add: sops support

2024-07-13 19:04:25 -04:00 · 2024-07-13 19:04:25 -04:00 · 9305702771
commit 9305702771
parent b5dc006bef
5 changed files with 102 additions and 10 deletions
--- a/flake.lock
+++ b/flake.lock
@ -416,6 +416,24 @@
        "type": "github"
      }
    },
+    "mysecrets": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1720910245,
+        "narHash": "sha256-xACM/LGDLmgy8JQIPWojb5KOiIqbQpofX9WUbGQHiZE=",
+        "ref": "main",
+        "rev": "2f617698545719fd26f7fc074a0da1e6673e62d9",
+        "shallow": true,
+        "type": "git",
+        "url": "ssh://git@192.168.1.203:2222/deva/secrets.git"
+      },
+      "original": {
+        "ref": "main",
+        "shallow": true,
+        "type": "git",
+        "url": "ssh://git@192.168.1.203:2222/deva/secrets.git"
+      }
+    },
    "nh": {
      "inputs": {
        "nixpkgs": [
@ -505,6 +523,22 @@
        "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
      }
    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1720282526,
+        "narHash": "sha256-dudRkHPRivMNOhd04YI+v4sWvn2SnN5ODSPIu5IVbco=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "550ac3e955c30fe96dd8b2223e37e0f5d225c927",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1719848872,
@ -559,14 +593,37 @@
        "home-manager": "home-manager",
        "hyprland": "hyprland",
        "impermanence": "impermanence",
+        "mysecrets": "mysecrets",
        "nh": "nh",
        "nix-gaming": "nix-gaming",
        "nix-index-db": "nix-index-db",
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-unstable": "nixpkgs-unstable",
+        "sops-nix": "sops-nix",
        "stylix": "stylix"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1720321395,
+        "narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "stylix": {
      "inputs": {
        "base16": "base16",
--- a/flake.nix
+++ b/flake.nix
@ -36,6 +36,16 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    mysecrets = {
+      url = "git+ssh://git@192.168.1.203:2222/deva/secrets.git?ref=main&shallow=1";
+      flake = false;
+    };
+
    stylix.url = "github:danth/stylix";
  };

--- a/os/configuration.nix
+++ b/os/configuration.nix
@ -5,11 +5,37 @@
  outputs,
  inputs,
  ...
-}: {
+}: let
+  secretspath = builtins.toString inputs.mysecrets;
+in {
  imports = [
    inputs.nix-gaming.nixosModules.pipewireLowLatency
+    inputs.sops-nix.nixosModules.sops
  ];

+  sops.defaultSopsFormat = "yaml";
+  sops.defaultSopsFile = "${secretspath}/secrets.yaml";
+  sops.validateSopsFiles = false;
+  # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  # sops.age.generateKey = true;
+
+  # This file below is the only file that needs to be copied over (for sops support)
+  sops.age.keyFile = "/home/${config.users.users.me.name}/.config/sops/age/keys.txt";
+  sops.secrets = {
+    id_dev = {
+      owner = config.users.users.me.name;
+      inherit (config.users.users.me) group;
+      path = "/home/${config.users.users.me.name}/.ssh/id_dev";
+    };
+    user_password = {
+      neededForUsers = true;
+    };
+  };
+  home-manager.users.me.home.file.".ssh/id_dev.pub".text = builtins.readFile ./id_dev.pub;
+  users.mutableUsers = false;
+  users.users.me.hashedPasswordFile = config.sops.secrets.user_password.path;
+
  nixpkgs.config = {allowUnfree = true;};
  nixpkgs.overlays = [
    outputs.overlays.additions
--- a/os/dev/default.nix
+++ b/os/dev/default.nix
@ -100,17 +100,12 @@
      enable = true;
      matchBlocks = {
        "hi@dessa.dev" = {
-          host = "gitlab.com github.com";
+          host = "gitlab.com github.com 192.168.1.203";
          identitiesOnly = true;
          identityFile = [
            "~/.ssh/id_dev"
          ];
        };
-        "dess_key" = {
-          host = "192.168.1.203";
-          identitiesOnly = true;
-          identityFile = ["~/.ssh/id_dess"];
-        };
      };
    };
    gpg = {
--- a/os/users.nix
+++ b/os/users.nix
@ -1,10 +1,14 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  config,
+  ...
+}: {
  imports = [./util/user.nix ./gnome_support.nix];

-  user.deva = {
+  user.me = {
+    username = "deva";
    shell = "zsh";
    description = "Deva Waves";
-    initialPassword = "12345";
    sudoer = true;
    developer = true;
    extraGroups = ["networkmanager" "audio" "docker" "input" "libvirtd" "plugdev" "video" "adbusers"];