add sops-nix

This commit is contained in:
Adithya 2024-06-16 18:43:46 +05:30
parent 36115e0470
commit 4bf3901e28
Signed by: adtya
GPG key ID: B8857BFBA2C47B9C
8 changed files with 103 additions and 5 deletions

9
.sops.yaml Normal file
View file

@ -0,0 +1,9 @@
keys:
- &age_key age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt
- &skipper_host_ed25519 age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a
creation_rules:
- path_regex: secrets.yaml
key_groups:
- age:
- *age_key
- *skipper_host_ed25519

View file

@ -1,3 +1,3 @@
{ ... }: {
imports = [ ./nix.nix ./users ];
imports = [ ./nix.nix ./users ./secrets.nix ];
}

BIN
common/secrets.nix Normal file

Binary file not shown.

View file

@ -395,6 +395,22 @@
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1718478900,
"narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c884223af91820615a6146af1ae1fea25c107005",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1718149104,
@ -428,6 +444,22 @@
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1718276985,
"narHash": "sha256-u1fA0DYQYdeG+5kDm1bOoGcHtX0rtC7qs2YA2N1X++I=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3f84a279f1a6290ce154c5531378acc827836fbb",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1716220750,
"narHash": "sha256-Lhhrd1ZBNXCbUupWGq6gRPIy1qMKEdcAXcjnwgVqe/U=",
@ -478,6 +510,7 @@
"lanzaboote": "lanzaboote",
"neovim-nightly": "neovim-nightly",
"nixpkgs": "nixpkgs_3",
"sops-nix": "sops-nix",
"varnam-nix": "varnam-nix"
}
},
@ -506,6 +539,26 @@
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_4",
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1718506969,
"narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251",
"type": "github"
},
"original": {
"owner": "Mic92",
"ref": "master",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@ -538,7 +591,7 @@
},
"varnam-nix": {
"inputs": {
"nixpkgs": "nixpkgs_4"
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1716722955,

View file

@ -18,9 +18,10 @@
url = "github:nix-community/home-manager?ref=master";
inputs.nixpkgs.follows = "nixpkgs";
};
flake-utils.url = "github:numtide/flake-utils";
impermanence.url = "github:nix-community/impermanence?ref=master";
lanzaboote.url = "github:nix-community/lanzaboote?ref=master";
sops-nix.url = "github:Mic92/sops-nix?ref=master";
flake-utils.url = "github:numtide/flake-utils";
neovim-nightly.url = "github:nix-community/neovim-nightly-overlay?ref=master";
varnam-nix.url = "github:adtya/varnam-nix?ref=main";
};
@ -32,6 +33,7 @@
, home-manager
, impermanence
, lanzaboote
, sops-nix
, neovim-nightly
, varnam-nix
,
@ -57,10 +59,10 @@
{
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
}
home-manager.nixosModules.home-manager
impermanence.nixosModules.impermanence
lanzaboote.nixosModules.lanzaboote
sops-nix.nixosModules.sops
./common
./hosts/skipper
@ -95,6 +97,8 @@
git
git-crypt
statix
sops
age
];
};
packages.getpaper = (import ./extra-packages pkgs).getpaper;

View file

@ -1,5 +1,5 @@
_: {
imports = [ ./programs ./services ./wm ./gtk.nix ./qt.nix ./persistence.nix ];
imports = [ ./programs ./services ./wm ./gtk.nix ./persistence.nix ./qt.nix ./secrets.nix ];
home.stateVersion = "23.11";

BIN
home/secrets.nix Normal file

Binary file not shown.

32
secrets.yaml Normal file
View file

@ -0,0 +1,32 @@
passwd:
root: ENC[AES256_GCM,data:fEAYZXid9Im/TJrBXj9IOUCdqHT3NZ8GZvouX+RN/1PplH+imoGvjiMc+7AWxUwH28RYpKlFmrILrBSCFEvypX/IXuwx0Zq/uoTLEiP+NiDvSl+e1kvTbI5q19iSajmxU/mN67zTTmUbzA==,iv:MtX/dAEIsQFJc4KahJPbj+dELowLF0caea55/HZ3WWA=,tag:bkfqmLU+dCW+KNJ7RFoeFQ==,type:str]
adtya: ENC[AES256_GCM,data:ryjjreVHyt/oY4tJcJHZ8ZQNk/hq9UJFECwo65Pd/GTWw/V/0QxwhoPsuFrgrVRwZxmK+m52ZtGstarn6kSK0oqT7rqzu4u0UwgxzRiPOAzyGPCl9PbiMWUQyeh779q133E+GRw5hEih7A==,iv:o1C+5PSKYmXU61k1TOJWIw3dPWbGBQNwB+pa2X5m9ik=,tag:WSKUXPJmMudschBaYJsSrg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1bzR4NWVIdEZ3UTNCRGNj
UldLTlVVSlZLRFVWUlhtNkJvaDk2azhDb0c0Cm5XQzhSQ29sb3lxZFMzVlY5bXJ3
VGZhZHd0NjBHVjJVZHV4ZHZGVmJqTkEKLS0tIEYxTWJuU3VhTG0xQUw2VTBUZ0FY
MWZqR2Q3VVFyWk1kL09XS1hNVHlqTkEKRg5M6TZ9OAQGNzVfE7VKlHb7vpYxP/bg
Ptv8vSeXOk1Jx2fAe+akxB1GXLaCwx+YgrZc11+A7Xdt70FRLcB/pA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUcE1NY05vUVFSZXBNQ0xn
aE82WUd6ZHJzN1lZcXFKbWdReEdmTUl0TFdJCnJYSGJxVmFHZHpXbXBJQ0k5N0ZV
djVNYk1EVktwckpEdlYyeXROMHZpRWMKLS0tIFhpKzMyeSsxYS9iY3RvKzFJM0FK
MTdMRzR6anF4RzVBbnI5cnFPQmRpWmcKCiFOU74esinQsdc55Zwny5/VVNN2r3rq
19ZYyCVNuyTeOXxuvUvjPJeW2X+v9H6bvbg1sXMxb761Pm0VGYor+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-16T15:30:46Z"
mac: ENC[AES256_GCM,data:/D317rlcTmlmRA23umgXQzdNi5ZN0BEvyZX9YgmJBRUOMI5wredwqOiH3pqfcy1Aj4EeD9LqNP2BtQy7iRevD4A5/1W5K0rynbBpWknpr6w+VNUdB5b8NVgYBVbDsc/OogaV/33oN9wIe5crnD/UlvG+uv1zNCRr3BXai0yX+Ns=,iv:qf+8SHnt28nNbA1wB6fzkLvzN7JGaRvTlYiCT8Yt9AQ=,tag:N0t1umV+VkOXH2cKilQ75A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1