diff --git a/.sops.yml b/.sops.yml
new file mode 100644
index 00000000..28b16946
--- /dev/null
+++ b/.sops.yml
@@ -0,0 +1,9 @@
+keys:
+ - &lotte age1k5emdjljm5amrquky2tn3khqt38wq62s797nujxuhp8j6x7k5p0sedv0q2
+ - &nixos-8gb-fsn1-1 age1273ps5thcy70ckdt0270s2nysqgu48t38pq3wq975v3y7mf4eavsw38wsl
+creation_rules:
+ - path_regex: secrets/nixos-8gb-fsn1-1/[^/]+$
+ key_groups:
+ - age:
+ - *lotte
+ - *nixos-8gb-fsn1-1
diff --git a/config/default.nix b/config/default.nix
index 39cc9dfa..9c763841 100644
--- a/config/default.nix
+++ b/config/default.nix
@@ -3,6 +3,7 @@
 ./zfs.nix
 ./users/darkkirb.nix
 ./nix.nix
+ ./sops.nix
 ];
 services.openssh.enable = true;
 environment.systemPackages = [ pkgs.git ];
diff --git a/config/sops.nix b/config/sops.nix
new file mode 100644
index 00000000..83d2da95
--- /dev/null
+++ b/config/sops.nix
@@ -0,0 +1,5 @@
+{ config, ... }:
+{
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.defaultSopsFile = ../secrets + "/${config.networking.hostName}/config.yaml";
+}
diff --git a/flake.lock b/flake.lock
index b07f217c..1d97b4d3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -22,11 +22,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1642154755,
- "narHash": "sha256-hutfaWfSjrZgcJrLx7cpqofxv6By0pEU4K2xrGGgdPU=",
+ "lastModified": 1642167199,
+ "narHash": "sha256-KvwIaVwoa90jn8E0PhHlpnLxRHQFKb7nfpE0t8KCokU=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c9101439cd6e924ee1e09888e0a110973ec56dfa",
+ "rev": "790b76e23d6ec303916e190b5400b27e7ca82620",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index abca2cb5..756744da 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,7 +8,7 @@ rec {
 inputs.sops-nix.url = github:Mic92/sops-nix;
 inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs";
- outputs = { self, nixpkgs, ... } @ args: {
+ outputs = { self, nixpkgs, sops-nix, ... } @ args: {
 nixosConfigurations = let
 systems = [
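Review bot: The two age recipients under `keys:` carry no provenance, and `config/sops.nix` in the same commit decrypts with `/etc/ssh/ssh_host_ed25519_key`, so `nixos-8gb-fsn1-1` presumably has to be the ssh-to-age conversion of that host's public key; nothing in the file lets a reader verify that or know how to regenerate it. Add a comment above each anchor, e.g. `# nixos-8gb-fsn1-1: ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub on that host; re-run and then sops updatekeys after any host-key regeneration` and `# lotte: admin editing key, private half never enters the repo`. The single `creation_rules` entry is scoped to one host directory, which is fail-closed for any other path; a one-line comment noting that each new host needs its own rule would save the next person an opaque "no matching creation rule" error.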
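Review bot: `sops.defaultSopsFile` resolves to `secrets/<hostName>/config.yaml`, but the encrypted file this commit adds is `secrets/nixos-8gb-fsn1-1/secrets.yaml`; unless `networking.hostName` differs from that directory name, the first `sops.secrets.*` declaration will fail on a missing file. Change the line to `sops.defaultSopsFile = ../secrets + "/${config.networking.hostName}/secrets.yaml";`. It is also worth recording that the SSH host key is the only decryption root on the machine, e.g. `# age identity is derived from the SSH host key; regenerating that key means re-encrypting every secrets file for this host` above `sops.age.sshKeyPaths`.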
@@ -24,6 +24,7 @@ rec {
 modules = [
 (./config + "/${name}.nix")
 ./config/default.nix
+ sops-nix.nixosModules.sops
 ];
 };
 })
diff --git a/secrets/nixos-8gb-fsn1-1/secrets.yaml b/secrets/nixos-8gb-fsn1-1/secrets.yaml
new file mode 100644
index 00000000..7b7b5d77
--- /dev/null
+++ b/secrets/nixos-8gb-fsn1-1/secrets.yaml
@@ -0,0 +1,32 @@
+network:
+ wireguard:
+ privkey: ENC[AES256_GCM,data:+avWYsJmrVYFnwi6T6NqQiXH1U+q3DsvMUT+pG4P2zJ+typzA3dQ+85HBVc=,iv:mdf2+p+7FOUPUNAmfS+CAMkw6xTHrjxQDTVDAHF4qbA=,tag:Ano//8t7dDjqfFVmdQXsfw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1k5emdjljm5amrquky2tn3khqt38wq62s797nujxuhp8j6x7k5p0sedv0q2
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4akg2SDcvV1d2Q1JaRWxS
+ clV4YlY4aWUrY1U3ejIxSTQrSmNrQzE1bm5RCldJeGxFdEpzVzFzSVZEczdIeHJD
+ MDl6TlJUUTBmcjE3UVBRYSt5eTZWbUEKLS0tIHZ6b1ZyQXNSWWZoZHRPSm5FdWN4
+ ZkZVdk5jL0xxT3haRFg0WVJCNXJHYkUKlHrEyD0atydLMEX3S9F6b897G1YY88zu
+ l6gfV2/si4TXJPUwhfJej56RLq40i2uA2ZQT/I3XMccojMm5DvtS0A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1273ps5thcy70ckdt0270s2nysqgu48t38pq3wq975v3y7mf4eavsw38wsl
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSGxIb2VFQ1BqWU9BWng2
+ NHhRc1A4TlZtTlhtYlNFYWczaUsxbW90bXpzCkRGYWVScXZkVFFuRVV2RGdJbW1B
+ ZzFFYUNzMHdpSTIzQnh5c2RaYUw5cTAKLS0tIDRLQ211Z3JuUE9DaUZGWWh5S1VS
+ QkkzbUVrVWtYMWhLa0N5MzJ2KzV4MW8KEAtd2cnwNH01rYUFr+qWyAhHvUsqsxXg
+ not2RQLEIGbo80Z7CMIwqCIpUYOL4m70KlEKrFzflXFbOFX2en82iA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-01-14T14:10:36Z"
+ mac: ENC[AES256_GCM,data:IJi2TNEG41bgjekGE67iwQrt1ZlmtN7QS8A4M4i417hao+g7IORArXSHDRTWrYT0Gw9xE7NEWtrnRue9ompPcgTV1bGt0Re2EAB+5TI4/7fFbxuIvpYZqhqIFUFEmOyYl+QqkvUH6yKdfdsVj4WgVI8mucxF890F5cWJ1abMaww=,iv:Rr9R3whv7gdBcj/nrsmqTm/JhqvhzdIgMh/Q8EFKP1s=,tag:sFlL5fyP/HWckrmZSgj5zA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.1
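Review bot: Nothing in this commit declares a `sops.secrets` entry for `network/wireguard/privkey`, so as far as the diff shows the value is encrypted at rest but never materialised on the host; that is acceptable as a staging step, but the consuming module will have to reference exactly this nested key path, and the file name (`secrets.yaml`) must agree with whatever `sops.defaultSopsFile` points at. The recipient list matches the two keys in `.sops.yml`, so the personal `lotte` key can decrypt this host's secrets offline, which is presumably intended for editing. Note that `unencrypted_suffix: _unencrypted` is the sops default, so any key later renamed with that suffix will be committed in plaintext and only covered by the MAC, not encrypted.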