feat(nix): add sops for secrets

2025-10-29 22:36:06 -07:00 · 2025-10-29 22:36:06 -07:00 · d04ba5d01a
commit d04ba5d01a
parent 89232a7cd1
5 changed files with 75 additions and 3 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,21 @@
+keys:
+  - &server_lappy age1ew0qvrhjafqcdluupf0etgchh7h7987kgqnfvh7plxe44k8xy94qw9pe5n
+  - &server_tanzanite age1myy382gauvgg77lyaqmj4ty7a9pgzqu85pqufk2rytudg9g8edeq5rupzw
+
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admin_lappy
+  - path_regex: secrets/stitchynyan/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admin_lappy
+  - path_regex: secrets/nyadmin/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admin_tanzanite
+  - path_regex: secrets/email_accounts/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *server_tanzanite
--- a/flake.lock
+++ b/flake.lock
@ -344,7 +344,8 @@
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-quartus": "nixpkgs-quartus",
-        "nixpkgs-xr": "nixpkgs-xr"
+        "nixpkgs-xr": "nixpkgs-xr",
+        "sops-nix": "sops-nix"
      }
    },
    "rust-overlay": {
@ -368,6 +369,26 @@
        "type": "github"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1760998189,
+        "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1689347949,
--- a/flake.nix
+++ b/flake.nix
@ -2,12 +2,13 @@
  description = "System Configuration Flake";
  outputs = inputs@{
    catppuccin,
+    home-manager,
    lanzaboote,
    nixpkgs,
    nixpkgs-xr,
    nixos-hardware,
    nixpkgs-quartus,
-    home-manager,
+    sops-nix,
    ...
  } : {

@ -17,6 +18,7 @@
        specialArgs = { inherit inputs; };
        modules = [
          catppuccin.nixosModules.catppuccin
+          sops-nix.nixosModules.sops

          ./hosts/malachite/default.nix
          ./users/stitchynyan/default.nix
@ -44,6 +46,7 @@
          catppuccin.nixosModules.catppuccin
          lanzaboote.nixosModules.lanzaboote
          nixos-hardware.nixosModules.framework-12th-gen-intel
+          sops-nix.nixosModules.sops

          ./hosts/lappy/default.nix
          ./users/stitchynyan/default.nix
@ -87,6 +90,7 @@
        specialArgs = { inherit inputs; };
        modules = [
          catppuccin.nixosModules.catppuccin
+          sops-nix.nixosModules.sops

          ./hosts/tanzanite/default.nix
          ./users/nyadmin/default.nix
@ -127,5 +131,9 @@
    nixpkgs-xr.url = "github:nix-community/nixpkgs-xr";
    nixos-hardware.url = "github:Nixos/nixos-hardware/master";
    nixpkgs-quartus.url = "github:nixos/nixpkgs/nixos-22.05";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };
 }
--- a/secrets/stitchynyan/secrets.yaml
+++ b/secrets/stitchynyan/secrets.yaml
@ -0,0 +1,17 @@
+password-hash:
+    stitchynyan: ENC[AES256_GCM,data:bYrGWN3qhak742yo5fP+R767NrCDlc91ngxKA/e68uIXesx+J9od0C9VwBYtK6VfqUHT/3CkGRPxj9r73wrnSkYgpzZZ41syqg==,iv:uD1BBpzcRpGZpWEjxWT9cqDJfBqtj336/FOmVkEASE4=,tag:zEc0QlQPaKUfQpxwfbp68A==,type:str]
+sops:
+    age:
+        - recipient: age1ew0qvrhjafqcdluupf0etgchh7h7987kgqnfvh7plxe44k8xy94qw9pe5n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4MFdlSFQ4WjVwbFExUFdD
+            c05BOTJTSkdXM3hzdkdVTXN1bGh6bk92TFdJCjB5OUZyWDdqalU3akRKaHV4a3FE
+            YkdVUW9SRHA5NDJoT01wa1VOQTZGTGsKLS0tIGMwWVpGMHJEWDhpSVNLV1liWUhj
+            ZW1XSm9Td0JVODhBYnFpcnlNMHFvWkUKz0GCB+DYOXO5szkAtVhjnzjzPgMvAvc1
+            NuQRV9uI5OPElhkucxhO9QhQQ8OLl/5rv4UYJHuEaGbz9ijMOdrvFQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-10-30T05:24:37Z"
+    mac: ENC[AES256_GCM,data:+XXEIMIWoPhJFWQ4D8CFLNFL5ZjHya9tFrVlW6rUb7/NXEkN3UoqtnUxOJFw6dGjU7L9vX6p5dSYnGejhRFgZPXWGJywDoJiNg/A63HPhQNECNO7xKrHsB238PsNzBCC0p47R0XELywd77zZ8BHtezty6+8x5x6md7+kE5sDzgU=,iv:+MZKzxv5oYCldq7SQxl7kYwPb9IoDKp0im8yoU7KsSw=,tag:FXrj7o1Y6n9Ir9V03aLyww==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0
--- a/users/stitchynyan/default.nix
+++ b/users/stitchynyan/default.nix
@ -54,11 +54,16 @@
    xserver.enable = true;
  };

+  sops.secrets."password-hash/stitchynyan" = {
+    neededForUsers = true;
+    sopsFile = ../../secrets/stitchynyan/secrets.yaml;
+  };
+
  users.users.stitchynyan = {
    description = "Personal user";
    extraGroups = [ "audio" "dialout" "docker" "kvm" "libvirtd" "networkmanager" "plugdev" "wireshark" "wheel" ];
    home = "/home/stitchynyan";
-    initialHashedPassword = "$y$j9T$rvySCWHYE4AO4A9J0Vf20.$x5hpBNsOWovQFtNfFUIt17OAH5MJFwFBGjxbaEIagJ3";
+    hashedPasswordFile = config.sops.secrets."password-hash/stitchynyan".path;
    isNormalUser = true;
    shell = pkgs.zsh;
  };