Setup and utilize SOPS

Gene Liverman 2023-12-18 15:34:47 -05:00
parent 0fc27eb75f
commit 5ab4df18b2
14 changed files with 213 additions and 14 deletions

.sops.yaml Normal file

@ -0,0 +1,25 @@
---
keys:
- &system_nixnuc age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4
- &system_rainbow_planet age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck
- &user_blue_rock age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d
creation_rules:
- path_regex: nixnuc/secrets.yaml$
key_groups:
- age:
- *system_nixnuc
- path_regex: rainbow-planet/secrets.yaml$
key_groups:
- age:
- *system_rainbow_planet
- path_regex: Blue-Rock/secrets.yaml$
key_groups:
- age:
- *user_blue_rock
- path_regex: modules/system/common/secrets.yaml$
key_groups:
- age:
- *system_nixnuc
- *system_rainbow_planet
- *user_blue_rock
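Review bot: The rule for `modules/system/common/secrets.yaml` lists `*user_blue_rock` as a recipient alongside both system keys, so the user-level age identity can decrypt whatever ends up in the system-wide secrets file; if that file is only meant for the NixOS hosts, the user key can be dropped from that key group. The `path_regex` values are unanchored at the start (`nixnuc/secrets.yaml$` also matches any deeper path ending that way), which is harmless with this layout but worth writing as `^nixnuc/secrets.yaml$` if the tree grows. A short comment on each anchor saying where the key comes from would help later rotation, e.g. `# system_*: recipient derived from the host's ssh_host_ed25519_key (ssh-to-age); user_*: from the user's age keys.txt` — the ssh-key derivation is my inference from the `sshKeyPaths` line in all-nixos.nix, so confirm it before writing it down.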

flake.lock generated

@ -163,6 +163,22 @@
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1702777222,
"narHash": "sha256-/SYmqgxTYzqZnQEfbOCHCN4GzqB9uAIsR9IWLzo0/8I=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a19a71d1ee93226fd71984359552affbc1cd3dc3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1702539185,
@ -218,7 +234,29 @@
"nix-darwin": "nix-darwin",
"nix-homebrew": "nix-homebrew",
"nixpkgs": "nixpkgs_3",
"nixpkgs-unstable": "nixpkgs-unstable"
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1702812162,
"narHash": "sha256-18cKptpAAfkatdQgjO5SZXZsbc1IVPRoYx2AxaiooL4=",
"owner": "mic92",
"repo": "sops-nix",
"rev": "21f2b8f123a1601fef3cf6bbbdf5171257290a77",
"type": "github"
},
"original": {
"owner": "mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {


@ -27,6 +27,12 @@
inputs.nixpkgs.follows = "nixpkgs";
};
# Secrets managemnt
sops-nix = {
url = "github:mic92/sops-nix";
inputs.nixpkgs.follows ="nixpkgs";
};
# My oh-my-posh theme
genebean-omp-themes = {
url = "github:genebean/my-oh-my-posh-themes";
@ -34,7 +40,7 @@
};
}; # end inputs
outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, nix-darwin, home-manager, nix-homebrew, disko, genebean-omp-themes, ... }: let
outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, nix-darwin, home-manager, nix-homebrew, disko, sops-nix, genebean-omp-themes, ... }: let
# creates a macOS system config
darwinHostConfig = system: hostname: username: nix-darwin.lib.darwinSystem {
@ -57,10 +63,11 @@
home-manager.darwinModules.home-manager {
home-manager = {
extraSpecialArgs = { inherit genebean-omp-themes; };
extraSpecialArgs = { inherit genebean-omp-themes username; };
useGlobalPkgs = true;
useUserPackages = true;
users.${username}.imports = [
sops-nix.homeManagerModule # user-level secrets management
./modules/home-manager/hosts/${hostname}/${username}.nix
];
};
@ -84,7 +91,7 @@
modules = [
home-manager.nixosModules.home-manager {
home-manager = {
extraSpecialArgs = { inherit genebean-omp-themes; };
extraSpecialArgs = { inherit genebean-omp-themes hostname username; };
useGlobalPkgs = true;
useUserPackages = true;
users.${username}.imports = [
@ -93,6 +100,7 @@
};
}
sops-nix.nixosModules.sops # system wide secrets management
./modules/system/common/all-nixos.nix # system-wide stuff
./modules/hosts/nixos/${hostname} # host specific stuff
];
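Review bot: The new `sops-nix` input at L104-107 only overrides `inputs.nixpkgs`, so sops-nix's own `nixpkgs-stable` input is locked as a separate release-23.05 nixpkgs (visible in the flake.lock hunk above); add `inputs.nixpkgs-stable.follows = "nixpkgs";` next to it unless that second tree is wanted. The comment above it has a typo, `# Secrets managemnt` → `# Secrets management`, and `inputs.nixpkgs.follows ="nixpkgs";` is missing the space after `=`. The `extraSpecialArgs` sets at L122 and L135 pass `username`/`hostname` but not `sops-nix`, which is fine because the home-manager modules only use options provided by the imported `sops-nix.homeManagerModule`. The enclosing `darwinHostConfig` and NixOS helper functions start and end outside these hunks.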


@ -1,4 +1,4 @@
{ pkgs, genebean-omp-themes, ... }: {
{ pkgs, genebean-omp-themes, sops-nix, username, ... }: {
# dawrwin-specific shell config
programs.zsh = {
initExtra = ''
@ -23,4 +23,6 @@
ykey = "pkill -9 gpg-agent && source ~/.zshrc; ssh-add -L";
};
};
sops.age.keyFile = "/Users/${username}/Library/Application Support/sops/age/keys.txt";
}
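Review bot: `sops-nix` is added to this module's argument pattern at L151 but never referenced in the file; the `sops.*` options come from the imported `sops-nix.homeManagerModule`, so the input object is not needed and the name can be dropped from the pattern (the same unused argument is added in the Blue-Rock home module, nixnuc's configuration.nix and all-nixos.nix below). The new `sops.age.keyFile` hard-codes `/Users/${username}/...`; in a home-manager module `config.home.homeDirectory` already holds that prefix, so `sops.age.keyFile = "${config.home.homeDirectory}/Library/Application Support/sops/age/keys.txt";` (with `config` added to the pattern) keeps it portable. Keeping this value a quoted string, as done here, is the right call: an unquoted path literal would make Nix copy the private key file into the store.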


@ -9,4 +9,5 @@
ykey = "sudo systemctl restart pcscd && sudo pkill -9 gpg-agent && source ~/.zshrc; ssh-add -L";
};
};
}


@ -1,4 +1,4 @@
{ pkgs, genebean-omp-themes, ... }: {
{ pkgs, genebean-omp-themes, sops-nix, username, ... }: {
home.stateVersion = "23.11";
imports = [
../../common/all-cli.nix
@ -14,4 +14,12 @@
k9s.enable = true;
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets = {
local_git_config.path = "/Users/${username}/.gitconfig-local";
local_private_env.path = "/Users/${username}/.private-env";
};
};
}


@ -0,0 +1,23 @@
tailscale_key: ENC[AES256_GCM,data:7XXDKJ/x/8F5HabD7dYE4OE8kLMUjkxCp5eBnVayErPpobo+/4P2DC6ZAUlnaxllHpFMPMQE82S4,iv:aRUvoHuwNa3kOnH38foY/dfZl3JH8LyQsZb2qDGACsM=,tag:YL3Dm66WuDIv8KwvYLfjUw==,type:str]
local_git_config: ENC[AES256_GCM,data:DC8DzFYGT0H/5t2QhtvSc65WMil+nhj6BUdYujnNqyQJVlRe5DgIgCu280/y,iv:cCWJ9PmqIB8udCVQJfb8w5rPYIq9CWB0smtv+jiLm/o=,tag:5eeaHfPr6Y6B30CB7Yidqw==,type:str]
local_private_env: ENC[AES256_GCM,data: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,iv:/ljcG+rx0JjgXIfGpZ+rnuss0i+ZXi3vSCtly2XRxRo=,tag:+0+yPNQuTnCj4zF8cQEeeg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTd1Rzb3dKZW45MUgzVVZV
RTVCb201dGthUWZTYXpJbks3anh5THBBbFFJCnl2TkdLQnVwM1RJSy9xNzQ3SURs
MWRZbm41dUJiUTNhN1VuSnRCbktvUzgKLS0tIFdTODVoRkhJSnBPM0o1dlhyUTlU
b3U5ZWtYNXgzQXljYU5DSlJkUitjUGMKMtV3Q3X9Hn/ILCm5Wf9rt5YezT76Nnrn
XYbIIVIglNfgaS4iVgQhMOPh+yLJ5P+swFSt6/vrDH72LUFA9YNxSw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-18T19:39:41Z"
mac: ENC[AES256_GCM,data:LwQGcpDFrsuc0yYEv0ElJa50AdnzWk/xs78UJz4VjRPOEZbw3ibo3MmLcrYSsatU4cLqtBbVO60/lWjeeKiqmzAKdbxA/sui3JLYB4aS6wEnJvrNa4+cNr9cryaAMBF2zz9eXifBGa5Hk1VuXPCwLzAftBSTqdhIWfOHA/jej2w=,iv:eUk2TJ4fVk8y4FPYW9mgoT4UHRH6SP5GEWYsf68K714=,tag:TPn9xY+IiWHFEuD4jVvvkA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -4,5 +4,4 @@
../../common/all-cli.nix
../../common/all-linux.nix
];
}


@ -1,4 +1,4 @@
{ inputs, config, pkgs, username, ... }: {
{ inputs, config, hostname, pkgs, sops-nix, username, ... }: {
imports = [
./hardware-configuration.nix
];
@ -72,7 +72,6 @@
enable = true;
openFirewall = true;
};
openssh.enable = true;
tailscale = {
extraUpFlags = [
"--advertise-exit-node"
@ -82,6 +81,21 @@
};
};
sops = {
age.keyFile = /home/${username}/.config/sops/age/keys.txt;
defaultSopsFile = ./secrets.yaml;
secrets = {
local_git_config = {
owner = "${username}";
path = "/home/${username}/.gitconfig-local";
};
local_private_env = {
owner = "${username}";
path = "/home/${username}/.private-env";
};
};
};
users.users.${username} = {
isNormalUser = true;
description = "Gene Liverman";
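Review bot: `age.keyFile = /home/${username}/.config/sops/age/keys.txt;` at L245 is a Nix path literal, not a string; sops-nix serialises this option into its manifest, and a path value in a string/JSON context is copied into the world-readable Nix store (or rejected under pure flake evaluation), so the private age key could land in /nix/store. Quote it as the darwin module already does: `age.keyFile = "/home/${username}/.config/sops/age/keys.txt";` — the same line appears in the rainbow-planet configuration hunk below. Separately, nixnuc/secrets.yaml in this commit is encrypted only to the `system_nixnuc` recipient and all-nixos.nix already registers the host ssh key via `age.sshKeyPaths`; if that recipient is the ssh-host-key-derived identity, this user-home keyFile is redundant and the system module need not depend on a file under /home at all (inferred from .sops.yaml, confirm). `owner = "${username}";` can simply be `owner = username;`.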


@ -0,0 +1,23 @@
tailscale_key: ENC[AES256_GCM,data:aB3KUD4QYm+ZDrjjLcU3gQ8kneVGkVYBsrkVcioOhxunal2FekLDrpKxJwNXuiwx2M5vipnGAEPO,iv:e+tPPfVYkv4U0KRGwspWb1O3ZQom/WFFGm9H9cd/KKE=,tag:ZG5z1C18bj1L7DcGzunQ0w==,type:str]
local_git_config: ENC[AES256_GCM,data:Nqwog5C4wnRzNoS4oqaYQ4J1DIj7fUL1y/nXESquR0N7KQ+ebhvuJnM=,iv:Q6o45LZStS3k8iO7s2P6u7OrKFu5alplshZuGgeRKmk=,tag:NcLJrI9AK4eDroODX15lcA==,type:str]
local_private_env: ""
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6djJ0Z2t4SFNjbzlHUmt2
NjVudktRcU9yZ0NEQXlnZG5uYTNoNExySFUwCldETHFwNzhwWEExTmxVV2dkTlBL
VWYzbEtENUlhQmtUam9WTlhib1NZZDgKLS0tIGY2czVIdzVrQ2VoaGExNGlET0s5
bHZlNTZDV2NYU1hQQy9mem80SFF6TFkKfmjkJBfTdh0vTtGaVx1t3tHJvSsAwdYD
PF025X9U+yG2oIopwXEVBkxcD70eyuJn3OqH0xoVLBkbhNM9i8LHrA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-18T23:32:41Z"
mac: ENC[AES256_GCM,data:ZBxEwy4+Z+o+WjpiSyYoRl3yipE38WlosHdlCjSW6evwrgZtMhGqOjvYloKLMhWNdRdRbpmfQfXjsdaiLIkyWMYAQ4zv3GdVTwCzjFOEQV/1J/7yohBMT6zDd73go73/2jys4HPYp44AuLIMm5ngzmt+fszOUvnuOFUBogqJ/rY=,iv:qnFlQ5NKbnu96ZURN5t1dS0279Pid9D5reWX1xVkqeQ=,tag:61rKxPC1TnuAgOJy0090Pw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
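Review bot: `local_private_env: ""` at L267 is stored as a plain empty string while every other value is an `ENC[...]` blob; sops writes empty values as-is, so this looks like normal output rather than a damaged file, but it means nixnuc's configuration (which declares `local_private_env` with a path under the user's home) will materialise an empty `.private-env` on that host. If the value is intentionally a placeholder a comment in the host config saying so would avoid a later hunt; otherwise either fill it in with `sops` or drop that secret declaration from nixnuc's `sops.secrets`.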


@ -95,6 +95,21 @@
wireplumber.enable = true;
};
sops = {
age.keyFile = /home/${username}/.config/sops/age/keys.txt;
defaultSopsFile = ./secrets.yaml;
secrets = {
local_git_config = {
owner = "${username}";
path = "/home/${username}/.gitconfig-local";
};
local_private_env = {
owner = "${username}";
path = "/home/${username}/.private-env";
};
};
};
# Define a user account. Don't forget to set a password with passwd.
users.users.${username} = {
isNormalUser = true;


@ -0,0 +1,23 @@
local_git_config: ENC[AES256_GCM,data:/ACb6GC4hbj04TrCcvxeLEbG0V5CxlYTiaGmG/DINYun2CEZkFizES4=,iv:YzXCwRe6Vxsyvf/8LareEtc8boeR2V3Ykd09pOs4K4M=,tag:PcBRqupIOg4EvFH8NqUoqw==,type:str]
local_private_env: ENC[AES256_GCM,data:QMxbb8SYgzmqNyoOa8Cd4fFXweTLZHurNz6ADVz6nRxoiBBUJRwWx6AF/MzL5ycsGVBnFWenwOg0SM8lxg==,iv:peGrUG0AdJ16wQD8GovlK1QcTT21pQQ2p/d10KsmF0Y=,tag:ZCTB5GTIpI/t9bfjDMJM3g==,type:str]
tailscale_key: ENC[AES256_GCM,data:TCuAitDhMHkq0XCbuovgC9ePqtu9MzwhmgtL9G4BC9g08ggWA0cmbpCagR7ndTtSUwYRqBU/Blo=,iv:vh/neiDQuo4OyIo/c95xPzhhLuhG/yFQb7cCN+K57LM=,tag:mz7VOXUMrTQ8WZPauPxW+w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMmkwRnhYM2FyVFUyaE9Q
UnhoYkNrS0lpRE91V25IZmRLZFZzQUo3eDBnCitwZUxQNXArOVhBc2dMU2lBVkd4
K2hrRFlpME9KLzJYRmEwQjAyUVgxN0UKLS0tIFVXaDRFSmFpYnA2TFhQaE9xaGtj
dHRTcjV0UHJXbVZBODZRMmdPK0s0cTAKpuEK6KT0mWUdoWhCUJ3tjtJrWjontFS3
z7xrKE9hUcy22TheQGvUSu6xwRN4D9Mowx/zNA/Ox2bhsGbfx2rz6Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-19T00:55:46Z"
mac: ENC[AES256_GCM,data:fz9qPVGL6F2p12uThpZdvFZwTkqJ60zyc7aMij6BmvHeqW5lCDifV09rxpawQxUR/H6Za2erfkdijvAjy0GtZ8QsOmIzBnbHjOc7cV+qSXFENmAo2o9y/8DUpC53hJIA6ISRfYcfbGMkqio6GIsrWjgwVuA4Jk+p06EulXkCOxI=,iv:hLdBdnsjaFuK4C+FLNT/lHHW7B29qDW3zVd2a4X/cwk=,tag:h35x4TjNNujH3y3dgwul8w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -7,6 +7,7 @@
"/share/zsh"
];
systemPackages = with pkgs; [
age
coreutils
hugo
mas
@ -14,6 +15,8 @@
nodejs
nodePackages.npm
openjdk
sops
ssh-to-age
];
};


@ -1,4 +1,4 @@
{ config, pkgs, hostname, username, ... }: {
{ config, hostname, pkgs, sops-nix, username, ... }: {
imports = [
./linux/internationalisation.nix
];
@ -6,10 +6,13 @@
environment = {
shells = with pkgs; [ bash zsh ];
systemPackages = with pkgs; [
age
dconf2nix
file
neofetch
python3
sops
ssh-to-age
tailscale
unzip
wget
@ -44,8 +47,22 @@
security.sudo.wheelNeedsPassword = false;
services.tailscale = {
enable = true;
services = {
openssh.enable = true;
tailscale = {
enable = true;
authKeyFile = config.sops.secrets.tailscale_key.path;
};
};
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = {
tailscale_key = {
restartUnits = [ "tailscaled-autoconnect.service" ];
sopsFile = ../../hosts/nixos/${hostname}/secrets.yaml;
};
};
};
time.timeZone = "America/New_York";
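Review bot: `openssh.enable = true;` at L385 now applies to every NixOS host (it was removed from nixnuc's own config in this commit), and the sops-nix `age.sshKeyPaths` identity on L392 depends on it; with `security.sudo.wheelNeedsPassword = false` in the same file, pairing the shared sshd with `services.openssh.settings.PasswordAuthentication = false;` would keep the host key the only way in. The `sshKeyPaths` line is worth a why-comment since it doubles as the secrets identity, e.g. `# the host's ed25519 key is the age identity for this host's secrets.yaml (recipient listed in .sops.yaml)` — that linkage is inferred from .sops.yaml, so confirm it. `sopsFile = ../../hosts/nixos/${hostname}/secrets.yaml` means every host importing this module must ship that file or evaluation fails; both NixOS hosts add one here, but a comment stating the requirement would help the next host. The enclosing attribute set continues past the end of this hunk.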