From 86c49e2ac6f7a2709ef1ee863bbe5ed39459f858 Mon Sep 17 00:00:00 2001 From: Lgmrszd Date: Sun, 21 Jan 2024 21:53:13 +0300 Subject: [PATCH] Add nixPath and sops-nix --- .sops.yaml | 10 ++++++++++ flake.lock | 26 +++++++++++++++++++++++++- flake.nix | 7 +++++++ hosts/laptop/configuration.nix | 19 ++++++++++++++++++- hosts/laptop/home.nix | 1 + secrets/secrets.yaml | 34 ++++++++++++++++++++++++++++++++++ 6 files changed, 95 insertions(+), 2 deletions(-) create mode 100644 .sops.yaml create mode 100644 secrets/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..862a376 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,10 @@ +keys: + - &primary_gpg D3067BE844D3FC49535A47B29396B8BA6FBB14DE + - &vps_ssh_pubkey age1acgqxvyczgsamz53z3v0gmahzfxlg9tscwnrgcxrfndgxhsvn3vs4ss5tk +creation_rules: + - path_regex: secrets/secrets.yaml$ + key_groups: + - pgp: + - *primary_gpg + age: + - *vps_ssh_pubkey \ No newline at end of file diff --git a/flake.lock b/flake.lock index 22a1358..ed1ebbf 100644 --- a/flake.lock +++ b/flake.lock @@ -112,7 +112,31 @@ "nixpkgs": "nixpkgs", "nixpkgs-fresh": "nixpkgs-fresh", "nixpkgs-locked": "nixpkgs-locked", - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": [ + "nixpkgs-stable" + ] + }, + "locked": { + "lastModified": 1705805983, + "narHash": "sha256-HluB9w7l75I4kK25uO4y6baY4fcDm2Rho0WI1DN2Hmc=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "ae171b54e76ced88d506245249609f8c87305752", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 2c038e0..e8382fc 100644 --- a/flake.nix +++ b/flake.nix 
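Review bot: In `.sops.yaml` the creation rule `path_regex: secrets/secrets.yaml$` is anchored only at the end and has an unescaped dot, so it also matches paths such as `mysecrets/secretsXyaml`; `path_regex: ^secrets/secrets\.yaml$` limits the rule to exactly the intended file. Both recipients sit in one key group, so either the PGP key or the `vps_ssh_pubkey` age key alone decrypts the file — presumably intended, but a one-line comment above `key_groups:` would stop a reader from taking the two entries for a threshold split. As far as this commit shows, no recipient belongs to the laptop that `hosts/laptop/configuration.nix` decrypts on, so that host depends entirely on a user's GPG key; adding the laptop's host SSH key converted with `ssh-to-age` as a third recipient (and re-running `sops updatekeys secrets/secrets.yaml`) would decouple activation from the user keyring. The file is also missing its final newline.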
@@ -26,6 +26,11 @@ url = "github:viperML/nh"; inputs.nixpkgs.follows = "nixpkgs"; }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.nixpkgs-stable.follows = "nixpkgs-stable"; + }; }; outputs = inputs@{ @@ -36,6 +41,7 @@ # nix-index-database, # nur, home-manager, + sops-nix, ... }: let @@ -87,6 +93,7 @@ ./hosts/laptop/hardware-configuration.nix ./hosts/laptop/mounts.nix # nix-index-database.nixosModules.nix-index + sops-nix.nixosModules.sops # make home-manager as a module of nixos # so that home-manager configuration will be deployed automatically when executing `nixos-rebuild switch` diff --git a/hosts/laptop/configuration.nix b/hosts/laptop/configuration.nix index 7efc7c4..a9b9f82 100644 --- a/hosts/laptop/configuration.nix +++ b/hosts/laptop/configuration.nix @@ -4,6 +4,10 @@ { config, pkgs, pkgs-stable, ... }: +let + nixPath = "/etc/nixPath"; +in + { # boot.kernelPackages = pkgs.linuxPackages_zen; @@ -274,8 +278,21 @@ nixpkgs.config.allowUnfree = true; + systemd.tmpfiles.rules = [ + "L+ ${nixPath} - - - - ${pkgs.path}" + ]; + nix.settings.experimental-features = [ "nix-command" "flakes" ]; - # nix.nixPath = [] + nix.nixPath = [ "nixpkgs=${nixPath}" ]; + nix.channel.enable = false; + + # Sops + sops = { + defaultSopsFile = ../../secrets/secrets.yaml; + defaultSopsFormat = "yaml"; + secrets.example_key = {}; + gnupg.home = "/home/lgm/.gnupg"; + }; # OnlyKey hardware.onlykey.enable = true; diff --git a/hosts/laptop/home.nix b/hosts/laptop/home.nix index bfb9cc5..7e62018 100644 --- a/hosts/laptop/home.nix +++ b/hosts/laptop/home.nix @@ -124,6 +124,7 @@ # gawk # zstd gnupg + sops # nix related nix-output-monitor diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml new file mode 100644 index 0000000..af3c283 --- /dev/null +++ b/secrets/secrets.yaml 
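Review bot: In the `hosts/laptop/configuration.nix` hunk, `gnupg.home = "/home/lgm/.gnupg";` ties secret decryption during system activation, which sops-nix performs as root before any user session exists, to one user's GnuPG keyring: if that private key is passphrase-protected or lives on the OnlyKey that the neighbouring `hardware.onlykey.enable = true;` suggests, every `nixos-rebuild switch` and boot will need the key unlocked or the token present, and a missing home directory breaks activation outright. The usual sops-nix shape is a host-owned age identity, `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, with the matching age recipient added to `.sops.yaml` and the file re-keyed with `sops updatekeys`. A comment on `secrets.example_key = {};` noting that it is a placeholder which materialises at `/run/secrets/example_key` (root-owned, mode 0400 by default) would help the next reader. The tmpfiles rule `"L+ ${nixPath} - - - - ${pkgs.path}"` could likely be expressed as `environment.etc."nixPath".source = pkgs.path;`, which the activation script maintains in the same switch rather than on the next tmpfiles run. The module attrset this hunk edits continues outside the hunk.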
@@ -0,0 +1,34 @@
+example_key: ENC[AES256_GCM,data:r6+IirxYwXxv1IaYgw==,iv:ngakIM2iaUMBgug9+QqQ2h6uPM9Xze/3PM2GRm79JV8=,tag:TwmNkg0WqSMqgh8VU238Xg==,type:str]
+foo: ENC[AES256_GCM,data:IlVV,iv:uK2Zkxo39WYw5Q9xnmVV/JhSRejQA9sGnYasX3CtSog=,tag:e1tYkCVVmyTpiCPAnQp6ng==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1acgqxvyczgsamz53z3v0gmahzfxlg9tscwnrgcxrfndgxhsvn3vs4ss5tk
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQL1YyalhGRXJnc1cxU0tx
+ NHRnWlBYYmZwV29aWUk1K0hhS3VRKzhEMTE4Ck9rTUQvQ0UvbllBMDEzenJEQURq
+ Sk9Lc1c5NHhYTG1LRGpZWVN3Qk16RGMKLS0tIFBhdEJUOEY4VVQ5UllGUXZWYVhy
+ OGJjR3NkQk1Ucyt5K3YraEZXdVFKODAK057dWbQGPrASAUqhaKmbsyt4DfjelZcI
+ 27Y9PpknTb+2W0DshjGzpcM6qZVlys98JRfM/0Hc5ZmYdj1rhfFR0Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-01-21T18:39:47Z"
+ mac: ENC[AES256_GCM,data:7J5iBhY7b8nNrM4tviSk8+ur2ldAa8NNFU2ai7kjuU0puqq3oYX2l/pkjY7/rIue92HoQ8PVaLUnm2j73gCrCiZSJ5Cp4Tbue1mPfG7V+RA6OCOIS5MUsY5dBNtUSaDAoUohuwMTPAXwf7oE+OYENqTJGgWdFFR/IUgHF4uIPKY=,iv:f2uq6sLx7kW/EN2zZzl6RYUg8lQ4JNuhfQXsjTzDeCc=,tag:T2dn3EUISNZFaYm+eX6wDA==,type:str]
+ pgp:
+ - created_at: "2024-01-21T18:06:27Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DrTkQq20WUVESAQdACf7D7i9i3JL3mhfBBYfj5+YgqsabixPitpX3vU1lsDQw
+ VHzfVAwc/dZZpbKQtOQq3qCV1Cq8UqbHJ/PDXiqgTMWUA6OAw+v82BxTsMR/c0r1
+ 1GgBCQIQ3qRPn6jKLT9cCPiyayxqyv+r1meT9A4t1j8e5ul2P6tqUJALSeyvydHA
+ iPKyS7DlVQ7uI4HTO9pd7Kj+JhwckFaxgZNVMqWicsTf0tCMd6+iJ3366bmetNYv
+ osKqKz9/c4ZF/A==
+ =Hv+Y
+ -----END PGP MESSAGE-----
+ fp: D3067BE844D3FC49535A47B29396B8BA6FBB14DE
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
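Review bot: `foo` is encrypted alongside `example_key`, but nothing in this commit declares it under `sops.secrets`, so it looks like a leftover from testing; if it is not needed, drop it so the secrets file documents exactly what the hosts consume. The `sops:` metadata block lists only the PGP fingerprint and the age recipient from `.sops.yaml`, which is fine for a committed encrypted file, but anyone adding or removing a recipient later must run `sops updatekeys secrets/secrets.yaml` (or `sops rotate -i` to also replace the data key) rather than edit that block by hand, and a short note to that effect in the repository README would save a future mistake.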