Setup and utilize SOPS

2026-03-27 09:27:44 -04:00 · 2023-12-18 15:34:47 -05:00 · 2023-12-18 15:34:47 -05:00 · 5ab4df18b2
commit 5ab4df18b2
parent 0fc27eb75f
14 changed files with 213 additions and 14 deletions
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
@ -1,4 +1,4 @@
-{ inputs, config, pkgs, username,  ... }: {
+{ inputs, config, hostname, pkgs, sops-nix, username,  ... }: {
  imports = [
    ./hardware-configuration.nix
  ];
@ -72,7 +72,6 @@
      enable = true;
      openFirewall = true;
    };
-    openssh.enable = true;
    tailscale = {
      extraUpFlags = [
        "--advertise-exit-node"
@ -82,6 +81,21 @@
    };
  };

+  sops = {
+    age.keyFile = /home/${username}/.config/sops/age/keys.txt;
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      local_git_config = {
+        owner = "${username}";
+        path = "/home/${username}/.gitconfig-local";
+      };
+      local_private_env = {
+        owner = "${username}";
+        path = "/home/${username}/.private-env";
+      };
+    };
+  };
+
  users.users.${username} = {
    isNormalUser = true;
    description = "Gene Liverman";
--- a/modules/hosts/nixos/nixnuc/secrets.yaml
+++ b/modules/hosts/nixos/nixnuc/secrets.yaml
@ -0,0 +1,23 @@
+tailscale_key: ENC[AES256_GCM,data:aB3KUD4QYm+ZDrjjLcU3gQ8kneVGkVYBsrkVcioOhxunal2FekLDrpKxJwNXuiwx2M5vipnGAEPO,iv:e+tPPfVYkv4U0KRGwspWb1O3ZQom/WFFGm9H9cd/KKE=,tag:ZG5z1C18bj1L7DcGzunQ0w==,type:str]
+local_git_config: ENC[AES256_GCM,data:Nqwog5C4wnRzNoS4oqaYQ4J1DIj7fUL1y/nXESquR0N7KQ+ebhvuJnM=,iv:Q6o45LZStS3k8iO7s2P6u7OrKFu5alplshZuGgeRKmk=,tag:NcLJrI9AK4eDroODX15lcA==,type:str]
+local_private_env: ""
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6djJ0Z2t4SFNjbzlHUmt2
+            NjVudktRcU9yZ0NEQXlnZG5uYTNoNExySFUwCldETHFwNzhwWEExTmxVV2dkTlBL
+            VWYzbEtENUlhQmtUam9WTlhib1NZZDgKLS0tIGY2czVIdzVrQ2VoaGExNGlET0s5
+            bHZlNTZDV2NYU1hQQy9mem80SFF6TFkKfmjkJBfTdh0vTtGaVx1t3tHJvSsAwdYD
+            PF025X9U+yG2oIopwXEVBkxcD70eyuJn3OqH0xoVLBkbhNM9i8LHrA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-18T23:32:41Z"
+    mac: ENC[AES256_GCM,data:ZBxEwy4+Z+o+WjpiSyYoRl3yipE38WlosHdlCjSW6evwrgZtMhGqOjvYloKLMhWNdRdRbpmfQfXjsdaiLIkyWMYAQ4zv3GdVTwCzjFOEQV/1J/7yohBMT6zDd73go73/2jys4HPYp44AuLIMm5ngzmt+fszOUvnuOFUBogqJ/rY=,iv:qnFlQ5NKbnu96ZURN5t1dS0279Pid9D5reWX1xVkqeQ=,tag:61rKxPC1TnuAgOJy0090Pw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/modules/hosts/nixos/rainbow-planet/default.nix
+++ b/modules/hosts/nixos/rainbow-planet/default.nix
@ -95,6 +95,21 @@
    wireplumber.enable = true;
  };

+  sops = {
+    age.keyFile = /home/${username}/.config/sops/age/keys.txt;
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      local_git_config = {
+        owner = "${username}";
+        path = "/home/${username}/.gitconfig-local";
+      };
+      local_private_env = {
+        owner = "${username}";
+        path = "/home/${username}/.private-env";
+      };
+    };
+  };
+
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.${username} = {
    isNormalUser = true;
--- a/modules/hosts/nixos/rainbow-planet/secrets.yaml
+++ b/modules/hosts/nixos/rainbow-planet/secrets.yaml
@ -0,0 +1,23 @@
+local_git_config: ENC[AES256_GCM,data:/ACb6GC4hbj04TrCcvxeLEbG0V5CxlYTiaGmG/DINYun2CEZkFizES4=,iv:YzXCwRe6Vxsyvf/8LareEtc8boeR2V3Ykd09pOs4K4M=,tag:PcBRqupIOg4EvFH8NqUoqw==,type:str]
+local_private_env: ENC[AES256_GCM,data:QMxbb8SYgzmqNyoOa8Cd4fFXweTLZHurNz6ADVz6nRxoiBBUJRwWx6AF/MzL5ycsGVBnFWenwOg0SM8lxg==,iv:peGrUG0AdJ16wQD8GovlK1QcTT21pQQ2p/d10KsmF0Y=,tag:ZCTB5GTIpI/t9bfjDMJM3g==,type:str]
+tailscale_key: ENC[AES256_GCM,data:TCuAitDhMHkq0XCbuovgC9ePqtu9MzwhmgtL9G4BC9g08ggWA0cmbpCagR7ndTtSUwYRqBU/Blo=,iv:vh/neiDQuo4OyIo/c95xPzhhLuhG/yFQb7cCN+K57LM=,tag:mz7VOXUMrTQ8WZPauPxW+w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMmkwRnhYM2FyVFUyaE9Q
+            UnhoYkNrS0lpRE91V25IZmRLZFZzQUo3eDBnCitwZUxQNXArOVhBc2dMU2lBVkd4
+            K2hrRFlpME9KLzJYRmEwQjAyUVgxN0UKLS0tIFVXaDRFSmFpYnA2TFhQaE9xaGtj
+            dHRTcjV0UHJXbVZBODZRMmdPK0s0cTAKpuEK6KT0mWUdoWhCUJ3tjtJrWjontFS3
+            z7xrKE9hUcy22TheQGvUSu6xwRN4D9Mowx/zNA/Ox2bhsGbfx2rz6Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-19T00:55:46Z"
+    mac: ENC[AES256_GCM,data:fz9qPVGL6F2p12uThpZdvFZwTkqJ60zyc7aMij6BmvHeqW5lCDifV09rxpawQxUR/H6Za2erfkdijvAjy0GtZ8QsOmIzBnbHjOc7cV+qSXFENmAo2o9y/8DUpC53hJIA6ISRfYcfbGMkqio6GIsrWjgwVuA4Jk+p06EulXkCOxI=,iv:hLdBdnsjaFuK4C+FLNT/lHHW7B29qDW3zVd2a4X/cwk=,tag:h35x4TjNNujH3y3dgwul8w==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3