From 9657809bcbf67de29af54ee264f44c607b84bade Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lex=20Santiago?=
Date: Sat, 15 Jun 2024 08:26:51 -0400
Subject: [PATCH] Add sops-nix, prepare to add domus host, & update
---
 .sops.yaml | 7 ++++++
 configuration.nix | 13 +++++++++--
 flake.lock | 52 ++++++++++++++++++++++++++++++++++++++------
 flake.nix | 10 +++++++++
 secrets/secrets.yaml | 27 +++++++++++++++++++++++
 5 files changed, 100 insertions(+), 9 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..f0c2471
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary age1jdr0sy4zuej6hag6ttwxun88j8kvuhp26cwuvq6s2fwmzhcvafxsut87rh
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
diff --git a/configuration.nix b/configuration.nix
index 599c243..7a51303 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,7 +1,16 @@
-{ config, pkgs, ... }:
+{ config, pkgs, inputs, ... }:
 {
 
- imports = [ ./hardware-configuration.nix ];
+ imports =
+ [
+ ./hardware-configuration.nix
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ # Secrets
+ sops.defaultSopsFile = .secrets/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+ sops.age.keyFile = "/home/alexuty/.config/sops/age/keys.txt";
 
 # Bootloader (UEFI)
 boot.loader.systemd-boot.enable = true;
diff --git a/flake.lock b/flake.lock
index 7333ce0..e5a8cea 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1718141734,
- "narHash": "sha256-cA+6l8ZCZ7MXGijVuY/1f55+wF/RT4PlTR9+g4bx86w=",
+ "lastModified": 1718243258,
+ "narHash": "sha256-abBpj2VU8p6qlRzTU8o22q68MmOaZ4v8zZ4UlYl5YRU=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "892f76bd0aa09a0f7f73eb41834b8a904b6d0fad",
+ "rev": "8d5e27b4807d25308dfe369d5a923d87e7dbfda3",
 "type": "github"
 },
 "original": {
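Review bot: `keys` lists a single age recipient (`&primary`), and `configuration.nix` in this same commit points `sops.age.keyFile` at that user's `~/.config/sops/age/keys.txt`, so the host can only decrypt `secrets/secrets.yaml` if the admin's editing identity is copied onto the machine. The usual sops-nix layout keeps a dedicated host identity (for example one derived from the host's SSH key) as a second recipient, so the editing key never has to live on the host and either key can be replaced with `sops updatekeys` without touching the other. Suggest `keys:` listing `&primary` plus `&host_primus <age-recipient-placeholder>` and `key_groups: [{age: [*primary, *host_primus]}]`. `path_regex: secrets/secrets.yaml$` is unanchored at the start, which is fine here but will also match any deeper `…/secrets/secrets.yaml`.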
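Review bot: `sops.defaultSopsFile = .secrets/secrets.yaml;` is a Nix path literal meaning `./.secrets/secrets.yaml`, but the file this commit adds is `secrets/secrets.yaml` (and `.sops.yaml` matches `secrets/secrets.yaml$`), so the first secret that uses the default file will fail with a missing path; it should read `sops.defaultSopsFile = ./secrets/secrets.yaml;`. `sops.age.keyFile` points into a user's home directory; sops-nix decrypts as root at activation, so that file must be present at every rebuild and on any other host that reuses this module, whereas a host-owned location such as the `/var/lib/sops-nix/key.txt` the sops-nix README suggests keeps the key independent of the user account. Nothing in the commit declares a `sops.secrets.<name>` entry, so no secret is actually decrypted yet; a short note next to `# Secrets`, e.g. `# No sops.secrets declared yet; see secrets/secrets.yaml`, would make that explicit. `sops.defaultSopsFormat = "yaml"` appears to restate the module default and could be dropped.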
@@ -22,11 +22,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1716509168,
- "narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=",
+ "lastModified": 1718318537,
+ "narHash": "sha256-4Zu0RYRcAY/VWuu6awwq4opuiD//ahpc2aFHg2CWqFY=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "bfb7a882678e518398ce9a31a881538679f6f092",
+ "rev": "e9ee548d90ff586a6471b4ae80ae9cfcbceb3420",
 "type": "github"
 },
 "original": {
@@ -36,10 +36,48 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1717880976,
+ "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "home-manager": "home-manager",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1718137936,
+ "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index ddb2c84..c27b1db 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,11 +5,14 @@
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 home-manager.url = "github:nix-community/home-manager";
 home-manager.inputs.nixpkgs.follows = "nixpkgs";
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 };
 
 outputs = { self, nixpkgs, home-manager, ... }@inputs: {
 nixosConfigurations.primus = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
 modules = [
 ./configuration.nix
 home-manager.nixosModules.home-manager
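Review bot: `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` is set but sops-nix's other input, `nixpkgs-stable`, is not, so the `flake.lock` in this commit pins a second nixpkgs (`release-23.11`) that, as far as the lock shows, only sops-nix references; adding `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";` keeps one nixpkgs in the lock and one set of pinned revisions to review. `specialArgs = { inherit inputs; }` hands the whole input set to every module, which is what `configuration.nix` needs for `inputs.sops-nix.nixosModules.sops`; alternatively the sops module could be listed in `modules` next to `home-manager.nixosModules.home-manager` so all module wiring lives in one place. The `outputs` attribute set continues past the end of the hunk.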
@@ -20,5 +23,12 @@
 }
 ];
 };
+ /*nixosConfigurations.domus = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
+ modules = [
+ ./configuration.nix
+ ];
+ };*/
 };
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..f6a86dc
--- /dev/null
+++ b/secrets/secrets.yaml
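Review bot: The commented-out `nixosConfigurations.domus` reuses `./configuration.nix` unchanged, and that module (in this same commit) imports `./hardware-configuration.nix` and hard-codes `sops.age.keyFile` under `/home/alexuty`, both of which are specific to `primus`; enabling `domus` as written would give it the wrong hardware configuration and a key path that may not exist there. Since the title says "prepare to add domus host", a one-line comment stating what is still missing, `# domus: needs its own hardware-configuration.nix and sops key path before enabling`, would be more useful than a block of dead code, which tends to drift from the live `primus` definition. The enclosing `outputs` set starts before this hunk.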
@@ -0,0 +1,27 @@
+#ENC[AES256_GCM,data:zIEPR+f3oNUXscmJluVGimhCJOJvmt4nYVo9caX3KT7aMY19zRw=,iv:JFllfIsq4ZMPT0gPD3rM/JwCRqBWbreuwJBwh+wmEPM=,tag:q78Noz55Gfv9Fre/lHfazw==,type:comment]
+example-key: ENC[AES256_GCM,data:5HXexUlRXZ7HfCatGQ==,iv:g5KJXFp86qiDVNY0J0t8LNXpsPGWmUtD6Q57d2y8JaI=,tag:ukraiWf9XP4IB2ifvWIYug==,type:str]
+#ENC[AES256_GCM,data:WS0ermQh41FOlTMABa8DbChF/GJVbj+LyPj7tona/5KHv2WBOJr0pNFPn8KD1Npb+4HO6F7aZww=,iv:5KeTKsmZ0Is1LwxnBGHUGQI0Gw9Hh39DZLssQmFdspQ=,tag:eOK2gx2NCzeN7MiD9u1bHw==,type:comment]
+#ENC[AES256_GCM,data:shS5kFqwZM0/l9vspnERZV5dDXe7urjLnWzmxH9cOzT2RtebdtgmPaxUf3F8aIyQwbMPw3WF0hgkxvVGVOL42gQyExSw1gQz,iv:6EB/jMdkiRakBFcF80zhd7+hWxhdCLkObAAGnn5ujtU=,tag:R0hPptbYewzhYr3N6ivExA==,type:comment]
+myservice:
+ my_subdir:
+ my_secret: ENC[AES256_GCM,data:mb/6LYdrwCGR,iv:m/HiZboE03tu+rJtBppkgBN4aP1x5HHnA5EA+QkuwzE=,tag:5XmIK+7IOnyVHobeZSTFUQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jdr0sy4zuej6hag6ttwxun88j8kvuhp26cwuvq6s2fwmzhcvafxsut87rh
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZTZvSVN1T294aHhGL2NE
+ dGRuVEg1YU5CU2ZWcE1mMGV3MEg5R3NDNWdrCjNxWHFXQWNYazgrZlRvSG16bnpu
+ NEtVL0wwT05DLzFoaWJ3QUJ4YkFOTE0KLS0tIFpwSHd0NFRXV2tIc2l5RGpuaW9v
+ YkVSMHNhYXdjelZYTmFkbGZ5dG96UDAKi1mA1QUMBwBe7uulOG5ey9Ou2ZTqlk1I
+ 8DSWRgW8MoKl4G0e2ZfERpKFRKdEhbM/hrUV1fdVmfdWOH3aSCniYQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-06-15T10:53:14Z"
+ mac: ENC[AES256_GCM,data:pippyfZPl83wHDmWRi9uabtTqpmNUJW2sp9Mm3bDFdkYp6u/GWLpj3nS97qBP+O+ecuMJBthvMwplBOHkHakv10sFJ90MrjnoVV6SW+YUoJpGAl0sgDoPFx0SD6Kzt3rTDJ1jBKmtY4sB4IBT5AZ9h4kXCOVGn4D1kYU0ZXATaY=,iv:Q6ZP4sQOBlaePRmLSsp70qiE2nIDPwg5g2X3Yk1h2ww=,tag:NXbjBLRkbSMDjOZczBivWQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1