diff --git a/nixos/system/packages/sops/secrets/secrets.yaml b/nixos/system/packages/sops/secrets/secrets.yaml
index ebce6df..0813856 100644
--- a/nixos/system/packages/sops/secrets/secrets.yaml
+++ b/nixos/system/packages/sops/secrets/secrets.yaml
@@ -1,6 +1,6 @@
-sync: ENC[AES256_GCM,data:2El2mY9XhCQ=,iv:EmgT5CgeCZjj9uwiDHbDNuty9czgQGJTSnXIIIm0JDM=,tag:ysZqmWibHkoQGjUoc/Mnxg==,type:str]
 kogami:
 password-hash: ENC[AES256_GCM,data:HXuzumA7zAzBUcOBszeslYVDLA7r3W7gINn2FvMCTEHkc+y3zWftK4CVnk+TuRcgP9/htUphs2BmusogFAdmRQ3HmQU8WGQN0A==,iv:n2063dWbEmFKEvXbY2uk+C6lwF7WzA8jalKOFHPVICc=,tag:wb5bq4Dk3a9UnzYFBInHEA==,type:str]
+ syncthing: ENC[AES256_GCM,data:699bwajY9/0=,iv:YXmw613vRfWlbjiex6LfACZD+otES3E6Mm0e+66dfA8=,tag:H3QCsg0VvZpxkhWKyGH8Gg==,type:str]
 ginoza:
 password-hash: ENC[AES256_GCM,data:xqE0y3Z7+kasYFQLn4Wuo+/c9L8BEakf2HKgN5BsttC2iDuzYSvXrP8K6pe5Skdi5Aq0MVz9LixJFM3PBgLORL1C6k0iDSardw==,iv:bKL40h0rGNmnnkA7EieKAD5KyENXOiTNsTVH1V0B7HU=,tag:c1MsRuiOK/j2b0iKOyO8FQ==,type:str]
 yubikey_id: ENC[AES256_GCM,data:ZyamX5gxoW4=,iv:4tW7muk6AaJf9VmXmFd6Ut63U27fFD8QgYSBx3RgOfw=,tag:IFlSiOffMyc33Rw1gxwCPA==,type:int]
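Review bot: The new `syncthing` key exists only under `kogami`, but the sops.nix change in this same commit declares the secret as `"${userSettings.hostname}/syncthing"`, so on any other host in this file (`ginoza` has `password-hash` and `yubikey_id` but no `syncthing`) sops-nix will be asked for a key that is not in the file and, as far as I can tell, fail at activation. Either add a `syncthing` entry under `ginoza` as well, or make the sops.nix declaration conditional on the host that actually has one. `ginoza.yubikey_id` is now unreferenced because sops.nix inlines the PAM id; if it is kept on purpose, a short comment saying so would stop the next reader from treating it as dead data.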
@@ -22,8 +22,8 @@ sops:
 T0cxV21SN0hJaFg3R3hpTjIxa3lJNVEKdIrR5XDHxpCojk2A1pxc4dYtSJRrObbY
 JS/nDgu74LugEchiOhuIJ7nh3MS5XBOmmt2GTHrqxZEZFoIykjIGug==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-01-04T14:26:29Z"
- mac: ENC[AES256_GCM,data:5waKR2Ke3l5UIeg6nXqNMEYrQD75aXGsavQlbwQWRcyt+yr/Zn5CP+WB+8YTA56c+sZQ50xKiLP5q6WTEC3nnTb+AvOlvnF8FZ+NN+jLzDi9WbfWCChR3mAE3TbcLFfsdwKMwewLNjzRxGm9ErVORNo1+6i+VH8IUSBGcKTWy1s=,iv:Kem2lzKEUOEwtNkW57lfRFc3Ln7Au7mqbeA/9NEd0VU=,tag:9Nf4J7/SEIOPzRHeoBsVNA==,type:str]
+ lastmodified: "2025-01-07T17:20:45Z"
+ mac: ENC[AES256_GCM,data:oENblUlcgDrZaNV2/XggaPoGavqHBXv4i3DpcfFFKiymifmITHj5m6HflVePDqtkBceTnMyCNCzQ6Ijmrt8Xkr4wbEQpoLhjyfWW/4QOlKjT3GAxfWEth7uzCHxuqd24aHs1jRyphua7bgbVLLuI0khHiL5s8b+9wkkTmV9Y3WE=,iv:eDglG+RMUagzE0qVi73dGXMerup8ipg/rFxV+qJfNXM=,tag:wZyMqxZLUh4B6JuQL4GXFA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.2
diff --git a/nixos/system/packages/sops/sops.nix b/nixos/system/packages/sops/sops.nix
index 7b33c54..c212997 100644
--- a/nixos/system/packages/sops/sops.nix
+++ b/nixos/system/packages/sops/sops.nix
@@ -2,7 +2,6 @@
 lib,
 config,
 userSettings,
- pkgs,
 ...
 }: {
 options = {
@@ -10,25 +9,32 @@
 };
 config = lib.mkIf config.sys.security.sops.enable {
- sops.defaultSopsFile = ./secrets/secrets.yaml;
- sops.defaultSopsFormat = "yaml";
+ sops = {
+ defaultSopsFile = ./secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
- sops.age.keyFile = "/home/${userSettings.username}/.config/sops/age/keys.txt";
+ age.keyFile = "/home/${userSettings.username}/.config/sops/age/keys.txt";
- sops.secrets."${userSettings.hostname}/password-hash" = {
- neededForUsers = true;
- };
+ # SSH private keys
+ secrets = {
+ "ssh_keys/masaoka_private" = {
+ path = "/home/${userSettings.username}/.ssh/id_masaoka";
+ owner = userSettings.username;
+ group = "users";
+ };
- environment.systemPackages = with pkgs; [
- sops
- ];
+ "${userSettings.hostname}/password-hash" = {
+ neededForUsers = true;
+ };
- # SSH private keys
- sops.secrets = {
- "ssh_keys/masaoka_private" = {
- path = "/home/${userSettings.username}/.ssh/id_masaoka";
- owner = userSettings.username;
- group = "users";
+ "${userSettings.hostname}/syncthing" = {
+ owner = userSettings.username;
+ group = "users";
+ };
+
+ templates = {
+ "${userSettings.hostname}/syncthing".content = ''${config.sops.placeholder."${userSettings.hostname}/syncthing"}'';
+ };
 };
 };
@@ -36,15 +42,14 @@
 users.users.${userSettings.username}.hashedPasswordFile = "${config.sops.secrets."${userSettings.hostname}/password-hash".path}";
 # YubiKey IDs
- security.pam.yubico.id =
- []
- ++ (
- if config.program.yubikey.enable
- then ["${config.sops.secrets.yubikey_id}".value]
- else []
- );
+ security.pam.yubico.id = [17032113];
+ #++ (
+ # if config.program.yubikey.enable
+ # then ["${config.sops.secrets.yubikey_id}".value]
+ # else []
+ #);
 # Syncthing password
- services.syncthing.settings.gui.password = "${config.sops.secrets."syncthing".value}";
+ #services.syncthing.settings.gui.password = config.sops.templates."${userSettings.hostname}/syncthing".content;
 };
 }
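Review bot: `templates = { … };` ends up inside the `secrets = {` set — the added `};` after the `.content` line closes `templates`, and the two context `};` lines that follow then close `secrets` and `sops` — so this declares a secret named `templates` carrying an unknown attribute `"<host>/syncthing".content` instead of `sops.templates`, which should fail module evaluation and leaves the `config.sops.templates.…` reference in the next hunk with nothing to resolve to. Close `secrets` before `templates`: move the `};` that currently closes `secrets` up to just after the `"${userSettings.hostname}/syncthing" = { … };` entry, so `templates = { … };` sits beside `secrets` directly under `sops = {`. As written the template only re-emits the placeholder for that one secret, so if its purpose is to give Syncthing a file to read, the secret's own `.path` presumably already serves — worth a comment stating what the template is for. The `config = lib.mkIf …` set opened here is closed in the following hunk.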
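Review bot: `security.pam.yubico.id = [17032113];` drops the `config.program.yubikey.enable` guard the removed expression had, so the id is now set on every host that enables this module, YubiKey program or not; `security.pam.yubico.id = lib.optionals config.program.yubikey.enable [17032113];` keeps the literal and restores the condition. The old expression and the old Syncthing line are left as commented-out code — either delete them or replace them with a one-line reason such as `# sops secrets are only available at activation time, not during evaluation, so the id is inlined`. If the Syncthing line is re-enabled later, note that `config.sops.templates.<name>.content` is the template text containing the placeholder rather than the decrypted value, and that a password assigned through `services.syncthing.settings` presumably lands in the world-readable Nix store; the rendered template's `.path` with a file-based option is the safer route. The enclosing `config = lib.mkIf …` set starts in the previous hunk.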