
Switch from agenix to sops-nix

This commit is contained in:
Matei Adriel 2024-01-31 20:03:00 +01:00
parent ced418a65b
commit bd03871ece
No known key found for this signature in database
23 changed files with 194 additions and 180 deletions

21
.sops.yaml Normal file

@ -0,0 +1,21 @@
keys:
- &users:
- &prescientmoon age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
- &hosts:
- &tethys age1avsekqqyr62urdwtpfpt0ledzm49wy0rq7wcg3rnsprdx22er5usp0jxgs
- &lapetus age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4
creation_rules:
- path_regex: hosts/nixos/common/secrets.yaml
key_groups:
- age:
- *prescientmoon
- *tethys
- *lapetus
- path_regex: home/features/desktop/wakatime/secrets.yaml
key_groups:
- age:
- *prescientmoon
- path_regex: home/features/cli/productivity/smos/secrets.yaml
key_groups:
- age:
- *prescientmoon
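Review bot: The two home secrets files (the wakatime and smos rules) are encrypted to a single recipient, `*prescientmoon`, so losing or rotating the SSH key it was derived from makes them unrecoverable, with no second identity to fall back on; adding a backup age identity to the `&users` group and to those key_groups (then `sops updatekeys`) closes that gap. The `path_regex` values are unanchored and use an unescaped `.`, so `hosts/nixos/common/secrets.yaml` also matches e.g. `…/secrets.yaml.bak`; `path_regex: hosts/nixos/common/secrets\.yaml$` is the form the sops examples use. The trailing colon in `&users:` and `&hosts:` becomes part of the anchor name rather than opening a mapping; it parses, but `- &users` reads as intended. Indentation was flattened by the page renderer, so this is read from the structure rather than from columns.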


@ -7,7 +7,7 @@ In case you are not familiar with nix/nixos, this is a collection of configurati
## Features this repository includes:
- Consistent base16 theming using [stylix](https://github.com/danth/stylix)
- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) based secret management
- [sops-nix](https://github.com/Mic92/sops-nix) based secret management
- Sets up all the apps I use — including git, neovim, fish, tmux, starship, hyprland, anyrun, discord, zathura, wezterm & much more.
The current state of this repo is a refactor of my old, messy nixos config, based on the structure of [this template](https://github.com/Misterio77/nix-starter-configs).
@ -33,7 +33,7 @@ This repo's structure is based on the concept of hosts - individual machines con
| [overlays](./overlays) | Nix overlays |
| [pkgs](./pkgs) | Nix packages |
| [flake.nix](./flake.nix) | Nix flake entrypoint! |
| [secrets.nix](./secrets.nix) | Agenix entrypoint |
| [.sops.yaml](./.sops.yaml) | Sops entrypoint |
| [stylua.toml](./stylua.toml) | Lua formatter config for the repo |
## Points of interest
@ -52,7 +52,7 @@ Here's some things you might want to check out:
- [Nixos](http://nixos.org/) — nix based operating system
- [Home-manager](https://github.com/nix-community/home-manager) — manage user configuration using nix
- [Impernanence](https://github.com/nix-community/impermanence) — see the article about [erasing your darlings](https://grahamc.com/blog/erase-your-darlings)
- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) — secret management
- [Sops-nix](https://github.com/Mic92/sops-nix) — secret management
- [Slambda](https://github.com/Mateiadrielrafael/slambda) — custom keyboard chording utility
- [disko](https://github.com/nix-community/disko) — format disks using nix
- [zfs](https://openzfs.org/wiki/Main_Page) — filesystem
@ -101,6 +101,7 @@ Here's some things you might want to check out:
Includes links to stuff which used to be in the previous section but is not used anymore. Only created this section in June 2023, so stuff I used earlier might not be here. Sorted with the most recently dropped things at the top.
- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) — I switched to [sops-nix](https://github.com/Mic92/sops-nix)
- [Mind.nvim](https://github.com/phaazon/mind.nvim) — self management tree editor. The project got archived, so I switched to [Smos](https://github.com/NorfairKing/smos).
- [Null-ls](https://github.com/jose-elias-alvarez/null-ls.nvim) — general purpose neovim LSP. The project got archived, so I switched to [formatter.nvim](https://github.com/mhartington/formatter.nvim).
- [Wofi](https://sr.ht/~scoopta/wofi/) — program launcher. I switched to [Anyrun](https://github.com/Kirottu/anyrun).


@ -1,27 +1,5 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1701216516,
"narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=",
"owner": "ryantm",
"repo": "agenix",
"rev": "13ac9ac6d68b9a0896e3d43a082947233189e247",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"anyrun": {
"inputs": {
"flake-parts": "flake-parts",
@ -386,28 +364,6 @@
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1673295039,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"dekking": {
"flake": false,
"locked": {
@ -1351,27 +1307,6 @@
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682203081,
"narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@ -1392,7 +1327,7 @@
"type": "github"
}
},
"home-manager_3": {
"home-manager_2": {
"inputs": {
"nixpkgs": "nixpkgs"
},
@ -1411,7 +1346,7 @@
"type": "github"
}
},
"home-manager_4": {
"home-manager_3": {
"inputs": {
"nixpkgs": "nixpkgs_9"
},
@ -1430,26 +1365,6 @@
"type": "github"
}
},
"homeage": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1669234151,
"narHash": "sha256-TwT87E3m2TZLgwYJESlype14HxUOrRGojPM5C2akrMg=",
"owner": "jordanisaacs",
"repo": "homeage",
"rev": "02bfe4ca06962d222e522fff0240c93946b20278",
"type": "github"
},
"original": {
"owner": "jordanisaacs",
"repo": "homeage",
"type": "github"
}
},
"hyprland": {
"inputs": {
"hyprland-protocols": "hyprland-protocols",
@ -1556,7 +1471,7 @@
"dekking": "dekking",
"fast-myers-diff": "fast-myers-diff",
"haskell-dependency-graph-nix": "haskell-dependency-graph-nix",
"home-manager": "home-manager_3",
"home-manager": "home-manager_2",
"linkcheck": "linkcheck",
"mergeless": "mergeless",
"nixpkgs": "nixpkgs_2",
@ -2081,6 +1996,22 @@
}
},
"nixpkgs-stable_5": {
"locked": {
"lastModified": 1705957679,
"narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9a333eaa80901efe01df07eade2c16d183761fa3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_6": {
"locked": {
"lastModified": 1685801374,
"narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
@ -2096,7 +2027,7 @@
"type": "github"
}
},
"nixpkgs-stable_6": {
"nixpkgs-stable_7": {
"locked": {
"lastModified": 1685801374,
"narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
@ -2538,7 +2469,7 @@
"flake-utils": "flake-utils_10",
"gitignore": "gitignore_4",
"nixpkgs": "nixpkgs_15",
"nixpkgs-stable": "nixpkgs-stable_5"
"nixpkgs-stable": "nixpkgs-stable_6"
},
"locked": {
"lastModified": 1685970613,
@ -2560,7 +2491,7 @@
"flake-utils": "flake-utils_11",
"gitignore": "gitignore_5",
"nixpkgs": "nixpkgs_16",
"nixpkgs-stable": "nixpkgs-stable_6"
"nixpkgs-stable": "nixpkgs-stable_7"
},
"locked": {
"lastModified": 1700064067,
@ -2594,15 +2525,13 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"anyrun": "anyrun",
"anyrun-nixos-options": "anyrun-nixos-options",
"catppuccin-base16": "catppuccin-base16",
"disko": "disko",
"firefox-addons": "firefox-addons",
"grub2-themes": "grub2-themes",
"home-manager": "home-manager_2",
"homeage": "homeage",
"home-manager": "home-manager",
"hyprland": "hyprland",
"hyprland-contrib": "hyprland-contrib",
"impermanence": "impermanence",
@ -2621,6 +2550,7 @@
"rosepine-base16": "rosepine-base16",
"slambda": "slambda",
"smos": "smos",
"sops-nix": "sops-nix",
"spicetify-nix": "spicetify-nix",
"stylix": "stylix",
"tickler": "tickler",
@ -2851,7 +2781,7 @@
"fuzzy-time": "fuzzy-time",
"get-flake": "get-flake",
"haskell-dependency-graph-nix": "haskell-dependency-graph-nix_2",
"home-manager": "home-manager_4",
"home-manager": "home-manager_3",
"ical": "ical",
"linkcheck": "linkcheck_2",
"looper": "looper",
@ -2899,6 +2829,27 @@
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_5"
},
"locked": {
"lastModified": 1706410821,
"narHash": "sha256-iCfXspqUOPLwRobqQNAQeKzprEyVowLMn17QaRPQc+M=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "73bf36912e31a6b21af6e0f39218e067283c67ef",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"spicetify-nix": {
"inputs": {
"flake-utils": "flake-utils_9",


@ -25,13 +25,6 @@
firefox-addons.inputs.nixpkgs.follows = "nixpkgs";
# }}}
# {{{ Nix-related tooling
# {{{ Secret management
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
homeage.url = "github:jordanisaacs/homeage";
homeage.inputs.nixpkgs.follows = "nixpkgs";
# }}}
# {{{ Storage
impermanence.url = "github:nix-community/impermanence";
@ -46,6 +39,9 @@
nix-index-database.url = "github:Mic92/nix-index-database";
nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
korora.url = "github:adisbladis/korora";
# Nix language server
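Review bot: `sops-nix.inputs.nixpkgs` is made to follow `nixpkgs` but its `nixpkgs-stable` input is not, which is why the lock in this commit gains a separate `nixpkgs-stable_5` tree pinned to `release-23.05` that only sops-nix consumes; `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";` next to the existing follows line drops that extra pinned dependency, as far as I know sops-nix only uses it for its own checks. Style-wise, the removed `# {{{ Secret management` / `# }}}` fold around the agenix lines was not recreated around the sops-nix lines, which now sit unlabeled inside the tooling section; restoring the fold keeps the file's grouping convention. The `inputs` set this hunk belongs to starts and ends outside the hunk.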


@ -38,7 +38,6 @@
ouch # Unified compression / decompression tool
mkpasswd # Hash passwords
jq # Json maniuplation
inputs.agenix.packages.${pkgs.system}.agenix # Secret encryption
# }}}
];


@ -2,6 +2,7 @@
let workflowDir = "${config.home.homeDirectory}/productivity/smos";
in
{
# {{{ Smos config
programs.smos = {
inherit workflowDir;
@ -10,19 +11,21 @@ in
github = {
enable = true;
oauth-token-file = config.homeage.file.smos.path;
oauth-token-file = config.sops.secrets.smos_github_token.path;
};
};
# }}}
# {{{ Storage & secrets
satellite.persistence.at.data.apps.smos.directories = [
config.programs.smos.workflowDir
];
homeage.file.smos = {
source = ./smos_github_oauth.age;
sops.secrets.smos_github_token = {
sopsFile = ./secrets.yaml;
path = "${config.xdg.dataHome}/smos/.github_token";
};
# }}}
# {{{ Add desktop entry
home.packages =
# Start smos with a custom class so our WM can move it to the correct workspace
let smosgui = pkgs.writeShellScriptBin "smosgui" ''
@ -37,4 +40,5 @@ in
exec = "smosgui";
terminal = false;
};
# }}}
}
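Review bot: `path = "${config.xdg.dataHome}/smos/.github_token"` places the token under a directory that is not in the persisted list just above it (only `workflowDir` is), and nothing in the block says that is deliberate. If sops-nix's home-manager module behaves like its NixOS module, `path` is only a symlink into the runtime secrets directory and the decrypted token never touches persistent storage, which is the desirable outcome; a comment keeps someone from later "fixing" it by persisting the directory: `# sops-nix decrypts at activation; this path is a symlink into the runtime secrets dir and is deliberately not persisted`. Confirm the module's symlink behaviour and default file mode before relying on that.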


@ -0,0 +1,21 @@
smos_github_token: ENC[AES256_GCM,data:kqy5mQf96DoPN1iEt2akJWFfD3IJWdSkvZa0MeAyF0WJ/+V5P5C4iQ==,iv:QwmIdV/vzGTLE89XJVi3prgfmXqRa/OYcp9CA7KJDYc=,tag:+S1EZBcxoOQO2ADjDx9STQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwYkx3eWhxZUpTRVR3R1R4
Vm9hMTVsbXBnU0tFU093amU3TTNjalhsVHdvCmZURElTY2Q0eTQvR3M1V3AzTVl4
VkR2NXRHR2FiTURqNUp5Y3VDWFQ1UjgKLS0tIEVlRWs3YUFaZzdvd1Q5bmFwazJi
Y2E3bmM1TkZoOEN0anJqYUNSQUN5ZDAKtobUBBKbfaUeiPtKN4/oTNaxY3C2joCK
8h4FlRLXd+CGnAyjN2p4FliWzLgmOg4HFNmZSmYLpIh4E9yqadNSSg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-31T18:33:00Z"
mac: ENC[AES256_GCM,data:HMJ9K1Ox0GPFgi7yG+Kb7ogHCQHXhj0hZEWGs0gLFHw0qqXBAUpAZfqVDd5DvNQSK7m4lRoxZC+wyc2ni0o95QGoDM1wA83npalvTEZyRI+9N0TAsrO03JHq+1uSawwLEhmHjvcVsX8W3d5hJzY+/Tq21D14SBKMqXxgHwHsH2E=,iv:dEyBbXDHboP/x0Bqo7p3YHh8gJWWfmTNLAZhUYeqkfc=,tag:WduTOOkgox6GRtLkm2Zkdw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 UUF9JQ 8KhqQ8dEHYLDM89d+glRT9xtId2umJM2O8Vj6oWM0zY
UAZ+pzFuL+wKSFY+yG1t1U9l0knA/VpupVBr6m2/+eY
-> Q7U4ZXW4-grease S8&{':OI EQs~v%Gq zp_"?LJ* z@)Y
mmb3Yi9moBnueYa4AeMJwAA0A6lZAo9+L4zYgnxyjLBOUwQMPO/zDPmHqQ
--- HMqzE5ekHYLWxdxpC7J9NMdrfx4VJYVwwnvhq6JAtmI
c ¤ÞµŒ­ûF ;úU¶KFçtö2üÚ_†}¦èns3µ„¼oYCn…쎪8Œ‰¾0á蠦@»"Aìjµ©³QÌ`


@ -1,6 +1,7 @@
{
programs.ssh.enable = true;
# TODO: age persistence
satellite.persistence.at.state.apps.ssh.directories = [ ".ssh" ];
# Makes it easy to copy ssh keys at install time without messing up permissions


@ -1,9 +1,7 @@
{ pkgs, config, ... }: {
homeage.file.wakatime = {
source = ./wakatime_config.age;
symlinks = [
"${config.home.homeDirectory}/.wakatime.cfg"
];
sops.secrets.wakatime_config = {
sopsFile = ./secrets.yaml;
path = "${config.home.homeDirectory}/.wakatime.cfg";
};
home.packages = [ pkgs.wakatime ];
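Review bot: `path = "${config.home.homeDirectory}/.wakatime.cfg"` hands the API-key-bearing config to sops-nix, which is the right direction, but if the module installs `path` as a symlink to a read-only file (as the NixOS module does) any write-back by wakatime-cli to `~/.wakatime.cfg` will fail; I cannot tell from here whether the CLI only reads that file, so this is worth a quick check. A one-line comment on the block would save the next reader the same question: `# Holds the wakatime API key; decrypted by sops-nix and expected to stay read-only`. The default mode the home-manager module applies to this file should also be confirmed as owner-only.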


@ -0,0 +1,21 @@
wakatime_config: ENC[AES256_GCM,data:IgGcMQNf8u2KXjgI60zPKZ6M7oxibbQK+in/9jrnEzk20WA1JM122zICXYuLfuQgNd2CMoEeu4LivQHv/D79tw==,iv:HoS00ihAX+SCw58kgcnvqAy4ILdS+/RPMqQwXusTqYU=,tag:0sSaZTrjO43PB7g215wwUA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDR0RmdFIxNFJpQTdGYXlq
bkZrNktMaFlrOEZtSXh6Y1l6NTN0REN6N2dnCmNMRUk2TXA3RWhtZVlnbTg2aE00
eFVwejBTcWRaTUhGWFFIS1RlVkhhQ28KLS0tIEdWWGRWSDZOQW9pQkdCRFFncTM2
cURjWFplY1pyMzY4a0h6cTRLS2I2ZW8KqGtYjCsdriSWdKhC+kGBAMSY9WVDL3tE
oMxyhrgDMtWndZEGv1+J3XLLmatDKmEcJO2k0CXZlCWWj17O4Rm+eA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-31T18:29:11Z"
mac: ENC[AES256_GCM,data:PmKn6D+olZSKrjY0i9zZ3YZxi+k39CS7ckUF7YaVINqZlCBNe12T+FnPyHhH/vDujA61ZzalsY14SHwSkOwMNVTJ9tdvOEfpEtwq0wKn+5TQmz8LfWNBUazRefhY0hKZN/k/akRjRh65wOvMZfah+L6A9wA7vW1OrCbLtAKExsY=,iv:9vGJAzjRN6MxRG7EeYKKft3YElkicu0XX8Q28Ua2n3M=,tag:eyg5yUH2ME2annShaFQAqg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -4,12 +4,12 @@ let
imports = [
# {{{ flake inputs
inputs.stylix.homeManagerModules.stylix
inputs.homeage.homeManagerModules.homeage
inputs.nur.nixosModules.nur
inputs.impermanence.nixosModules.home-manager.impermanence
inputs.spicetify-nix.homeManagerModules.spicetify
inputs.anyrun.homeManagerModules.default
inputs.nix-index-database.hmModules.nix-index
inputs.sops-nix.homeManagerModules.sops
# {{{ self management
# NOTE: using `pkgs.system` before `module.options` is evaluated
@ -58,8 +58,8 @@ in
# Nicely reload system units when changing configs
systemd.user.startServices = lib.mkForce "sd-switch";
# Where homeage should look for our ssh key
homeage.identityPaths = [ "~/.ssh/id_ed25519" ];
# Tell sops-nix to use ssh keys for decrypting secrets
sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
# Allow root to read persistent files from this user.
home.persistence."/persist/home/adrielus".allowOther = true;
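Review bot: `sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ]` makes the user's SSH authentication key double as the decryption identity for every home secret, so the key that authenticates to remote hosts and forges also unlocks the wakatime and smos tokens, and rotating it forces a `sops updatekeys` across every file. A dedicated identity from `age-keygen`, listed in `.sops.yaml` next to the SSH-derived one during a transition, decouples the two roles; note that `scripts/ssh-to-age.sh` from this commit already writes a second copy of this key's material to `~/.config/sops/age/keys.txt`, so two on-disk copies exist either way. The key must also be present before the first home-manager activation on a freshly installed, impermanent host; a comment such as `# must exist before first activation: home secrets are decrypted with it` captures that ordering. The enclosing module body starts and ends outside this hunk.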


@ -6,10 +6,10 @@ let
# {{{ flake inputs
# inputs.hyprland.nixosModules.default
inputs.disko.nixosModules.default
inputs.agenix.nixosModules.default
inputs.stylix.nixosModules.stylix
inputs.nur.nixosModules.nur
inputs.slambda.nixosModule
inputs.sops-nix.nixosModules.sops
# {{{ self management
# NOTE: using `pkgs.system` before `module.options` is evaluated
@ -38,6 +38,9 @@ in
# Import all modules defined in modules/nixos
imports = builtins.attrValues outputs.nixosModules ++ imports;
# Tell sops-nix to use the host keys for decrypting secrets
sops.age.sshKeyPaths = [ "/persist/state/etc/ssh/ssh_host_ed25519_key" ];
# {{{ ad-hoc options
# Customize tty colors
stylix.targets.console.enable = true;
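Review bot: `sops.age.sshKeyPaths = [ "/persist/state/etc/ssh/ssh_host_ed25519_key" ]` hard-codes the impermanence-backed location, and the `adrielus_password` secret added in this commit is marked `neededForUsers`, which sops-nix decrypts early in stage 2 before users are created; if `/persist` is not mounted by then (`fileSystems."/persist".neededForBoot = true` or the zfs equivalent, which I cannot see from here) the decryption fails and the user is created without a password hash. A comment capturing that dependency belongs on the line: `# Host key lives on /persist, which must be mounted before stage-2 (neededForBoot): password secrets are decrypted before users exist`. Deriving the path from the persistence module's configuration instead of repeating the `/persist/state` prefix here would keep the two from drifting.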


@ -1,6 +1,5 @@
{ config, ... }: {
# Wireless secrets stored through agenix
age.secrets.wireless.file = ./wifi_passwords.age;
sops.secrets.wireless.sopsFile = ../../secrets.yaml;
# https://github.com/NixOS/nixpkgs/blob/nixos-22.11/nixos/modules/services/networking/wpa_supplicant.nix
networking.wireless = {
@ -8,7 +7,7 @@
fallbackToWPA2 = false;
# Declarative
environmentFile = config.age.secrets.wireless.path;
environmentFile = config.sops.secrets.wireless.path;
networks = {
"Neptune".psk = "@ENCELADUS_HOTSPOT_PASS@";
@ -51,13 +50,6 @@
# Ensure group exists
users.groups.network = { };
# Persist imperative config
environment.persistence."/persist/state".files = [
# TODO: investigate why this doesn't work
# "/etc/wpa_supplicant.conf"
];
# The service seems to fail if this file does not exist
systemd.tmpfiles.rules = [ "f /etc/wpa_supplicant.conf" ];
}
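Review bot: `sops.secrets.wireless.sopsFile = ../../secrets.yaml;` lost the comment its agenix predecessor carried, so nothing now says what the secret contains or how it is consumed; the `@ENCELADUS_HOTSPOT_PASS@` placeholder further down is what the file feeds. Suggested: `# KEY=value file with the PSKs substituted into the @...@ placeholders below; decrypted by sops-nix under /run/secrets`. Default sops-nix secrets are root-owned and owner-readable, which as far as I recall matches the root-run substitution step of the wpa_supplicant module, so no `owner`/`mode` override appears necessary from what the hunk shows.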


@ -0,0 +1,40 @@
wireless: ENC[AES256_GCM,data:QKM3llNba24/3Hfjph9JFpOF+G4aGuGDfhlwE/bfvvAX7G/dYRZ5GMZtUIifREviacCywtqYcmLe+IIA9/NtLom3JkgXV5VEoaNym78fMaY5fVvsjqOgzp1O0XXu70UYvHgtA1pDZrCQEv/q7slkBS7mYP+g8NaRff9eIzs6zMWIl3HzqQbdwb5TOzsKzPNZgNp8f9nTmxm6EVdEHx0fhBLepXw6uDGA2Op12XDvR9UDkzwOkyy7oxEhKiPhqi5in8OqfhBGmQ73WV+g38pUNobp5cGL0YjjxHIWKEbX0N6ov2DH4QkeQhJgWNtEsTuGugjWkPvoAgfARMirt+PFZotFPBib1/xZHB7H,iv:TruRRS9fAGjkQU4zs2cOs1olxUYkOOypMmpxOIw9N9o=,tag:Yd4t0DKVpaUul4CrA8hYPA==,type:str]
adrielus_password: ENC[AES256_GCM,data:lREgbcKwzAJQ3PPTWt7LXmgAsrKFCN+baQx4Q2YrHlu16yvKpmaZzPHJ/C5IjucUNbdceTs6Ef99IWzju0d8Hl5Z5UTMspYIhQ==,iv:JqnL3zfCd/xMRqTciA/Q6nYmFKzJkBqda4zucsE5KFw=,tag:RGZ/0/NEpdchj9h/l3Z7Ig==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbzNLcXFBcTlIM3hjZTN0
bTFZUDJnS3lROExSREVkd0FMeHU3RGVWdzJnCkszOVROZlBmZWl2cjFkcTZ1OWZw
eThXSTliNmxHM3o3NzhUOUkvU0YzNzgKLS0tIHBWSmRTTlJBdmlKQy9YWHR0NGds
ak5kUFRJK3JCcUYvSFY2eGtIOTk3RkkKl3yBZjjBExU9RoZbaKBixfsywqFWFnq4
n7olhkNMVIC+BcLYno0oIT2oILASMkE3NbH85IHlYZY2qQvFKDbG7w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1avsekqqyr62urdwtpfpt0ledzm49wy0rq7wcg3rnsprdx22er5usp0jxgs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aExaRC9SclVvT1g4WFI0
N1grVzZWWmpPaGEwRmx3TjUyK0dvL0RNdmhjClY5UmI0eWZOTXZqbGFxT05OSnk1
RTAyYStRN0NsRnZlWk03eXIrajdiRjQKLS0tIHlMdzBVNFEzR2FuVFZEWStFY1hh
MnFiSGt3dWZxWnF3M2FkbTJzSTA2VTAKtD40Gp12vB24Wnr8NvY7/ZWr9XVDF9Bl
FUL34R1mpgweNJ1IowFPgQbxsyMTG7iYB4jC50JZNOKJxe9NaeOUlQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtK0pFcWlheEwzV3N3bVFQ
K3EwNXI5MXQyYld6Z3J1aVNHWlQ4UjlxSzIwCktDbG9iMFRVQnJBenhWVFhLa2N1
SWRMR3JLajJscWFqMy84aGNFcy9UK1UKLS0tIEZoT0d2bVJpV3ByWmV0eENZVjM3
WFd4ZFNHWG5Cakw5cU9MRE9HWHQ4THMKr/S7v1Oj3zQziMtI/NuFVm6AaJF5JV5U
sEr2nEptYFz4G6YL5psQGXHaKzQKBg+crgKRbYL4akhqT7pfYPC0bQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-31T18:18:48Z"
mac: ENC[AES256_GCM,data:9kYBMib8MuIdcJK0Lxh3sYP4OrlFCn3DZP8X82mSvnK15l8rVXFu2xfIbt1nviDj9IFhsZ3+2qzUnPq650erG6JpuHdzdmxIE49nU8BqmqtiQ4SAFAdC7zEbWaWk3SKmm1ouarBuHWtfvN3uw/ULpdExxt8Or8kvgvoVPX2L85E=,iv:wDWg/ba89AqW5bwqVydLZdfhPFgkNLRTKx1caER6SmI=,tag:1JY/HsipandxtmCmYXuavQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,7 +1,9 @@
{ pkgs, outputs, config, lib, ... }:
{
# Password file stored through agenix
age.secrets.adrielusPassword.file = ./adrielus_password.age;
sops.secrets.adrielus_password = {
sopsFile = ../secrets.yaml;
neededForUsers = true;
};
users = {
# Configure users through nix only
@ -12,12 +14,6 @@
# Adds me to some default groups, and creates the home dir
isNormalUser = true;
# File containing my password, managed by agenix
hashedPasswordFile = config.age.secrets.adrielusPassword.path;
# Set default shell
shell = pkgs.fish;
# Picked up by our persistence module
homeMode = "755";
@ -31,6 +27,9 @@
"syncthing" # syncthing!
];
hashedPasswordFile = config.sops.secrets.adrielus_password.path;
shell = pkgs.fish;
openssh.authorizedKeys.keyFiles =
(import ./common.nix).authorizedKeys { inherit outputs lib; };
};
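Review bot: `hashedPasswordFile = config.sops.secrets.adrielus_password.path;` now sits without the comment its agenix predecessor had, and its pairing with `neededForUsers = true` in the first hunk is the non-obvious part — without that flag the secret would not exist yet when users are created. Suggested comment on the line: `# Decrypted into /run/secrets-for-users via neededForUsers, i.e. before user creation`. If users are immutable, as the "Configure users through nix only" comment suggests, a failed decryption (missing host key, /persist not mounted early) yields an account with no usable password, leaving the `openssh.authorizedKeys` entry below as the only way in; worth a note or an explicit console recovery path. The enclosing `users` set continues past the end of the hunk.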


@ -1,14 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 qgVaDQ sYn14+1vJEk4dnYdHQ58q36LTMS7tU5V3V/3xswLWHk
mnr7r/IJOmVtnsSiIq9B8GvO6xnNs3r7jiz0yLAAL8Q
-> ssh-ed25519 3gahUA kpYU2sudkfqfCGrqjeNsU61IEal7AGJLJuXE8Wyo0Ro
m3Z6vZGG+h3lvtT7zYl1lIb+z9tVzRw0Tpr17LHE1NA
-> ssh-ed25519 UUF9JQ MzmLpgpJ/t4XrLFUk8xUhyO+W2if+aCG7t7aHv3Tqkw
Yf51xXY5pzC+txLTIiK4PwZksjeaTDlPIwGhghaAQPg
-> <jAUJ|5-grease )*]+{]30 T_Hy 8I jR@u$
clZ4bFz5PYI24Ddnvg4saB9XQu/hmUa7b4eiTEs1o6/IPh5sgQyNTDjcVh+b3M2R
BynXRA0VmzlXj4fr0mgM7X0t+w510aS5IJxM8XK3HkrCb32y40lv7VcJeSA
--- dj4NWvivR9a4Spob27oag9Hgx5T5169brKAmr6MqWfM
ÿø»fu¸¬–Äò.<ËÞù1T4~™î’¯ÓáÿOCoåÆ1åAúúJÈÇ©\gF&!eŽàQ:ç®3”÷½Ð~/ûr
¬Øò‘ QÓW
v<EFBFBD>² Oœ¯ Z†ËÝlÖ".ßšs2NAn,·#

2
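--- a/scripts/age-public-key.sh
+++ b/scripts/age-public-key.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+nix-shell -p age --run "age-keygen -y ~/.config/sops/age/keys.txt"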
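Review bot: `age-keygen -y ~/.config/sops/age/keys.txt` fails with an opaque error when the key file is absent, which is the normal state of a fresh machine before `scripts/ssh-to-age.sh` has been run. A guard ahead of it makes the dependency explicit: `[ -r ~/.config/sops/age/keys.txt ] || { echo "no age key at ~/.config/sops/age/keys.txt; run scripts/ssh-to-age.sh first" >&2; exit 1; }`, with `set -euo pipefail` after the shebang. A one-line header comment stating the purpose (print the age recipient to paste into .sops.yaml) would also help.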


@ -1,4 +1,4 @@
#!/usr/bin/env nix-shell
#!/usr/bin/env nix-shellge
#!nix-shell ../devshells/bootstrap/shell.nix
#!nix-shell -i bash
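Review bot: The shebang on the new side reads `#!/usr/bin/env nix-shellge` (assuming the rendered old/new order), which is not an executable, so this script can no longer be launched directly; it looks like stray keystrokes and should read `#!/usr/bin/env nix-shell`. Nothing else in the hunk depends on it, and the file's path is not shown on this page. The rest of the script lies outside the hunk.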

6
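--- a/scripts/ssh-to-age.sh
+++ b/scripts/ssh-to-age.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+echo "📁 Creating sops directory"
+mkdir -p ~/.config/sops/age
+echo "🔑 Converting ssh key to age"
+nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
+echo "🚀 All done"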
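Review bot: The redirect inside `nix-shell -p ssh-to-age --run "... > ~/.config/sops/age/keys.txt"` creates the private age key file with the caller's default umask, which on a typical 022 setup leaves a world-readable file equivalent to `~/.ssh/id_ed25519`; `mkdir -p` likewise creates the directory with default permissions. The script also silently overwrites an existing keys.txt, which would destroy a dedicated age identity if one is ever added, and has no `set -e`, so a failed conversion still prints "All done". Setting `umask 077` before creating anything, refusing to clobber an existing file, and failing fast covers all three; the converter invocation itself is unchanged.
```bash
#!/usr/bin/env bash
set -euo pipefail
# keys.txt is private key material: create the directory and file owner-only
umask 077
keyfile=~/.config/sops/age/keys.txt
echo "📁 Creating sops directory"
mkdir -p "$(dirname "$keyfile")"
if [ -e "$keyfile" ]; then
  echo "❌ $keyfile already exists; refusing to overwrite it" >&2
  exit 1
fi
echo "🔑 Converting ssh key to age"
nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > $keyfile"
echo "🚀 All done"
```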


@ -1,19 +0,0 @@
let
tethys = builtins.readFile ./hosts/nixos/tethys/keys/ssh_host_ed25519_key.pub;
lapetus = builtins.readFile ./hosts/nixos/lapetus/keys/ssh_host_ed25519_key.pub;
adrielus_tethys = builtins.readFile ./hosts/nixos/tethys/keys/id_ed25519.pub;
adrielus_lapetus = builtins.readFile ./hosts/nixos/lapetus/keys/id_ed25519.pub;
all_hosts = [ tethys lapetus ];
in
{
# Scoped for entire systems
"./hosts/nixos/common/global/wireless/wifi_passwords.age".publicKeys = all_hosts ++ [ adrielus_tethys ];
"./hosts/nixos/common/users/adrielus_password.age".publicKeys = all_hosts ++ [ adrielus_tethys ];
# Scoped for the user
# TODO: perhaps move this into `pass`?.
"./home/features/desktop/wakatime/wakatime_config.age".publicKeys = [ adrielus_tethys ];
"./home/features/cli/productivity/smos/smos_github_oauth.age".publicKeys = [ adrielus_tethys ];
}