From d04ba5d01a1dd996d9b4406933fe0152968c77c9 Mon Sep 17 00:00:00 2001
From: stitchy
Date: Wed, 29 Oct 2025 22:36:06 -0700
Subject: [PATCH] feat(nix): add sops for secrets
---
 .sops.yaml | 21 +++++++++++++++++++++
 flake.lock | 23 ++++++++++++++++++++++-
 flake.nix | 10 +++++++++-
 secrets/stitchynyan/secrets.yaml | 17 +++++++++++++++++
 users/stitchynyan/default.nix | 7 ++++++-
 5 files changed, 75 insertions(+), 3 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/stitchynyan/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..7769182
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,21 @@
+keys:
+ - &server_lappy age1ew0qvrhjafqcdluupf0etgchh7h7987kgqnfvh7plxe44k8xy94qw9pe5n
+ - &server_tanzanite age1myy382gauvgg77lyaqmj4ty7a9pgzqu85pqufk2rytudg9g8edeq5rupzw
+
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_lappy
+ - path_regex: secrets/stitchynyan/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_lappy
+ - path_regex: secrets/nyadmin/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_tanzanite
+ - path_regex: secrets/email_accounts/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *server_tanzanite
diff --git a/flake.lock b/flake.lock
index dc2e760..4191c27 100644
--- a/flake.lock
+++ b/flake.lock
@@ -344,7 +344,8 @@
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs_2",
 "nixpkgs-quartus": "nixpkgs-quartus",
- "nixpkgs-xr": "nixpkgs-xr"
+ "nixpkgs-xr": "nixpkgs-xr",
+ "sops-nix": "sops-nix"
 }
 },
 "rust-overlay": {
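Review bot: The creation_rules reference `*admin_lappy` and `*admin_tanzanite`, but the only anchors defined under `keys` are `&server_lappy` and `&server_tanzanite`, so this `.sops.yaml` is not valid YAML and sops will reject it before any rule is evaluated; only the `secrets/email_accounts/` rule resolves. Since `secrets/stitchynyan/secrets.yaml` in this same commit is encrypted to `age1ew0…`, it was presumably created with the recipient supplied outside this config, so the committed rules and the committed ciphertext currently do not agree. Either point the three rules at the existing host anchors (`- *server_lappy`, `- *server_tanzanite`) or add the admin keys the aliases imply under `keys`; in the latter case keep the host key in each rule as well, otherwise the host cannot decrypt at boot. After fixing the aliases, re-encrypt the existing secrets file so its recipient set matches the rules.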
@@ -368,6 +369,26 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1760998189,
+ "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1689347949,
diff --git a/flake.nix b/flake.nix
index e1f201e..5185729 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,12 +2,13 @@
 description = "System Configuration Flake";
 outputs = inputs@{
 catppuccin,
+ home-manager,
 lanzaboote,
 nixpkgs,
 nixpkgs-xr,
 nixos-hardware,
 nixpkgs-quartus,
- home-manager,
+ sops-nix,
 ...
 } : {
@@ -17,6 +18,7 @@
 specialArgs = { inherit inputs; };
 modules = [
 catppuccin.nixosModules.catppuccin
+ sops-nix.nixosModules.sops
 ./hosts/malachite/default.nix
 ./users/stitchynyan/default.nix
@@ -44,6 +46,7 @@
 catppuccin.nixosModules.catppuccin
 lanzaboote.nixosModules.lanzaboote
 nixos-hardware.nixosModules.framework-12th-gen-intel
+ sops-nix.nixosModules.sops
 ./hosts/lappy/default.nix
 ./users/stitchynyan/default.nix
@@ -87,6 +90,7 @@
 specialArgs = { inherit inputs; };
 modules = [
 catppuccin.nixosModules.catppuccin
+ sops-nix.nixosModules.sops
 ./hosts/tanzanite/default.nix
 ./users/nyadmin/default.nix
@@ -127,5 +131,9 @@
 nixpkgs-xr.url = "github:nix-community/nixpkgs-xr";
 nixos-hardware.url = "github:Nixos/nixos-hardware/master";
 nixpkgs-quartus.url = "github:nixos/nixpkgs/nixos-22.05";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 }
diff --git a/secrets/stitchynyan/secrets.yaml b/secrets/stitchynyan/secrets.yaml
new file mode 100644
index 0000000..4432999
--- /dev/null
+++ b/secrets/stitchynyan/secrets.yaml
@@ -0,0 +1,17 @@
+password-hash:
+ stitchynyan: ENC[AES256_GCM,data:bYrGWN3qhak742yo5fP+R767NrCDlc91ngxKA/e68uIXesx+J9od0C9VwBYtK6VfqUHT/3CkGRPxj9r73wrnSkYgpzZZ41syqg==,iv:uD1BBpzcRpGZpWEjxWT9cqDJfBqtj336/FOmVkEASE4=,tag:zEc0QlQPaKUfQpxwfbp68A==,type:str]
+sops:
+ age:
+ - recipient: age1ew0qvrhjafqcdluupf0etgchh7h7987kgqnfvh7plxe44k8xy94qw9pe5n
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4MFdlSFQ4WjVwbFExUFdD
+ c05BOTJTSkdXM3hzdkdVTXN1bGh6bk92TFdJCjB5OUZyWDdqalU3akRKaHV4a3FE
+ YkdVUW9SRHA5NDJoT01wa1VOQTZGTGsKLS0tIGMwWVpGMHJEWDhpSVNLV1liWUhj
+ ZW1XSm9Td0JVODhBYnFpcnlNMHFvWkUKz0GCB+DYOXO5szkAtVhjnzjzPgMvAvc1
+ NuQRV9uI5OPElhkucxhO9QhQQ8OLl/5rv4UYJHuEaGbz9ijMOdrvFQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-10-30T05:24:37Z"
+ mac: ENC[AES256_GCM,data:+XXEIMIWoPhJFWQ4D8CFLNFL5ZjHya9tFrVlW6rUb7/NXEkN3UoqtnUxOJFw6dGjU7L9vX6p5dSYnGejhRFgZPXWGJywDoJiNg/A63HPhQNECNO7xKrHsB238PsNzBCC0p47R0XELywd77zZ8BHtezty6+8x5x6md7+kE5sDzgU=,iv:+MZKzxv5oYCldq7SQxl7kYwPb9IoDKp0im8yoU7KsSw=,tag:FXrj7o1Y6n9Ir9V03aLyww==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/users/stitchynyan/default.nix b/users/stitchynyan/default.nix
index e8b1045..140015e 100644
--- a/users/stitchynyan/default.nix
+++ b/users/stitchynyan/default.nix
@@ -54,11 +54,16 @@
 xserver.enable = true;
 };
+ sops.secrets."password-hash/stitchynyan" = {
+ neededForUsers = true;
+ sopsFile = ../../secrets/stitchynyan/secrets.yaml;
+ };
+
 users.users.stitchynyan = {
 description = "Personal user";
 extraGroups = [ "audio" "dialout" "docker" "kvm" "libvirtd" "networkmanager" "plugdev" "wireshark" "wheel" ];
 home = "/home/stitchynyan";
- initialHashedPassword = "$y$j9T$rvySCWHYE4AO4A9J0Vf20.$x5hpBNsOWovQFtNfFUIt17OAH5MJFwFBGjxbaEIagJ3";
+ hashedPasswordFile = config.sops.secrets."password-hash/stitchynyan".path;
 isNormalUser = true;
 shell = pkgs.zsh;
 };
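Review bot: This file has a single age recipient, `age1ew0…` (the `&server_lappy` key in `.sops.yaml`), yet the module that consumes `password-hash/stitchynyan`, `users/stitchynyan/default.nix`, is imported by both the `malachite` and `lappy` configurations in `flake.nix`. Unless malachite's sops-nix key happens to be the same as lappy's, malachite cannot decrypt this file, and because the secret is marked `neededForUsers` the failure surfaces during early activation, before the user is created. Add malachite's host age key as a recipient for `secrets/stitchynyan/` in `.sops.yaml` and run `sops updatekeys` on this file, and consider listing an admin key as well so the file can be edited without access to a host's private key.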
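Review bot: `hashedPasswordFile = config.sops.secrets."password-hash/stitchynyan".path` requires `config` in the module's argument set, which is outside this hunk; if the file is written as `{ pkgs, ... }:` this line fails to evaluate. The swap also changes when the hash is applied: `initialHashedPassword` only takes effect when the user is first created, whereas `hashedPasswordFile` is, as far as I recall, consulted on activation (the exact behaviour depends on `users.mutableUsers`, which is not visible here), so confirm that is intended. The removed yescrypt hash remains in repository history; if the encrypted value is the same hash, moving it into sops gains nothing until the password is rotated, and a short comment on the `sops.secrets` block recording that the hash must be regenerated rather than copied from the old commit would help future maintainers. The enclosing module starts before and ends after this hunk.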