From 21e49b05c5ee89ebbbac116f7f5e5d773c14bd5d Mon Sep 17 00:00:00 2001
From: stitchy
Date: Wed, 29 Oct 2025 23:46:52 -0700
Subject: [PATCH] feat(nix): nyadmin password
---
 .sops.yaml | 6 +++---
 secrets/nyadmin/secrets.yaml | 17 +++++++++++++++++
 users/nyadmin/default.nix | 22 ++++++++++++++--------
 3 files changed, 34 insertions(+), 11 deletions(-)
 create mode 100644 secrets/nyadmin/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 7769182..cb8f2a3 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -6,15 +6,15 @@ creation_rules:
 - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - age:
- - *admin_lappy
+ - *server_lappy
 - path_regex: secrets/stitchynyan/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - age:
- - *admin_lappy
+ - *server_lappy
 - path_regex: secrets/nyadmin/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - age:
- - *admin_tanzanite
+ - *server_tanzanite
 - path_regex: secrets/email_accounts/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - age:
diff --git a/secrets/nyadmin/secrets.yaml b/secrets/nyadmin/secrets.yaml
new file mode 100644
index 0000000..1d3974e
--- /dev/null
+++ b/secrets/nyadmin/secrets.yaml
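Review bot: After this hunk the rules for `secrets/`, `secrets/stitchynyan/` and `secrets/nyadmin/` each list a single `*server_…` recipient and no operator key. If those anchors are host keys, as the rename from `*admin_…` suggests (their definitions sit above the hunk), a secret can then be edited or recovered only with that host's private key, so a reinstalled or lost host takes its secrets with it. Consider listing both recipients under `age:`, e.g. `- *admin_tanzanite` next to `- *server_tanzanite`. Changing `.sops.yaml` does not re-encrypt files that already exist, so anything already stored under the first two paths keeps its old recipients until `sops updatekeys` is run on it.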
@@ -0,0 +1,17 @@ +password-hash: + nyadmin: ENC[AES256_GCM,data:9n1eMxDlqqT6j60yH8na5xGS2vnQT1k8q4Zr+x3epUOLcCvMLej+8rNImd0v1psvOTfOoSSSQGtp0ONaaE9nucfXd7zOwPjhzQ==,iv:5HMcPbeOt36DqXD1mY+ntnx+XLwWRygdU7UtjWHnwoA=,tag:RWEqQy/4Ck9pcy5cKF8Gsg==,type:str] +sops: + age: + - recipient: age1myy382gauvgg77lyaqmj4ty7a9pgzqu85pqufk2rytudg9g8edeq5rupzw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGSlpLSHU3M1lpbmxJWFFS + OHA5NDVYUm5OdVBwMVhkMVZmcktGZGdNWVRJClpOQWxEQXlmQituaXhBMForVDRX + TCtBZ0FWNGllTUZpa3o5bExTQUdhZEEKLS0tIFcrUGdwY3JyS1J1Nmd2MVU1TlFX + aTVENm5iVzYrZFprakFJTXlrS0hkczgKQzF73/HbOe+KebczZX1fDEbYb3bZ68p8 + FQQJXmC13snbF4O5gn/6jhMScVyuJqvE8Qvguloj7iNDl+FtJaQmTQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-30T05:59:30Z" + mac: ENC[AES256_GCM,data:sCkhfbhoZK4uuIa35Ik7pIz/Wi48MsIoKcQFzHrDLU86VfH11CFL9/DFSgkYjnmyOja3bhdi+99zaPP2Q8j10Rfk5+nqap2ZvQIEeE+FV4Vx3A0A9BxpCo8mUaqCLR64dd/h9EE1LJzwVJxNUYoe2wGegiH4XKn98OZQcS1cVvU=,iv:on6bCIjN+JZf4F2/G7mWmBAwvnt1fW74doXaWq9dW0I=,tag:7+UMdSNtc5YQENVotfxMAQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/users/nyadmin/default.nix b/users/nyadmin/default.nix index 3057e1a..6168167 100644 --- a/users/nyadmin/default.nix +++ b/users/nyadmin/default.nix 
@@ -2,14 +2,20 @@ { imports = [ ../default.nix ]; + + sops.secrets."password-hash/nyadmin" = { + neededForUsers = true; + sopsFile = ../../secrets/nyadmin/secrets.yaml; + }; + users.users.nyadmin = { - isNormalUser = true; - shell = pkgs.zsh; - home = "/home/nyadmin"; - description = "nyadministrator~"; - extraGroups = [ "wheel" "kvm" "libvirt" "docker" ]; - initialHashedPassword = "$y$j9T$XguIcj/AVXsWW/MxSYAGh0$TivGAa0z8KNCli2mKTd24vtqimpadNzqMFwfbeh0p30"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOVgHcJ9C8TD515x+KqFKNYUa6IZML6LU3FWovmDIvyZ" ]; + isNormalUser = true; + shell = pkgs.zsh; + home = "/home/nyadmin"; + description = "nyadministrator~"; + extraGroups = [ "wheel" "kvm" "libvirt" "docker" ]; + hashedPasswordFile = config.sops.secrets."password-hash/nyadmin".path; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOVgHcJ9C8TD515x+KqFKNYUa6IZML6LU3FWovmDIvyZ" ]; }; }
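Review bot: The yescrypt hash removed from `initialHashedPassword` stays readable in git history, so moving it into sops protects the account only if the hash in `secrets/nyadmin/secrets.yaml` belongs to a new password; nothing in the diff shows whether it was rotated, and nyadmin is in `wheel` and `docker`. I would record that next to the new line, e.g. `# hash of a password set after the inline hash was removed; the old hash is still in git history`. `hashedPasswordFile` reads `config`, which has to be among the module arguments on the file's first line, outside this hunk. Whether an already-created account picks up the new hash depends on `users.mutableUsers`, which is not set in the lines shown.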