remove ssh private key and add it to sops.

2025-01-08 20:35:26 +08:00 · 2025-01-08 20:35:26 +08:00 · 635f3cec9b
commit 635f3cec9b
parent 914c64e982
10 changed files with 91 additions and 14 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &admin 4FED5D017062C493E685D35AE5481AFB6545CB90
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *admin
--- a/flake.lock
+++ b/flake.lock
@ -822,7 +822,8 @@
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_4",
        "nur-xddxdd": "nur-xddxdd",
-        "oskars-dotfiles": "oskars-dotfiles"
+        "oskars-dotfiles": "oskars-dotfiles",
+        "sops-nix": "sops-nix"
      }
    },
    "rust-overlay": {
@ -888,6 +889,26 @@
        "type": "github"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736203741,
+        "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -56,6 +56,11 @@
      url = "git+https://gitlab.com/rycee/nur-expressions.git?dir=pkgs/firefox-addons&ref=master";
      flake = false;
    };
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };
  outputs =
    {
--- a/home/david/configurations/Tytonidae/default.nix
+++ b/home/david/configurations/Tytonidae/default.nix
@ -1,6 +1,7 @@
 {
  pkgs,
  config,
+  rootPath,
  inputs,
  ...
 }:
@ -97,4 +98,14 @@
      uris = [ "qemu:///system" ];
    };
  };
+
+  sops.secrets."ssh-private-key" = {
+    mode = "0600";
+    path = "${config.home.homeDirectory}/.ssh/id_ed25519";
+  };
+
+  sops.gnupg = {
+    home = "${config.home.homeDirectory}/.gnupg";
+  };
+  sops.defaultSopsFile = rootPath + "/secrets/general.yaml";
 }
--- a/home/modules/default.nix
+++ b/home/modules/default.nix
@ -1,6 +1,10 @@
-{ lib, ... }:
+{ inputs, lib, ... }:
 {
-  imports = [
+  imports =
+    (with inputs; [
+      sops-nix.homeManagerModules.sops
+    ])
+    ++ [
      ./nix.nix
    ];

--- a/nixos/configurations/Tytonidae/users/tytonidae
+++ b/nixos/configurations/Tytonidae/users/tytonidae
@ -1,8 +0,0 @@
-----BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABC2sRS60d
-BXX14enHHCynC9AAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIETMs9b4xfFRsgPZ
-UzrVce3J27p0LBKLfZwhNMen0Da9AAAAkC3NVadOCQU0sd6qujTsqGPSbuO6iNaEBOj6hl
-GVPf/VwoGxadvzyQh7sdcOzr/nybcaNgOya7sjAWN0uClekHp/8ZUewU28xlmv2yXxpOXM
-UrDFaUcpWIRegALW8CpJf2ndykI1Y8eY2uwGJSWgWreBoCD81P1V68DSw8i4XVtW2Pad9y
-yYvR8TpNxCvyta2w==
-----END OPENSSH PRIVATE KEY-----
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -11,10 +11,12 @@
      nixos-cosmic.nixosModules.default
      home-manager.nixosModules.home-manager
      dae.nixosModules.dae
+      sops-nix.nixosModules.sops
    ])
    ++ [
      ./nix.nix
      ./home.nix
+      ./gpg.nix
    ];

  config = {
--- a/nixos/modules/gpg.nix
+++ b/nixos/modules/gpg.nix
@ -0,0 +1,11 @@
+{ ... }:
+{
+  config = {
+    programs.gnupg = {
+      agent = {
+        enable = true;
+        enableSSHSupport = true;
+      };
+    };
+  };
+}
--- a/nixos/modules/home.nix
+++ b/nixos/modules/home.nix
@ -57,7 +57,7 @@
          }
        );
        extraSpecialArgs = {
-          inherit outputs inputs;
+          inherit outputs inputs rootPath;
          inherit (cfg) unixName hostName;
          inherit (pkgs) system;
        };
--- a/secrets/general.yaml
+++ b/secrets/general.yaml
@ -0,0 +1,24 @@
+ssh-private-key: ENC[AES256_GCM,data:tG+WYcvaGdMeRiCaAQY6KifoW+xyXKENfx0M6094M9oY/PTnabj1ssakqgn3ujDlckMxf5gZKfGAw0LW7wqWWIKAnVFKFr5fRXWpwROHtHV34BdvQAXtSNsOx9laaw383wWbrrnbblRW6E6GfUQs3YjQa0C+M/6qqpIdDJBbd/AV9OB3B1kiOtBUuHPGBeHvDa5QJUNFLNTO1iJ4rppPZRJ1tG9tTitTuAVRIqlZQZf1hKoz+yB+IakX+AmaXkpnpBOJhfcQWtjdm96Pl/s7pjvVR3f2DAXS8jx+oZT0/7y0xkMi/cvYqGwY/UJZS5w9/2Vk0DQ+I0F17fVZjNsIZKATjl26bRCFaD0Q6Qaw+EwaAaNAhiONbLuQRx3eig3K9KvXhoXKOYVWEnLlgN9gU+dMKD0QOr71u9LScaKkjcI4EpFrOVYET56WeeOP4SEcpkbJ1Qj9GdvGD8cvU281xBRCBxk+nuyazw5PrAmtT+rF16C7+XaHZceeWtMbpALaVL57xFaX+4sab9RVmO6dbtriETUjRHFiVtff1iHln0+aIl2IsSTpHY2v3coBcRMdR9wLeNNUua9b+bu8,iv:tQ6QO0I282jgNaWdc4tuz+ytZ/S4oE/zp5msENc5j5o=,tag:ZHdON06qRJWdl3RUb65jhg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2025-01-08T11:08:01Z"
+    mac: ENC[AES256_GCM,data:VV5xr8jvj2NiGTGtmFehh7M3iLMe3eKHhmQApCJSo/kMSmnou5+LuMDQfq5zK66Q63bA7MjlDy2vIPLUD1fRr56oHABquIjJdP6g4UjtkinE/a7dISWLXH0u40VOFI0UkSKrcKh+ViXlaOyBVs+uOiZ+WsqUEBVZ3KZi3iFkKmQ=,iv:KzFscpU0Po/mOpzprUpN3UHlIvPS5+stBbR1gsihwWY=,tag:rkIWTlKWIqhcgSEenzn6gQ==,type:str]
+    pgp:
+        - created_at: "2025-01-08T11:06:18Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DBSHyuNl/MZkSAQdAiSuiDDZWC7qVMB+UOkOCPfQxtTVfmJCRnXz1dJJNvEsw
+            /CFsMzi5HevKMcTXhmRp9eNxJMo/kJsAjjlwMUzxxtcbwCN/uukLjnfYFmhCXa4u
+            1GgBCQIQgWlPc7rngROl+ldoUgffRF8BULgqXgFXn+rXRhyVrIjlLhzRwkY9jAXo
+            LHKkqi5lKjXX4uUx2oTz352Vu/X6g3qPcRZsjXR/trWhNUkBwwPIKPiyPI/KumQj
+            g15yhH2tbasKIQ==
+            =g2ld
+            -----END PGP MESSAGE-----
+          fp: 4FED5D017062C493E685D35AE5481AFB6545CB90
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2