From dcb5d76ff05438be76620dda6cc9a22d629c8c68 Mon Sep 17 00:00:00 2001
From: Adithya Nair
Date: Sun, 16 Jun 2024 21:57:31 +0530
Subject: [PATCH] cleanup secrets move secrets out of the repo move secrets cleanup secrets
---
 common/default.nix | 2 +-
 common/secrets.nix | Bin 622 -> 0 bytes
 common/sops.nix | 23 +++++++++++++++++++++++
 common/users.nix | 2 +-
 home/programs/git.nix | 12 ++++--------
 hosts/skipper/services/default.nix | 8 ++------
 secrets.nix | Bin 887 -> 177 bytes
 secrets.nix.example | 12 ------------
 8 files changed, 31 insertions(+), 28 deletions(-)
 delete mode 100644 common/secrets.nix
 create mode 100644 common/sops.nix

diff --git a/common/default.nix b/common/default.nix
index b69520c..7947ddc 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -1,3 +1,3 @@
 { ... }: {
- imports = [ ./nix.nix ./secrets.nix ./users.nix ];
+ imports = [ ./nix.nix ./sops.nix ./users.nix ];
 }
diff --git a/common/secrets.nix b/common/secrets.nix
deleted file mode 100644
index 0a257be3ce15a6fb0908f3c5b85f8cfb3545ac6b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 622
zcmV-!0+IayM@dveQdv+`00X4vO0JRdJ=x|wvH2=lb@dO2$R=&8x0kW3e2KN( zFl`lW1R9scVF(CmbO3Z?ooo7KboH38O?3Q8b1e0sOCnvP`oX*bkaB8@)pK# zD}?MesLD}UI!|}d^Y_Y!^!;+Yx$H8Fq?7L8P2mX7j zw%D{QAMTl)!A@Z&Vo6;E5{$ZD2LC%f^=m;Rt!Iji~RL2I-+6CtL z-?P%ri3GkV(Z+D7TF6)>3p#2EAJ2U;AAW6I4Uur9cK9uP=xYsVl;8i|H||3}0T2Vv z6{_=V2z49J8yerg>4{suy?n9b$L_v4Q1)?+&Si9S!3okp6 zV0?kGb=FMDJnF0aCNp#lWbm0MV;4$!2d>V993+=C+Z{p}dVfJJ6mahe9#F>C*j!o9 zw65n|mZe*KHi|YKOR;2iowrL%Ai0Ev;+AHZ$Fub=yFk6@}^*&CE7|#^^RU)!)j%> z?Ozk;IW<%kDUJp?#HFMHUT%3X(NbVkBvf3u1ar=fvED=@x8;g(eormTeyxblWAX}9 z425vRRxcz$5sHW(kLQ4hEJ8$?gf%v-qb0k2PdKiYIm*@AuX-A(CAy z9)%O}q^IiA#!$n*T7&pgjFHDb9}?^XHPc!(Sb|G2^ZXD+^B2}26zV~&_Ze5UUkPb> IDJ^ah-Z=CxasU7T

diff --git a/common/sops.nix b/common/sops.nix
new file mode 100644
index 0000000..d7d0da8
--- /dev/null
+++ b/common/sops.nix
@@ -0,0 +1,23 @@
+{ config, ... }: {
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age = {
+ keyFile = "/persist/sops/age/keys.txt";
+ sshKeyPaths = [ "/persist/system/etc/ssh/keys/ssh_host_ed25519_key" ];
+ };
+ secrets = {
+ "passwd/root" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ neededForUsers = true;
+ };
+ "passwd/adtya" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ neededForUsers = true;
+ };
+ };
+ };
+}
diff --git a/common/users.nix b/common/users.nix
index d60f5db..0761331 100644
--- a/common/users.nix
+++ b/common/users.nix
@@ -7,7 +7,7 @@
 adtya = {
 uid = 1000;
 hashedPasswordFile = config.sops.secrets."passwd/adtya".path;
- description = "Adithya";
+ description = "Adithya Nair";
 isNormalUser = true;
 extraGroups = [ "docker" "libvirtd" "networkmanager" "tss" "wheel" ];
 shell = pkgs.zsh;
diff --git a/home/programs/git.nix b/home/programs/git.nix
index 8f11015..11ef9fb 100644
--- a/home/programs/git.nix
+++ b/home/programs/git.nix
@@ -1,8 +1,4 @@
-{ secrets, ... }:
-let
- user = secrets.users;
-in
-{
+{ osConfig, ... }: {
 programs.git = {
 enable = true;
 delta = {
@@ -12,10 +8,10 @@ in
 syntax-theme = "Dracula";
 };
 };
- userEmail = user.primary.emailAddress;
- userName = user.primary.realName;
+ userEmail = "adtya@adtya.xyz";
+ userName = osConfig.users.users.adtya.description;
 signing = {
- key = user.primary.pgpFingerprint;
+ key = "51E4F5AB1B82BE45B4229CC243A5E25AA5A27849";
 signByDefault = true;
 };
 extraConfig = {
diff --git a/hosts/skipper/services/default.nix b/hosts/skipper/services/default.nix
index c329aa6..f60c26d 100644
--- a/hosts/skipper/services/default.nix
+++ b/hosts/skipper/services/default.nix
@@ -1,8 +1,4 @@
-{ secrets, ... }:
-let
- user = secrets.users;
-in
-{
+{ config, ... }: {
 imports = [
 ./btrfs.nix
 ./dbus.nix 
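Review bot: `defaultSopsFile = ./secrets.yaml;` resolves to `common/secrets.yaml`, yet no such file appears in the diffstat, so either it is already tracked or the first `config.sops.secrets."passwd/adtya".path` access in common/users.nix fails to evaluate; if it is already in the repo, confirm it is the sops-encrypted document and that its creation rule includes the recipient derived from the host key named in `sshKeyPaths`. Both `age.keyFile` and `age.sshKeyPaths` are set and nothing says which identity a fresh install is expected to have, so a short comment would help, e.g. `# TODO(review): document which identity (keys.txt or the host ssh key) must exist before first activation`. The two secret attrsets are identical apart from their names; a shared binding removes the duplication and keeps the mode/owner policy in one place:
```nix
{ config, ... }:
let
  # One policy for every user-password secret; both entries below share it.
  userPasswordSecret = {
    mode = "400";
    owner = config.users.users.root.name;
    group = config.users.users.root.group;
    neededForUsers = true;
  };
in
{
  sops = {
    # … unchanged: defaultSopsFile and age …
    secrets = {
      "passwd/root" = userPasswordSecret;
      "passwd/adtya" = userPasswordSecret;
    };
  };
}
```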
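Review bot: `userName = osConfig.users.users.adtya.description;` ties the git author name to the NixOS account description, which this same commit edits in common/users.nix to make the value usable, so any later change to the description silently rewrites future commit attribution; a literal next to the hard-coded `userEmail` keeps both identity fields together, `userName = "Adithya Nair";`. Moving the email and PGP fingerprint out of the encrypted secrets file into the repo is reasonable since both are already published with every signed commit, but a one-line comment such as `# public identity data, intentionally not kept in sops` would save the next reader from re-asking why. The enclosing `programs.git` attrset is cut at both edges of this hunk.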
@@ -15,7 +11,7 @@ in
 cpupower-gui.enable = true;
 fstrim.enable = true;
 fwupd.enable = true;
- getty.autologinUser = user.primary.userName;
+ getty.autologinUser = config.users.users.adtya.name;
 gnome.gnome-keyring.enable = true;
 gvfs.enable = true;
 irqbalance.enable = true;
diff --git a/secrets.nix b/secrets.nix
index 9c5a595e1845bf40a87c6190fa332c3e0a0ce8da..e0f0b18321ea07a5957aab69461045e1bfd4fd40 100644
GIT binary patch
literal 177
zcmV;i08ak^M@dveQdv+`02RqAOrKKdI4m} zAg`N%7TcK?D_+X(?EwYI>#VuWwaMaY3tIahUubfY{dO)|8lnFbaxeEoqhc^rvE3)w zdx9s&OpOS!2e~bzAE?`Gj>t3&2{bsi@>4|CN)ltTN6Z9AxUNzRvQH(~YL%y>FwhRK fl;9aNxR7K{A?pWOqqZ)v4Tvm=)sUy3bF{5HvdL2Z

literal 887
zcmV--1Bm(QUvgzW?)wtSa1C-+MX@MRjPk35Ih{ zU9KV?APCqj)BHv(vN_8;W2kA7dO_1iP1B8ftq+eG0uum zPe9o87_X_Bq`L(|q0JCJwhm5u4T8d02Br8&iqTRXHSqW*j% z@k;H!_fcD~O#NIE2FVWrKlDDvxZusjPuZegQb?FX42#SaF$y>m&Lo+5%%UV-A@fwRUcmwv z|NbldQ;H9oIC!Wt^|6u*s*k8`*97SA;WuSX(>t=yFC4B>HIp~(s&>R=`Dq*DeO6jz zB)TNav^V84*vsY{Sqy~AD$o$*^udJ%y|vETq0_$De^FU_HN~LQzox=`xgjZV^R$uB NtLOt|LCw*#)=md+y6OM`

diff --git a/secrets.nix.example b/secrets.nix.example
index 33b7ac9..72fc95c 100644
--- a/secrets.nix.example
+++ b/secrets.nix.example
@@ -4,16 +4,4 @@
 endpoint = ":";
 publicKey = "";
 };
- users = {
- root.hashedPassword = "";
- primary = {
- userName = "";
- realName = "";
- hashedPassword = "";
- pgpFingerprint = "";
- emailAddress = "";
- sshPublicKey = "";
- };
- };
- phone.sshPublicKey = "";
 }