start of secrets

2025-03-09 18:50:02 +01:00 · 2025-03-09 18:50:02 +01:00 · 407160b012
commit 407160b012
parent 48a38e8e49
5 changed files with 80 additions and 8 deletions
--- a/default.nix
+++ b/default.nix
@ -11,6 +11,7 @@ in
      inputs.nixvim.nixosModules.nixvim
      inputs.stylix.nixosModules.stylix
      inputs.nix-minecraft.nixosModules.minecraft-servers
+      inputs.sops-nix.nixosModules.sops
      (mkAliasOptionModule ["hm"] ["home-manager" "users" config.user.name])
      (mkAliasOptionModule ["home"] ["hm" "home"])
      (mkAliasOptionModule ["create" "configFile"] ["hm" "xdg" "configFile"])
@ -28,7 +29,14 @@ in
  environment.variables = {
    SNEEUWVLOK = config.sneeuwvlok.dir;
    NIXPKGS_ALLOW_UNFREE = "1";
-  };  
+  };
+
+  sops = {
+    defaultSopsFile = ./secrets/secrets.yml;
+    defaultSopsFormat = "yml";
+
+    age.keyFile = "/home/";
+  };

  system = {
    stateVersion = "23.11";
--- a/flake.lock
+++ b/flake.lock
@ -625,6 +625,22 @@
      }
    },
    "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1731763621,
+        "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_6": {
      "locked": {
        "lastModified": 1740367490,
        "narHash": "sha256-WGaHVAjcrv+Cun7zPlI41SerRtfknGQap281+AakSAw=",
@ -640,7 +656,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_6": {
+    "nixpkgs_7": {
      "locked": {
        "lastModified": 1727348695,
        "narHash": "sha256-J+PeFKSDV+pHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI=",
@ -758,6 +774,7 @@
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nixvim": "nixvim",
        "plasma-manager": "plasma-manager",
+        "sops-nix": "sops-nix",
        "stylix": "stylix",
        "zen-browser": "zen-browser"
      }
@ -779,6 +796,24 @@
        "type": "github"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_5"
+      },
+      "locked": {
+        "lastModified": 1741043164,
+        "narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "3f2412536eeece783f0d0ad3861417f347219f4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "stylix": {
      "inputs": {
        "base16": "base16",
@ -791,7 +826,7 @@
        "git-hooks": "git-hooks",
        "gnome-shell": "gnome-shell",
        "home-manager": "home-manager_2",
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_6",
        "nur": "nur",
        "systems": "systems_4",
        "tinted-foot": "tinted-foot",
@ -980,7 +1015,7 @@
    },
    "zen-browser": {
      "inputs": {
-        "nixpkgs": "nixpkgs_6"
+        "nixpkgs": "nixpkgs_7"
      },
      "locked": {
        "lastModified": 1727721329,
--- a/flake.nix
+++ b/flake.nix
@ -34,6 +34,8 @@

    nix-minecraft.url = "github:Infinidoge/nix-minecraft";
    flux.url = "github:IogaMaster/flux";
+
+    sops-nix.url = "github:Mic92/sops-nix";
  };

  outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, ... }:
--- a/modules/options.nix
+++ b/modules/options.nix
@ -15,10 +15,6 @@ in
  {
    user = mkOpt attrs {};

-    environment.systemPackages = [
-      pkgs.sops
-    ];
-
    sneeuwvlok = {
      dir = mkOpt path (findFirst pathExists (toString ../.) [
        "${config.user.home}/Github/.files"
@ -31,6 +27,10 @@ in
  };

  config = {
+    environment.systemPackages = [
+      pkgs.sops
+    ];
+
    user = let
      user = builtins.getEnv "USER";
      name =
--- a/secrets/secrets.yml
+++ b/secrets/secrets.yml
@ -0,0 +1,27 @@
+#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment]
+example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str]
+#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment]
+#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment]
+example:
+    my_subdir:
+        my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR
+            ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz
+            YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB
+            dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR
+            Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-09T11:37:49Z"
+    mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4