosts/common/secrets.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *tux
|
||||||
|
- *canopus
|
||||||
|
- *controller
|
||||||
|
- *wsl
|
||||||
|
- path_regex: hosts/canopus/secrets.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *tux
|
||||||
|
- *canopus
|
||||||
- path_regex: hosts/controller/secrets.yaml$
|
- path_regex: hosts/controller/secrets.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *primary
|
- *tux
|
||||||
|
- *controller
|
||||||
|
- path_regex: hosts/wsl/secrets.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *tux
|
||||||
|
- *wsl
|
||||||
|
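Review bot: Nothing in `.sops.yaml` records where the three `&hosts` recipients come from, which matters the moment a host key is rotated or a machine is reinstalled; the new `modules/nixos/sops.nix` decrypts with the host's ed25519 SSH key, so each host alias is presumably the ssh-to-age conversion of that key's public half. A comment above `- &hosts` such as `# age recipients derived from each host's ed25519 SSH host key (ssh-to-age); regenerate and re-run sops updatekeys after a reinstall` would make that explicit — confirm that this is how they were produced. Every key group also lists `*tux` alongside the host keys, and within a single group any one listed recipient can decrypt; that is the intended sops semantics, but a one-line comment next to `creation_rules:` saying so would prevent a reader from assuming all keys are required.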
@ -2,8 +2,18 @@
|
|||||||
pkgs,
|
pkgs,
|
||||||
username,
|
username,
|
||||||
outputs,
|
outputs,
|
||||||
|
config,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
|
imports = [
|
||||||
|
../../modules/nixos/sops.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
sops.secrets.tux-password = {
|
||||||
|
sopsFile = ./secrets.yaml;
|
||||||
|
neededForUsers = true;
|
||||||
|
};
|
||||||
|
|
||||||
nixpkgs = {
|
nixpkgs = {
|
||||||
overlays = [
|
overlays = [
|
||||||
outputs.overlays.additions
|
outputs.overlays.additions
|
||||||
@ -62,9 +72,10 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
users = {
|
users = {
|
||||||
|
mutableUsers = false;
|
||||||
defaultUserShell = pkgs.zsh;
|
defaultUserShell = pkgs.zsh;
|
||||||
users.${username} = {
|
users.${username} = {
|
||||||
initialPassword = "${username}";
|
hashedPasswordFile = config.sops.secrets.tux-password.path;
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["networkmanager" "wheel" "storage"];
|
extraGroups = ["networkmanager" "wheel" "storage"];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
|
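Review bot: With `mutableUsers = false;` and the password now coming from `hashedPasswordFile = config.sops.secrets.tux-password.path;`, a host on which `tux-password` cannot be decrypted at activation ends up with `${username}` having no usable password, and the removed `initialPassword` no longer provides a fallback. That applies to any host whose age recipient is missing from the `hosts/common/secrets.yaml` key group in `.sops.yaml`, or whose ed25519 host key changes after a reinstall, so the requirement should be written next to the secret: `# decrypted with the host SSH key (modules/nixos/sops.nix); every host importing this file must be a recipient of ./secrets.yaml in .sops.yaml`. The secret name `tux-password` is hard-coded while the user is `${username}`; if the two are meant to track each other, `sops.secrets."${username}-password"` would keep them in step, though that also means renaming the key in the encrypted file. The surrounding attribute set continues outside both hunks.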
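--- /dev/null
+++ b/hosts/common/secrets.yaml
@@ -0,0 +1,48 @@
+tux-password: ENC[AES256_GCM,data:hasmDz1SmPvjxdnt8DZNk33oOpO7VufGyaaEko5grp/FGDnMUO/NDpdannlZMnDBRL5NCsdTEWZqo9zYqv3azRyNJRajdbqpGw==,iv:jpDZuUdUWzccR6s2hX618IG0EzXLgD1IUFkqF8ADtnk=,tag:YT6wFM+r6t2948/4hWgldA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4UEg4OGhOQzNMcXZzZGZX
+            clIrbExuSDl2dW53NGQrd05jTldaRVZEQlVzCkVBdkNEUGVzclBwVDlObUFPNnRy
+            K2p1Yjl4d3FKTnZJbTl6ZTl2R0Y3QW8KLS0tIFErRjl6YUxENUhTWFBFL0JpSU1H
+            VGNWUmxLMDR0OUZCeFlndGtMSGZqYkUKSmEEqdgIJLQrQ8WM10NvffnNvlVBeSMV
+            0H5V9kEzNja41N0Lwe3ULBh5q6u3DXOPMJWwBU89xMgDlPWypaHjoQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1cc9phftkzcwaey2rw63m74tyxdjxxzanxphsdrhy6vwlwhgehfzq9rh6e4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5V2gxUnh5cDFGYmExaE0w
+            ZEZUK3ZKVEpWTGRjejhHWVhEcVhMTFFtYkNJClFQSlBHMU80V2lEa1BzaVhxMDdo
+            eVJTM0Z1TDNHR0dhdVhaODlaS3pVajAKLS0tIGZucUtBYjk4WTUwRjJDd1dpRXZk
+            cTQzdDFNZFM0TnkzTkhhZ09OMS92SWsKaTe4W/HA7kDfszc5UpPNQY2VzFh6LBws
+            uxoJNi49bAaSOEF0A25cYUjBphnTNxMxQwVs4ImnulfDC8yZqD1G1A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaVG5SMXJUdjNsRVdoZzkx
+            SGV3WEI4M1lHL3YyQ0FkdTEzQkhtUEJNS1F3ClR5Rzc3N1h1bk84eTc3WkRTRGE2
+            MlB3Qk8zTzNlRG5ucmpsYXFnRDVZMlEKLS0tIHJWaW5vSlh5RithV1hrc3Z3ZTR4
+            cWxCZW1HRmNwb0pmTHVhaTVmMzVwVDAKFS0hPOmb09knNPq85Z+YN7qFmy3aU8Xe
+            AItiuBhxVaJJ/VnI5ycLv9P+20AmXwauvdudSAnTtb1tIsQjbcDW7A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age168lay0z8yfa5hcsmz3aq5yndjhmugrsk3v3x4t3hpw29m20tkcwsaxx2fz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxY3gzbEU5ZEh1WFZuR0VP
+            Sm56bEdlV0M3S2t6WEVZRlI4eGtKUzdUdGxBCkNFanBrVHJ2bWhSWGF2RFdiN3dL
+            aHo3ZXZkUkRiVzRrWGo2dHV3WGQyWGcKLS0tIGVVeDBVdit1RFdjcEpnbkJuU2Yv
+            M1MzSzdaOWF1WGJJVnRLUG1Bb2xPZFEKqidChAq8EjAjMgufUj/MvIofhYgIpxzt
+            l8GrLXbJMHcYU23trW+Ggx/QlCYsGtrbucLKOlhcbUM/ztprRSKLuA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-08T08:27:44Z"
+    mac: ENC[AES256_GCM,data:Zsy6ucuh6cY0bbB4ik5cjuvL9JLQg3nn6ipyhFSHZMNsSyo09dC/XtlrWpPaHQhW7Zb3xBCVJnrKa8Re3CN3BqPOVdKLABq3ZesD7f+9fJumGzKgtpw7QdD7RVD59jsVhM14VdeZv41ymgbOiU67v6b98kpA2Z8UMxECO2g5aHY=,iv:32Ug389IYjP9NM5HYODU01n++KWLGTS5CFlLoqobNbs=,tag:X0E5YcL0KhPOrWmyGzE3XQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0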
@ -1,12 +1,10 @@
|
|||||||
{
|
{
|
||||||
pkgs,
|
pkgs,
|
||||||
inputs,
|
|
||||||
username,
|
username,
|
||||||
config,
|
config,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
inputs.sops-nix.nixosModules.sops
|
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
../common
|
../common
|
||||||
../../modules/nixos/headscale.nix
|
../../modules/nixos/headscale.nix
|
||||||
@ -18,14 +16,9 @@
|
|||||||
../../modules/nixos/monitoring/promtail.nix
|
../../modules/nixos/monitoring/promtail.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
sops = {
|
sops.secrets.borg_encryption_key = {
|
||||||
age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
|
|
||||||
secrets = {
|
|
||||||
borg_encryption_key = {
|
|
||||||
sopsFile = ./secrets.yaml;
|
sopsFile = ./secrets.yaml;
|
||||||
};
|
};
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
kernelPackages = pkgs.linuxPackages_zen;
|
kernelPackages = pkgs.linuxPackages_zen;
|
||||||
|
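Review bot: After this change the file no longer imports sops-nix itself, yet still declares `sops.secrets.borg_encryption_key`; it evaluates only because `../common` now pulls in `modules/nixos/sops.nix`, and nothing here says so. A comment on the declaration, `# sops-nix and the age key setup come from ../common (modules/nixos/sops.nix)`, would stop the next person from re-adding the import or the `age.keyFile` line that was just removed. The decryption key also moves from the user-owned `/home/${username}/.config/sops/age/keys.txt` to the host SSH key, so activation no longer depends on a file inside a home directory — check that the re-encrypted `hosts/controller/secrets.yaml` lists the controller host recipient, which the companion hunk appears to do. The enclosing attribute set continues outside both hunks.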
@ -1,4 +1,4 @@
|
|||||||
borg_encryption_key: ENC[AES256_GCM,data:42q7OYR5HLqLzbCx0WZwurND8DGUnCw3fA+4ccEmNp4=,iv:GRj9jXnlfqDoxr55hS97gjqLzIP7rjqoYtRHlU5/9Lo=,tag:ybr8V9RumsU94ja0bLnfNA==,type:str]
|
borg_encryption_key: ENC[AES256_GCM,data:7DZQaoS2a5mPjTej25vr1aO1yAAPyXT2tf/VxKrLxF0=,iv:it8JlyEj4r4Z+qDvoEWMQlGkbVh08M/BCkGLVzRCVKQ=,tag:81gRhru8J3hkQhIbgUOgBg==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
@ -8,14 +8,23 @@ sops:
|
|||||||
- recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
|
- recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSzNTUzdTYzNpT21DL3gy
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TGpVMzNDZjNQSkNDQmM3
|
||||||
bjhHcXFWQjI5c0lSRUEwZXR2UmxOeG5jMEI4Ckg1OWx3NzVOWjIzRWtCblp5K2RK
|
eXpvZDRPZW9Kbm81Z2VVUVZIckFNUC9zTEZzCmliUkNWS01YMHVRaUoxTS84VmxQ
|
||||||
b21xL2tBWDFqRXI2ZTloR0xwZkhtclUKLS0tIHFaYzM1dWdyUC95UWlsQU1xWjNV
|
UDZtbkhmZmdZVWVsaHN3djkwSERGQ1kKLS0tIEh0ckhDTkQvcEM0UFI2MUVXVHI5
|
||||||
akhaWXdrbXI0TDNNMlppcGovbjNia1EKNomA6zlZmQKE1DtX6JlurBxEkG9aiwjn
|
WnhEdnRqazdZWmczYXYxNy9BMHdwdEUKYgB34OOezF3iF706pIfDmQ0FJEHXBbGF
|
||||||
RZd5a9XPH8F1XhQF1tcZS+m3hGY00V7Zwiqe68PiiYWpxzZ/sSeR5A==
|
EJRNmA4Zl1AwyzkN3NSlctzvxx201T1GWL4qZeyVafRv5jQ9oSfK7g==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-08-02T22:42:23Z"
|
- recipient: age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
|
||||||
mac: ENC[AES256_GCM,data:C4ueRlhrqollpi6ZE+126idf2SiAd2GooO7CTWR49ACW/y4q50B8girPtuY7Pgig0y/U0rWIFHFwmOwXyJJ8A6YtzD0VzWhZN7Aeb7HGvu/0o4V5OPjH1ZdQ6bb8YyeMQ5RljnG7/Pa/QasFS6h0pv3jnkKYrCCkbxNmKk/DcLY=,iv:UXi8rBLkdgp/bCxIE+6PvgdPv6xJmKtQX/WUVmoKeKc=,tag:Fpo44OFp0CYVAwDFx5WbWQ==,type:str]
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHeXNrT3c1bENOK0lNZWNT
|
||||||
|
eFBqYm1BRHBhakFQMVVIKzR0SDRDOW9jUXdBCmFIQWZRSnBlOFBralVFakQ2clNY
|
||||||
|
Q1Nma0pRVHh4L3IwQm1GbTdqb1BUcWsKLS0tIFRQOVIxb1FRc29WSVVERWsxSDhq
|
||||||
|
NGprRGVyZ2plWVNrM3drM3JSUjM2L0UKuNk5DqYn2DIfRpY72zDRP5BKoVAXtNv9
|
||||||
|
uLI//8wc7f4I3uBdARQdpRE1fapY1UOJOn3i0yndrZARPEbdohRK1Q==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-08-08T07:50:43Z"
|
||||||
|
mac: ENC[AES256_GCM,data:HjKpSZ1GNp5yUphE0edv9dN45kVTh/jZVQWb+d2Ve46932e+Shadt90DclsLexlxkSFSRqBxWNl1+JqD1OBfuea73Z6zykRpjz5kcRcop8o3KSEG7V/cTvK/SRSglkIHwrO4ALweoUKjixct7ich+OqTHJ06KIxSWNcRpAYlFWQ=,iv:JZ0JX2B2LJcq3+9O9KdKupV9f1ydbMCyDs8bACphOP8=,tag:V4LKBazr4+Dj1UXtoBaWLw==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.0
|
version: 3.9.0
|
||||||
|
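--- /dev/null
+++ b/modules/nixos/sops.nix
@@ -0,0 +1,17 @@
+{
+  inputs,
+  config,
+  ...
+}: let
+  isEd25519 = k: k.type == "ed25519";
+  getKeyPath = k: k.path;
+  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+in {
+  imports = [inputs.sops-nix.nixosModules.sops];
+
+  sops.age = {
+    sshKeyPaths = map getKeyPath keys;
+    keyFile = "/var/lib/sops-nix/key.txt";
+    generateKey = true;
+  };
+}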
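Review bot: `sshKeyPaths` is built from `config.services.openssh.hostKeys` filtered to `ed25519`, so on a host where that list is empty or has no ed25519 entry the module silently falls back to whatever `generateKey = true` writes to `/var/lib/sops-nix/key.txt`, and a key generated there is not a recipient in `.sops.yaml`, so every secret would fail to decrypt with no hint why. It is worth asserting the precondition — `assertions = [{ assertion = keys != []; message = "sops: no ed25519 host key available for age decryption"; }]` — or at least stating it in a header comment: `# Decrypts with the host's ed25519 SSH key (ssh-to-age); each host's converted public key must be listed under &hosts in .sops.yaml. key.txt is only a fallback.` Whether a generated key.txt is derived from the SSH key or freshly random depends on sops-nix's behaviour, which is not visible here; confirm before relying on it. `keys` and `getKeyPath` could also be inlined as `map (k: k.path) (builtins.filter isEd25519 config.services.openssh.hostKeys)`, but that is a matter of taste.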