Setup nix-sops
This commit is contained in:
parent
658e232c79
commit
2b2eb73a27
|
@ -0,0 +1,10 @@
|
||||||
|
# Yaml anchor for key
|
||||||
|
keys:
|
||||||
|
- &nathan age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
|
||||||
|
- &levitation age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
|
||||||
|
creation_rules:
|
||||||
|
- path_regex: secrets/[^/]+\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *nathan
|
||||||
|
- *levitation
|
37
flake.lock
37
flake.lock
|
@ -98,13 +98,30 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs_3": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1638097282,
|
||||||
|
"narHash": "sha256-EXCzj9b8X/lqDPJapxZThIOKL5ASbpsJZ+8L1LnY1ig=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "78cb77b29d37a9663e05b61abb4fa09465da4b70",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "nixpkgs-unstable",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"emacs": "emacs",
|
"emacs": "emacs",
|
||||||
"fenix": "fenix",
|
"fenix": "fenix",
|
||||||
"mozilla": "mozilla",
|
"mozilla": "mozilla",
|
||||||
"nixpkgs": "nixpkgs_2",
|
"nixpkgs": "nixpkgs_2",
|
||||||
"nixpkgs-unstable": "nixpkgs-unstable"
|
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||||
|
"sops-nix": "sops-nix"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"rust-analyzer-src": {
|
"rust-analyzer-src": {
|
||||||
|
@ -123,6 +140,24 @@
|
||||||
"repo": "rust-analyzer",
|
"repo": "rust-analyzer",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
"sops-nix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": "nixpkgs_3"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1643003126,
|
||||||
|
"narHash": "sha256-JO5WrnP6+5qN3isdmm9VmjzvCM64UElgGnql7vEGjKU=",
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"rev": "c86068ac9a317f235be24a468206f874ba00f8d0",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"root": "root",
|
"root": "root",
|
||||||
|
|
11
flake.nix
11
flake.nix
|
@ -14,15 +14,17 @@
|
||||||
url = "github:mozilla/nixpkgs-mozilla";
|
url = "github:mozilla/nixpkgs-mozilla";
|
||||||
flake = false;
|
flake = false;
|
||||||
};
|
};
|
||||||
|
sops-nix.url = "github:Mic92/sops-nix";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, nixpkgs-unstable, fenix, emacs, mozilla }:
|
outputs = { self, nixpkgs, nixpkgs-unstable, fenix, emacs, mozilla, sops-nix }:
|
||||||
let
|
let
|
||||||
coreModules = [
|
coreModules = [
|
||||||
./modules/user.nix
|
./modules/user.nix
|
||||||
./modules/common.nix
|
./modules/common.nix
|
||||||
./modules/ssh.nix
|
./modules/ssh.nix
|
||||||
./applications/utils-core.nix
|
./applications/utils-core.nix
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
({ pkgs, ... }: {
|
({ pkgs, ... }: {
|
||||||
## Setup binary caches
|
## Setup binary caches
|
||||||
# First install cachix, so we can discover new ones
|
# First install cachix, so we can discover new ones
|
||||||
|
@ -37,6 +39,13 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
|
## Setup sops
|
||||||
|
({ pkgs, config, ... }: {
|
||||||
|
sops.defaultSopsFile = ./secrets/nathan.yaml;
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
sops.secrets.lastfm-username.owner = "nathan";
|
||||||
|
sops.secrets.lastfm-password.owner = "nathan";
|
||||||
|
})
|
||||||
];
|
];
|
||||||
desktopModules = coreModules ++ [
|
desktopModules = coreModules ++ [
|
||||||
./modules/audio.nix
|
./modules/audio.nix
|
||||||
|
|
|
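Review bot: The new module header `({ pkgs, config, ... }: {` binds `pkgs` and `config` but neither is referenced in its body; `({ ... }: {` says the same thing without suggesting the sops options depend on evaluated config. More importantly, `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` lands in `coreModules`, so every host that imports this list will try to decrypt `./secrets/nathan.yaml` with its own host key, and the encrypted file added in this commit lists only two age recipients — presumably one user key and one host key — so any additional host importing `coreModules` would fail at activation unless its key is added to the `creation_rules` config and the file is re-keyed. A comment above the sshKeyPaths line such as `# Decrypted with this host's ed25519 key; each host using coreModules must be an age recipient in the sops creation rules` would record that constraint next to the option that creates it. The `coreModules` list begins outside this hunk.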
@ -0,0 +1,31 @@
|
||||||
|
lastfm-username: ENC[AES256_GCM,data:mVx3ycAJj6hS9lO+DQ==,iv:9JSXwl+X5eKIoJFjOt7LntlK6iQcy/Fm1ViG/J3I1d8=,tag:f8Q2F0Op/YCPq0qYeJzcFg==,type:str]
|
||||||
|
lastfm-password: ENC[AES256_GCM,data:4jOnCDKn4fSD5mCIgoZqxOJP7E9TKP3r,iv:olko3/QHnNPoNpEMUeGL77qxphYLGhHSnn+ru5ANd2U=,tag:XAKVjDpS1Vc0NWKaS4OtHQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWV2hlQW1PV1hnTTZSWWtt
|
||||||
|
cmsxTTBvMHJLREtqZWFON1RQU0M5bVhDN1ZrClh0S2d0L0dDU1pkV25TRW5HWnNl
|
||||||
|
Rm9iV0QxS3ozLytRWjVqQ3pkR0lsc2cKLS0tIFJZcGlZWkM4dEI4cmJYOFhrNXZT
|
||||||
|
Um50R0dvK0E3M21qSDBaRkwrOXRvTHMKfDJZYDxrhS5QJzVbkdDI6JgqGI/C10e1
|
||||||
|
lW4ZDC6HVOao5KPCPQbPcxcQE3JT15FKfKEDqxGvdD3zLVT0BA5fTg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidjBqaWRvOXI1SzZuRm1D
|
||||||
|
YW1WVUNJS3VHRlU3NXpDYi9pd3ordWJGSUFNCkNZNXFaMHFSV0VLVEdnWDdPejZL
|
||||||
|
RUZqNHBRMkEyMnZwcWVBeDY2ZzlJSVUKLS0tIDBEQ05TRDhVUjVsU2tTbHNMcmNW
|
||||||
|
cU0yNmUwZkRLQXFjQTRUT3EwUWFRcjgKw/mW2oZs32C25oxLBaHy1B8m1ADL/37X
|
||||||
|
0azQK3sxKUFesTM/p2zJ1ZLVm9uvCnKWA/eg1uJlJ0PmQ5YvBpuvpQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2022-02-03T11:57:24Z"
|
||||||
|
mac: ENC[AES256_GCM,data:V7C2AJwresf/td55Z7aww2Grjp9Om90u3v8ScusjfKnjxgVQUcY1oFdByt2TIAI2DYBrVXQOKoN6LGacGfC+K8/DrpsbVdP4g2Fcl/FZOQvyWuoW9SQVIbzrBi5fAZ9ztHodSbeg5OnhTgrPnEV6v6Rgr78e/LMiUniV/harltY=,iv:v2Nle+yZdNMEwfvH8IgXB7TyHuXIZOvufQ2L7DuRKK8=,tag:Ui74J+d4jRjTn157gHdADw==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.7.1
|