From 4bf3901e28b8dc2f6780f53c42c25cc608a94166 Mon Sep 17 00:00:00 2001
From: Adithya Nair
Date: Sun, 16 Jun 2024 18:43:46 +0530
Subject: [PATCH] add sops-nix

---
.sops.yaml | 9 ++++++++
common/default.nix | 2 +-
common/secrets.nix | Bin 0 -> 622 bytes
flake.lock | 55 ++++++++++++++++++++++++++++++++++++++++++++-
flake.nix | 8 +++++--
home/default.nix | 2 +-
home/secrets.nix | Bin 0 -> 155 bytes
secrets.yaml | 32 ++++++++++++++++++++++++++
8 files changed, 103 insertions(+), 5 deletions(-)
create mode 100644 .sops.yaml
create mode 100644 common/secrets.nix
create mode 100644 home/secrets.nix
create mode 100644 secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..ccad854
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &age_key age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt
+ - &skipper_host_ed25519 age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a
+creation_rules:
+ - path_regex: secrets.yaml
+ key_groups:
+ - age:
+ - *age_key
+ - *skipper_host_ed25519
diff --git a/common/default.nix b/common/default.nix
index d01f589..7c65678 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -1,3 +1,3 @@
 { ... }: {
- imports = [ ./nix.nix ./users ];
+ imports = [ ./nix.nix ./users ./secrets.nix ];
 }
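Review bot: The creation rule's `path_regex: secrets.yaml` is unanchored and its dot is a regex wildcard, so the rule matches any path that merely contains that substring (`foo/secrets.yaml`, `secrets.yaml.bak`, `secretsXyaml`), and sops will silently apply these recipients to such files; anchor it to the one intended file: `- path_regex: ^secrets\.yaml$`. The single `age` key group means either the user key or the skipper host key can decrypt the whole file on its own, which is fine for a one-host setup; when further hosts are added, give each its own rule and key group rather than appending to this list, otherwise every host can read every other host's secrets. There is no PGP or KMS recipient alongside the two age keys, so if the user key's private half is lost the file is only recoverable through the host's SSH key; keep an offline backup of one of them.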
diff --git a/common/secrets.nix b/common/secrets.nix new file mode 100644 index 0000000000000000000000000000000000000000..0a257be3ce15a6fb0908f3c5b85f8cfb3545ac6b GIT binary patch literal 622 zcmV-!0+IayM@dveQdv+`00X4vO0JRdJ=x|wvH2=lb@dO2$R=&8x0kW3e2KN( zFl`lW1R9scVF(CmbO3Z?ooo7KboH38O?3Q8b1e0sOCnvP`oX*bkaB8@)pK# zD}?MesLD}UI!|}d^Y_Y!^!;+Yx$H8Fq?7L8P2mX7j zw%D{QAMTl)!A@Z&Vo6;E5{$ZD2LC%f^=m;Rt!Iji~RL2I-+6CtL z-?P%ri3GkV(Z+D7TF6)>3p#2EAJ2U;AAW6I4Uur9cK9uP=xYsVl;8i|H||3}0T2Vv z6{_=V2z49J8yerg>4{suy?n9b$L_v4Q1)?+&Si9S!3okp6 zV0?kGb=FMDJnF0aCNp#lWbm0MV;4$!2d>V993+=C+Z{p}dVfJJ6mahe9#F>C*j!o9 zw65n|mZe*KHi|YKOR;2iowrL%Ai0Ev;+AHZ$Fub=yFk6@}^*&CE7|#^^RU)!)j%> z?Ozk;IW<%kDUJp?#HFMHUT%3X(NbVkBvf3u1ar=fvED=@x8;g(eormTeyxblWAX}9 z425vRRxcz$5sHW(kLQ4hEJ8$?gf%v-qb0k2PdKiYIm*@AuX-A(CAy z9)%O}q^IiA#!$n*T7&pgjFHDb9}?^XHPc!(Sb|G2^ZXD+^B2}26zV~&_Ze5UUkPb> IDJ^ah-Z=CxasU7T literal 0 HcmV?d00001 diff --git a/flake.lock b/flake.lock index 54f455a..b92ea51 100644 --- a/flake.lock +++ b/flake.lock @@ -395,6 +395,22 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1718478900, + "narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c884223af91820615a6146af1ae1fea25c107005", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1718149104, @@ -428,6 +444,22 @@ } }, "nixpkgs_4": { + "locked": { + "lastModified": 1718276985, + "narHash": "sha256-u1fA0DYQYdeG+5kDm1bOoGcHtX0rtC7qs2YA2N1X++I=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3f84a279f1a6290ce154c5531378acc827836fbb", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { "locked": { "lastModified": 1716220750, "narHash": "sha256-Lhhrd1ZBNXCbUupWGq6gRPIy1qMKEdcAXcjnwgVqe/U=", 
@@ -478,6 +510,7 @@
 "lanzaboote": "lanzaboote",
 "neovim-nightly": "neovim-nightly",
 "nixpkgs": "nixpkgs_3",
+ "sops-nix": "sops-nix",
 "varnam-nix": "varnam-nix"
 }
 },
@@ -506,6 +539,26 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_4",
+ "nixpkgs-stable": "nixpkgs-stable_2"
+ },
+ "locked": {
+ "lastModified": 1718506969,
+ "narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "ref": "master",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
@@ -538,7 +591,7 @@
 },
 "varnam-nix": {
 "inputs": {
- "nixpkgs": "nixpkgs_4"
+ "nixpkgs": "nixpkgs_5"
 },
 "locked": {
 "lastModified": 1716722955,
diff --git a/flake.nix b/flake.nix
index 8b6069e..e7e8627 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,9 +18,10 @@
 url = "github:nix-community/home-manager?ref=master";
 inputs.nixpkgs.follows = "nixpkgs";
 };
- flake-utils.url = "github:numtide/flake-utils";
 impermanence.url = "github:nix-community/impermanence?ref=master";
 lanzaboote.url = "github:nix-community/lanzaboote?ref=master";
+ sops-nix.url = "github:Mic92/sops-nix?ref=master";
+ flake-utils.url = "github:numtide/flake-utils";
 neovim-nightly.url = "github:nix-community/neovim-nightly-overlay?ref=master";
 varnam-nix.url = "github:adtya/varnam-nix?ref=main";
 };
@@ -32,6 +33,7 @@
 , home-manager
 , impermanence
 , lanzaboote
+ , sops-nix
 , neovim-nightly
 , varnam-nix
 ,
@@ -57,10 +59,10 @@
 { system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev; }
- home-manager.nixosModules.home-manager
 impermanence.nixosModules.impermanence
 lanzaboote.nixosModules.lanzaboote
+ sops-nix.nixosModules.sops
 ./common
 ./hosts/skipper
@@ -95,6 +97,8 @@
 git
 git-crypt
 statix
+ sops
+ age
 ];
 };
 packages.getpaper = (import ./extra-packages pkgs).getpaper;
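Review bot: The new `sops-nix.url` input does not pin its `nixpkgs` to this flake's own, unlike the `home-manager` input just above it which sets `inputs.nixpkgs.follows = "nixpkgs";`; the flake.lock hunk in this same patch shows the consequence (new `nixpkgs_4` and `nixpkgs-stable_2` entries), so the `sops` tooling and the activation script that decrypts secrets at boot are built from a second, independently updated nixpkgs revision. Write it the way home-manager is written: `sops-nix = { url = "github:Mic92/sops-nix?ref=master"; inputs.nixpkgs.follows = "nixpkgs"; };` (the lock shows sops-nix also takes `nixpkgs-stable`, which can follow the same input if no stable channel is needed). Tracking `master` rather than a release is consistent with the other inputs here, but for the component handling secret decryption it means every `nix flake update` pulls unreviewed upstream changes; a pinned tag with deliberate bumps is the safer convention for this input in particular.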
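Review bot: The `@@ -57,10 +59,10 @@` hunk also drops `home-manager.nixosModules.home-manager` from the nixosSystem module list, which is unrelated to adding sops-nix and is not mentioned in the commit message (the diffstat's 2 deletions in flake.nix are this line and the moved `flake-utils.url`). If the module is now imported elsewhere, say under `./hosts/skipper`, say so in the message; otherwise `home/default.nix`, which this same patch extends with `./secrets.nix`, is presumably no longer evaluated and the home-level sops secrets will never be installed. Either restore the line or split the removal into its own commit. The enclosing `modules = [ ... ]` list starts and ends outside the hunk.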
diff --git a/home/default.nix b/home/default.nix index b763133..1ef2a8d 100644 --- a/home/default.nix +++ b/home/default.nix @@ -1,5 +1,5 @@ _: { - imports = [ ./programs ./services ./wm ./gtk.nix ./qt.nix ./persistence.nix ]; + imports = [ ./programs ./services ./wm ./gtk.nix ./persistence.nix ./qt.nix ./secrets.nix ]; home.stateVersion = "23.11"; diff --git a/home/secrets.nix b/home/secrets.nix new file mode 100644 index 0000000000000000000000000000000000000000..91e9ebe4dd82856e0be73ca199a6245bc898ad22 GIT binary patch literal 155 zcmV;M0A&9FM@dveQdv+`07)^xYW=TV!C?)g(C5GtWKQ>42%fJx_bt z;gcM^ux&K-7y46+NPeX?;ylEY^Wb5f%--vjkJBTqCWb83ZX~30&@0sgUCI5-g20I# zlB4kjF&USlrp2fcsUzvDGQ_bFQY>|a42s56#6&Qb?_9B0Mkf8nwi60gNhj8-=!ZLE JAVjGHWx^5MP167X literal 0 HcmV?d00001 diff --git a/secrets.yaml b/secrets.yaml new file mode 100644 index 0000000..771df70 --- /dev/null +++ b/secrets.yaml 
@@ -0,0 +1,32 @@
+passwd:
+ root: ENC[AES256_GCM,data:fEAYZXid9Im/TJrBXj9IOUCdqHT3NZ8GZvouX+RN/1PplH+imoGvjiMc+7AWxUwH28RYpKlFmrILrBSCFEvypX/IXuwx0Zq/uoTLEiP+NiDvSl+e1kvTbI5q19iSajmxU/mN67zTTmUbzA==,iv:MtX/dAEIsQFJc4KahJPbj+dELowLF0caea55/HZ3WWA=,tag:bkfqmLU+dCW+KNJ7RFoeFQ==,type:str]
+ adtya: ENC[AES256_GCM,data:ryjjreVHyt/oY4tJcJHZ8ZQNk/hq9UJFECwo65Pd/GTWw/V/0QxwhoPsuFrgrVRwZxmK+m52ZtGstarn6kSK0oqT7rqzu4u0UwgxzRiPOAzyGPCl9PbiMWUQyeh779q133E+GRw5hEih7A==,iv:o1C+5PSKYmXU61k1TOJWIw3dPWbGBQNwB+pa2X5m9ik=,tag:WSKUXPJmMudschBaYJsSrg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1bzR4NWVIdEZ3UTNCRGNj
+ UldLTlVVSlZLRFVWUlhtNkJvaDk2azhDb0c0Cm5XQzhSQ29sb3lxZFMzVlY5bXJ3
+ VGZhZHd0NjBHVjJVZHV4ZHZGVmJqTkEKLS0tIEYxTWJuU3VhTG0xQUw2VTBUZ0FY
+ MWZqR2Q3VVFyWk1kL09XS1hNVHlqTkEKRg5M6TZ9OAQGNzVfE7VKlHb7vpYxP/bg
+ Ptv8vSeXOk1Jx2fAe+akxB1GXLaCwx+YgrZc11+A7Xdt70FRLcB/pA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUcE1NY05vUVFSZXBNQ0xn
+ aE82WUd6ZHJzN1lZcXFKbWdReEdmTUl0TFdJCnJYSGJxVmFHZHpXbXBJQ0k5N0ZV
+ djVNYk1EVktwckpEdlYyeXROMHZpRWMKLS0tIFhpKzMyeSsxYS9iY3RvKzFJM0FK
+ MTdMRzR6anF4RzVBbnI5cnFPQmRpWmcKCiFOU74esinQsdc55Zwny5/VVNN2r3rq
+ 19ZYyCVNuyTeOXxuvUvjPJeW2X+v9H6bvbg1sXMxb761Pm0VGYor+g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-06-16T15:30:46Z"
+ mac: ENC[AES256_GCM,data:/D317rlcTmlmRA23umgXQzdNi5ZN0BEvyZX9YgmJBRUOMI5wredwqOiH3pqfcy1Aj4EeD9LqNP2BtQy7iRevD4A5/1W5K0rynbBpWknpr6w+VNUdB5b8NVgYBVbDsc/OogaV/33oN9wIe5crnD/UlvG+uv1zNCRr3BXai0yX+Ns=,iv:qf+8SHnt28nNbA1wB6fzkLvzN7JGaRvTlYiCT8Yt9AQ=,tag:N0t1umV+VkOXH2cKilQ75A==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
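Review bot: The two encrypted values `passwd.root` and `passwd.adtya` are by name login passwords, but nothing in this patch shows how they are consumed: the sops-nix declarations that set `owner`, `mode` and `neededForUsers` live in `common/secrets.nix` and `home/secrets.nix`, which this commit adds as binary (git-crypt) blobs and which therefore cannot be reviewed. If they feed `users.users.<name>.hashedPasswordFile`, the stored values must be password hashes (e.g. `mkpasswd -m sha-512` output), not plaintext, and the declaration needs `neededForUsers = true;` so the secret is decrypted into `/run/secrets-for-users` before users are created; please state this in the commit message. Since sops already protects the values, consider keeping the `.nix` declaration files in plaintext — they carry no secrets and would then be reviewable like the rest of the configuration. The ciphertext itself is bound to both recipients declared in `.sops.yaml` and carries a `mac`, so committing it is by design.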