Setup nix-sops

Nathan McCarty 2022-02-03 06:29:22 -05:00
parent 658e232c79
commit 2b2eb73a27
Signed by: thatonelutenist
GPG Key ID: D70DA3DD4D1E9F96
4 changed files with 87 additions and 2 deletions

10
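--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+# Yaml anchor for key
+keys:
+- &nathan age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+- &levitation age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
+creation_rules:
+- path_regex: secrets/[^/]+\.yaml$
+key_groups:
+- age:
+- *nathan
+- *levitation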
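Review bot: The `path_regex` on the creation rule is anchored only at the end, so as far as I recall sops' unanchored regex match will also apply it to a `secrets/*.yaml` nested anywhere below the repo root (e.g. `foo/secrets/x.yaml`); `path_regex: ^secrets/[^/]+\.yaml$` pins the rule to the top-level secrets directory. The single `# Yaml anchor for key` comment does not say which recipient is which; since flake.nix decrypts with `/etc/ssh/ssh_host_ed25519_key`, `levitation` is presumably that host key converted with ssh-to-age and `nathan` a personal key, and a comment per entry such as `# levitation's /etc/ssh/ssh_host_ed25519_key, converted with ssh-to-age` would make a host rekey less surprising. Because both recipients sit in one `key_groups` entry, either key alone decrypts every matching file, which is the usual single-group setup but worth stating in the comment.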


@ -98,13 +98,30 @@
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1638097282,
"narHash": "sha256-EXCzj9b8X/lqDPJapxZThIOKL5ASbpsJZ+8L1LnY1ig=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "78cb77b29d37a9663e05b61abb4fa09465da4b70",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"emacs": "emacs",
"fenix": "fenix",
"mozilla": "mozilla",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable"
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
}
},
"rust-analyzer-src": {
@ -123,6 +140,24 @@
"repo": "rust-analyzer",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1643003126,
"narHash": "sha256-JO5WrnP6+5qN3isdmm9VmjzvCM64UElgGnql7vEGjKU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c86068ac9a317f235be24a468206f874ba00f8d0",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
}
},
"root": "root",


@ -14,15 +14,17 @@
url = "github:mozilla/nixpkgs-mozilla";
flake = false;
};
sops-nix.url = "github:Mic92/sops-nix";
};
outputs = { self, nixpkgs, nixpkgs-unstable, fenix, emacs, mozilla }:
outputs = { self, nixpkgs, nixpkgs-unstable, fenix, emacs, mozilla, sops-nix }:
let
coreModules = [
./modules/user.nix
./modules/common.nix
./modules/ssh.nix
./applications/utils-core.nix
sops-nix.nixosModules.sops
({ pkgs, ... }: {
## Setup binary caches
# First install cachix, so we can discover new ones
@ -37,6 +39,13 @@
];
};
})
## Setup sops
({ pkgs, config, ... }: {
sops.defaultSopsFile = ./secrets/nathan.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.lastfm-username.owner = "nathan";
sops.secrets.lastfm-password.owner = "nathan";
})
];
desktopModules = coreModules ++ [
./modules/audio.nix
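Review bot: The new sops module is appended to `coreModules`, which `desktopModules` and presumably every host configuration inherit, yet the decryption key is the host's own `/etc/ssh/ssh_host_ed25519_key` and `.sops.yaml` lists only two age recipients; any second host built from `coreModules` (or this host after its SSH host key is regenerated) will fail at activation unless its converted host key is added to `.sops.yaml` and the secrets file is re-encrypted. A comment on the `sops.age.sshKeyPaths` line would save the next person that debugging, e.g. `# Decrypt with this host's ed25519 SSH key (used as an age identity); its ssh-to-age public key must be a recipient in .sops.yaml`. `owner = "nathan"` assumes that user is created by `./modules/user.nix`, and the file mode is left at the sops-nix default (I believe 0400, but confirm), which is fine for a password but worth a note. Stylistically, the module's `{ pkgs, config, ... }` arguments are both unused in the body, so the header can be just `({ ... }: {` like a plain attribute set.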

31
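--- a/secrets/nathan.yaml
+++ b/secrets/nathan.yaml
@@ -0,0 +1,31 @@
+lastfm-username: ENC[AES256_GCM,data:mVx3ycAJj6hS9lO+DQ==,iv:9JSXwl+X5eKIoJFjOt7LntlK6iQcy/Fm1ViG/J3I1d8=,tag:f8Q2F0Op/YCPq0qYeJzcFg==,type:str]
+lastfm-password: ENC[AES256_GCM,data:4jOnCDKn4fSD5mCIgoZqxOJP7E9TKP3r,iv:olko3/QHnNPoNpEMUeGL77qxphYLGhHSnn+ru5ANd2U=,tag:XAKVjDpS1Vc0NWKaS4OtHQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWV2hlQW1PV1hnTTZSWWtt
+cmsxTTBvMHJLREtqZWFON1RQU0M5bVhDN1ZrClh0S2d0L0dDU1pkV25TRW5HWnNl
+Rm9iV0QxS3ozLytRWjVqQ3pkR0lsc2cKLS0tIFJZcGlZWkM4dEI4cmJYOFhrNXZT
+Um50R0dvK0E3M21qSDBaRkwrOXRvTHMKfDJZYDxrhS5QJzVbkdDI6JgqGI/C10e1
+lW4ZDC6HVOao5KPCPQbPcxcQE3JT15FKfKEDqxGvdD3zLVT0BA5fTg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidjBqaWRvOXI1SzZuRm1D
+YW1WVUNJS3VHRlU3NXpDYi9pd3ordWJGSUFNCkNZNXFaMHFSV0VLVEdnWDdPejZL
+RUZqNHBRMkEyMnZwcWVBeDY2ZzlJSVUKLS0tIDBEQ05TRDhVUjVsU2tTbHNMcmNW
+cU0yNmUwZkRLQXFjQTRUT3EwUWFRcjgKw/mW2oZs32C25oxLBaHy1B8m1ADL/37X
+0azQK3sxKUFesTM/p2zJ1ZLVm9uvCnKWA/eg1uJlJ0PmQ5YvBpuvpQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2022-02-03T11:57:24Z"
+mac: ENC[AES256_GCM,data:V7C2AJwresf/td55Z7aww2Grjp9Om90u3v8ScusjfKnjxgVQUcY1oFdByt2TIAI2DYBrVXQOKoN6LGacGfC+K8/DrpsbVdP4g2Fcl/FZOQvyWuoW9SQVIbzrBi5fAZ9ztHodSbeg5OnhTgrPnEV6v6Rgr78e/LMiUniV/harltY=,iv:v2Nle+yZdNMEwfvH8IgXB7TyHuXIZOvufQ2L7DuRKK8=,tag:Ui74J+d4jRjTn157gHdADw==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.7.1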