Setup nix-sops

2022-02-03 06:29:22 -05:00 · 2022-02-03 06:29:22 -05:00 · 2b2eb73a27
parent 658e232c79
commit 2b2eb73a27
4 changed files with 87 additions and 2 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,10 @@
+# Yaml anchor for key
+keys:
+  - &nathan age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+  - &levitation age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
+creation_rules:
+  - path_regex: secrets/[^/]+\.yaml$
+    key_groups:
+      - age:
+          - *nathan
+          - *levitation
--- a/flake.lock
+++ b/flake.lock
@ -98,13 +98,30 @@
        "type": "github"
      }
    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1638097282,
+        "narHash": "sha256-EXCzj9b8X/lqDPJapxZThIOKL5ASbpsJZ+8L1LnY1ig=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "78cb77b29d37a9663e05b61abb4fa09465da4b70",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "emacs": "emacs",
        "fenix": "fenix",
        "mozilla": "mozilla",
        "nixpkgs": "nixpkgs_2",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "sops-nix": "sops-nix"
      }
    },
    "rust-analyzer-src": {
@ -123,6 +140,24 @@
        "repo": "rust-analyzer",
        "type": "github"
      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1643003126,
+        "narHash": "sha256-JO5WrnP6+5qN3isdmm9VmjzvCM64UElgGnql7vEGjKU=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "c86068ac9a317f235be24a468206f874ba00f8d0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -14,15 +14,17 @@
      url = "github:mozilla/nixpkgs-mozilla";
      flake = false;
    };
+    sops-nix.url = "github:Mic92/sops-nix";
  };

-  outputs = { self, nixpkgs, nixpkgs-unstable, fenix, emacs, mozilla }:
+  outputs = { self, nixpkgs, nixpkgs-unstable, fenix, emacs, mozilla, sops-nix }:
    let
      coreModules = [
        ./modules/user.nix
        ./modules/common.nix
        ./modules/ssh.nix
        ./applications/utils-core.nix
+        sops-nix.nixosModules.sops
        ({ pkgs, ... }: {
          ## Setup binary caches
          # First install cachix, so we can discover new ones
@ -37,6 +39,13 @@
            ];
          };
        })
+        ## Setup sops
+        ({ pkgs, config, ... }: {
+          sops.defaultSopsFile = ./secrets/nathan.yaml;
+          sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+          sops.secrets.lastfm-username.owner = "nathan";
+          sops.secrets.lastfm-password.owner = "nathan";
+        })
      ];
      desktopModules = coreModules ++ [
        ./modules/audio.nix
--- a/secrets/nathan.yaml
+++ b/secrets/nathan.yaml
@ -0,0 +1,31 @@
+lastfm-username: ENC[AES256_GCM,data:mVx3ycAJj6hS9lO+DQ==,iv:9JSXwl+X5eKIoJFjOt7LntlK6iQcy/Fm1ViG/J3I1d8=,tag:f8Q2F0Op/YCPq0qYeJzcFg==,type:str]
+lastfm-password: ENC[AES256_GCM,data:4jOnCDKn4fSD5mCIgoZqxOJP7E9TKP3r,iv:olko3/QHnNPoNpEMUeGL77qxphYLGhHSnn+ru5ANd2U=,tag:XAKVjDpS1Vc0NWKaS4OtHQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWV2hlQW1PV1hnTTZSWWtt
+            cmsxTTBvMHJLREtqZWFON1RQU0M5bVhDN1ZrClh0S2d0L0dDU1pkV25TRW5HWnNl
+            Rm9iV0QxS3ozLytRWjVqQ3pkR0lsc2cKLS0tIFJZcGlZWkM4dEI4cmJYOFhrNXZT
+            Um50R0dvK0E3M21qSDBaRkwrOXRvTHMKfDJZYDxrhS5QJzVbkdDI6JgqGI/C10e1
+            lW4ZDC6HVOao5KPCPQbPcxcQE3JT15FKfKEDqxGvdD3zLVT0BA5fTg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidjBqaWRvOXI1SzZuRm1D
+            YW1WVUNJS3VHRlU3NXpDYi9pd3ordWJGSUFNCkNZNXFaMHFSV0VLVEdnWDdPejZL
+            RUZqNHBRMkEyMnZwcWVBeDY2ZzlJSVUKLS0tIDBEQ05TRDhVUjVsU2tTbHNMcmNW
+            cU0yNmUwZkRLQXFjQTRUT3EwUWFRcjgKw/mW2oZs32C25oxLBaHy1B8m1ADL/37X
+            0azQK3sxKUFesTM/p2zJ1ZLVm9uvCnKWA/eg1uJlJ0PmQ5YvBpuvpQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-02-03T11:57:24Z"
+    mac: ENC[AES256_GCM,data:V7C2AJwresf/td55Z7aww2Grjp9Om90u3v8ScusjfKnjxgVQUcY1oFdByt2TIAI2DYBrVXQOKoN6LGacGfC+K8/DrpsbVdP4g2Fcl/FZOQvyWuoW9SQVIbzrBi5fAZ9ztHodSbeg5OnhTgrPnEV6v6Rgr78e/LMiUniV/harltY=,iv:v2Nle+yZdNMEwfvH8IgXB7TyHuXIZOvufQ2L7DuRKK8=,tag:Ui74J+d4jRjTn157gHdADw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1