diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..2ce050f
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &admin 4FED5D017062C493E685D35AE5481AFB6545CB90
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - pgp:
+ - *admin
diff --git a/flake.lock b/flake.lock
index 1abaa2f..e84d0b2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -822,7 +822,8 @@
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs_4",
 "nur-xddxdd": "nur-xddxdd",
- "oskars-dotfiles": "oskars-dotfiles"
+ "oskars-dotfiles": "oskars-dotfiles",
+ "sops-nix": "sops-nix"
 }
 },
 "rust-overlay": {
@@ -888,6 +889,26 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1736203741,
+ "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index c7af3f4..3a86d88 100644
--- a/flake.nix
+++ b/flake.nix
@@ -56,6 +56,11 @@
 url = "git+https://gitlab.com/rycee/nur-expressions.git?dir=pkgs/firefox-addons&ref=master";
 flake = false;
 };
+
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = {
diff --git a/home/david/configurations/Tytonidae/default.nix b/home/david/configurations/Tytonidae/default.nix
index 4fa4255..dffeeb2 100644
--- a/home/david/configurations/Tytonidae/default.nix
+++ b/home/david/configurations/Tytonidae/default.nix
@@ -1,6 +1,7 @@
 {
 pkgs,
 config,
+ rootPath,
 inputs,
 ...
 }:
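Review bot: `path_regex: secrets/[^/]+\.(yaml|json|env|ini)$` is anchored only at the end, so it matches a file under a directory named `secrets` at any depth rather than only the top-level one that `sops.defaultSopsFile` points at; `path_regex: ^secrets/[^/]+\.(yaml|json|env|ini)$` would pin the rule to the intended directory. The single `key_groups` entry lists one PGP recipient (`*admin`), so if that private key is lost or unavailable there is no other way to decrypt `secrets/general.yaml`. Adding a second recipient to the same group and then running `sops updatekeys` on the existing secret file would give a recovery path.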
@@ -97,4 +98,14 @@
 uris = [ "qemu:///system" ];
 };
 };
+
+ sops.secrets."ssh-private-key" = {
+ mode = "0600";
+ path = "${config.home.homeDirectory}/.ssh/id_ed25519";
+ };
+
+ sops.gnupg = {
+ home = "${config.home.homeDirectory}/.gnupg";
+ };
+ sops.defaultSopsFile = rootPath + "/secrets/general.yaml";
 }
diff --git a/home/modules/default.nix b/home/modules/default.nix
index 245a616..767f377 100644
--- a/home/modules/default.nix
+++ b/home/modules/default.nix
@@ -1,8 +1,12 @@
-{ lib, ... }:
+{ inputs, lib, ... }:
 {
- imports = [
- ./nix.nix
- ];
+ imports =
+ (with inputs; [
+ sops-nix.homeManagerModules.sops
+ ])
+ ++ [
+ ./nix.nix
+ ];
 options = {
 youthlic.nixos.enable = lib.mkOption {
diff --git a/nixos/configurations/Tytonidae/users/tytonidae b/nixos/configurations/Tytonidae/users/tytonidae
deleted file mode 100644
index 0299edb..0000000
--- a/nixos/configurations/Tytonidae/users/tytonidae
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC2sRS60d
-BXX14enHHCynC9AAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIETMs9b4xfFRsgPZ
-UzrVce3J27p0LBKLfZwhNMen0Da9AAAAkC3NVadOCQU0sd6qujTsqGPSbuO6iNaEBOj6hl
-GVPf/VwoGxadvzyQh7sdcOzr/nybcaNgOya7sjAWN0uClekHp/8ZUewU28xlmv2yXxpOXM
-UrDFaUcpWIRegALW8CpJf2ndykI1Y8eY2uwGJSWgWreBoCD81P1V68DSw8i4XVtW2Pad9y
-yYvR8TpNxCvyta2w==
------END OPENSSH PRIVATE KEY-----
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index a82744c..0728cb4 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -11,10 +11,12 @@
 nixos-cosmic.nixosModules.default
 home-manager.nixosModules.home-manager
 dae.nixosModules.dae
+ sops-nix.nixosModules.sops
 ])
 ++ [
 ./nix.nix
 ./home.nix
+ ./gpg.nix
 ];
 config = {
diff --git a/nixos/modules/gpg.nix b/nixos/modules/gpg.nix
new file mode 100644
index 0000000..822b7cf
--- /dev/null
+++ b/nixos/modules/gpg.nix
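Review bot: `sops.secrets."ssh-private-key".path` is set to `${config.home.homeDirectory}/.ssh/id_ed25519`, the default filename OpenSSH looks up, and the hunk does not say what happens if a manually installed key already sits at that location, nor how the PGP private key under `sops.gnupg.home` is expected to reach a fresh host before the first activation. A short comment above the block would record that bootstrap dependency, e.g. `# Decrypted with the PGP key listed in .sops.yaml; that key must be in ~/.gnupg before the first activation`. If `rootPath` is a Nix path value, `rootPath + "/secrets/general.yaml"` ends up copied into the Nix store at evaluation time, which is fine only because the file is encrypted and is worth stating in the same comment. The enclosing attribute set starts outside the hunk.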
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ config = {
+ programs.gnupg = {
+ agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+ };
+ };
+}
diff --git a/nixos/modules/home.nix b/nixos/modules/home.nix
index 71f4e94..644ee18 100644
--- a/nixos/modules/home.nix
+++ b/nixos/modules/home.nix
@@ -57,7 +57,7 @@
 }
 );
 extraSpecialArgs = {
- inherit outputs inputs;
+ inherit outputs inputs rootPath;
 inherit (cfg) unixName hostName;
 inherit (pkgs) system;
 };
diff --git a/secrets/general.yaml b/secrets/general.yaml
new file mode 100644
index 0000000..35de878
--- /dev/null
+++ b/secrets/general.yaml
@@ -0,0 +1,24 @@
+ssh-private-key: ENC[AES256_GCM,data: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,iv:tQ6QO0I282jgNaWdc4tuz+ytZ/S4oE/zp5msENc5j5o=,tag:ZHdON06qRJWdl3RUb65jhg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2025-01-08T11:08:01Z"
+ mac: ENC[AES256_GCM,data:VV5xr8jvj2NiGTGtmFehh7M3iLMe3eKHhmQApCJSo/kMSmnou5+LuMDQfq5zK66Q63bA7MjlDy2vIPLUD1fRr56oHABquIjJdP6g4UjtkinE/a7dISWLXH0u40VOFI0UkSKrcKh+ViXlaOyBVs+uOiZ+WsqUEBVZ3KZi3iFkKmQ=,iv:KzFscpU0Po/mOpzprUpN3UHlIvPS5+stBbR1gsihwWY=,tag:rkIWTlKWIqhcgSEenzn6gQ==,type:str]
+ pgp:
+ - created_at: "2025-01-08T11:06:18Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DBSHyuNl/MZkSAQdAiSuiDDZWC7qVMB+UOkOCPfQxtTVfmJCRnXz1dJJNvEsw
+ /CFsMzi5HevKMcTXhmRp9eNxJMo/kJsAjjlwMUzxxtcbwCN/uukLjnfYFmhCXa4u
+ 1GgBCQIQgWlPc7rngROl+ldoUgffRF8BULgqXgFXn+rXRhyVrIjlLhzRwkY9jAXo
+ LHKkqi5lKjXX4uUx2oTz352Vu/X6g3qPcRZsjXR/trWhNUkBwwPIKPiyPI/KumQj
+ g15yhH2tbasKIQ==
+ =g2ld
+ -----END PGP MESSAGE-----
+ fp: 4FED5D017062C493E685D35AE5481AFB6545CB90
+ unencrypted_suffix: _unencrypted
+ version: 3.9.2
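Review bot: `enableSSHSupport = true` makes gpg-agent also serve SSH agent requests, which as far as I recall the NixOS gnupg module asserts is not combined with `programs.ssh.startAgent`, and the new file does not say why agent-backed SSH is wanted alongside the file-based `id_ed25519` secret the home-manager change installs. A one-line comment such as `# gpg-agent doubles as the SSH agent; keep programs.ssh.startAgent disabled` above `agent = {` would record the intent and the constraint.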
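Review bot: `inherit outputs inputs rootPath;` requires `rootPath` to be a bound name inside home.nix, but the module's argument set is outside the hunk, so it is not visible whether it is received through `specialArgs` or module arguments; if it is not, evaluation fails with an undefined variable rather than at activation. The enclosing attribute set starts and ends outside the hunk.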
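Review bot: The encrypted `ssh-private-key` entry is added in the same commit that deletes a plaintext OpenSSH private key from `nixos/configurations/Tytonidae/users/tytonidae`; if this is the same key (the hunk does not say), encrypting it now does not undo that exposure, because the plaintext remains recoverable from git history for anyone with access to the repository or any clone of it. That key should be treated as compromised: generate a new one, replace this value, and remove the old public key from every `authorized_keys` and forge account it was registered with. Rewriting history does not substitute for rotation.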