Add sops-nix, prepare to add domus host, & update

3 months ago · 9657809bcb
parent b2cf30377e
commit 9657809bcb
5 changed files with 100 additions and 9 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &primary age1jdr0sy4zuej6hag6ttwxun88j8kvuhp26cwuvq6s2fwmzhcvafxsut87rh
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+    - age:
+      - *primary
--- a/configuration.nix
+++ b/configuration.nix
@ -1,7 +1,16 @@
-{ config, pkgs, ... }:
+{ config, pkgs, inputs, ... }:

 {
-  imports = [ ./hardware-configuration.nix ];
+  imports =
+  [
+    ./hardware-configuration.nix
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  # Secrets
+  sops.defaultSopsFile = .secrets/secrets.yaml;
+  sops.defaultSopsFormat = "yaml";
+  sops.age.keyFile = "/home/alexuty/.config/sops/age/keys.txt";

  # Bootloader (UEFI)
  boot.loader.systemd-boot.enable = true;
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1718141734,
-        "narHash": "sha256-cA+6l8ZCZ7MXGijVuY/1f55+wF/RT4PlTR9+g4bx86w=",
+        "lastModified": 1718243258,
+        "narHash": "sha256-abBpj2VU8p6qlRzTU8o22q68MmOaZ4v8zZ4UlYl5YRU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "892f76bd0aa09a0f7f73eb41834b8a904b6d0fad",
+        "rev": "8d5e27b4807d25308dfe369d5a923d87e7dbfda3",
        "type": "github"
      },
      "original": {
@ -22,11 +22,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1716509168,
-        "narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=",
+        "lastModified": 1718318537,
+        "narHash": "sha256-4Zu0RYRcAY/VWuu6awwq4opuiD//ahpc2aFHg2CWqFY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "bfb7a882678e518398ce9a31a881538679f6f092",
+        "rev": "e9ee548d90ff586a6471b4ae80ae9cfcbceb3420",
        "type": "github"
      },
      "original": {
@ -36,10 +36,48 @@
        "type": "github"
      }
    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1717880976,
+        "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1718137936,
+        "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -5,11 +5,14 @@
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, home-manager, ... }@inputs: {
    nixosConfigurations.primus = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
+      specialArgs = { inherit inputs; };
      modules = [
        ./configuration.nix
        home-manager.nixosModules.home-manager
@ -20,5 +23,12 @@
          }
      ];
    };
+    /*nixosConfigurations.domus = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      specialArgs = { inherit inputs; };
+      modules = [
+        ./configuration.nix
+      ];
+    };*/
  };
 }
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -0,0 +1,27 @@
+#ENC[AES256_GCM,data:zIEPR+f3oNUXscmJluVGimhCJOJvmt4nYVo9caX3KT7aMY19zRw=,iv:JFllfIsq4ZMPT0gPD3rM/JwCRqBWbreuwJBwh+wmEPM=,tag:q78Noz55Gfv9Fre/lHfazw==,type:comment]
+example-key: ENC[AES256_GCM,data:5HXexUlRXZ7HfCatGQ==,iv:g5KJXFp86qiDVNY0J0t8LNXpsPGWmUtD6Q57d2y8JaI=,tag:ukraiWf9XP4IB2ifvWIYug==,type:str]
+#ENC[AES256_GCM,data:WS0ermQh41FOlTMABa8DbChF/GJVbj+LyPj7tona/5KHv2WBOJr0pNFPn8KD1Npb+4HO6F7aZww=,iv:5KeTKsmZ0Is1LwxnBGHUGQI0Gw9Hh39DZLssQmFdspQ=,tag:eOK2gx2NCzeN7MiD9u1bHw==,type:comment]
+#ENC[AES256_GCM,data:shS5kFqwZM0/l9vspnERZV5dDXe7urjLnWzmxH9cOzT2RtebdtgmPaxUf3F8aIyQwbMPw3WF0hgkxvVGVOL42gQyExSw1gQz,iv:6EB/jMdkiRakBFcF80zhd7+hWxhdCLkObAAGnn5ujtU=,tag:R0hPptbYewzhYr3N6ivExA==,type:comment]
+myservice:
+    my_subdir:
+        my_secret: ENC[AES256_GCM,data:mb/6LYdrwCGR,iv:m/HiZboE03tu+rJtBppkgBN4aP1x5HHnA5EA+QkuwzE=,tag:5XmIK+7IOnyVHobeZSTFUQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1jdr0sy4zuej6hag6ttwxun88j8kvuhp26cwuvq6s2fwmzhcvafxsut87rh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZTZvSVN1T294aHhGL2NE
+            dGRuVEg1YU5CU2ZWcE1mMGV3MEg5R3NDNWdrCjNxWHFXQWNYazgrZlRvSG16bnpu
+            NEtVL0wwT05DLzFoaWJ3QUJ4YkFOTE0KLS0tIFpwSHd0NFRXV2tIc2l5RGpuaW9v
+            YkVSMHNhYXdjelZYTmFkbGZ5dG96UDAKi1mA1QUMBwBe7uulOG5ey9Ou2ZTqlk1I
+            8DSWRgW8MoKl4G0e2ZfERpKFRKdEhbM/hrUV1fdVmfdWOH3aSCniYQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-06-15T10:53:14Z"
+    mac: ENC[AES256_GCM,data:pippyfZPl83wHDmWRi9uabtTqpmNUJW2sp9Mm3bDFdkYp6u/GWLpj3nS97qBP+O+ecuMJBthvMwplBOHkHakv10sFJ90MrjnoVV6SW+YUoJpGAl0sgDoPFx0SD6Kzt3rTDJ1jBKmtY4sB4IBT5AZ9h4kXCOVGn4D1kYU0ZXATaY=,iv:Q6ZP4sQOBlaePRmLSsp70qiE2nIDPwg5g2X3Yk1h2ww=,tag:NXbjBLRkbSMDjOZczBivWQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1