Sops, security

2024-12-23 21:09:16 +01:00 · 2024-12-23 21:09:16 +01:00 · 938a72ce9e
commit 938a72ce9e
parent 2540cb9dd5
3 changed files with 20 additions and 7 deletions
--- a/flake.nix
+++ b/flake.nix
@ -40,6 +40,11 @@
      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = {
@ -92,6 +97,7 @@

          inputs.stylix.nixosModules.stylix
          inputs.nix-ld.nixosModules.nix-ld
+          inputs.sops-nix.nixosModules.sops
        ];
      };
      leanix = nixpkgs.lib.nixosSystem {
--- a/zenith/configuration.nix
+++ b/zenith/configuration.nix
@ -22,9 +22,9 @@

  sops.age.keyFile = "/home/foglar/.config/sops/age/keys.txt";

-  sops.secrets.email = {};
-  #sops.secrets.email.owner = config.users.users.foglar.name;
-  #sops.secrets.email.group = config.users.users.foglar.group;
+  sops.secrets."zenith/password-hash" = {
+    neededForUsers = true;
+  };

  # Home manager
  home-manager = {
@ -33,7 +33,10 @@
    users = {
      ${userSettings.username} = import ./home.nix;
    };
-    sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager];
+    sharedModules = [
+      inputs.sops-nix.homeManagerModules.sops
+      inputs.plasma-manager.homeManagerModules.plasma-manager
+    ];
  };

  # User configuration
@ -41,6 +44,7 @@
    isNormalUser = true;
    description = "${userSettings.username}";
    extraGroups = ["wheel"];
+    hashedPasswordFile = "${config.sops.secrets."zenith/password-hash".path}";
  };

  # Bootloader
--- a/zenith/secrets/secrets.yaml
+++ b/zenith/secrets/secrets.yaml
@ -1,4 +1,7 @@
-email: ENC[AES256_GCM,data:B0I7UzBKR18oImVpzq3RhV4y8tLhAZWph7R0Rw==,iv:xxgH1jWLC5u+FqhnswqHQCRbdSN1M8/ou7jFChOHROg=,tag:EhiKsfWhKdTg7p6uH5H5MQ==,type:str]
+zenith:
+    password-hash: ENC[AES256_GCM,data:J0OpGQHKugEvDMJJsLApO4JFmAM4e01WODyonrwUinND/MpzxAjbozlMrDQqb8Lghay3RTOCrslizYIYOkNwUU+MhyFlTAbF7Q==,iv:J4PXhVAUcv1QSycdvQL2jb/IcayyXVdfiJDHiNUalXk=,tag:bm4N8mq/6QUdzwOcy6WVaw==,type:str]
+leanix:
+    password-hash: ENC[AES256_GCM,data:C5oGejwFkhhYvaDunG0AF9PcCKTQQA//uqi1LaWwEwOphepROoP9d1r1vD8k2cgcrikVSX4NQUBca6fQrqZTXMuxZKBxslE2Fw==,iv:oM2pWAifpCEpTRiGKbbG/QdQ0m8YaoyESzD3rIZkvmc=,tag:W+w3Bbtr8rBfp6SjYwcW0Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -14,8 +17,8 @@ sops:
            T0cxV21SN0hJaFg3R3hpTjIxa3lJNVEKdIrR5XDHxpCojk2A1pxc4dYtSJRrObbY
            JS/nDgu74LugEchiOhuIJ7nh3MS5XBOmmt2GTHrqxZEZFoIykjIGug==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-23T10:12:18Z"
-    mac: ENC[AES256_GCM,data:qnGM3IBvkly+LdfxU+wKeLUsNrlNJ3SfhobFM9qbPAsh1K3Wv+6S55V2E2rzf33syJ7gm32h++/pJxK7mJHx9BjkPHxcJ3d8g0B8cG364DANbANoG6MMIgnUTPZxV2eLEtEdta0tNIaQkQrEhEUGpc2Mc1nmaU6nxWt9RurR84Y=,iv:hzmiGfnnqm622phgafgnnr9lweE87trcXDDTlqgs4U4=,tag:9csc86pL9rB6hV1uYphWZQ==,type:str]
+    lastmodified: "2024-12-23T18:49:40Z"
+    mac: ENC[AES256_GCM,data:fWWZ3+RnGkQYP1R7q47JyB6NXHKG+D+y+qaB7i+uGfHsIf6VCkerO/ITCk4WSkvsXJDpB9mZWp2ciYypcDAHuBOlZzLscf/et9xDoDhXdM7MgRsX3fA9oeK9Q8D83cUptELlfXKU0Kvs02fAjbDrbwx5rdUtcUxfPNjW2X5lJ3o=,iv:5UwqRhZnj+u29O+x+KjxZJ9x1hcKuuZlnFYbgFnjkTs=,tag:w/z8u8PYkcW7etYg7y6y8w==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.2