added sos-nix for home-manager.

This commit is contained in:
Gabe Venberg 2024-06-04 11:00:43 -05:00
parent b04ab13d39
commit 8c552faa1b
13 changed files with 73 additions and 20 deletions


@ -28,7 +28,7 @@
address = "gabevenberg@gmail.com"; address = "gabevenberg@gmail.com";
primary = true; primary = true;
flavor = "gmail.com"; flavor = "gmail.com";
passwordCommand = "cat ~/keys/plaintext/gmail"; passwordCommand = "cat ${config.sops.secrets.gmail-password.path}";
realName = "Gabe Venberg"; realName = "Gabe Venberg";
himalaya.enable = true; himalaya.enable = true;
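Review bot: The new `passwordCommand` reads `config.sops.secrets.gmail-password.path`, but this module does not declare `sops.secrets.gmail-password`; the declaration is repeated per host instead (the `sops.secrets` blocks in the nixosSystem hunk and in both homeManagerConfiguration hunks, and `irc-cert` has the same split between the tiny-irc hunk and those blocks), so importing this module into a host that omits the declaration fails at evaluation with a missing-attribute error rather than a clear message. Declaring the secret next to its consumer, e.g. `sops.secrets.gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml";` in this module if `inputs` is in scope here, would keep reference and declaration together and remove the three copies. The enclosing attribute set starts before this hunk.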


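--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,19 @@
+{
+inputs,
+config,
+lib,
+pkgs,
+...
+}: let
+secretsDirectory = builtins.toString inputs.nix-secrets;
+in {
+sops = {
+defaultSopsFile = "${secretsDirectory}/common.yaml";
+validateSopsFiles = false;
+age = {
+sshKeyPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"];
+keyFile = "${config.home.homeDirectory}/.config/sops-nix/key.txt";
+generateKey = true;
+};
+};
+}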
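Review bot: `validateSopsFiles = false;` switches off the evaluation-time check that each declared `sopsFile` exists, so a mistyped path in a host's `sops.secrets` declaration only surfaces at activation; a one-line comment stating why it is disabled, e.g. `# validateSopsFiles off: <reason>`, would save the next reader from re-deriving that. The `age.sshKeyPaths` entry makes the user's `~/.ssh/id_ed25519` the decryption identity for every home-manager secret, whereas the NixOS secrets hunk in this commit uses `/etc/ssh/ssh_host_ed25519_key`; that intentional split deserves a comment as well, and the user key has to be readable without a passphrase at activation time (I believe the ssh-to-age conversion cannot prompt there — confirm). With `generateKey = true` here and in the NixOS hunk, the key written to `keyFile` only decrypts anything if its public half is listed as a recipient in nix-secrets; if the SSH-derived identity is the only recipient, the generated key is dead weight and the option could be dropped.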


@ -11,12 +11,12 @@ in {
inputs.sops-nix.homeManagerModules.sops inputs.sops-nix.homeManagerModules.sops
]; ];
sops={ sops = {
defaultSopsFile="${secretsPath}/secrets.yaml"; defaultSopsFile = "${secretsPath}/secrets.yaml";
age={ age = {
sshKeyPaths=["${config.home.homeDirectory}/keys/age/master.txt"]; sshKeyPaths = ["${config.home.homeDirectory}/keys/age/master.txt"];
keyFile="/var/lib/sops-nix/key.txt"; keyFile = "/var/lib/sops-nix/key.txt";
generateKey=true; generateKey = true;
}; };
}; };
} }


@ -31,7 +31,7 @@
]; ];
sasl = { sasl = {
username = "toric"; username = "toric";
pem = "${config.home.homeDirectory}/keys/certs/irc.pem"; pem = config.sops.secrets.irc-cert.path;
}; };
} }
]; ];


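--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -13,5 +13,10 @@ in {
 sops = {
 defaultSopsFile = "${secretsDirectory}/common.yaml";
 validateSopsFiles = false;
+age = {
+sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+keyFile = "/var/lib/sops-nix/key.txt";
+generateKey = true;
+};
 };
 }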


@ -240,10 +240,10 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1717206943, "lastModified": 1717515079,
"narHash": "sha256-TtBaZMGhA8fkQbt/RKJml992JFr/sdz4gqdIJeu6ltk=", "narHash": "sha256-R9oet/t4zJnLKYw5ZPq6WOaKNF+EMejlgr4+Y98FbzY=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "3e19bf8fce17779c5f6fce5f8f894de8a5193fa2", "rev": "a3bd4bad51a5b753f75dc8ff0c09140331320863",
"shallow": true, "shallow": true,
"type": "git", "type": "git",
"url": "ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git" "url": "ssh://git@git.venberg.xyz:7920/Gabe/nix-secrets.git"


@ -82,7 +82,7 @@
} }
); );
lib=configLib; lib = configLib;
homeManagerModules = import ./modules/home-manager; homeManagerModules = import ./modules/home-manager;


@ -44,14 +44,14 @@ inputs.nixpkgs.lib.nixosSystem {
}; };
users.users.root.openssh.authorizedKeys.keys = users.users.root.openssh.authorizedKeys.keys =
configLib.dirToStrings "${inputs.nix-secrets}/public-keys"; configLib.dirToStrings "${inputs.nix-secrets}/public-keys";
programs.zsh.enable = true; programs.zsh.enable = true;
environment.shells = with pkgs; [zsh]; environment.shells = with pkgs; [zsh];
users.mutableUsers=false; users.mutableUsers = false;
# Define a user account. Don't forget to set a password with passwd. # Define a user account. Don't forget to set a password with passwd.
users.users.${config.host.user} = { users.users.${config.host.user} = {
hashedPasswordFile=config.sops.secrets.gv-password.path; hashedPasswordFile = config.sops.secrets.gv-password.path;
isNormalUser = true; isNormalUser = true;
description = "Gabe Venberg"; description = "Gabe Venberg";
shell = pkgs.zsh; shell = pkgs.zsh;
@ -62,6 +62,9 @@ inputs.nixpkgs.lib.nixosSystem {
]; ];
}; };
home-manager.sharedModules = [
inputs.sops-nix.homeManagerModules.sops
];
home-manager.users.${config.host.user} = { home-manager.users.${config.host.user} = {
inputs, inputs,
osConfig, osConfig,
@ -82,7 +85,15 @@ inputs.nixpkgs.lib.nixosSystem {
../../configs/home-manager/common.nix ../../configs/home-manager/common.nix
../../configs/home-manager/email.nix ../../configs/home-manager/email.nix
inputs.nixvim.homeManagerModules.nixvim inputs.nixvim.homeManagerModules.nixvim
../../configs/home-manager/secrets.nix
]; ];
sops = {
secrets = {
gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
};
};
}; };
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
services.openssh.enable = true; services.openssh.enable = true;


@ -5,8 +5,8 @@
pkgs, pkgs,
... ...
}: { }: {
imports=[ imports = [
../../configs/nixos/secrets.nix ../../configs/nixos/secrets.nix
]; ];
sops.secrets.gv-password = { sops.secrets.gv-password = {
neededForUsers = true; neededForUsers = true;


@ -37,8 +37,18 @@ inputs.home-manager.lib.homeManagerConfiguration {
../configs/home-manager/common.nix ../configs/home-manager/common.nix
../configs/home-manager/syncthing.nix ../configs/home-manager/syncthing.nix
../configs/home-manager/email.nix ../configs/home-manager/email.nix
../../configs/home-manager/tiny-irc.nix
../configs/home-manager/terminal/voice.nix ../configs/home-manager/terminal/voice.nix
../configs/home-manager/secrets.nix
inputs.sops-nix.homeManagerModules.sops
]; ];
sops = {
secrets = {
gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
};
};
}) })
inputs.nixvim.homeManagerModules.nixvim inputs.nixvim.homeManagerModules.nixvim
]; ];
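Review bot: The added import `../../configs/home-manager/tiny-irc.nix` is one directory level deeper than its siblings in the same list (`../configs/home-manager/common.nix`, `../configs/home-manager/secrets.nix`), so unless a second `configs` tree exists one level up this resolves to a path that does not exist and evaluation of this configuration will fail; the same line is added in the other homeManagerConfiguration hunk of this commit. The intended line is presumably `../configs/home-manager/tiny-irc.nix`. The enclosing imports list and attribute set start before this hunk.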


@ -41,7 +41,16 @@ inputs.home-manager.lib.homeManagerConfiguration {
../roles/home-manager/terminal.nix ../roles/home-manager/terminal.nix
../configs/home-manager/common.nix ../configs/home-manager/common.nix
../configs/home-manager/syncthing.nix ../configs/home-manager/syncthing.nix
../../configs/home-manager/tiny-irc.nix
../configs/home-manager/secrets.nix
inputs.sops-nix.homeManagerModules.sops
]; ];
sops = {
secrets = {
irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
};
};
}) })
]; ];
} }


@ -5,8 +5,8 @@
pkgs, pkgs,
... ...
}: { }: {
imports=[ imports = [
../../configs/nixos/secrets.nix ../../configs/nixos/secrets.nix
]; ];
sops.secrets.gv-password = { sops.secrets.gv-password = {
neededForUsers = true; neededForUsers = true;


@ -8,7 +8,6 @@
./minimal-terminal.nix ./minimal-terminal.nix
../../configs/home-manager/nushell ../../configs/home-manager/nushell
../../configs/home-manager/starship.nix ../../configs/home-manager/starship.nix
../../configs/home-manager/tiny-irc.nix
]; ];
user = { user = {