inital steps into sops-nix. figured out ssh pubkey management.

configs/home-manager/sops.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}: let
+  secretsPath = builtins.toString inputs.nix-secrets;
+in {
+  imports = [
+    inputs.sops-nix.homeManagerModules.sops
+  ];
+
+  sops={
+    defaultSopsFile="${secretsPath}/secrets.yaml";
+    age={
+      sshKeyPaths=["${config.home.homeDirectory}/keys/age/master.txt"];
+      keyFile="/var/lib/sops-nix/key.txt";
+      generateKey=true;
+    };
+  };
+}

flake.lock

@@ -237,6 +237,23 @@
         "type": "github"
       }
     },
+    "nix-secrets": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1717206943,
+        "narHash": "sha256-TtBaZMGhA8fkQbt/RKJml992JFr/sdz4gqdIJeu6ltk=",
+        "ref": "refs/heads/main",
+        "rev": "3e19bf8fce17779c5f6fce5f8f894de8a5193fa2",
+        "shallow": true,
+        "type": "git",
+        "url": "ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git"
+      },
+      "original": {
+        "shallow": true,
+        "type": "git",
+        "url": "ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git"
+      }
+    },
     "nixos-wsl": {
       "inputs": {
         "flake-compat": [
@@ -361,6 +378,7 @@
         "flake-compat": "flake-compat",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
+        "nix-secrets": "nix-secrets",
         "nixos-wsl": "nixos-wsl",
         "nixpkgs": "nixpkgs",
         "nixvim": "nixvim",

flake.nix

@@ -42,6 +42,12 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    nix-secrets = {
+      url = "git+ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git?shallow=1";
+      # url = "git+https://git.venberg.xyz/Gabe/nix-secrets.git?shallow=1";
+      flake = false;
+    };
+
     # just for follows statements
     flake-utils.url = "github:numtide/flake-utils";
     flake-compat.url = "github:edolstra/flake-compat";
@@ -58,6 +64,8 @@
       "x86_64-linux"
       "aarch64-linux"
     ];
+    inherit (nixpkgs) lib;
+    configLib=import ./lib {inherit lib;};
   in {
     formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.alejandra);
 
@@ -69,9 +77,6 @@
           packages = with pkgs; [
             just
             deploy-rs.packages.${system}.deploy-rs
-            age
-            ssh-to-age
-            sops
           ];
         };
       }
@@ -82,18 +87,18 @@
     # NixOS configuration entrypoint
     # Available through 'nixos-rebuild --flake .#your-hostname'
     nixosConfigurations = {
-      archlaptop-vm = import ./hosts/archlaptop-vm {inherit inputs outputs;};
-      workstation-vm = import ./hosts/workstation-vm {inherit inputs outputs;};
-      gv-wsl = import ./hosts/wsl-workstation.nix {inherit inputs outputs;};
+      archlaptop-vm = import ./hosts/archlaptop-vm {inherit inputs outputs configLib;};
+      workstation-vm = import ./hosts/workstation-vm {inherit inputs outputs configLib;};
+      gv-wsl = import ./hosts/wsl-workstation.nix {inherit inputs outputs configLib;};
     };
 
     # Standalone home-manager configuration entrypoint
     # Available through 'home-manager --flake .#your-username@your-hostname'
     homeConfigurations = {
-      "gabe@archlaptop" = import ./hosts/home-personal.nix {inherit inputs outputs;};
-      "gabe@linuxgamingrig" = import ./hosts/home-personal.nix {inherit inputs outputs;};
-      "gabe@gv-workstation" = import ./hosts/home-workstation.nix {inherit inputs outputs;};
-      "gabe@gv-ubuntu" = import ./hosts/home-workstation.nix {inherit inputs outputs;};
+      "gabe@archlaptop" = import ./hosts/home-personal.nix {inherit inputs outputs configLib;};
+      "gabe@linuxgamingrig" = import ./hosts/home-personal.nix {inherit inputs outputs configLib;};
+      "gabe@gv-workstation" = import ./hosts/home-workstation.nix {inherit inputs outputs configLib;};
+      "gabe@gv-ubuntu" = import ./hosts/home-workstation.nix {inherit inputs outputs configLib;};
     };
 
     templates = import ./templates {inherit inputs outputs;};

hosts/archlaptop-vm/default.nix

@@ -1,11 +1,12 @@
 {
   inputs,
   outputs,
+  configLib,
   ...
 }:
 inputs.nixpkgs.lib.nixosSystem {
   system = "x86_64-linux";
-  specialArgs = {inherit inputs outputs;};
+  specialArgs = {inherit inputs outputs configLib;};
   # > Our main nixos configuration file <
   modules = [
     inputs.home-manager.nixosModules.home-manager
@@ -19,6 +20,7 @@ inputs.nixpkgs.lib.nixosSystem {
     ({
       config,
       pkgs,
+      configLib,
       ...
     }: {
       host = {
@@ -39,6 +41,9 @@ inputs.nixpkgs.lib.nixosSystem {
         xkb.variant = "";
       };
 
