foglar/nixos-config
foglar/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

submit secrets and sops test

Browse Source
This commit is contained in:
foglar 2025-01-07 18:25:24 +01:00
parent 209a522033
commit 2095205ab5
2 changed files with 32 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
nixos/system/packages/sops/secrets/secrets.yaml
View File

@ -1,6 +1,6 @@
sync: ENC[AES256_GCM,data:2El2mY9XhCQ=,iv:EmgT5CgeCZjj9uwiDHbDNuty9czgQGJTSnXIIIm0JDM=,tag:ysZqmWibHkoQGjUoc/Mnxg==,type:str]
kogami: kogami:
password-hash: ENC[AES256_GCM,data:HXuzumA7zAzBUcOBszeslYVDLA7r3W7gINn2FvMCTEHkc+y3zWftK4CVnk+TuRcgP9/htUphs2BmusogFAdmRQ3HmQU8WGQN0A==,iv:n2063dWbEmFKEvXbY2uk+C6lwF7WzA8jalKOFHPVICc=,tag:wb5bq4Dk3a9UnzYFBInHEA==,type:str] password-hash: ENC[AES256_GCM,data:HXuzumA7zAzBUcOBszeslYVDLA7r3W7gINn2FvMCTEHkc+y3zWftK4CVnk+TuRcgP9/htUphs2BmusogFAdmRQ3HmQU8WGQN0A==,iv:n2063dWbEmFKEvXbY2uk+C6lwF7WzA8jalKOFHPVICc=,tag:wb5bq4Dk3a9UnzYFBInHEA==,type:str]
syncthing: ENC[AES256_GCM,data:699bwajY9/0=,iv:YXmw613vRfWlbjiex6LfACZD+otES3E6Mm0e+66dfA8=,tag:H3QCsg0VvZpxkhWKyGH8Gg==,type:str]
ginoza: ginoza:
password-hash: ENC[AES256_GCM,data:xqE0y3Z7+kasYFQLn4Wuo+/c9L8BEakf2HKgN5BsttC2iDuzYSvXrP8K6pe5Skdi5Aq0MVz9LixJFM3PBgLORL1C6k0iDSardw==,iv:bKL40h0rGNmnnkA7EieKAD5KyENXOiTNsTVH1V0B7HU=,tag:c1MsRuiOK/j2b0iKOyO8FQ==,type:str] password-hash: ENC[AES256_GCM,data:xqE0y3Z7+kasYFQLn4Wuo+/c9L8BEakf2HKgN5BsttC2iDuzYSvXrP8K6pe5Skdi5Aq0MVz9LixJFM3PBgLORL1C6k0iDSardw==,iv:bKL40h0rGNmnnkA7EieKAD5KyENXOiTNsTVH1V0B7HU=,tag:c1MsRuiOK/j2b0iKOyO8FQ==,type:str]
yubikey_id: ENC[AES256_GCM,data:ZyamX5gxoW4=,iv:4tW7muk6AaJf9VmXmFd6Ut63U27fFD8QgYSBx3RgOfw=,tag:IFlSiOffMyc33Rw1gxwCPA==,type:int] yubikey_id: ENC[AES256_GCM,data:ZyamX5gxoW4=,iv:4tW7muk6AaJf9VmXmFd6Ut63U27fFD8QgYSBx3RgOfw=,tag:IFlSiOffMyc33Rw1gxwCPA==,type:int]
@ -22,8 +22,8 @@ sops:
T0cxV21SN0hJaFg3R3hpTjIxa3lJNVEKdIrR5XDHxpCojk2A1pxc4dYtSJRrObbY T0cxV21SN0hJaFg3R3hpTjIxa3lJNVEKdIrR5XDHxpCojk2A1pxc4dYtSJRrObbY
JS/nDgu74LugEchiOhuIJ7nh3MS5XBOmmt2GTHrqxZEZFoIykjIGug== JS/nDgu74LugEchiOhuIJ7nh3MS5XBOmmt2GTHrqxZEZFoIykjIGug==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-04T14:26:29Z" lastmodified: "2025-01-07T17:20:45Z"
mac: ENC[AES256_GCM,data:5waKR2Ke3l5UIeg6nXqNMEYrQD75aXGsavQlbwQWRcyt+yr/Zn5CP+WB+8YTA56c+sZQ50xKiLP5q6WTEC3nnTb+AvOlvnF8FZ+NN+jLzDi9WbfWCChR3mAE3TbcLFfsdwKMwewLNjzRxGm9ErVORNo1+6i+VH8IUSBGcKTWy1s=,iv:Kem2lzKEUOEwtNkW57lfRFc3Ln7Au7mqbeA/9NEd0VU=,tag:9Nf4J7/SEIOPzRHeoBsVNA==,type:str] mac: ENC[AES256_GCM,data:oENblUlcgDrZaNV2/XggaPoGavqHBXv4i3DpcfFFKiymifmITHj5m6HflVePDqtkBceTnMyCNCzQ6Ijmrt8Xkr4wbEQpoLhjyfWW/4QOlKjT3GAxfWEth7uzCHxuqd24aHs1jRyphua7bgbVLLuI0khHiL5s8b+9wkkTmV9Y3WE=,iv:eDglG+RMUagzE0qVi73dGXMerup8ipg/rFxV+qJfNXM=,tag:wZyMqxZLUh4B6JuQL4GXFA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.2 version: 3.9.2

