cleanup secrets

move secrets out of the repo move secrets cleanup secrets
2024-06-16 21:57:31 +05:30 · 2024-06-16 21:57:31 +05:30 · dcb5d76ff0
commit dcb5d76ff0
parent efea526d87
8 changed files with 31 additions and 28 deletions
--- a/common/default.nix
+++ b/common/default.nix
@ -1,3 +1,3 @@
 { ... }: {
-  imports = [ ./nix.nix ./secrets.nix ./users.nix ];
+  imports = [ ./nix.nix ./sops.nix ./users.nix ];
 }
--- a/common/secrets.nix
+++ b/common/secrets.nix
--- a/common/sops.nix
+++ b/common/sops.nix
@ -0,0 +1,23 @@
+{ config, ... }: {
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age = {
+      keyFile = "/persist/sops/age/keys.txt";
+      sshKeyPaths = [ "/persist/system/etc/ssh/keys/ssh_host_ed25519_key" ];
+    };
+    secrets = {
+      "passwd/root" = {
+        mode = "400";
+        owner = config.users.users.root.name;
+        group = config.users.users.root.group;
+        neededForUsers = true;
+      };
+      "passwd/adtya" = {
+        mode = "400";
+        owner = config.users.users.root.name;
+        group = config.users.users.root.group;
+        neededForUsers = true;
+      };
+    };
+  };
+}
--- a/common/users.nix
+++ b/common/users.nix
@ -7,7 +7,7 @@
    adtya = {
      uid = 1000;
      hashedPasswordFile = config.sops.secrets."passwd/adtya".path;
-      description = "Adithya";
+      description = "Adithya Nair";
      isNormalUser = true;
      extraGroups = [ "docker" "libvirtd" "networkmanager" "tss" "wheel" ];
      shell = pkgs.zsh;
--- a/home/programs/git.nix
+++ b/home/programs/git.nix
@ -1,8 +1,4 @@
-{ secrets, ... }:
-let
-  user = secrets.users;
-in
-{
+{ osConfig, ... }: {
  programs.git = {
    enable = true;
    delta = {
@ -12,10 +8,10 @@ in
        syntax-theme = "Dracula";
      };
    };
-    userEmail = user.primary.emailAddress;
-    userName = user.primary.realName;
+    userEmail = "adtya@adtya.xyz";
+    userName = osConfig.users.users.adtya.description;
    signing = {
-      key = user.primary.pgpFingerprint;
+      key = "51E4F5AB1B82BE45B4229CC243A5E25AA5A27849";
      signByDefault = true;
    };
    extraConfig = {
--- a/hosts/skipper/services/default.nix
+++ b/hosts/skipper/services/default.nix
@ -1,8 +1,4 @@
-{ secrets, ... }:
-let
-  user = secrets.users;
-in
-{
+{ config, ... }: {
  imports = [
    ./btrfs.nix
    ./dbus.nix
@ -15,7 +11,7 @@ in
    cpupower-gui.enable = true;
    fstrim.enable = true;
    fwupd.enable = true;
-    getty.autologinUser = user.primary.userName;
+    getty.autologinUser = config.users.users.adtya.name;
    gnome.gnome-keyring.enable = true;
    gvfs.enable = true;
    irqbalance.enable = true;
--- a/secrets.nix
+++ b/secrets.nix
--- a/secrets.nix.example
+++ b/secrets.nix.example
@ -4,16 +4,4 @@
    endpoint = "<endpoint>:<port>";
    publicKey = "<public key>";
  };
-  users = {
-    root.hashedPassword = "<password hash of root user>";
-    primary = {
-      userName = "<primary non-root username>";
-      realName = "<primary user's full name>";
-      hashedPassword = "<password hash of primary user>";
-      pgpFingerprint = "<primary user's pgp fingerprint>";
-      emailAddress = "<primary user's email>";
-      sshPublicKey = "<ssh public key>";
-    };
-  };
-  phone.sshPublicKey = "<ssh public key from phone>";
 }