feat(nix): nyadmin password

2025-10-29 23:46:52 -07:00 · 2025-10-29 23:46:52 -07:00 · 21e49b05c5
commit 21e49b05c5
parent af5c0b9f3c
3 changed files with 34 additions and 11 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -6,15 +6,15 @@ creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
      - age:
-        - *admin_lappy
+        - *server_lappy
  - path_regex: secrets/stitchynyan/[^/]+\.(yaml|json|env|ini)$
    key_groups:
      - age:
-        - *admin_lappy
+        - *server_lappy
  - path_regex: secrets/nyadmin/[^/]+\.(yaml|json|env|ini)$
    key_groups:
      - age:
-        - *admin_tanzanite
+        - *server_tanzanite
  - path_regex: secrets/email_accounts/[^/]+\.(yaml|json|env|ini)$
    key_groups:
      - age:
--- a/secrets/nyadmin/secrets.yaml
+++ b/secrets/nyadmin/secrets.yaml
@ -0,0 +1,17 @@
+password-hash:
+    nyadmin: ENC[AES256_GCM,data:9n1eMxDlqqT6j60yH8na5xGS2vnQT1k8q4Zr+x3epUOLcCvMLej+8rNImd0v1psvOTfOoSSSQGtp0ONaaE9nucfXd7zOwPjhzQ==,iv:5HMcPbeOt36DqXD1mY+ntnx+XLwWRygdU7UtjWHnwoA=,tag:RWEqQy/4Ck9pcy5cKF8Gsg==,type:str]
+sops:
+    age:
+        - recipient: age1myy382gauvgg77lyaqmj4ty7a9pgzqu85pqufk2rytudg9g8edeq5rupzw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGSlpLSHU3M1lpbmxJWFFS
+            OHA5NDVYUm5OdVBwMVhkMVZmcktGZGdNWVRJClpOQWxEQXlmQituaXhBMForVDRX
+            TCtBZ0FWNGllTUZpa3o5bExTQUdhZEEKLS0tIFcrUGdwY3JyS1J1Nmd2MVU1TlFX
+            aTVENm5iVzYrZFprakFJTXlrS0hkczgKQzF73/HbOe+KebczZX1fDEbYb3bZ68p8
+            FQQJXmC13snbF4O5gn/6jhMScVyuJqvE8Qvguloj7iNDl+FtJaQmTQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-10-30T05:59:30Z"
+    mac: ENC[AES256_GCM,data:sCkhfbhoZK4uuIa35Ik7pIz/Wi48MsIoKcQFzHrDLU86VfH11CFL9/DFSgkYjnmyOja3bhdi+99zaPP2Q8j10Rfk5+nqap2ZvQIEeE+FV4Vx3A0A9BxpCo8mUaqCLR64dd/h9EE1LJzwVJxNUYoe2wGegiH4XKn98OZQcS1cVvU=,iv:on6bCIjN+JZf4F2/G7mWmBAwvnt1fW74doXaWq9dW0I=,tag:7+UMdSNtc5YQENVotfxMAQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0
--- a/users/nyadmin/default.nix
+++ b/users/nyadmin/default.nix
@ -2,14 +2,20 @@

 {
  imports = [ ../default.nix ];
+
+  sops.secrets."password-hash/nyadmin" = {
+    neededForUsers = true;
+    sopsFile = ../../secrets/nyadmin/secrets.yaml;
+  };
+
  users.users.nyadmin = {
-   isNormalUser = true;
-   shell = pkgs.zsh;
-   home = "/home/nyadmin";
-   description = "nyadministrator~";
-   extraGroups = [ "wheel" "kvm" "libvirt" "docker" ];
-   initialHashedPassword = "$y$j9T$XguIcj/AVXsWW/MxSYAGh0$TivGAa0z8KNCli2mKTd24vtqimpadNzqMFwfbeh0p30";
-   openssh.authorizedKeys.keys = [
-     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOVgHcJ9C8TD515x+KqFKNYUa6IZML6LU3FWovmDIvyZ" ];
+    isNormalUser = true;
+    shell = pkgs.zsh;
+    home = "/home/nyadmin";
+    description = "nyadministrator~";
+    extraGroups = [ "wheel" "kvm" "libvirt" "docker" ];
+    hashedPasswordFile = config.sops.secrets."password-hash/nyadmin".path;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOVgHcJ9C8TD515x+KqFKNYUa6IZML6LU3FWovmDIvyZ" ];
  };
 }