From 407160b01214856dfc96d6569abd1f1124131195 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 9 Mar 2025 18:50:02 +0100 Subject: [PATCH] start of secrets --- default.nix | 10 +++++++++- flake.lock | 41 ++++++++++++++++++++++++++++++++++++++--- flake.nix | 2 ++ modules/options.nix | 8 ++++---- secrets/secrets.yml | 27 +++++++++++++++++++++++++++ 5 files changed, 80 insertions(+), 8 deletions(-) create mode 100644 secrets/secrets.yml diff --git a/default.nix b/default.nix index 1776ab3..84e8f62 100644 --- a/default.nix +++ b/default.nix @@ -11,6 +11,7 @@ in inputs.nixvim.nixosModules.nixvim inputs.stylix.nixosModules.stylix inputs.nix-minecraft.nixosModules.minecraft-servers + inputs.sops-nix.nixosModules.sops (mkAliasOptionModule ["hm"] ["home-manager" "users" config.user.name]) (mkAliasOptionModule ["home"] ["hm" "home"]) (mkAliasOptionModule ["create" "configFile"] ["hm" "xdg" "configFile"]) @@ -28,7 +29,14 @@ in environment.variables = { SNEEUWVLOK = config.sneeuwvlok.dir; NIXPKGS_ALLOW_UNFREE = "1"; - }; + }; + + sops = { + defaultSopsFile = ./secrets/secrets.yml; + defaultSopsFormat = "yml"; + + age.keyFile = "/home/"; + }; system = { stateVersion = "23.11"; diff --git a/flake.lock b/flake.lock index bb9c0b5..b91fda1 100644 --- a/flake.lock +++ b/flake.lock @@ -625,6 +625,22 @@ } }, "nixpkgs_5": { + "locked": { + "lastModified": 1731763621, + "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1740367490, "narHash": "sha256-WGaHVAjcrv+Cun7zPlI41SerRtfknGQap281+AakSAw=", @@ -640,7 +656,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1727348695, "narHash": "sha256-J+PeFKSDV+pHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI=", 
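Review bot: In the new `sops` block of default.nix, `defaultSopsFormat = "yml"` is not a format sops-nix recognises — the per-secret `format` option (whose default this feeds) only accepts `yaml`, `json`, `binary`, `dotenv` or `ini`, so the first `sops.secrets.<name>` declared against this default will fail evaluation even though the file itself is named `.yml`. Next to it, `age.keyFile = "/home/"` names a directory rather than an age private-key file, so decryption at activation cannot succeed; the value must point at the actual key file, which should live outside the repository and be readable by the activation process (sops-nix's `sops.age.sshKeyPaths` is the alternative if the host SSH key is meant to be used). Suggested change: `defaultSopsFormat = "yaml";` and `age.keyFile = "<path-to-age-keys.txt>";` (placeholder). The attribute set this block sits in starts and ends outside the hunk.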
@@ -758,6 +774,7 @@ "nixpkgs-unstable": "nixpkgs-unstable", "nixvim": "nixvim", "plasma-manager": "plasma-manager", + "sops-nix": "sops-nix", "stylix": "stylix", "zen-browser": "zen-browser" } @@ -779,6 +796,24 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1741043164, + "narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "3f2412536eeece783f0d0ad3861417f347219f4d", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "stylix": { "inputs": { "base16": "base16", @@ -791,7 +826,7 @@ "git-hooks": "git-hooks", "gnome-shell": "gnome-shell", "home-manager": "home-manager_2", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_6", "nur": "nur", "systems": "systems_4", "tinted-foot": "tinted-foot", @@ -980,7 +1015,7 @@ }, "zen-browser": { "inputs": { - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1727721329, diff --git a/flake.nix b/flake.nix index a6ed04f..5834d70 100644 --- a/flake.nix +++ b/flake.nix @@ -34,6 +34,8 @@ nix-minecraft.url = "github:Infinidoge/nix-minecraft"; flux.url = "github:IogaMaster/flux"; + + sops-nix.url = "github:Mic92/sops-nix"; }; outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, ... }: diff --git a/modules/options.nix b/modules/options.nix index 73c4509..8aff7da 100644 --- a/modules/options.nix +++ b/modules/options.nix @@ -15,10 +15,6 @@ in { user = mkOpt attrs {}; - environment.systemPackages = [ - pkgs.sops - ]; - sneeuwvlok = { dir = mkOpt path (findFirst pathExists (toString ../.) [ "${config.user.home}/Github/.files" @@ -31,6 +27,10 @@ in }; config = { + environment.systemPackages = [ + pkgs.sops + ]; + user = let user = builtins.getEnv "USER"; name = diff --git a/secrets/secrets.yml b/secrets/secrets.yml new file mode 100644 index 0000000..3912b73 --- /dev/null +++ b/secrets/secrets.yml 
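Review bot: The new `sops-nix` input in flake.nix does not follow the flake's own `nixpkgs`, which is why the lockfile hunks in this same commit grow a separate `nixpkgs_5` entry (NixOS/nixpkgs on `nixpkgs-unstable`) just for sops-nix and renumber the others. Suggest adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` directly under `sops-nix.url = "github:Mic92/sops-nix";` so the sops module and the `pkgs.sops` package moved into `config` in modules/options.nix evaluate against the same pinned nixpkgs and the lock stays one nixpkgs copy smaller. The `inputs` attribute set enclosing the url line starts outside the hunk.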
@@ -0,0 +1,27 @@
+#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment]
+example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str]
+#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment]
+#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment]
+example:
+ my_subdir:
+ my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR
+ ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz
+ YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB
+ dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR
+ Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-03-09T11:37:49Z"
+ mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
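Review bot: The committed secrets/secrets.yml is encrypted to exactly one age recipient (the single entry under `sops.age`), so loss of that one private key makes the file unrecoverable and there is no second key for a host to decrypt with; before real values go in, a second recipient (an admin key alongside the host key) should be added and the file re-encrypted with `sops updatekeys`. The plaintext keys visible in the structure (`example_key`, `example.my_subdir.my_secret`) look like sops' stock example payload rather than real secrets, which is consistent with the commit title but worth a note in the commit or a `.sops.yaml` creation rule naming which key the `age10c5…` recipient belongs to — no such rule file appears in this diff, so I am inferring it does not exist yet. The `lastmodified` and `mac` fields are what sops will check on decrypt, so any hand edits to this file must go through `sops` rather than a text editor.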