+      users.users.root.openssh.authorizedKeys.keys =
+      configLib.dirToStrings "${inputs.nix-secrets}/public-keys";
+
       programs.zsh.enable = true;
       environment.shells = with pkgs; [zsh];
       # Define a user account. Don't forget to set a password with ‘passwd’.
@@ -51,6 +56,7 @@ inputs.nixpkgs.lib.nixosSystem {
           firefox
           #  thunderbird
         ];
+        openssh.authorizedKeys.keys=config.users.users.root.openssh.authorizedKeys.keys;
       };
 
       home-manager.users.${config.host.user} = {

hosts/home-personal.nix

@@ -1,16 +1,18 @@
 {
   inputs,
   outputs,
+  configLib,
   ...
 }:
 inputs.home-manager.lib.homeManagerConfiguration {
   pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
-  extraSpecialArgs = {inherit inputs outputs;};
+  extraSpecialArgs = {inherit inputs outputs configLib;};
   modules = [
     ({
       config,
       pkgs,
       lib,
+      configLib,
       ...
     }: {
       # machine specific options

hosts/home-workstation.nix

@@ -1,17 +1,19 @@
 {
   inputs,
   outputs,
+  configLib,
   ...
 }:
 inputs.home-manager.lib.homeManagerConfiguration {
   pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; # Home-manager requires 'pkgs' instance
-  extraSpecialArgs = {inherit inputs outputs;};
+  extraSpecialArgs = {inherit inputs outputs configLib;};
   modules = [
     inputs.nixvim.homeManagerModules.nixvim
     ({
       config,
       pkgs,
       lib,
+      configLib,
       ...
     }: {
       # machine specific options

hosts/workstation-vm/default.nix

@@ -4,11 +4,12 @@
 {
   inputs,
   outputs,
+  configLib,
   ...
 }:
 inputs.nixpkgs.lib.nixosSystem {
   system = "x86_64-linux";
-  specialArgs = {inherit inputs outputs;};
+  specialArgs = {inherit inputs outputs configLib;};
   # > Our main nixos configuration file <
   modules = [
     inputs.home-manager.nixosModules.home-manager
@@ -20,10 +21,13 @@ inputs.nixpkgs.lib.nixosSystem {
     ../../configs/nixos/nfsv2.nix
     ../../configs/nixos/i3
     ../../configs/nixos/common.nix
+    ./secrets.nix
     ({
       config,
       pkgs,
       lib,
+      inputs,
+      configLib,
       ...
     }: {
       host = {
@@ -44,10 +48,15 @@ inputs.nixpkgs.lib.nixosSystem {
         xkb.variant = "";
       };
 
+      users.users.root.openssh.authorizedKeys.keys =
+        configLib.dirToStrings "${inputs.nix-secrets}/public-keys";
+
       programs.zsh.enable = true;
       environment.shells = with pkgs; [zsh];
       # Define a user account. Don't forget to set a password with ‘passwd’.
+      users.mutableUsers = false;
       users.users.${config.host.user} = {
+        hashedPasswordFile = config.sops.secrets.gv-password.path;
         isNormalUser = true;
         description = "Gabe Venberg";
         shell = pkgs.zsh;
@@ -56,6 +65,7 @@ inputs.nixpkgs.lib.nixosSystem {
           firefox
           #  thunderbird
         ];
+        openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
       };
 
       home-manager.users.${config.host.user} = {

hosts/workstation-vm/secrets.nix

@@ -0,0 +1,20 @@
+{
+  inputs,
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  secretsDirectory = builtins.toString inputs.nix-secrets;
+in {
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+  sops = {
+    defaultSopsFile = "${secretsDirectory}/common.yaml";
+    validateSopsFiles = false;
+    secrets.gv-password={
+      neededForUsers=true;
+    };
+  };
+}

hosts/wsl-workstation.nix

@@ -1,10 +1,11 @@
 {
   inputs,
   outputs,
+  configLib,
 }:
 inputs.nixpkgs.lib.nixosSystem {
   system = "x86_64-linux";
-  specialArgs = {inherit inputs outputs;};
+  specialArgs = {inherit inputs outputs configLib;};
   # > Our main nixos configuration file <
   modules = [
     inputs.home-manager.nixosModules.home-manager
@@ -13,6 +14,7 @@ inputs.nixpkgs.lib.nixosSystem {
     ({
       config,
       pkgs,
+      configLib,
       ...
     }: {
       wsl.enable = true;

justfile

@@ -3,14 +3,17 @@ default:
 
 nixos target=`hostname`:
     git add -AN
+    nix flake lock --update-input nix-secrets
     sudo nixos-rebuild --flake .#{{target}} switch
 
 home-manager target=(`whoami`+"@"+`hostname`):
     git add -AN
+    nix flake lock --update-input nix-secrets
     home-manager --flake .#{{target}} switch
 
 check:
     git add -AN
+    nix flake lock --update-input nix-secrets
     nix flake check --keep-going
 
 bootstrap-home-manager target=(`whoami`+"@"+`hostname`):

lib/default.nix

@@ -0,0 +1,12 @@
+{lib}: {
+  dirToStrings = dir: (map (v: builtins.readFile "${dir}/${v}")
+    (builtins.filter (v:
+      (builtins.readFileType "${dir}/${v}") == "regular") (
+      if (builtins.pathExists dir && (builtins.readFileType dir) == "directory")
+      then
+        builtins.attrNames (
+          builtins.readDir dir
+        )
+      else []
+    )));
+}