diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..ccad854
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &age_key age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt
+ - &skipper_host_ed25519 age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a
+creation_rules:
+ - path_regex: secrets.yaml
+ key_groups:
+ - age:
+ - *age_key
+ - *skipper_host_ed25519
diff --git a/common/default.nix b/common/default.nix
index d01f589..7c65678 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -1,3 +1,3 @@
 { ... }: {
- imports = [ ./nix.nix ./users ];
+ imports = [ ./nix.nix ./users ./secrets.nix ];
 }
diff --git a/common/secrets.nix b/common/secrets.nix
new file mode 100644
index 0000000..0a257be
Binary files /dev/null and b/common/secrets.nix differ
diff --git a/flake.lock b/flake.lock
index 54f455a..b92ea51 100644
--- a/flake.lock
+++ b/flake.lock
@@ -395,6 +395,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable_2": {
+ "locked": {
+ "lastModified": 1718478900,
+ "narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c884223af91820615a6146af1ae1fea25c107005",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1718149104,
@@ -428,6 +444,22 @@
 }
 },
 "nixpkgs_4": {
+ "locked": {
+ "lastModified": 1718276985,
+ "narHash": "sha256-u1fA0DYQYdeG+5kDm1bOoGcHtX0rtC7qs2YA2N1X++I=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "3f84a279f1a6290ce154c5531378acc827836fbb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_5": {
 "locked": {
 "lastModified": 1716220750,
 "narHash": "sha256-Lhhrd1ZBNXCbUupWGq6gRPIy1qMKEdcAXcjnwgVqe/U=",
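Review bot: `path_regex: secrets.yaml` in the new creation rule is an unanchored regex with an unescaped dot, so it matches any path that merely contains something like `secrets-yaml` or `secrets.yaml.bak`, and once a second rule is added the first matching rule wins silently; anchor and escape it, `path_regex: ^secrets\.yaml$`. The two recipients are a personal age key and a host key (the `skipper_host_ed25519` anchor suggests it is derived from that host's ssh ed25519 key, which is the usual sops-nix arrangement); nothing here shows the private halves, and they must stay out of the repository. Note that any file not matched by a rule is refused by `sops`, so the anchored pattern also documents exactly which file is expected to carry secrets.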
@@ -478,6 +510,7 @@
 "lanzaboote": "lanzaboote",
 "neovim-nightly": "neovim-nightly",
 "nixpkgs": "nixpkgs_3",
+ "sops-nix": "sops-nix",
 "varnam-nix": "varnam-nix"
 }
 },
@@ -506,6 +539,26 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_4",
+ "nixpkgs-stable": "nixpkgs-stable_2"
+ },
+ "locked": {
+ "lastModified": 1718506969,
+ "narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "ref": "master",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
@@ -538,7 +591,7 @@
 },
 "varnam-nix": {
 "inputs": {
- "nixpkgs": "nixpkgs_4"
+ "nixpkgs": "nixpkgs_5"
 },
 "locked": {
 "lastModified": 1716722955,
diff --git a/flake.nix b/flake.nix
index 8b6069e..e7e8627 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,9 +18,10 @@
 url = "github:nix-community/home-manager?ref=master";
 inputs.nixpkgs.follows = "nixpkgs";
 };
- flake-utils.url = "github:numtide/flake-utils";
 impermanence.url = "github:nix-community/impermanence?ref=master";
 lanzaboote.url = "github:nix-community/lanzaboote?ref=master";
+ sops-nix.url = "github:Mic92/sops-nix?ref=master";
+ flake-utils.url = "github:numtide/flake-utils";
 neovim-nightly.url = "github:nix-community/neovim-nightly-overlay?ref=master";
 varnam-nix.url = "github:adtya/varnam-nix?ref=main";
 };
@@ -32,6 +33,7 @@
 , home-manager
 , impermanence
 , lanzaboote
+ , sops-nix
 , neovim-nightly
 , varnam-nix
 ,
@@ -57,10 +59,10 @@
{ system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev; } - home-manager.nixosModules.home-manager impermanence.nixosModules.impermanence lanzaboote.nixosModules.lanzaboote + sops-nix.nixosModules.sops ./common ./hosts/skipper
@@ -95,6 +97,8 @@
 git
 git-crypt
 statix
+ sops
+ age
 ];
 };
 packages.getpaper = (import ./extra-packages pkgs).getpaper;
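Review bot: The new `sops-nix.url` input in the `-18,9` hunk does not set `inputs.nixpkgs.follows = "nixpkgs"` the way the home-manager input directly above it does, which is why the lock file in this same commit grows two extra nixpkgs pins (`nixpkgs_4` on nixpkgs-unstable and `nixpkgs-stable_2` on release-23.11) that sops-nix is evaluated against instead of the system's nixpkgs — a second package set to keep patched and audit. Make it consistent with the neighbouring input: `sops-nix = { url = "github:Mic92/sops-nix?ref=master"; inputs.nixpkgs.follows = "nixpkgs"; };` (its `nixpkgs-stable` input can presumably be made to follow as well, since it is only needed for the module's own tests — confirm before relying on that). Tracking `master` is acceptable only because flake.lock pins the exact `rev`; updates to a secrets-handling module should be reviewed rather than bumped blindly.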
diff --git a/home/default.nix b/home/default.nix
index b763133..1ef2a8d 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -1,5 +1,5 @@
 _: {
- imports = [ ./programs ./services ./wm ./gtk.nix ./qt.nix ./persistence.nix ];
+ imports = [ ./programs ./services ./wm ./gtk.nix ./persistence.nix ./qt.nix ./secrets.nix ];
 home.stateVersion = "23.11";
diff --git a/home/secrets.nix b/home/secrets.nix
new file mode 100644
index 0000000..91e9ebe
Binary files /dev/null and b/home/secrets.nix differ
diff --git a/secrets.yaml b/secrets.yaml
new file mode 100644
index 0000000..771df70
--- /dev/null
+++ b/secrets.yaml
@@ -0,0 +1,32 @@
+passwd:
+ root: ENC[AES256_GCM,data:fEAYZXid9Im/TJrBXj9IOUCdqHT3NZ8GZvouX+RN/1PplH+imoGvjiMc+7AWxUwH28RYpKlFmrILrBSCFEvypX/IXuwx0Zq/uoTLEiP+NiDvSl+e1kvTbI5q19iSajmxU/mN67zTTmUbzA==,iv:MtX/dAEIsQFJc4KahJPbj+dELowLF0caea55/HZ3WWA=,tag:bkfqmLU+dCW+KNJ7RFoeFQ==,type:str]
+ adtya: ENC[AES256_GCM,data:ryjjreVHyt/oY4tJcJHZ8ZQNk/hq9UJFECwo65Pd/GTWw/V/0QxwhoPsuFrgrVRwZxmK+m52ZtGstarn6kSK0oqT7rqzu4u0UwgxzRiPOAzyGPCl9PbiMWUQyeh779q133E+GRw5hEih7A==,iv:o1C+5PSKYmXU61k1TOJWIw3dPWbGBQNwB+pa2X5m9ik=,tag:WSKUXPJmMudschBaYJsSrg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1bzR4NWVIdEZ3UTNCRGNj
+ UldLTlVVSlZLRFVWUlhtNkJvaDk2azhDb0c0Cm5XQzhSQ29sb3lxZFMzVlY5bXJ3
+ VGZhZHd0NjBHVjJVZHV4ZHZGVmJqTkEKLS0tIEYxTWJuU3VhTG0xQUw2VTBUZ0FY
+ MWZqR2Q3VVFyWk1kL09XS1hNVHlqTkEKRg5M6TZ9OAQGNzVfE7VKlHb7vpYxP/bg
+ Ptv8vSeXOk1Jx2fAe+akxB1GXLaCwx+YgrZc11+A7Xdt70FRLcB/pA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUcE1NY05vUVFSZXBNQ0xn
+ aE82WUd6ZHJzN1lZcXFKbWdReEdmTUl0TFdJCnJYSGJxVmFHZHpXbXBJQ0k5N0ZV
+ djVNYk1EVktwckpEdlYyeXROMHZpRWMKLS0tIFhpKzMyeSsxYS9iY3RvKzFJM0FK
+ MTdMRzR6anF4RzVBbnI5cnFPQmRpWmcKCiFOU74esinQsdc55Zwny5/VVNN2r3rq
+ 19ZYyCVNuyTeOXxuvUvjPJeW2X+v9H6bvbg1sXMxb761Pm0VGYor+g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-06-16T15:30:46Z"
+ mac: ENC[AES256_GCM,data:/D317rlcTmlmRA23umgXQzdNi5ZN0BEvyZX9YgmJBRUOMI5wredwqOiH3pqfcy1Aj4EeD9LqNP2BtQy7iRevD4A5/1W5K0rynbBpWknpr6w+VNUdB5b8NVgYBVbDsc/OogaV/33oN9wIe5crnD/UlvG+uv1zNCRr3BXai0yX+Ns=,iv:qf+8SHnt28nNbA1wB6fzkLvzN7JGaRvTlYiCT8Yt9AQ=,tag:N0t1umV+VkOXH2cKilQ75A==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
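Review bot: `passwd.root` and `passwd.adtya` look like user password material (whether hashes or plaintext is not determinable from the ciphertext); if they are consumed through `users.users.<name>.hashedPasswordFile`, the matching `sops.secrets."passwd/root"` and `sops.secrets."passwd/adtya"` declarations must set `neededForUsers = true` so the values are decrypted into the early `/run/secrets-for-users` stage before user creation, otherwise activation fails or the accounts end up without a usable password. That wiring lives in `common/secrets.nix` and `home/secrets.nix`, which this commit adds as binary blobs (presumably git-crypt, given it is in the dev shell), so the secret declarations, their `owner`/`mode`, and whether `sops.defaultSopsFile` and `sops.age.sshKeyPaths` are set cannot be reviewed here; sops-nix declarations carry only names and paths, so consider committing them in plaintext and keeping only this file encrypted. The `mac` field means `sops` will refuse the file if any value is edited outside the tool, which is the behaviour you want for a password store.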