diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..0956b03
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,25 @@
+---
+keys:
+ - &system_nixnuc age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4
+ - &system_rainbow_planet age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck
+ - &user_blue_rock age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d
+creation_rules:
+ - path_regex: nixnuc/secrets.yaml$
+ key_groups:
+ - age:
+ - *system_nixnuc
+ - path_regex: rainbow-planet/secrets.yaml$
+ key_groups:
+ - age:
+ - *system_rainbow_planet
+ - path_regex: Blue-Rock/secrets.yaml$
+ key_groups:
+ - age:
+ - *user_blue_rock
+ - path_regex: modules/system/common/secrets.yaml$
+ key_groups:
+ - age:
+ - *system_nixnuc
+ - *system_rainbow_planet
+ - *user_blue_rock
+
diff --git a/flake.lock b/flake.lock
index 3b47bbc..c93eed6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -163,6 +163,22 @@
 "type": "indirect"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1702777222,
+ "narHash": "sha256-/SYmqgxTYzqZnQEfbOCHCN4GzqB9uAIsR9IWLzo0/8I=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "a19a71d1ee93226fd71984359552affbc1cd3dc3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-unstable": {
 "locked": {
 "lastModified": 1702539185,
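Review bot: Each host rule in `creation_rules` names a single recipient, the host's own key, so `nixnuc/secrets.yaml` and `rainbow-planet/secrets.yaml` can only be decrypted or re-encrypted on that host and become unrecoverable if that host key is lost; consider adding `*user_blue_rock` to the `nixnuc` and `rainbow-planet` key groups so the workstation can edit and recover them. The last rule, `path_regex: modules/system/common/secrets.yaml$`, matches a file that nothing in this diff adds, so it is presumably a placeholder; a short comment such as `# reserved for secrets shared by all hosts (file not yet created)` would make that explicit. The `path_regex` values are unanchored at the start, which is harmless here but worth knowing when more hosts are added.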
@@ -218,7 +234,29 @@ "nix-darwin": "nix-darwin", "nix-homebrew": "nix-homebrew", "nixpkgs": "nixpkgs_3", - "nixpkgs-unstable": "nixpkgs-unstable" + "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1702812162, + "narHash": "sha256-18cKptpAAfkatdQgjO5SZXZsbc1IVPRoYx2AxaiooL4=", + "owner": "mic92", + "repo": "sops-nix", + "rev": "21f2b8f123a1601fef3cf6bbbdf5171257290a77", + "type": "github" + }, + "original": { + "owner": "mic92", + "repo": "sops-nix", + "type": "github" } }, "systems": { diff --git a/flake.nix b/flake.nix index 27018a0..12a5129 100644 --- a/flake.nix +++ b/flake.nix @@ -27,6 +27,12 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + # Secrets managemnt + sops-nix = { + url = "github:mic92/sops-nix"; + inputs.nixpkgs.follows ="nixpkgs"; + }; + # My oh-my-posh theme genebean-omp-themes = { url = "github:genebean/my-oh-my-posh-themes"; @@ -34,7 +40,7 @@ }; }; # end inputs - outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, nix-darwin, home-manager, nix-homebrew, disko, genebean-omp-themes, ... }: let + outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, nix-darwin, home-manager, nix-homebrew, disko, sops-nix, genebean-omp-themes, ... }: let # creates a macOS system config darwinHostConfig = system: hostname: username: nix-darwin.lib.darwinSystem { @@ -57,10 +63,11 @@ home-manager.darwinModules.home-manager { home-manager = { - extraSpecialArgs = { inherit genebean-omp-themes; }; + extraSpecialArgs = { inherit genebean-omp-themes username; }; useGlobalPkgs = true; useUserPackages = true; users.${username}.imports = [ + sops-nix.homeManagerModule # user-level secrets management ./modules/home-manager/hosts/${hostname}/${username}.nix ]; }; 
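Review bot: The new `sops-nix` input in flake.nix leaves its own `nixpkgs-stable` input at its upstream pin, which is why flake.lock gains a second full nixpkgs tree (`release-23.05`) next to the ones already locked; if a separate stable checkout is not wanted, add `inputs.nixpkgs-stable.follows = "nixpkgs";` beside the existing follows line. Two style nits in the same hunk: the comment reads `# Secrets managemnt` and `inputs.nixpkgs.follows ="nixpkgs";` lacks the space after `=` that the sibling inputs use, e.g. `inputs.nixpkgs.follows = "nixpkgs";`. The `inputs` attrset begins outside the hunk.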
@@ -84,7 +91,7 @@ modules = [ home-manager.nixosModules.home-manager { home-manager = { - extraSpecialArgs = { inherit genebean-omp-themes; }; + extraSpecialArgs = { inherit genebean-omp-themes hostname username; }; useGlobalPkgs = true; useUserPackages = true; users.${username}.imports = [ @@ -93,6 +100,7 @@ }; } + sops-nix.nixosModules.sops # system wide secrets management ./modules/system/common/all-nixos.nix # system-wide stuff ./modules/hosts/nixos/${hostname} # host specific stuff ]; diff --git a/modules/home-manager/common/all-darwin.nix b/modules/home-manager/common/all-darwin.nix index 9d16bb6..0f364f0 100644 --- a/modules/home-manager/common/all-darwin.nix +++ b/modules/home-manager/common/all-darwin.nix @@ -1,4 +1,4 @@ -{ pkgs, genebean-omp-themes, ... }: { +{ pkgs, genebean-omp-themes, sops-nix, username, ... }: { # dawrwin-specific shell config programs.zsh = { initExtra = '' @@ -23,4 +23,6 @@ ykey = "pkill -9 gpg-agent && source ~/.zshrc; ssh-add -L"; }; }; + + sops.age.keyFile = "/Users/${username}/Library/Application Support/sops/age/keys.txt"; } diff --git a/modules/home-manager/common/all-linux.nix b/modules/home-manager/common/all-linux.nix index d50f5fd..480e37c 100644 --- a/modules/home-manager/common/all-linux.nix +++ b/modules/home-manager/common/all-linux.nix @@ -9,4 +9,5 @@ ykey = "sudo systemctl restart pcscd && sudo pkill -9 gpg-agent && source ~/.zshrc; ssh-add -L"; }; }; -} \ No newline at end of file + +} diff --git a/modules/home-manager/hosts/Blue-Rock/gene.liverman.nix b/modules/home-manager/hosts/Blue-Rock/gene.liverman.nix index 4b58941..3adea47 100644 --- a/modules/home-manager/hosts/Blue-Rock/gene.liverman.nix +++ b/modules/home-manager/hosts/Blue-Rock/gene.liverman.nix @@ -1,4 +1,4 @@ -{ pkgs, genebean-omp-themes, ... }: { +{ pkgs, genebean-omp-themes, sops-nix, username, ... }: { home.stateVersion = "23.11"; imports = [ ../../common/all-cli.nix 
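Review bot: `sops.age.keyFile = "/Users/${username}/Library/Application Support/sops/age/keys.txt"` in `all-darwin.nix` hard-codes the macOS home directory from the `username` argument, and the same pattern appears in the `sops.secrets.*.path` values of `Blue-Rock/gene.liverman.nix` further down this page; home-manager already knows the home directory, so `config.home.homeDirectory` keeps these correct if the account or platform layout ever differs. `sops-nix` is added to the module's argument set but, as far as this hunk shows, never used, so it could give way to `config`: `{ config, pkgs, genebean-omp-themes, username, ... }: {` and `sops.age.keyFile = "${config.home.homeDirectory}/Library/Application Support/sops/age/keys.txt";`. The module's attrset continues outside the hunk.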
@@ -14,4 +14,12 @@
 k9s.enable = true;
 };
 
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ secrets = {
+ local_git_config.path = "/Users/${username}/.gitconfig-local";
+ local_private_env.path = "/Users/${username}/.private-env";
+ };
+ };
+
 }
diff --git a/modules/home-manager/hosts/Blue-Rock/secrets.yaml b/modules/home-manager/hosts/Blue-Rock/secrets.yaml
new file mode 100644
index 0000000..8c90990
--- /dev/null
+++ b/modules/home-manager/hosts/Blue-Rock/secrets.yaml
@@ -0,0 +1,23 @@
+tailscale_key: ENC[AES256_GCM,data:7XXDKJ/x/8F5HabD7dYE4OE8kLMUjkxCp5eBnVayErPpobo+/4P2DC6ZAUlnaxllHpFMPMQE82S4,iv:aRUvoHuwNa3kOnH38foY/dfZl3JH8LyQsZb2qDGACsM=,tag:YL3Dm66WuDIv8KwvYLfjUw==,type:str]
+local_git_config: ENC[AES256_GCM,data:DC8DzFYGT0H/5t2QhtvSc65WMil+nhj6BUdYujnNqyQJVlRe5DgIgCu280/y,iv:cCWJ9PmqIB8udCVQJfb8w5rPYIq9CWB0smtv+jiLm/o=,tag:5eeaHfPr6Y6B30CB7Yidqw==,type:str]
+local_private_env: ENC[AES256_GCM,data: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,iv:/ljcG+rx0JjgXIfGpZ+rnuss0i+ZXi3vSCtly2XRxRo=,tag:+0+yPNQuTnCj4zF8cQEeeg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTd1Rzb3dKZW45MUgzVVZV
+ RTVCb201dGthUWZTYXpJbks3anh5THBBbFFJCnl2TkdLQnVwM1RJSy9xNzQ3SURs
+ MWRZbm41dUJiUTNhN1VuSnRCbktvUzgKLS0tIFdTODVoRkhJSnBPM0o1dlhyUTlU
+ b3U5ZWtYNXgzQXljYU5DSlJkUitjUGMKMtV3Q3X9Hn/ILCm5Wf9rt5YezT76Nnrn
+ XYbIIVIglNfgaS4iVgQhMOPh+yLJ5P+swFSt6/vrDH72LUFA9YNxSw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-12-18T19:39:41Z"
+ mac: ENC[AES256_GCM,data:LwQGcpDFrsuc0yYEv0ElJa50AdnzWk/xs78UJz4VjRPOEZbw3ibo3MmLcrYSsatU4cLqtBbVO60/lWjeeKiqmzAKdbxA/sui3JLYB4aS6wEnJvrNa4+cNr9cryaAMBF2zz9eXifBGa5Hk1VuXPCwLzAftBSTqdhIWfOHA/jej2w=,iv:eUk2TJ4fVk8y4FPYW9mgoT4UHRH6SP5GEWYsf68K714=,tag:TPn9xY+IiWHFEuD4jVvvkA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
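Review bot: `Blue-Rock/secrets.yaml` carries a `tailscale_key` entry, but the home-manager `sops.secrets` block in the same change only declares `local_git_config` and `local_private_env`, so that credential is encrypted to the workstation user key for no consumer visible in this diff; if nothing on the Mac reads it, drop the entry so the workstation does not hold a spare copy of a key the NixOS hosts already carry in their own files. The two `path` values repeat the hard-coded `/Users/${username}` prefix; `config.home.homeDirectory` is the usual source for that in a home-manager module. The `sops` attrset is complete within the hunk, but the module's outer attrset starts outside it.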
diff --git a/modules/home-manager/hosts/nixnuc/gene.nix b/modules/home-manager/hosts/nixnuc/gene.nix
index 0c2ef47..30158a5 100644
--- a/modules/home-manager/hosts/nixnuc/gene.nix
+++ b/modules/home-manager/hosts/nixnuc/gene.nix
@@ -3,6 +3,5 @@
 imports = [
 ../../common/all-cli.nix
 ../../common/all-linux.nix
- ];
-
+ ];
 }
diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix
index d8754c2..17266d5 100644
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
@@ -1,4 +1,4 @@
-{ inputs, config, pkgs, username, ... }: {
+{ inputs, config, hostname, pkgs, sops-nix, username, ... }: {
 imports = [
 ./hardware-configuration.nix
 ];
@@ -72,7 +72,6 @@
 enable = true;
 openFirewall = true;
 };
- openssh.enable = true;
 tailscale = {
 extraUpFlags = [
 "--advertise-exit-node"
@@ -82,6 +81,21 @@
 };
 };
 
+ sops = {
+ age.keyFile = /home/${username}/.config/sops/age/keys.txt;
+ defaultSopsFile = ./secrets.yaml;
+ secrets = {
+ local_git_config = {
+ owner = "${username}";
+ path = "/home/${username}/.gitconfig-local";
+ };
+ local_private_env = {
+ owner = "${username}";
+ path = "/home/${username}/.private-env";
+ };
+ };
+ };
+
 users.users.${username} = {
 isNormalUser = true;
 description = "Gene Liverman";
diff --git a/modules/hosts/nixos/nixnuc/secrets.yaml b/modules/hosts/nixos/nixnuc/secrets.yaml
new file mode 100644
index 0000000..1895889
--- /dev/null
+++ b/modules/hosts/nixos/nixnuc/secrets.yaml
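Review bot: `age.keyFile = /home/${username}/.config/sops/age/keys.txt;` in `nixnuc/default.nix` is an unquoted Nix path literal rather than a string; if that path value is ever coerced to a string while the option is rendered, Nix copies the file it points at into the world-readable store, and under pure flake evaluation an absolute path outside the repository is rejected outright, so neither outcome is acceptable for a private age key. Quote it the way `sshKeyPaths` is quoted in `all-nixos.nix`: `age.keyFile = "/home/${username}/.config/sops/age/keys.txt";`; the rainbow-planet `default.nix` hunk further down this page has the identical line. It is also worth confirming whether this per-user key is needed at all, since `.sops.yaml` encrypts the host file only to the host's own recipient and `all-nixos.nix` already points sops at the host ssh key. The enclosing module attrset begins outside the hunk.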
@@ -0,0 +1,23 @@
+tailscale_key: ENC[AES256_GCM,data:aB3KUD4QYm+ZDrjjLcU3gQ8kneVGkVYBsrkVcioOhxunal2FekLDrpKxJwNXuiwx2M5vipnGAEPO,iv:e+tPPfVYkv4U0KRGwspWb1O3ZQom/WFFGm9H9cd/KKE=,tag:ZG5z1C18bj1L7DcGzunQ0w==,type:str]
+local_git_config: ENC[AES256_GCM,data:Nqwog5C4wnRzNoS4oqaYQ4J1DIj7fUL1y/nXESquR0N7KQ+ebhvuJnM=,iv:Q6o45LZStS3k8iO7s2P6u7OrKFu5alplshZuGgeRKmk=,tag:NcLJrI9AK4eDroODX15lcA==,type:str]
+local_private_env: ""
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6djJ0Z2t4SFNjbzlHUmt2
+ NjVudktRcU9yZ0NEQXlnZG5uYTNoNExySFUwCldETHFwNzhwWEExTmxVV2dkTlBL
+ VWYzbEtENUlhQmtUam9WTlhib1NZZDgKLS0tIGY2czVIdzVrQ2VoaGExNGlET0s5
+ bHZlNTZDV2NYU1hQQy9mem80SFF6TFkKfmjkJBfTdh0vTtGaVx1t3tHJvSsAwdYD
+ PF025X9U+yG2oIopwXEVBkxcD70eyuJn3OqH0xoVLBkbhNM9i8LHrA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-12-18T23:32:41Z"
+ mac: ENC[AES256_GCM,data:ZBxEwy4+Z+o+WjpiSyYoRl3yipE38WlosHdlCjSW6evwrgZtMhGqOjvYloKLMhWNdRdRbpmfQfXjsdaiLIkyWMYAQ4zv3GdVTwCzjFOEQV/1J/7yohBMT6zDd73go73/2jys4HPYp44AuLIMm5ngzmt+fszOUvnuOFUBogqJ/rY=,iv:qnFlQ5NKbnu96ZURN5t1dS0279Pid9D5reWX1xVkqeQ=,tag:61rKxPC1TnuAgOJy0090Pw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/modules/hosts/nixos/rainbow-planet/default.nix b/modules/hosts/nixos/rainbow-planet/default.nix
index 1e05786..30ee43e 100644
--- a/modules/hosts/nixos/rainbow-planet/default.nix
+++ b/modules/hosts/nixos/rainbow-planet/default.nix
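Review bot: `local_private_env: ""` is an empty value that sops has left in the clear rather than as an `ENC[...]` entry, while `nixnuc/default.nix` in this same change declares `sops.secrets.local_private_env` with a path under the user's home, so presumably an empty `.private-env` will be materialized on nixnuc. If the value is genuinely not needed on that host, drop the key here and the matching secret declaration instead of shipping a placeholder; if it is needed, fill it in before merging. A one-line comment on the Nix declaration recording which of the two it is would spare the next reader the same question.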
@@ -95,6 +95,21 @@
 wireplumber.enable = true;
 };
 
+ sops = {
+ age.keyFile = /home/${username}/.config/sops/age/keys.txt;
+ defaultSopsFile = ./secrets.yaml;
+ secrets = {
+ local_git_config = {
+ owner = "${username}";
+ path = "/home/${username}/.gitconfig-local";
+ };
+ local_private_env = {
+ owner = "${username}";
+ path = "/home/${username}/.private-env";
+ };
+ };
+ };
+
 # Define a user account. Don't forget to set a password with ‘passwd’.
 users.users.${username} = {
 isNormalUser = true;
diff --git a/modules/hosts/nixos/rainbow-planet/secrets.yaml b/modules/hosts/nixos/rainbow-planet/secrets.yaml
new file mode 100644
index 0000000..5b7d276
--- /dev/null
+++ b/modules/hosts/nixos/rainbow-planet/secrets.yaml
@@ -0,0 +1,23 @@ +local_git_config: ENC[AES256_GCM,data:/ACb6GC4hbj04TrCcvxeLEbG0V5CxlYTiaGmG/DINYun2CEZkFizES4=,iv:YzXCwRe6Vxsyvf/8LareEtc8boeR2V3Ykd09pOs4K4M=,tag:PcBRqupIOg4EvFH8NqUoqw==,type:str] +local_private_env: ENC[AES256_GCM,data:QMxbb8SYgzmqNyoOa8Cd4fFXweTLZHurNz6ADVz6nRxoiBBUJRwWx6AF/MzL5ycsGVBnFWenwOg0SM8lxg==,iv:peGrUG0AdJ16wQD8GovlK1QcTT21pQQ2p/d10KsmF0Y=,tag:ZCTB5GTIpI/t9bfjDMJM3g==,type:str] +tailscale_key: ENC[AES256_GCM,data:TCuAitDhMHkq0XCbuovgC9ePqtu9MzwhmgtL9G4BC9g08ggWA0cmbpCagR7ndTtSUwYRqBU/Blo=,iv:vh/neiDQuo4OyIo/c95xPzhhLuhG/yFQb7cCN+K57LM=,tag:mz7VOXUMrTQ8WZPauPxW+w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMmkwRnhYM2FyVFUyaE9Q + UnhoYkNrS0lpRE91V25IZmRLZFZzQUo3eDBnCitwZUxQNXArOVhBc2dMU2lBVkd4 + K2hrRFlpME9KLzJYRmEwQjAyUVgxN0UKLS0tIFVXaDRFSmFpYnA2TFhQaE9xaGtj + dHRTcjV0UHJXbVZBODZRMmdPK0s0cTAKpuEK6KT0mWUdoWhCUJ3tjtJrWjontFS3 + z7xrKE9hUcy22TheQGvUSu6xwRN4D9Mowx/zNA/Ox2bhsGbfx2rz6Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-19T00:55:46Z" + mac: ENC[AES256_GCM,data:fz9qPVGL6F2p12uThpZdvFZwTkqJ60zyc7aMij6BmvHeqW5lCDifV09rxpawQxUR/H6Za2erfkdijvAjy0GtZ8QsOmIzBnbHjOc7cV+qSXFENmAo2o9y/8DUpC53hJIA6ISRfYcfbGMkqio6GIsrWjgwVuA4Jk+p06EulXkCOxI=,iv:hLdBdnsjaFuK4C+FLNT/lHHW7B29qDW3zVd2a4X/cwk=,tag:h35x4TjNNujH3y3dgwul8w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/modules/system/common/all-darwin.nix b/modules/system/common/all-darwin.nix index 608c496..045dee8 100644 --- a/modules/system/common/all-darwin.nix +++ b/modules/system/common/all-darwin.nix @@ -7,6 +7,7 @@ "/share/zsh" ]; systemPackages = with pkgs; [ + age coreutils hugo mas @@ -14,6 +15,8 @@ nodejs nodePackages.npm openjdk + sops + ssh-to-age ]; }; 
diff --git a/modules/system/common/all-nixos.nix b/modules/system/common/all-nixos.nix index fd82a32..7526668 100644 --- a/modules/system/common/all-nixos.nix +++ b/modules/system/common/all-nixos.nix @@ -1,4 +1,4 @@ -{ config, pkgs, hostname, username, ... }: { +{ config, hostname, pkgs, sops-nix, username, ... }: { imports = [ ./linux/internationalisation.nix ]; @@ -6,10 +6,13 @@ environment = { shells = with pkgs; [ bash zsh ]; systemPackages = with pkgs; [ + age dconf2nix file neofetch python3 + sops + ssh-to-age tailscale unzip wget @@ -44,8 +47,22 @@ security.sudo.wheelNeedsPassword = false; - services.tailscale = { - enable = true; + services = { + openssh.enable = true; + tailscale = { + enable = true; + authKeyFile = config.sops.secrets.tailscale_key.path; + }; + }; + + sops = { + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + secrets = { + tailscale_key = { + restartUnits = [ "tailscaled-autoconnect.service" ]; + sopsFile = ../../hosts/nixos/${hostname}/secrets.yaml; + }; + }; }; time.timeZone = "America/New_York";
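Review bot: `openssh.enable = true;` now applies to every host that imports `all-nixos.nix`, and it sits directly under `security.sudo.wheelNeedsPassword = false;`, so any successful ssh login as a wheel user is a password-free path to root; the hunk leaves sshd at the NixOS defaults, which still permit password authentication. Since this flake already manages keys, disable password and keyboard-interactive logins in the same `services` block: `openssh.settings.PasswordAuthentication = false;` and `openssh.settings.KbdInteractiveAuthentication = false;`. Separately, `sopsFile = ../../hosts/nixos/${hostname}/secrets.yaml` duplicates the `defaultSopsFile = ./secrets.yaml` each host module sets in this change; setting `defaultSopsFile` once here from `hostname` and dropping the per-host copies would leave a single place to change. The `services` and `sops` attrsets are complete within the hunk, but the surrounding module continues beyond it.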