53
nixos/system/packages/sops/sops.nix
View File

@ -2,7 +2,6 @@
lib, lib,
config, config,
userSettings, userSettings,
pkgs,
... ...
}: { }: {
options = { options = {
@ -10,25 +9,32 @@
}; };
config = lib.mkIf config.sys.security.sops.enable { config = lib.mkIf config.sys.security.sops.enable {
sops.defaultSopsFile = ./secrets/secrets.yaml; sops = {
sops.defaultSopsFormat = "yaml"; defaultSopsFile = ./secrets/secrets.yaml;
defaultSopsFormat = "yaml";
sops.age.keyFile = "/home/${userSettings.username}/.config/sops/age/keys.txt"; age.keyFile = "/home/${userSettings.username}/.config/sops/age/keys.txt";
sops.secrets."${userSettings.hostname}/password-hash" = { # SSH private keys
neededForUsers = true; secrets = {
}; "ssh_keys/masaoka_private" = {
path = "/home/${userSettings.username}/.ssh/id_masaoka";
owner = userSettings.username;
group = "users";
};
environment.systemPackages = with pkgs; [ "${userSettings.hostname}/password-hash" = {
sops neededForUsers = true;
]; };
# SSH private keys "${userSettings.hostname}/syncthing" = {
sops.secrets = { owner = userSettings.username;
"ssh_keys/masaoka_private" = { group = "users";
path = "/home/${userSettings.username}/.ssh/id_masaoka"; };
owner = userSettings.username;
group = "users"; templates = {
"${userSettings.hostname}/syncthing".content = ''${config.sops.placeholder."${userSettings.hostname}/syncthing"}'';
};
}; };
}; };
@ -36,15 +42,14 @@
users.users.${userSettings.username}.hashedPasswordFile = "${config.sops.secrets."${userSettings.hostname}/password-hash".path}"; users.users.${userSettings.username}.hashedPasswordFile = "${config.sops.secrets."${userSettings.hostname}/password-hash".path}";
# YubiKey IDs # YubiKey IDs
security.pam.yubico.id = security.pam.yubico.id = [17032113];
[] #++ (
++ ( # if config.program.yubikey.enable
if config.program.yubikey.enable # then ["${config.sops.secrets.yubikey_id}".value]
then ["${config.sops.secrets.yubikey_id}".value] # else []
else [] #);
);
# Syncthing password # Syncthing password
services.syncthing.settings.gui.password = "${config.sops.secrets."syncthing".value}"; #services.syncthing.settings.gui.password = config.sops.templates."${userSettings.hostname}/syncthing".content;
}; };
} }