From b8f99cf3bcec82303b28db7b9acb7b220aaaf0f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?=
Date: Tue, 29 Oct 2024 10:06:17 +0100
Subject: [PATCH] add sops support
---
 .envrc | 1 +
 .gitignore | 3 ++-
 .sops.yaml | 10 ++++++++++
 flake.lock | 24 ++++++++++++++++++++++++
 flake.nix | 15 ++++++++++++++-
 modules/default.nix | 1 +
 modules/secrets/sops.nix | 14 ++++++++++++++
 7 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 .envrc
 create mode 100644 .sops.yaml
 create mode 100644 modules/secrets/sops.nix
diff --git a/.envrc b/.envrc
new file mode 100644
index 00000000..8392d159
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index e2f5dd2e..76570c15 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-result
\ No newline at end of file
+result
+.direnv/
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 00000000..a9403124
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+ - &lotte age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
+ - &vf2 age1emv3kzvwgl36hgllrv7rlekqy3y3c6eztadl3lv09ks3z9vv6vdqw06yqa
+
+creation_rules:
+ - path_regex: machine/vf2/secrets\.yaml$
+ key_groups:
+ - age:
+ - *vf2
+ - *lotte
diff --git a/flake.lock b/flake.lock
index 9ee08d2d..34054541 100644
--- a/flake.lock
+++ b/flake.lock
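Review bot: The two `age1…` recipients under `keys:` in the new `.sops.yaml` are undocumented, so a reader cannot tell which is a person's key and which is the vf2 host identity that `modules/secrets/sops.nix` decrypts with; a comment on each entry would fix that, e.g. `# lotte: operator key` and `# vf2: host recipient, presumably ssh-to-age of its ed25519 SSH host key — confirm`. These are public age recipients, so committing them is fine, but any change to the recipient list has to be followed by `sops updatekeys` on the matching secrets file, which is worth stating in the same comment. `path_regex` is end-anchored only, which is the usual sops convention; sops refuses to encrypt a file that matches no rule, so each further machine that gains a `secrets.yaml` will need its own rule here.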
@@ -261,9 +261,33 @@
 "nixpkgs": "nixpkgs",
 "pre-commit-hooks": "pre-commit-hooks",
 "riscv-overlay": "riscv-overlay",
+ "sops-nix": "sops-nix",
 "systems": "systems"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1729999681,
+ "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index c3b911a8..0987ecb8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -51,6 +51,11 @@
 url = "github:DarkKirb/riscv-overlay";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ inputs.nixpkgs-stable.follows = "nixpkgs";
+ };
 systems.url = "github:nix-systems/default";
 };
 
@@ -139,8 +144,16 @@
 in
 containers;
 hydraJobs = {
- inherit (self) checks;
+ inherit (self) checks devShells;
 nixosConfigurations = nixpkgs.lib.mapAttrs (_: v: v.config.system.build.toplevel) self.nixosConfigurations;
 };
+ devShells.x86_64-linux.default = with pkgsFor "x86_64-linux";
+ mkShell {
+ nativeBuildInputs = with pkgs; [
+ age
+ sops
+ ssh-to-age
+ ];
+ };
 };
 }
diff --git a/modules/default.nix b/modules/default.nix
index 11cd9298..91b8d70d 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,5 +4,6 @@
 ./containers/autoconfig.nix
 ./nix/lix.nix
 ./environment/impermanence.nix
+ ./secrets/sops.nix
 ];
 }
diff --git a/modules/secrets/sops.nix b/modules/secrets/sops.nix
new file mode 100644
index 00000000..e0332982
--- /dev/null
+++ b/modules/secrets/sops.nix
@@ -0,0 +1,14 @@
+{
+ sops-nix,
+ config,
+ ...
+}: {
+ imports = [
+ "${sops-nix}/modules/sops"
+ ];
+ sops.age = {
+ sshKeyPaths = [
+ "/etc/ssh/ssh_host_ed25519_key"
+ ];
+ };
+}
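Review bot: In the new `devShells.x86_64-linux.default` of flake.nix the inner `with pkgs;` is redundant and shadows the outer `with pkgsFor "x86_64-linux";` — `pkgs` there resolves to whatever the enclosing scope or the package set's own `pkgs` attribute happens to provide, which is easy to misread; `nativeBuildInputs = [ age sops ssh-to-age ];` under the single outer `with` is enough. The shell is also pinned to x86_64-linux although the flake takes a `systems` input, so if it is meant for other hosts too, generating it per system would avoid a second copy later. Adding `devShells` to `hydraJobs` means Hydra now builds the shell derivation on every evaluation, which looks intended but deserves a word in the commit message. The enclosing `outputs` function starts outside the hunk.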
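Review bot: `sops.age.sshKeyPaths` in the new modules/secrets/sops.nix points at `/etc/ssh/ssh_host_ed25519_key`, but modules/default.nix also imports `./environment/impermanence.nix`, so unless that host key lives on persistent storage it is regenerated on reboot, no longer matches the `vf2` recipient in `.sops.yaml`, and secrets become undecryptable at activation; worth a comment such as `# this host key is the age identity for sops — it must survive reboots (check environment/impermanence.nix)` and a check that the impermanence config covers it. `config` is taken as a module argument but never used and can be dropped. Taking `sops-nix` as a module argument also requires the flake to pass it through `specialArgs`, which this patch does not show; a one-line comment on the `imports` entry saying so would help the next reader. If I remember sops-nix correctly its default for `sshKeyPaths` is already the ed25519 entries of `services.openssh.hostKeys`, so the explicit list is only needed where that default does not apply.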