diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..14bdb13
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,21 @@
+keys:
+  - &users:
+    - &prescientmoon age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
+  - &hosts:
+    - &tethys age1avsekqqyr62urdwtpfpt0ledzm49wy0rq7wcg3rnsprdx22er5usp0jxgs
+    - &lapetus age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4
+creation_rules:
+  - path_regex: hosts/nixos/common/secrets.yaml
+    key_groups:
+      - age: 
+        - *prescientmoon
+        - *tethys
+        - *lapetus
+  - path_regex: home/features/desktop/wakatime/secrets.yaml
+    key_groups:
+      - age:
+        - *prescientmoon
+  - path_regex: home/features/cli/productivity/smos/secrets.yaml
+    key_groups:
+      - age:
+        - *prescientmoon
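Review bot: The three `path_regex` values are written as literal paths, but sops evaluates them as regular expressions, so each `.` matches any character and nothing pins the end of the match. A later file whose path merely contains one of these strings would silently be encrypted to that rule's recipients. Escaping the dot and anchoring the end makes each rule match exactly one file, e.g. `path_regex: hosts/nixos/common/secrets\.yaml$`, and likewise for the wakatime and smos rules. Separately, the two home-manager rules list only `*prescientmoon`, so those files have a single recipient and no recovery path if that key is lost; if that is intentional, a short comment above the rules would record it.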
diff --git a/README.md b/README.md
index 07537c5..de8bb17 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ In case you are not familiar with nix/nixos, this is a collection of configurati
 ## Features this repository includes:
 
 - Consistent base16 theming using [stylix](https://github.com/danth/stylix)
-- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) based secret management
+- [sops-nix](https://github.com/Mic92/sops-nix) based secret management
 - Sets up all the apps I use — including git, neovim, fish, tmux, starship, hyprland, anyrun, discord, zathura, wezterm & much more.
 
 The current state of this repo is a refactor of my old, messy nixos config, based on the structure of [this template](https://github.com/Misterio77/nix-starter-configs).
@@ -33,7 +33,7 @@ This repo's structure is based on the concept of hosts - individual machines con
 | [overlays](./overlays)       | Nix overlays                                        |
 | [pkgs](./pkgs)               | Nix packages                                        |
 | [flake.nix](./flake.nix)     | Nix flake entrypoint!                               |
-| [secrets.nix](./secrets.nix) | Agenix entrypoint                                   |
+| [.sops.yaml](./.sops.yaml)   | Sops entrypoint                                     |
 | [stylua.toml](./stylua.toml) | Lua formatter config for the repo                   |
 
 ## Points of interest
@@ -52,7 +52,7 @@ Here's some things you might want to check out:
 - [Nixos](http://nixos.org/) — nix based operating system
 - [Home-manager](https://github.com/nix-community/home-manager) — manage user configuration using nix
 - [Impernanence](https://github.com/nix-community/impermanence) — see the article about [erasing your darlings](https://grahamc.com/blog/erase-your-darlings)
-- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) — secret management
+- [Sops-nix](https://github.com/Mic92/sops-nix) — secret management
 - [Slambda](https://github.com/Mateiadrielrafael/slambda) — custom keyboard chording utility
 - [disko](https://github.com/nix-community/disko) — format disks using nix
   - [zfs](https://openzfs.org/wiki/Main_Page) — filesystem
@@ -101,6 +101,7 @@ Here's some things you might want to check out:
 
 Includes links to stuff which used to be in the previous section but is not used anymore. Only created this section in June 2023, so stuff I used earlier might not be here. Sorted with the most recently dropped things at the top.
 
+- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) — I switched to [sops-nix](https://github.com/Mic92/sops-nix)
 - [Mind.nvim](https://github.com/phaazon/mind.nvim) — self management tree editor. The project got archived, so I switched to [Smos](https://github.com/NorfairKing/smos).
 - [Null-ls](https://github.com/jose-elias-alvarez/null-ls.nvim) — general purpose neovim LSP. The project got archived, so I switched to [formatter.nvim](https://github.com/mhartington/formatter.nvim).
 - [Wofi](https://sr.ht/~scoopta/wofi/) — program launcher. I switched to [Anyrun](https://github.com/Kirottu/anyrun).
diff --git a/flake.lock b/flake.lock
index bd6496e..f71642f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,27 +1,5 @@
 {
   "nodes": {
-    "agenix": {
-      "inputs": {
-        "darwin": "darwin",
-        "home-manager": "home-manager",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1701216516,
-        "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=",
-        "owner": "ryantm",
-        "repo": "agenix",
-        "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ryantm",
-        "repo": "agenix",
-        "type": "github"
-      }
-    },
     "anyrun": {
       "inputs": {
         "flake-parts": "flake-parts",
@@ -386,28 +364,6 @@
         "type": "github"
       }
     },
-    "darwin": {
-      "inputs": {
-        "nixpkgs": [
-          "agenix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1673295039,
-        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
-        "owner": "lnl7",
-        "repo": "nix-darwin",
-        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lnl7",
-        "ref": "master",
-        "repo": "nix-darwin",
-        "type": "github"
-      }
-    },
     "dekking": {
       "flake": false,
       "locked": {
@@ -1351,27 +1307,6 @@
       }
     },
     "home-manager": {
-      "inputs": {
-        "nixpkgs": [
-          "agenix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1682203081,
-        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
-    "home-manager_2": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
@@ -1392,7 +1327,7 @@
         "type": "github"
       }
     },
-    "home-manager_3": {
+    "home-manager_2": {
       "inputs": {
         "nixpkgs": "nixpkgs"
       },
@@ -1411,7 +1346,7 @@
         "type": "github"
       }
     },
-    "home-manager_4": {
+    "home-manager_3": {
       "inputs": {
         "nixpkgs": "nixpkgs_9"
       },
@@ -1430,26 +1365,6 @@
         "type": "github"
       }
     },
-    "homeage": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1669234151,
-        "narHash": "sha256-TwT87E3m2TZLgwYJESlype14HxUOrRGojPM5C2akrMg=",
-        "owner": "jordanisaacs",
-        "repo": "homeage",
-        "rev": "02bfe4ca06962d222e522fff0240c93946b20278",
-        "type": "github"
-      },
-      "original": {
-        "owner": "jordanisaacs",
-        "repo": "homeage",
-        "type": "github"
-      }
-    },
     "hyprland": {
       "inputs": {
         "hyprland-protocols": "hyprland-protocols",
@@ -1556,7 +1471,7 @@
         "dekking": "dekking",
         "fast-myers-diff": "fast-myers-diff",
         "haskell-dependency-graph-nix": "haskell-dependency-graph-nix",
-        "home-manager": "home-manager_3",
+        "home-manager": "home-manager_2",
         "linkcheck": "linkcheck",
         "mergeless": "mergeless",
         "nixpkgs": "nixpkgs_2",
@@ -2081,6 +1996,22 @@
       }
     },
     "nixpkgs-stable_5": {
+      "locked": {
+        "lastModified": 1705957679,
+        "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "9a333eaa80901efe01df07eade2c16d183761fa3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable_6": {
       "locked": {
         "lastModified": 1685801374,
         "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
@@ -2096,7 +2027,7 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable_6": {
+    "nixpkgs-stable_7": {
       "locked": {
         "lastModified": 1685801374,
         "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
@@ -2538,7 +2469,7 @@
         "flake-utils": "flake-utils_10",
         "gitignore": "gitignore_4",
         "nixpkgs": "nixpkgs_15",
-        "nixpkgs-stable": "nixpkgs-stable_5"
+        "nixpkgs-stable": "nixpkgs-stable_6"
       },
       "locked": {
         "lastModified": 1685970613,
@@ -2560,7 +2491,7 @@
         "flake-utils": "flake-utils_11",
         "gitignore": "gitignore_5",
         "nixpkgs": "nixpkgs_16",
-        "nixpkgs-stable": "nixpkgs-stable_6"
+        "nixpkgs-stable": "nixpkgs-stable_7"
       },
       "locked": {
         "lastModified": 1700064067,
@@ -2594,15 +2525,13 @@
     },
     "root": {
       "inputs": {
-        "agenix": "agenix",
         "anyrun": "anyrun",
         "anyrun-nixos-options": "anyrun-nixos-options",
         "catppuccin-base16": "catppuccin-base16",
         "disko": "disko",
         "firefox-addons": "firefox-addons",
         "grub2-themes": "grub2-themes",
-        "home-manager": "home-manager_2",
-        "homeage": "homeage",
+        "home-manager": "home-manager",
         "hyprland": "hyprland",
         "hyprland-contrib": "hyprland-contrib",
         "impermanence": "impermanence",
@@ -2621,6 +2550,7 @@
         "rosepine-base16": "rosepine-base16",
         "slambda": "slambda",
         "smos": "smos",
+        "sops-nix": "sops-nix",
         "spicetify-nix": "spicetify-nix",
         "stylix": "stylix",
         "tickler": "tickler",
@@ -2851,7 +2781,7 @@
         "fuzzy-time": "fuzzy-time",
         "get-flake": "get-flake",
         "haskell-dependency-graph-nix": "haskell-dependency-graph-nix_2",
-        "home-manager": "home-manager_4",
+        "home-manager": "home-manager_3",
         "ical": "ical",
         "linkcheck": "linkcheck_2",
         "looper": "looper",
@@ -2899,6 +2829,27 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable_5"
+      },
+      "locked": {
+        "lastModified": 1706410821,
+        "narHash": "sha256-iCfXspqUOPLwRobqQNAQeKzprEyVowLMn17QaRPQc+M=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "73bf36912e31a6b21af6e0f39218e067283c67ef",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "spicetify-nix": {
       "inputs": {
         "flake-utils": "flake-utils_9",
diff --git a/flake.nix b/flake.nix
index 0b902d0..f6e50d0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -25,13 +25,6 @@
     firefox-addons.inputs.nixpkgs.follows = "nixpkgs";
     # }}}
     # {{{ Nix-related tooling
-    # {{{ Secret management
-    agenix.url = "github:ryantm/agenix";
-    agenix.inputs.nixpkgs.follows = "nixpkgs";
-
-    homeage.url = "github:jordanisaacs/homeage";
-    homeage.inputs.nixpkgs.follows = "nixpkgs";
-    # }}}
     # {{{ Storage 
     impermanence.url = "github:nix-community/impermanence";
 
@@ -46,6 +39,9 @@
     nix-index-database.url = "github:Mic92/nix-index-database";
     nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
 
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+
     korora.url = "github:adisbladis/korora";
 
     # Nix language server
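Review bot: `sops-nix` is only partly pinned to the repo's nixpkgs. The flake.lock section of this same commit shows that it also has a `nixpkgs-stable` input, locked as a separate `nixpkgs-stable_5` node on `release-23.05`. Adding `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";` under the existing follows line would leave one fewer nixpkgs revision in the lock file to fetch, update and audit. The `inputs` attribute set begins and ends outside this hunk.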
diff --git a/home/features/cli/default.nix b/home/features/cli/default.nix
index 88b023c..2f80c70 100644
--- a/home/features/cli/default.nix
+++ b/home/features/cli/default.nix
@@ -38,7 +38,6 @@
     ouch # Unified compression / decompression tool
     mkpasswd # Hash passwords
     jq # Json maniuplation
-    inputs.agenix.packages.${pkgs.system}.agenix # Secret encryption
     # }}}
   ];
 
diff --git a/home/features/cli/productivity/smos/default.nix b/home/features/cli/productivity/smos/default.nix
index 7a2dca9..bd7228b 100644
--- a/home/features/cli/productivity/smos/default.nix
+++ b/home/features/cli/productivity/smos/default.nix
@@ -2,6 +2,7 @@
 let workflowDir = "${config.home.homeDirectory}/productivity/smos";
 in
 {
+  # {{{ Smos config 
   programs.smos = {
     inherit workflowDir;
 
@@ -10,19 +11,21 @@ in
 
     github = {
       enable = true;
-      oauth-token-file = config.homeage.file.smos.path;
+      oauth-token-file = config.sops.secrets.smos_github_token.path;
     };
   };
-
+  # }}}
+  # {{{ Storage & secrets 
   satellite.persistence.at.data.apps.smos.directories = [
     config.programs.smos.workflowDir
   ];
 
-  homeage.file.smos = {
-    source = ./smos_github_oauth.age;
+  sops.secrets.smos_github_token = {
+    sopsFile = ./secrets.yaml;
     path = "${config.xdg.dataHome}/smos/.github_token";
   };
-
+  # }}}
+  # {{{ Add desktop entry
   home.packages =
     # Start smos with a custom class so our WM can move it to the correct workspace
     let smosgui = pkgs.writeShellScriptBin "smosgui" ''
@@ -37,4 +40,5 @@ in
     exec = "smosgui";
     terminal = false;
   };
+  # }}}
 }
diff --git a/home/features/cli/productivity/smos/secrets.yaml b/home/features/cli/productivity/smos/secrets.yaml
new file mode 100644
index 0000000..ce4d25e
--- /dev/null
+++ b/home/features/cli/productivity/smos/secrets.yaml
@@ -0,0 +1,21 @@
+smos_github_token: ENC[AES256_GCM,data:kqy5mQf96DoPN1iEt2akJWFfD3IJWdSkvZa0MeAyF0WJ/+V5P5C4iQ==,iv:QwmIdV/vzGTLE89XJVi3prgfmXqRa/OYcp9CA7KJDYc=,tag:+S1EZBcxoOQO2ADjDx9STQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwYkx3eWhxZUpTRVR3R1R4
+            Vm9hMTVsbXBnU0tFU093amU3TTNjalhsVHdvCmZURElTY2Q0eTQvR3M1V3AzTVl4
+            VkR2NXRHR2FiTURqNUp5Y3VDWFQ1UjgKLS0tIEVlRWs3YUFaZzdvd1Q5bmFwazJi
+            Y2E3bmM1TkZoOEN0anJqYUNSQUN5ZDAKtobUBBKbfaUeiPtKN4/oTNaxY3C2joCK
+            8h4FlRLXd+CGnAyjN2p4FliWzLgmOg4HFNmZSmYLpIh4E9yqadNSSg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-31T18:33:00Z"
+    mac: ENC[AES256_GCM,data:HMJ9K1Ox0GPFgi7yG+Kb7ogHCQHXhj0hZEWGs0gLFHw0qqXBAUpAZfqVDd5DvNQSK7m4lRoxZC+wyc2ni0o95QGoDM1wA83npalvTEZyRI+9N0TAsrO03JHq+1uSawwLEhmHjvcVsX8W3d5hJzY+/Tq21D14SBKMqXxgHwHsH2E=,iv:dEyBbXDHboP/x0Bqo7p3YHh8gJWWfmTNLAZhUYeqkfc=,tag:WduTOOkgox6GRtLkm2Zkdw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/home/features/cli/productivity/smos/smos_github_oauth.age b/home/features/cli/productivity/smos/smos_github_oauth.age
deleted file mode 100644
index f86ad51..0000000
--- a/home/features/cli/productivity/smos/smos_github_oauth.age
+++ /dev/null
@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 UUF9JQ 8KhqQ8dEHYLDM89d+glRT9xtId2umJM2O8Vj6oWM0zY
-UAZ+pzFuL+wKSFY+yG1t1U9l0knA/VpupVBr6m2/+eY
--> Q7U4ZXW4-grease S8&{':OI EQs~v%Gq zp_"?LJ* z@)Y
-mmb3Yi9moBnueYa4AeMJwAA0A6lZAo9+L4zYgnxyjLBOUwQMPO/zDPmHqQ
---- HMqzE5ekHYLWxdxpC7J9NMdrfx4VJYVwwnvhq6JAtmI
-
-c�޵���F�;�U�KF�t�2��_�}��ns3���oYCn�쎪8���0����@�"A�j���Q�`
\ No newline at end of file
diff --git a/home/features/cli/ssh.nix b/home/features/cli/ssh.nix
index f702010..2d240ff 100644
--- a/home/features/cli/ssh.nix
+++ b/home/features/cli/ssh.nix
@@ -1,6 +1,7 @@
 {
   programs.ssh.enable = true;
 
+  # TODO: age persistence
   satellite.persistence.at.state.apps.ssh.directories = [ ".ssh" ];
 
   # Makes it easy to copy ssh keys at install time without messing up permissions
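Review bot: The added `# TODO: age persistence` does not say what still has to be persisted or why, so the next reader cannot tell when it is done. `scripts/ssh-to-age.sh` in this commit writes the derived private key to `~/.config/sops/age/keys.txt`, and the entry below persists only `.ssh`. If that file is what the TODO refers to, say so: `# TODO: persist ~/.config/sops/age (keys.txt from scripts/ssh-to-age.sh is not covered by the .ssh entry below)`. The surrounding attribute set continues past the end of the hunk.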
diff --git a/home/features/desktop/wakatime/default.nix b/home/features/desktop/wakatime/default.nix
index bb555e8..22dbf85 100644
--- a/home/features/desktop/wakatime/default.nix
+++ b/home/features/desktop/wakatime/default.nix
@@ -1,9 +1,7 @@
 { pkgs, config, ... }: {
-  homeage.file.wakatime = {
-    source = ./wakatime_config.age;
-    symlinks = [
-      "${config.home.homeDirectory}/.wakatime.cfg"
-    ];
+  sops.secrets.wakatime_config = {
+    sopsFile = ./secrets.yaml;
+    path = "${config.home.homeDirectory}/.wakatime.cfg";
   };
 
   home.packages = [ pkgs.wakatime ];
diff --git a/home/features/desktop/wakatime/secrets.yaml b/home/features/desktop/wakatime/secrets.yaml
new file mode 100644
index 0000000..6c6d93b
--- /dev/null
+++ b/home/features/desktop/wakatime/secrets.yaml
@@ -0,0 +1,21 @@
+wakatime_config: ENC[AES256_GCM,data:IgGcMQNf8u2KXjgI60zPKZ6M7oxibbQK+in/9jrnEzk20WA1JM122zICXYuLfuQgNd2CMoEeu4LivQHv/D79tw==,iv:HoS00ihAX+SCw58kgcnvqAy4ILdS+/RPMqQwXusTqYU=,tag:0sSaZTrjO43PB7g215wwUA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDR0RmdFIxNFJpQTdGYXlq
+            bkZrNktMaFlrOEZtSXh6Y1l6NTN0REN6N2dnCmNMRUk2TXA3RWhtZVlnbTg2aE00
+            eFVwejBTcWRaTUhGWFFIS1RlVkhhQ28KLS0tIEdWWGRWSDZOQW9pQkdCRFFncTM2
+            cURjWFplY1pyMzY4a0h6cTRLS2I2ZW8KqGtYjCsdriSWdKhC+kGBAMSY9WVDL3tE
+            oMxyhrgDMtWndZEGv1+J3XLLmatDKmEcJO2k0CXZlCWWj17O4Rm+eA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-31T18:29:11Z"
+    mac: ENC[AES256_GCM,data:PmKn6D+olZSKrjY0i9zZ3YZxi+k39CS7ckUF7YaVINqZlCBNe12T+FnPyHhH/vDujA61ZzalsY14SHwSkOwMNVTJ9tdvOEfpEtwq0wKn+5TQmz8LfWNBUazRefhY0hKZN/k/akRjRh65wOvMZfah+L6A9wA7vW1OrCbLtAKExsY=,iv:9vGJAzjRN6MxRG7EeYKKft3YElkicu0XX8Q28Ua2n3M=,tag:eyg5yUH2ME2annShaFQAqg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/home/features/desktop/wakatime/wakatime_config.age b/home/features/desktop/wakatime/wakatime_config.age
deleted file mode 100644
index c052136..0000000
Binary files a/home/features/desktop/wakatime/wakatime_config.age and /dev/null differ
diff --git a/home/global.nix b/home/global.nix
index dfea2e1..b143591 100644
--- a/home/global.nix
+++ b/home/global.nix
@@ -4,12 +4,12 @@ let
   imports = [
     # {{{ flake inputs
     inputs.stylix.homeManagerModules.stylix
-    inputs.homeage.homeManagerModules.homeage
     inputs.nur.nixosModules.nur
     inputs.impermanence.nixosModules.home-manager.impermanence
     inputs.spicetify-nix.homeManagerModules.spicetify
     inputs.anyrun.homeManagerModules.default
     inputs.nix-index-database.hmModules.nix-index
+    inputs.sops-nix.homeManagerModules.sops
 
     # {{{ self management
     # NOTE: using `pkgs.system` before `module.options` is evaluated
@@ -58,8 +58,8 @@ in
   # Nicely reload system units when changing configs
   systemd.user.startServices = lib.mkForce "sd-switch";
 
-  # Where homeage should look for our ssh key
-  homeage.identityPaths = [ "~/.ssh/id_ed25519" ];
+  # Tell sops-nix to use ssh keys for decrypting secrets
+  sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
 
   # Allow root to read persistent files from this user.
   home.persistence."/persist/home/adrielus".allowOther = true;
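Review bot: `sops.age.sshKeyPaths` makes the SSH login key at `~/.ssh/id_ed25519` double as the decryption identity for every home-manager secret, so a leak of that one file exposes both remote access and the secrets. As far as I know, sops-nix can also only use SSH keys stored without a passphrase, which would rule out protecting the login key at rest. A dedicated identity generated with `age-keygen` and referenced through `sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";` would separate the two roles, with its public key replacing `&prescientmoon` in `.sops.yaml`. If reusing the SSH key is a deliberate trade-off, the comment above the option should say so. The module body starts and ends outside this hunk.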
diff --git a/hosts/nixos/common/global/default.nix b/hosts/nixos/common/global/default.nix
index 65f4f04..8f71930 100644
--- a/hosts/nixos/common/global/default.nix
+++ b/hosts/nixos/common/global/default.nix
@@ -6,10 +6,10 @@ let
     # {{{ flake inputs 
     # inputs.hyprland.nixosModules.default
     inputs.disko.nixosModules.default
-    inputs.agenix.nixosModules.default
     inputs.stylix.nixosModules.stylix
     inputs.nur.nixosModules.nur
     inputs.slambda.nixosModule
+    inputs.sops-nix.nixosModules.sops
 
     # {{{ self management 
     # NOTE: using `pkgs.system` before `module.options` is evaluated
@@ -38,6 +38,9 @@ in
   # Import all modules defined in modules/nixos
   imports = builtins.attrValues outputs.nixosModules ++ imports;
 
+  # Tell sops-nix to use the host keys for decrypting secrets
+  sops.age.sshKeyPaths = [ "/persist/state/etc/ssh/ssh_host_ed25519_key" ];
+
   # {{{ ad-hoc options
   # Customize tty colors
   stylix.targets.console.enable = true;
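Review bot: The comment on `sops.age.sshKeyPaths` does not explain why the host key is read from `/persist/state/etc/ssh/...` rather than the usual `/etc/ssh/ssh_host_ed25519_key`. Presumably this is because secrets marked `neededForUsers` (as in users/adrielus.nix in this commit) are decrypted early in activation, before the persistence bind mount for `/etc/ssh` exists. That is worth stating, since someone tidying the path later would break user-password setup: `# Read the key from /persist directly: neededForUsers secrets are decrypted before /etc/ssh is bind-mounted`. It also assumes `/persist` is mounted early enough at boot, which is not visible from this hunk.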
diff --git a/hosts/nixos/common/global/wireless/default.nix b/hosts/nixos/common/global/wireless/default.nix
index aa1404e..1753601 100644
--- a/hosts/nixos/common/global/wireless/default.nix
+++ b/hosts/nixos/common/global/wireless/default.nix
@@ -1,6 +1,5 @@
 { config, ... }: {
-  # Wireless secrets stored through agenix
-  age.secrets.wireless.file = ./wifi_passwords.age;
+  sops.secrets.wireless.sopsFile = ../../secrets.yaml;
 
   # https://github.com/NixOS/nixpkgs/blob/nixos-22.11/nixos/modules/services/networking/wpa_supplicant.nix
   networking.wireless = {
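Review bot: `sopsFile = ../../secrets.yaml` here and `sopsFile = ../secrets.yaml` in users/adrielus.nix both point at `hosts/nixos/common/secrets.yaml` through different relative paths, which is easy to get wrong when a module moves. Setting `sops.defaultSopsFile = ../secrets.yaml;` once in common/global/default.nix would let both modules drop their per-secret `sopsFile`. The hunk also removes the only comment saying what this secret is. A replacement such as `# wpa_supplicant environment file (KEY=value lines), decrypted by sops-nix` keeps the expected format discoverable, given that `networks` below substitutes `@ENCELADUS_HOTSPOT_PASS@` from it.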
@@ -8,7 +7,7 @@
     fallbackToWPA2 = false;
 
     # Declarative
-    environmentFile = config.age.secrets.wireless.path;
+    environmentFile = config.sops.secrets.wireless.path;
     networks = {
       "Neptune".psk = "@ENCELADUS_HOTSPOT_PASS@";
 
@@ -51,13 +50,6 @@
   # Ensure group exists
   users.groups.network = { };
 
-  # Persist imperative config
-  environment.persistence."/persist/state".files = [
-    # TODO: investigate why this doesn't work
-    # "/etc/wpa_supplicant.conf"
-  ];
-
-
   # The service seems to fail if this file does not exist
   systemd.tmpfiles.rules = [ "f /etc/wpa_supplicant.conf" ];
 }
diff --git a/hosts/nixos/common/global/wireless/wifi_passwords.age b/hosts/nixos/common/global/wireless/wifi_passwords.age
deleted file mode 100644
index adf81cb..0000000
Binary files a/hosts/nixos/common/global/wireless/wifi_passwords.age and /dev/null differ
diff --git a/hosts/nixos/common/secrets.yaml b/hosts/nixos/common/secrets.yaml
new file mode 100644
index 0000000..735a672
--- /dev/null
+++ b/hosts/nixos/common/secrets.yaml
@@ -0,0 +1,40 @@
+wireless: ENC[AES256_GCM,data:QKM3llNba24/3Hfjph9JFpOF+G4aGuGDfhlwE/bfvvAX7G/dYRZ5GMZtUIifREviacCywtqYcmLe+IIA9/NtLom3JkgXV5VEoaNym78fMaY5fVvsjqOgzp1O0XXu70UYvHgtA1pDZrCQEv/q7slkBS7mYP+g8NaRff9eIzs6zMWIl3HzqQbdwb5TOzsKzPNZgNp8f9nTmxm6EVdEHx0fhBLepXw6uDGA2Op12XDvR9UDkzwOkyy7oxEhKiPhqi5in8OqfhBGmQ73WV+g38pUNobp5cGL0YjjxHIWKEbX0N6ov2DH4QkeQhJgWNtEsTuGugjWkPvoAgfARMirt+PFZotFPBib1/xZHB7H,iv:TruRRS9fAGjkQU4zs2cOs1olxUYkOOypMmpxOIw9N9o=,tag:Yd4t0DKVpaUul4CrA8hYPA==,type:str]
+adrielus_password: ENC[AES256_GCM,data:lREgbcKwzAJQ3PPTWt7LXmgAsrKFCN+baQx4Q2YrHlu16yvKpmaZzPHJ/C5IjucUNbdceTs6Ef99IWzju0d8Hl5Z5UTMspYIhQ==,iv:JqnL3zfCd/xMRqTciA/Q6nYmFKzJkBqda4zucsE5KFw=,tag:RGZ/0/NEpdchj9h/l3Z7Ig==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbzNLcXFBcTlIM3hjZTN0
+            bTFZUDJnS3lROExSREVkd0FMeHU3RGVWdzJnCkszOVROZlBmZWl2cjFkcTZ1OWZw
+            eThXSTliNmxHM3o3NzhUOUkvU0YzNzgKLS0tIHBWSmRTTlJBdmlKQy9YWHR0NGds
+            ak5kUFRJK3JCcUYvSFY2eGtIOTk3RkkKl3yBZjjBExU9RoZbaKBixfsywqFWFnq4
+            n7olhkNMVIC+BcLYno0oIT2oILASMkE3NbH85IHlYZY2qQvFKDbG7w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1avsekqqyr62urdwtpfpt0ledzm49wy0rq7wcg3rnsprdx22er5usp0jxgs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aExaRC9SclVvT1g4WFI0
+            N1grVzZWWmpPaGEwRmx3TjUyK0dvL0RNdmhjClY5UmI0eWZOTXZqbGFxT05OSnk1
+            RTAyYStRN0NsRnZlWk03eXIrajdiRjQKLS0tIHlMdzBVNFEzR2FuVFZEWStFY1hh
+            MnFiSGt3dWZxWnF3M2FkbTJzSTA2VTAKtD40Gp12vB24Wnr8NvY7/ZWr9XVDF9Bl
+            FUL34R1mpgweNJ1IowFPgQbxsyMTG7iYB4jC50JZNOKJxe9NaeOUlQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtK0pFcWlheEwzV3N3bVFQ
+            K3EwNXI5MXQyYld6Z3J1aVNHWlQ4UjlxSzIwCktDbG9iMFRVQnJBenhWVFhLa2N1
+            SWRMR3JLajJscWFqMy84aGNFcy9UK1UKLS0tIEZoT0d2bVJpV3ByWmV0eENZVjM3
+            WFd4ZFNHWG5Cakw5cU9MRE9HWHQ4THMKr/S7v1Oj3zQziMtI/NuFVm6AaJF5JV5U
+            sEr2nEptYFz4G6YL5psQGXHaKzQKBg+crgKRbYL4akhqT7pfYPC0bQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-31T18:18:48Z"
+    mac: ENC[AES256_GCM,data:9kYBMib8MuIdcJK0Lxh3sYP4OrlFCn3DZP8X82mSvnK15l8rVXFu2xfIbt1nviDj9IFhsZ3+2qzUnPq650erG6JpuHdzdmxIE49nU8BqmqtiQ4SAFAdC7zEbWaWk3SKmm1ouarBuHWtfvN3uw/ULpdExxt8Or8kvgvoVPX2L85E=,iv:wDWg/ba89AqW5bwqVydLZdfhPFgkNLRTKx1caER6SmI=,tag:1JY/HsipandxtmCmYXuavQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/hosts/nixos/common/users/adrielus.nix b/hosts/nixos/common/users/adrielus.nix
index 7bf9135..0c22bcd 100644
--- a/hosts/nixos/common/users/adrielus.nix
+++ b/hosts/nixos/common/users/adrielus.nix
@@ -1,7 +1,9 @@
 { pkgs, outputs, config, lib, ... }:
 {
-  # Password file stored through agenix
-  age.secrets.adrielusPassword.file = ./adrielus_password.age;
+  sops.secrets.adrielus_password = {
+    sopsFile = ../secrets.yaml;
+    neededForUsers = true;
+  };
 
   users = {
     # Configure users through nix only
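Review bot: `neededForUsers = true` is load-bearing but has no comment, and the old "Password file stored through agenix" comment was removed without a replacement. sops-nix decrypts secrets with this flag before NixOS creates users, which is what makes the `hashedPasswordFile` reference in the later hunk of this file resolve at activation. Dropping the flag would likely leave the account without a usable password on a fresh boot. Suggested comment above the block: `# Hashed login password; neededForUsers makes sops-nix decrypt it before user accounts are created`.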
@@ -12,12 +14,6 @@
       # Adds me to some default groups, and creates the home dir 
       isNormalUser = true;
 
-      # File containing my password, managed by agenix
-      hashedPasswordFile = config.age.secrets.adrielusPassword.path;
-
-      # Set default shell
-      shell = pkgs.fish;
-
       # Picked up by our persistence module
       homeMode = "755";
 
@@ -31,6 +27,9 @@
         "syncthing" # syncthing!
       ];
 
+      hashedPasswordFile = config.sops.secrets.adrielus_password.path;
+      shell = pkgs.fish;
+
       openssh.authorizedKeys.keyFiles =
         (import ./common.nix).authorizedKeys { inherit outputs lib; };
     };
diff --git a/hosts/nixos/common/users/adrielus_password.age b/hosts/nixos/common/users/adrielus_password.age
deleted file mode 100644
index ab17351..0000000
--- a/hosts/nixos/common/users/adrielus_password.age
+++ /dev/null
@@ -1,14 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 qgVaDQ sYn14+1vJEk4dnYdHQ58q36LTMS7tU5V3V/3xswLWHk
-mnr7r/IJOmVtnsSiIq9B8GvO6xnNs3r7jiz0yLAAL8Q
--> ssh-ed25519 3gahUA kpYU2sudkfqfCGrqjeNsU61IEal7AGJLJuXE8Wyo0Ro
-m3Z6vZGG+h3lvtT7zYl1lIb+z9tVzRw0Tpr17LHE1NA
--> ssh-ed25519 UUF9JQ MzmLpgpJ/t4XrLFUk8xUhyO+W2if+aCG7t7aHv3Tqkw
-Yf51xXY5pzC+txLTIiK4PwZksjeaTDlPIwGhghaAQPg
--> <jAUJ|5-grease )*]+{]30 T_Hy 8I jR@u$
-clZ4bFz5PYI24Ddnvg4saB9XQu/hmUa7b4eiTEs1o6/IPh5sgQyNTDjcVh+b3M2R
-BynXRA0VmzlXj4fr0mgM7X0t+w510aS5IJxM8XK3HkrCb32y40lv7VcJeSA
---- dj4NWvivR9a4Spob27oag9Hgx5T5169brKAmr6MqWfM
-���fu�����.<���1T4~����OCo��1�A��J�ǩ�\gF&!e��Q:�3����~/�r
-���	Q�W
-v��
O���Z���l�".ߚs2NAn,�#
\ No newline at end of file
diff --git a/scripts/age-public-key.sh b/scripts/age-public-key.sh
new file mode 100755
index 0000000..c6298ed
--- /dev/null
+++ b/scripts/age-public-key.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+nix-shell -p age --run "age-keygen -y ~/.config/sops/age/keys.txt"
diff --git a/scripts/emergency-lapetus.sh b/scripts/emergency-lapetus.sh
index 19797cf..cfb6b76 100755
--- a/scripts/emergency-lapetus.sh
+++ b/scripts/emergency-lapetus.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env nix-shell
+#!/usr/bin/env nix-shellge
 #!nix-shell ../devshells/bootstrap/shell.nix
 #!nix-shell -i bash
 
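Review bot: The shebang was changed to `#!/usr/bin/env nix-shellge`, which looks like stray keystrokes rather than an intended change. No such interpreter exists, so the emergency script will fail to start with an env "No such file or directory" error exactly when it is needed. The following `#!nix-shell` directive lines only work under the real `nix-shell`, so the first line should go back to `#!/usr/bin/env nix-shell`. Nothing else in this commit touches the script, so the edit is probably accidental.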
diff --git a/scripts/ssh-to-age.sh b/scripts/ssh-to-age.sh
new file mode 100755
index 0000000..2fcfe2d
--- /dev/null
+++ b/scripts/ssh-to-age.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+echo "📁 Creating sops directory"
+mkdir -p ~/.config/sops/age
+echo "🔑 Converting ssh key to age"
+nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
+echo "🚀 All done"
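Review bot: The script writes a private key to `~/.config/sops/age/keys.txt` through a plain redirect, so both the file and a newly created directory get permissions from the caller's umask, commonly world-readable 0644/0755. There is also no error handling: if `ssh-to-age` fails, the redirect has already truncated any existing `keys.txt` and the script still prints "All done". Adding `set -euo pipefail` and `umask 077` right after the shebang covers the failure case and new files. A `chmod 600 ~/.config/sops/age/keys.txt` after the conversion is still needed for a file that already exists with looser permissions, because truncation keeps the old mode.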
diff --git a/secrets.nix b/secrets.nix
deleted file mode 100644
index 1bd2211..0000000
--- a/secrets.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-let
-  tethys = builtins.readFile ./hosts/nixos/tethys/keys/ssh_host_ed25519_key.pub;
-  lapetus = builtins.readFile ./hosts/nixos/lapetus/keys/ssh_host_ed25519_key.pub;
-
-  adrielus_tethys = builtins.readFile ./hosts/nixos/tethys/keys/id_ed25519.pub;
-  adrielus_lapetus = builtins.readFile ./hosts/nixos/lapetus/keys/id_ed25519.pub;
-
-  all_hosts = [ tethys lapetus ];
-in
-{
-  # Scoped for entire systems
-  "./hosts/nixos/common/global/wireless/wifi_passwords.age".publicKeys = all_hosts ++ [ adrielus_tethys ];
-  "./hosts/nixos/common/users/adrielus_password.age".publicKeys = all_hosts ++ [ adrielus_tethys ];
-
-  # Scoped for the user
-  # TODO: perhaps move this into `pass`?.
-  "./home/features/desktop/wakatime/wakatime_config.age".publicKeys = [ adrielus_tethys ];
-  "./home/features/cli/productivity/smos/smos_github_oauth.age".publicKeys = [ adrielus_tethys ];
-}