diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..14bdb13 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,21 @@ +keys: + - &users: + - &prescientmoon age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs + - &hosts: + - &tethys age1avsekqqyr62urdwtpfpt0ledzm49wy0rq7wcg3rnsprdx22er5usp0jxgs + - &lapetus age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4 +creation_rules: + - path_regex: hosts/nixos/common/secrets.yaml + key_groups: + - age: + - *prescientmoon + - *tethys + - *lapetus + - path_regex: home/features/desktop/wakatime/secrets.yaml + key_groups: + - age: + - *prescientmoon + - path_regex: home/features/cli/productivity/smos/secrets.yaml + key_groups: + - age: + - *prescientmoon diff --git a/README.md b/README.md index 07537c5..de8bb17 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ In case you are not familiar with nix/nixos, this is a collection of configurati ## Features this repository includes: - Consistent base16 theming using [stylix](https://github.com/danth/stylix) -- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) based secret management +- [sops-nix](https://github.com/Mic92/sops-nix) based secret management - Sets up all the apps I use — including git, neovim, fish, tmux, starship, hyprland, anyrun, discord, zathura, wezterm & much more. The current state of this repo is a refactor of my old, messy nixos config, based on the structure of [this template](https://github.com/Misterio77/nix-starter-configs). @@ -33,7 +33,7 @@ This repo's structure is based on the concept of hosts - individual machines con | [overlays](./overlays) | Nix overlays | | [pkgs](./pkgs) | Nix packages | | [flake.nix](./flake.nix) | Nix flake entrypoint! | -| [secrets.nix](./secrets.nix) | Agenix entrypoint | +| [.sops.yaml](./.sops.yaml) | Sops entrypoint | | [stylua.toml](./stylua.toml) | Lua formatter config for the repo | ## Points of interest 
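Review bot: The three `path_regex` values are unanchored regular expressions with unescaped dots, so `hosts/nixos/common/secrets.yaml` also matches any longer path that merely contains that text (and a file named e.g. `secretsXyaml`); tightening them to `^hosts/nixos/common/secrets\.yaml$`, and the two `home/features/...` rules likewise, keeps a stray file from silently inheriting a rule's recipients. Separately, in `- &users:` and `- &hosts:` the trailing colon is part of the anchor name (`users:`, `hosts:`) rather than a mapping key, assuming the key lines are nested under them as the layout suggests; that is harmless because neither anchor is referenced, but `- &users` or a plain `# users` comment would read as intended.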
@@ -52,7 +52,7 @@ Here's some things you might want to check out: - [Nixos](http://nixos.org/) — nix based operating system - [Home-manager](https://github.com/nix-community/home-manager) — manage user configuration using nix - [Impernanence](https://github.com/nix-community/impermanence) — see the article about [erasing your darlings](https://grahamc.com/blog/erase-your-darlings) -- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) — secret management +- [Sops-nix](https://github.com/Mic92/sops-nix) — secret management - [Slambda](https://github.com/Mateiadrielrafael/slambda) — custom keyboard chording utility - [disko](https://github.com/nix-community/disko) — format disks using nix - [zfs](https://openzfs.org/wiki/Main_Page) — filesystem @@ -101,6 +101,7 @@ Here's some things you might want to check out: Includes links to stuff which used to be in the previous section but is not used anymore. Only created this section in June 2023, so stuff I used earlier might not be here. Sorted with the most recently dropped things at the top. +- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) — I switched to [sops-nix](https://github.com/Mic92/sops-nix) - [Mind.nvim](https://github.com/phaazon/mind.nvim) — self management tree editor. The project got archived, so I switched to [Smos](https://github.com/NorfairKing/smos). - [Null-ls](https://github.com/jose-elias-alvarez/null-ls.nvim) — general purpose neovim LSP. The project got archived, so I switched to [formatter.nvim](https://github.com/mhartington/formatter.nvim). - [Wofi](https://sr.ht/~scoopta/wofi/) — program launcher. I switched to [Anyrun](https://github.com/Kirottu/anyrun). diff --git a/flake.lock b/flake.lock index bd6496e..f71642f 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,27 +1,5 @@ { "nodes": { - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": "home-manager", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1701216516, - "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=", - "owner": "ryantm", - "repo": "agenix", - "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "anyrun": { "inputs": { "flake-parts": "flake-parts", @@ -386,28 +364,6 @@ "type": "github" } }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1673295039, - "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "dekking": { "flake": false, "locked": { @@ -1351,27 +1307,6 @@ } }, "home-manager": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1682203081, - "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -1392,7 +1327,7 @@ "type": "github" } }, - "home-manager_3": { + "home-manager_2": { "inputs": { "nixpkgs": "nixpkgs" }, @@ -1411,7 +1346,7 @@ "type": "github" } }, - "home-manager_4": { + "home-manager_3": { "inputs": { "nixpkgs": "nixpkgs_9" }, 
@@ -1430,26 +1365,6 @@ "type": "github" } }, - "homeage": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1669234151, - "narHash": "sha256-TwT87E3m2TZLgwYJESlype14HxUOrRGojPM5C2akrMg=", - "owner": "jordanisaacs", - "repo": "homeage", - "rev": "02bfe4ca06962d222e522fff0240c93946b20278", - "type": "github" - }, - "original": { - "owner": "jordanisaacs", - "repo": "homeage", - "type": "github" - } - }, "hyprland": { "inputs": { "hyprland-protocols": "hyprland-protocols", @@ -1556,7 +1471,7 @@ "dekking": "dekking", "fast-myers-diff": "fast-myers-diff", "haskell-dependency-graph-nix": "haskell-dependency-graph-nix", - "home-manager": "home-manager_3", + "home-manager": "home-manager_2", "linkcheck": "linkcheck", "mergeless": "mergeless", "nixpkgs": "nixpkgs_2", @@ -2081,6 +1996,22 @@ } }, "nixpkgs-stable_5": { + "locked": { + "lastModified": 1705957679, + "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_6": { "locked": { "lastModified": 1685801374, "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", @@ -2096,7 +2027,7 @@ "type": "github" } }, - "nixpkgs-stable_6": { + "nixpkgs-stable_7": { "locked": { "lastModified": 1685801374, "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", @@ -2538,7 +2469,7 @@ "flake-utils": "flake-utils_10", "gitignore": "gitignore_4", "nixpkgs": "nixpkgs_15", - "nixpkgs-stable": "nixpkgs-stable_5" + "nixpkgs-stable": "nixpkgs-stable_6" }, "locked": { "lastModified": 1685970613, @@ -2560,7 +2491,7 @@ "flake-utils": "flake-utils_11", "gitignore": "gitignore_5", "nixpkgs": "nixpkgs_16", - "nixpkgs-stable": "nixpkgs-stable_6" + "nixpkgs-stable": "nixpkgs-stable_7" }, "locked": { "lastModified": 1700064067, 
@@ -2594,15 +2525,13 @@ }, "root": { "inputs": { - "agenix": "agenix", "anyrun": "anyrun", "anyrun-nixos-options": "anyrun-nixos-options", "catppuccin-base16": "catppuccin-base16", "disko": "disko", "firefox-addons": "firefox-addons", "grub2-themes": "grub2-themes", - "home-manager": "home-manager_2", - "homeage": "homeage", + "home-manager": "home-manager", "hyprland": "hyprland", "hyprland-contrib": "hyprland-contrib", "impermanence": "impermanence", @@ -2621,6 +2550,7 @@ "rosepine-base16": "rosepine-base16", "slambda": "slambda", "smos": "smos", + "sops-nix": "sops-nix", "spicetify-nix": "spicetify-nix", "stylix": "stylix", "tickler": "tickler", @@ -2851,7 +2781,7 @@ "fuzzy-time": "fuzzy-time", "get-flake": "get-flake", "haskell-dependency-graph-nix": "haskell-dependency-graph-nix_2", - "home-manager": "home-manager_4", + "home-manager": "home-manager_3", "ical": "ical", "linkcheck": "linkcheck_2", "looper": "looper", @@ -2899,6 +2829,27 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_5" + }, + "locked": { + "lastModified": 1706410821, + "narHash": "sha256-iCfXspqUOPLwRobqQNAQeKzprEyVowLMn17QaRPQc+M=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "73bf36912e31a6b21af6e0f39218e067283c67ef", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "spicetify-nix": { "inputs": { "flake-utils": "flake-utils_9", diff --git a/flake.nix b/flake.nix index 0b902d0..f6e50d0 100644 --- a/flake.nix +++ b/flake.nix @@ -25,13 +25,6 @@ firefox-addons.inputs.nixpkgs.follows = "nixpkgs"; # }}} # {{{ Nix-related tooling - # {{{ Secret management - agenix.url = "github:ryantm/agenix"; - agenix.inputs.nixpkgs.follows = "nixpkgs"; - - homeage.url = "github:jordanisaacs/homeage"; - homeage.inputs.nixpkgs.follows = "nixpkgs"; - # }}} # {{{ Storage impermanence.url = "github:nix-community/impermanence"; 
@@ -46,6 +39,9 @@ nix-index-database.url = "github:Mic92/nix-index-database"; nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + korora.url = "github:adisbladis/korora"; # Nix language server diff --git a/home/features/cli/default.nix b/home/features/cli/default.nix index 88b023c..2f80c70 100644 --- a/home/features/cli/default.nix +++ b/home/features/cli/default.nix @@ -38,7 +38,6 @@ ouch # Unified compression / decompression tool mkpasswd # Hash passwords jq # Json maniuplation - inputs.agenix.packages.${pkgs.system}.agenix # Secret encryption # }}} ]; diff --git a/home/features/cli/productivity/smos/default.nix b/home/features/cli/productivity/smos/default.nix index 7a2dca9..bd7228b 100644 --- a/home/features/cli/productivity/smos/default.nix +++ b/home/features/cli/productivity/smos/default.nix @@ -2,6 +2,7 @@ let workflowDir = "${config.home.homeDirectory}/productivity/smos"; in { + # {{{ Smos config programs.smos = { inherit workflowDir; @@ -10,19 +11,21 @@ in github = { enable = true; - oauth-token-file = config.homeage.file.smos.path; + oauth-token-file = config.sops.secrets.smos_github_token.path; }; }; - + # }}} + # {{{ Storage & secrets satellite.persistence.at.data.apps.smos.directories = [ config.programs.smos.workflowDir ]; - homeage.file.smos = { - source = ./smos_github_oauth.age; + sops.secrets.smos_github_token = { + sopsFile = ./secrets.yaml; path = "${config.xdg.dataHome}/smos/.github_token"; }; - + # }}} + # {{{ Add desktop entry home.packages = # Start smos with a custom class so our WM can move it to the correct workspace let smosgui = pkgs.writeShellScriptBin "smosgui" '' @@ -37,4 +40,5 @@ in exec = "smosgui"; terminal = false; }; + # }}} } diff --git a/home/features/cli/productivity/smos/secrets.yaml b/home/features/cli/productivity/smos/secrets.yaml new file mode 100644 index 0000000..ce4d25e --- /dev/null 
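Review bot: The new `sops-nix` input only sets `inputs.nixpkgs.follows`, while the flake.lock hunk shows sops-nix also pulling its own `nixpkgs-stable` (locked as `nixpkgs-stable_5`, a `release-23.05` checkout); adding `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";` next to the existing follows line avoids fetching and evaluating a second nixpkgs tree for an input that, as far as I can tell, sops-nix only uses for its own checks. The enclosing `inputs` attribute set starts and ends outside the hunk.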
+++ b/home/features/cli/productivity/smos/secrets.yaml @@ -0,0 +1,21 @@ +smos_github_token: ENC[AES256_GCM,data:kqy5mQf96DoPN1iEt2akJWFfD3IJWdSkvZa0MeAyF0WJ/+V5P5C4iQ==,iv:QwmIdV/vzGTLE89XJVi3prgfmXqRa/OYcp9CA7KJDYc=,tag:+S1EZBcxoOQO2ADjDx9STQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwYkx3eWhxZUpTRVR3R1R4 + Vm9hMTVsbXBnU0tFU093amU3TTNjalhsVHdvCmZURElTY2Q0eTQvR3M1V3AzTVl4 + VkR2NXRHR2FiTURqNUp5Y3VDWFQ1UjgKLS0tIEVlRWs3YUFaZzdvd1Q5bmFwazJi + Y2E3bmM1TkZoOEN0anJqYUNSQUN5ZDAKtobUBBKbfaUeiPtKN4/oTNaxY3C2joCK + 8h4FlRLXd+CGnAyjN2p4FliWzLgmOg4HFNmZSmYLpIh4E9yqadNSSg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-31T18:33:00Z" + mac: ENC[AES256_GCM,data:HMJ9K1Ox0GPFgi7yG+Kb7ogHCQHXhj0hZEWGs0gLFHw0qqXBAUpAZfqVDd5DvNQSK7m4lRoxZC+wyc2ni0o95QGoDM1wA83npalvTEZyRI+9N0TAsrO03JHq+1uSawwLEhmHjvcVsX8W3d5hJzY+/Tq21D14SBKMqXxgHwHsH2E=,iv:dEyBbXDHboP/x0Bqo7p3YHh8gJWWfmTNLAZhUYeqkfc=,tag:WduTOOkgox6GRtLkm2Zkdw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/home/features/cli/productivity/smos/smos_github_oauth.age b/home/features/cli/productivity/smos/smos_github_oauth.age deleted file mode 100644 index f86ad51..0000000 --- a/home/features/cli/productivity/smos/smos_github_oauth.age +++ /dev/null @@ -1,8 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 UUF9JQ 8KhqQ8dEHYLDM89d+glRT9xtId2umJM2O8Vj6oWM0zY -UAZ+pzFuL+wKSFY+yG1t1U9l0knA/VpupVBr6m2/+eY --> Q7U4ZXW4-grease S8&{':OI EQs~v%Gq zp_"?LJ* z@)Y -mmb3Yi9moBnueYa4AeMJwAA0A6lZAo9+L4zYgnxyjLBOUwQMPO/zDPmHqQ ---- HMqzE5ekHYLWxdxpC7J9NMdrfx4VJYVwwnvhq6JAtmI - -c ޵F;UKFt2_}ns3oYCn쎪80@"AjQ` \ No newline at end of file diff --git a/home/features/cli/ssh.nix b/home/features/cli/ssh.nix index f702010..2d240ff 100644 --- a/home/features/cli/ssh.nix +++ b/home/features/cli/ssh.nix 
@@ -1,6 +1,7 @@ { programs.ssh.enable = true; + # TODO: age persistence satellite.persistence.at.state.apps.ssh.directories = [ ".ssh" ]; # Makes it easy to copy ssh keys at install time without messing up permissions diff --git a/home/features/desktop/wakatime/default.nix b/home/features/desktop/wakatime/default.nix index bb555e8..22dbf85 100644 --- a/home/features/desktop/wakatime/default.nix +++ b/home/features/desktop/wakatime/default.nix @@ -1,9 +1,7 @@ { pkgs, config, ... }: { - homeage.file.wakatime = { - source = ./wakatime_config.age; - symlinks = [ - "${config.home.homeDirectory}/.wakatime.cfg" - ]; + sops.secrets.wakatime_config = { + sopsFile = ./secrets.yaml; + path = "${config.home.homeDirectory}/.wakatime.cfg"; }; home.packages = [ pkgs.wakatime ]; diff --git a/home/features/desktop/wakatime/secrets.yaml b/home/features/desktop/wakatime/secrets.yaml new file mode 100644 index 0000000..6c6d93b --- /dev/null +++ b/home/features/desktop/wakatime/secrets.yaml 
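Review bot: The added `# TODO: age persistence` does not say what is to be persisted or why, so the next reader cannot act on it. The rest of the diff suggests it refers to the age identity derived from this ssh key (the bootstrap fragment appends to `~/.config/sops/age/keys.txt`), in which case `# TODO: persist the age identity derived from this key (~/.config/sops/age/keys.txt) across reboots so sops can edit secrets` states the intent; confirm that reading before committing the wording. The enclosing module body continues outside the hunk.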
@@ -0,0 +1,21 @@ +wakatime_config: ENC[AES256_GCM,data:IgGcMQNf8u2KXjgI60zPKZ6M7oxibbQK+in/9jrnEzk20WA1JM122zICXYuLfuQgNd2CMoEeu4LivQHv/D79tw==,iv:HoS00ihAX+SCw58kgcnvqAy4ILdS+/RPMqQwXusTqYU=,tag:0sSaZTrjO43PB7g215wwUA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDR0RmdFIxNFJpQTdGYXlq + bkZrNktMaFlrOEZtSXh6Y1l6NTN0REN6N2dnCmNMRUk2TXA3RWhtZVlnbTg2aE00 + eFVwejBTcWRaTUhGWFFIS1RlVkhhQ28KLS0tIEdWWGRWSDZOQW9pQkdCRFFncTM2 + cURjWFplY1pyMzY4a0h6cTRLS2I2ZW8KqGtYjCsdriSWdKhC+kGBAMSY9WVDL3tE + oMxyhrgDMtWndZEGv1+J3XLLmatDKmEcJO2k0CXZlCWWj17O4Rm+eA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-31T18:29:11Z" + mac: ENC[AES256_GCM,data:PmKn6D+olZSKrjY0i9zZ3YZxi+k39CS7ckUF7YaVINqZlCBNe12T+FnPyHhH/vDujA61ZzalsY14SHwSkOwMNVTJ9tdvOEfpEtwq0wKn+5TQmz8LfWNBUazRefhY0hKZN/k/akRjRh65wOvMZfah+L6A9wA7vW1OrCbLtAKExsY=,iv:9vGJAzjRN6MxRG7EeYKKft3YElkicu0XX8Q28Ua2n3M=,tag:eyg5yUH2ME2annShaFQAqg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/home/features/desktop/wakatime/wakatime_config.age b/home/features/desktop/wakatime/wakatime_config.age deleted file mode 100644 index c052136..0000000 Binary files a/home/features/desktop/wakatime/wakatime_config.age and /dev/null differ diff --git a/home/global.nix b/home/global.nix index dfea2e1..b143591 100644 --- a/home/global.nix +++ b/home/global.nix 
@@ -4,12 +4,12 @@ let imports = [ # {{{ flake inputs inputs.stylix.homeManagerModules.stylix - inputs.homeage.homeManagerModules.homeage inputs.nur.nixosModules.nur inputs.impermanence.nixosModules.home-manager.impermanence inputs.spicetify-nix.homeManagerModules.spicetify inputs.anyrun.homeManagerModules.default inputs.nix-index-database.hmModules.nix-index + inputs.sops-nix.homeManagerModules.sops # {{{ self management # NOTE: using `pkgs.system` before `module.options` is evaluated @@ -58,8 +58,8 @@ in # Nicely reload system units when changing configs systemd.user.startServices = lib.mkForce "sd-switch"; - # Where homeage should look for our ssh key - homeage.identityPaths = [ "~/.ssh/id_ed25519" ]; + # Tell sops-nix to use ssh keys for decrypting secrets + sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ]; # Allow root to read persistent files from this user. home.persistence."/persist/home/adrielus".allowOther = true; diff --git a/hosts/nixos/common/global/default.nix b/hosts/nixos/common/global/default.nix index 65f4f04..8f71930 100644 --- a/hosts/nixos/common/global/default.nix +++ b/hosts/nixos/common/global/default.nix @@ -6,10 +6,10 @@ let # {{{ flake inputs # inputs.hyprland.nixosModules.default inputs.disko.nixosModules.default - inputs.agenix.nixosModules.default inputs.stylix.nixosModules.stylix inputs.nur.nixosModules.nur inputs.slambda.nixosModule + inputs.sops-nix.nixosModules.sops # {{{ self management # NOTE: using `pkgs.system` before `module.options` is evaluated @@ -38,6 +38,9 @@ in # Import all modules defined in modules/nixos imports = builtins.attrValues outputs.nixosModules ++ imports; + # Tell sops-nix to use the host keys for decrypting secrets + sops.age.sshKeyPaths = [ "/persist/state/etc/ssh/ssh_host_ed25519_key" ]; + # {{{ ad-hoc options # Customize tty colors stylix.targets.console.enable = true; 
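Review bot: `sops.age.sshKeyPaths` now points at `~/.ssh/id_ed25519`, from which sops-nix derives an age identity during home-manager activation; that step runs non-interactively, so if the key is passphrase-protected the activation cannot unlock it and every secret in `home/features/...` fails to decrypt — confirm the key is unencrypted, or point `sops.age.keyFile` at a dedicated age key instead. The new comment could record that constraint: `# sops-nix derives an age identity from this (unencrypted) ssh key at activation time`. The enclosing attribute set starts and ends outside the hunk.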
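Review bot: `sops.age.sshKeyPaths` reads the host key from `/persist/state/etc/ssh/ssh_host_ed25519_key`, and `hosts/nixos/common/users/adrielus.nix` marks `adrielus_password` as `neededForUsers`, which makes sops-nix decrypt it in the early activation step that runs before users are created; that only works if the `/persist` filesystem is already mounted at that point, i.e. has `neededForBoot = true` — worth confirming, since the hunk cannot show it. The comment could state the dependency: `# Host key lives under /persist so the early (neededForUsers) secret setup can read it; /persist must be neededForBoot`. The enclosing attribute set continues outside the hunk.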
diff --git a/hosts/nixos/common/global/wireless/default.nix b/hosts/nixos/common/global/wireless/default.nix index aa1404e..1753601 100644 --- a/hosts/nixos/common/global/wireless/default.nix +++ b/hosts/nixos/common/global/wireless/default.nix @@ -1,6 +1,5 @@ { config, ... }: { - # Wireless secrets stored through agenix - age.secrets.wireless.file = ./wifi_passwords.age; + sops.secrets.wireless.sopsFile = ../../secrets.yaml; # https://github.com/NixOS/nixpkgs/blob/nixos-22.11/nixos/modules/services/networking/wpa_supplicant.nix networking.wireless = { @@ -8,7 +7,7 @@ fallbackToWPA2 = false; # Declarative - environmentFile = config.age.secrets.wireless.path; + environmentFile = config.sops.secrets.wireless.path; networks = { "Neptune".psk = "@ENCELADUS_HOTSPOT_PASS@"; @@ -51,13 +50,6 @@ # Ensure group exists users.groups.network = { }; - # Persist imperative config - environment.persistence."/persist/state".files = [ - # TODO: investigate why this doesn't work - # "/etc/wpa_supplicant.conf" - ]; - - # The service seems to fail if this file does not exist systemd.tmpfiles.rules = [ "f /etc/wpa_supplicant.conf" ]; } diff --git a/hosts/nixos/common/global/wireless/wifi_passwords.age b/hosts/nixos/common/global/wireless/wifi_passwords.age deleted file mode 100644 index adf81cb..0000000 Binary files a/hosts/nixos/common/global/wireless/wifi_passwords.age and /dev/null differ diff --git a/hosts/nixos/common/secrets.yaml b/hosts/nixos/common/secrets.yaml new file mode 100644 index 0000000..735a672 --- /dev/null +++ b/hosts/nixos/common/secrets.yaml 
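Review bot: The third hunk deletes `# The service seems to fail if this file does not exist` together with the persistence block, but the `systemd.tmpfiles.rules = [ "f /etc/wpa_supplicant.conf" ];` line it explained is kept, so the reason for creating an empty `wpa_supplicant.conf` is now undocumented; keep that one comment line above the rule. The earlier hunks in this file look consistent with each other: `environmentFile` now reads `config.sops.secrets.wireless.path`, matching the new `sops.secrets.wireless` declaration.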
@@ -0,0 +1,40 @@ +wireless: ENC[AES256_GCM,data:QKM3llNba24/3Hfjph9JFpOF+G4aGuGDfhlwE/bfvvAX7G/dYRZ5GMZtUIifREviacCywtqYcmLe+IIA9/NtLom3JkgXV5VEoaNym78fMaY5fVvsjqOgzp1O0XXu70UYvHgtA1pDZrCQEv/q7slkBS7mYP+g8NaRff9eIzs6zMWIl3HzqQbdwb5TOzsKzPNZgNp8f9nTmxm6EVdEHx0fhBLepXw6uDGA2Op12XDvR9UDkzwOkyy7oxEhKiPhqi5in8OqfhBGmQ73WV+g38pUNobp5cGL0YjjxHIWKEbX0N6ov2DH4QkeQhJgWNtEsTuGugjWkPvoAgfARMirt+PFZotFPBib1/xZHB7H,iv:TruRRS9fAGjkQU4zs2cOs1olxUYkOOypMmpxOIw9N9o=,tag:Yd4t0DKVpaUul4CrA8hYPA==,type:str] +adrielus_password: ENC[AES256_GCM,data:lREgbcKwzAJQ3PPTWt7LXmgAsrKFCN+baQx4Q2YrHlu16yvKpmaZzPHJ/C5IjucUNbdceTs6Ef99IWzju0d8Hl5Z5UTMspYIhQ==,iv:JqnL3zfCd/xMRqTciA/Q6nYmFKzJkBqda4zucsE5KFw=,tag:RGZ/0/NEpdchj9h/l3Z7Ig==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbzNLcXFBcTlIM3hjZTN0 + bTFZUDJnS3lROExSREVkd0FMeHU3RGVWdzJnCkszOVROZlBmZWl2cjFkcTZ1OWZw + eThXSTliNmxHM3o3NzhUOUkvU0YzNzgKLS0tIHBWSmRTTlJBdmlKQy9YWHR0NGds + ak5kUFRJK3JCcUYvSFY2eGtIOTk3RkkKl3yBZjjBExU9RoZbaKBixfsywqFWFnq4 + n7olhkNMVIC+BcLYno0oIT2oILASMkE3NbH85IHlYZY2qQvFKDbG7w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1avsekqqyr62urdwtpfpt0ledzm49wy0rq7wcg3rnsprdx22er5usp0jxgs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aExaRC9SclVvT1g4WFI0 + N1grVzZWWmpPaGEwRmx3TjUyK0dvL0RNdmhjClY5UmI0eWZOTXZqbGFxT05OSnk1 + RTAyYStRN0NsRnZlWk03eXIrajdiRjQKLS0tIHlMdzBVNFEzR2FuVFZEWStFY1hh + MnFiSGt3dWZxWnF3M2FkbTJzSTA2VTAKtD40Gp12vB24Wnr8NvY7/ZWr9XVDF9Bl + FUL34R1mpgweNJ1IowFPgQbxsyMTG7iYB4jC50JZNOKJxe9NaeOUlQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtK0pFcWlheEwzV3N3bVFQ + 
K3EwNXI5MXQyYld6Z3J1aVNHWlQ4UjlxSzIwCktDbG9iMFRVQnJBenhWVFhLa2N1 + SWRMR3JLajJscWFqMy84aGNFcy9UK1UKLS0tIEZoT0d2bVJpV3ByWmV0eENZVjM3 + WFd4ZFNHWG5Cakw5cU9MRE9HWHQ4THMKr/S7v1Oj3zQziMtI/NuFVm6AaJF5JV5U + sEr2nEptYFz4G6YL5psQGXHaKzQKBg+crgKRbYL4akhqT7pfYPC0bQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-31T18:18:48Z" + mac: ENC[AES256_GCM,data:9kYBMib8MuIdcJK0Lxh3sYP4OrlFCn3DZP8X82mSvnK15l8rVXFu2xfIbt1nviDj9IFhsZ3+2qzUnPq650erG6JpuHdzdmxIE49nU8BqmqtiQ4SAFAdC7zEbWaWk3SKmm1ouarBuHWtfvN3uw/ULpdExxt8Or8kvgvoVPX2L85E=,iv:wDWg/ba89AqW5bwqVydLZdfhPFgkNLRTKx1caER6SmI=,tag:1JY/HsipandxtmCmYXuavQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/hosts/nixos/common/users/adrielus.nix b/hosts/nixos/common/users/adrielus.nix index 7bf9135..0c22bcd 100644 --- a/hosts/nixos/common/users/adrielus.nix +++ b/hosts/nixos/common/users/adrielus.nix @@ -1,7 +1,9 @@ { pkgs, outputs, config, lib, ... }: { - # Password file stored through agenix - age.secrets.adrielusPassword.file = ./adrielus_password.age; + sops.secrets.adrielus_password = { + sopsFile = ../secrets.yaml; + neededForUsers = true; + }; users = { # Configure users through nix only @@ -12,12 +14,6 @@ # Adds me to some default groups, and creates the home dir isNormalUser = true; - # File containing my password, managed by agenix - hashedPasswordFile = config.age.secrets.adrielusPassword.path; - - # Set default shell - shell = pkgs.fish; - # Picked up by our persistence module homeMode = "755"; @@ -31,6 +27,9 @@ "syncthing" # syncthing! ]; + hashedPasswordFile = config.sops.secrets.adrielus_password.path; + shell = pkgs.fish; + openssh.authorizedKeys.keyFiles = (import ./common.nix).authorizedKeys { inherit outputs lib; }; }; diff --git a/hosts/nixos/common/users/adrielus_password.age b/hosts/nixos/common/users/adrielus_password.age deleted file mode 100644 index ab17351..0000000 --- a/hosts/nixos/common/users/adrielus_password.age +++ /dev/null 
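Review bot: `hashedPasswordFile = config.sops.secrets.adrielus_password.path;` is re-added in the third hunk without the explanatory comment the second hunk removes (`# File containing my password, managed by agenix`), and the new `sops.secrets.adrielus_password` block in the first hunk carries none either, so nothing records why `neededForUsers = true` is set. A one-line note such as `# Hashed login password; neededForUsers makes sops-nix decrypt it before users are created` on the declaration, and `# Decrypted by sops-nix, see the declaration above` on `hashedPasswordFile`, keeps that visible. `shell = pkgs.fish;` is only relocated. The enclosing `users` attribute set spans beyond the hunks.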
@@ -1,14 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 qgVaDQ sYn14+1vJEk4dnYdHQ58q36LTMS7tU5V3V/3xswLWHk -mnr7r/IJOmVtnsSiIq9B8GvO6xnNs3r7jiz0yLAAL8Q --> ssh-ed25519 3gahUA kpYU2sudkfqfCGrqjeNsU61IEal7AGJLJuXE8Wyo0Ro -m3Z6vZGG+h3lvtT7zYl1lIb+z9tVzRw0Tpr17LHE1NA --> ssh-ed25519 UUF9JQ MzmLpgpJ/t4XrLFUk8xUhyO+W2if+aCG7t7aHv3Tqkw -Yf51xXY5pzC+txLTIiK4PwZksjeaTDlPIwGhghaAQPg --> ~/.config/sops/age/keys.txt" +echo "🚀 All done" diff --git a/secrets.nix b/secrets.nix deleted file mode 100644 index 1bd2211..0000000 --- a/secrets.nix +++ /dev/null @@ -1,19 +0,0 @@ -let - tethys = builtins.readFile ./hosts/nixos/tethys/keys/ssh_host_ed25519_key.pub; - lapetus = builtins.readFile ./hosts/nixos/lapetus/keys/ssh_host_ed25519_key.pub; - - adrielus_tethys = builtins.readFile ./hosts/nixos/tethys/keys/id_ed25519.pub; - adrielus_lapetus = builtins.readFile ./hosts/nixos/lapetus/keys/id_ed25519.pub; - - all_hosts = [ tethys lapetus ]; -in -{ - # Scoped for entire systems - "./hosts/nixos/common/global/wireless/wifi_passwords.age".publicKeys = all_hosts ++ [ adrielus_tethys ]; - "./hosts/nixos/common/users/adrielus_password.age".publicKeys = all_hosts ++ [ adrielus_tethys ]; - - # Scoped for the user - # TODO: perhaps move this into `pass`?. - "./home/features/desktop/wakatime/wakatime_config.age".publicKeys = [ adrielus_tethys ]; - "./home/features/cli/productivity/smos/smos_github_oauth.age".publicKeys = [ adrielus_tethys ]; -}