diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..915c7ae
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &terra age167thunwadsswd0u37tajk85wy4x7sgw6sg3j2aspcax7essmge6qwen0uz
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *terra
diff --git a/flake.lock b/flake.lock
index 76dcccd..3fef56f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -36,6 +36,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1716061101,
+ "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "plasma-manager": {
 "inputs": {
 "home-manager": [
@@ -63,7 +79,29 @@
 "inputs": {
 "home-manager": "home-manager",
 "nixpkgs": "nixpkgs",
- "plasma-manager": "plasma-manager"
+ "plasma-manager": "plasma-manager",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1716400300,
+ "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 7d26f93..8b99acb 100644
--- a/flake.nix
+++ b/flake.nix
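Review bot: `creation_rules` encrypts `secrets/secrets.yaml` to a single age recipient (`&terra`), so that one private key is the only way to decrypt the file; if it is lost or rotated, every value has to be re-created rather than re-encrypted. Consider a second entry under `key_groups` / `age` — an offline admin or backup key, or one recipient per host — and run `sops updatekeys secrets/secrets.yaml` after changing the list so the existing file is re-wrapped. The commented sops block in machines/common/configuration.nix suggests a per-host key (`generateKey = true`), and a host whose key is not listed here presumably cannot decrypt the file as configured; that is inferred, since the block is commented out. `path_regex` is unanchored at the front, so it also matches any nested `.../secrets/secrets.yaml`; `path_regex: ^secrets/secrets\.yaml$` pins it to the intended file.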
@@ -1,19 +1,22 @@ { - description = "Your new nix config"; - inputs = { - # Nixpkgs nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - # Home manager - home-manager.url = "github:nix-community/home-manager"; - home-manager.inputs.nixpkgs.follows = "nixpkgs"; + home-manager = { + url = "github:nix-community/home-manager"; + inputs.nixpkgs.follows = "nixpkgs"; + }; plasma-manager = { url = "github:pjones/plasma-manager"; inputs.nixpkgs.follows = "nixpkgs"; inputs.home-manager.follows = "home-manager"; }; + + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = { @@ -21,6 +24,7 @@ nixpkgs, home-manager, plasma-manager, + sops-nix, ... } @ inputs: let inherit (self) outputs; @@ -60,6 +64,7 @@ modules = [ ./machines/luna/configuration.nix home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops { home-manager.sharedModules = [ plasma-manager.homeManagerModules.plasma-manager ]; } @@ -70,6 +75,7 @@ modules = [ ./machines/terra/configuration.nix home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops { home-manager.sharedModules = [ plasma-manager.homeManagerModules.plasma-manager ]; } @@ -79,6 +85,7 @@ specialArgs = {inherit inputs outputs;}; modules = [ ./machines/solis/configuration.nix + sops-nix.nixosModules.sops ]; }; }; diff --git a/home-manager/apps.nix b/home-manager/apps.nix index ff0829e..ec1b470 100644 --- a/home-manager/apps.nix +++ b/home-manager/apps.nix @@ -58,6 +58,7 @@ reaper retext solaar + sops spotify thunderbird whatsapp-for-linux diff --git a/home-manager/server-apps.nix b/home-manager/server-apps.nix index 1536805..0bb7c10 100644 --- a/home-manager/server-apps.nix +++ b/home-manager/server-apps.nix @@ -33,6 +33,7 @@ gnupg jdk python3 + sops tailscale tmux wakeonlan diff --git a/machines/common/configuration.nix b/machines/common/configuration.nix index eca3c4b..3cf36eb 100644 --- a/machines/common/configuration.nix +++ b/machines/common/configuration.nix 
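Review bot: The new `sops-nix` input only sets `inputs.nixpkgs.follows = "nixpkgs"`, while flake.lock shows sops-nix also carries a `nixpkgs-stable` input, which this commit locks to a separate `release-23.11` checkout of nixpkgs. Unless that stable branch is wanted for something specific, adding `inputs.nixpkgs-stable.follows = "nixpkgs";` to the `sops-nix` block keeps the lock to one nixpkgs tree and avoids fetching and evaluating a second one. The enclosing `inputs` set begins at the top of the file and the hunk continues past it into `outputs`. The later hunks add `sops-nix.nixosModules.sops` to each host's `modules` list, so the commented `inputs.sops-nix.nixosModules.sops` import in machines/common/configuration.nix would duplicate it if ever uncommented.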
@@ -8,6 +8,7 @@ }: { imports = [ ../../pkgs/zsh.nix +# inputs.sops-nix.nixosModules.sops ]; nixpkgs = { @@ -51,35 +52,51 @@ fallbackDns = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ]; }; - # services.syncthing = { - # enable = true; - # user = "horseman"; - # dataDir = "/home/horseman"; - # configDir = "/home/horseman/.config/syncthing"; - # overrideDevices = true; - # overrideFolders = true; - # settings = { - # devices = { - # "luna" = ; - # "terra" = ; - # "solis" = ; - # }; - # folders = { - # "Documents" = { - # path = "/home/horseman/Documents"; - # devices = [ "solis" "terra" "luna" ]; - # }: - # "Programming" = { - # path = "/home/horseman/Programming"; - # devices = [ "solis" "terra" "luna" ]; - # }; - # }; - # gui = { - # user = ; - # password = ; - # }; - # }; - # }; +# sops = { +# defaultSopsFile = ../../secrets/secrets.yaml; +# defaultSopsFormat = "yaml"; +# age = { +# sshKeyPaths = [ "/etc/ssh/id_ed25519" ]; +# keyFile = "/home/horseman/.config/sops/age/keys.txt"; +# generateKey = true; +# }; +# +# secrets = { +# "syncthing/solis".owner = "horseman"; +# "syncthing/terra".owner = "horseman"; +# "syncthing/luna".owner = "horseman"; +# }; +# }; + +# services.syncthing = { +# enable = true; +# user = "horseman"; +# dataDir = "/home/horseman"; +# configDir = "/home/horseman/.config/syncthing"; +# overrideDevices = true; +# overrideFolders = true; +# settings = { +# devices = { +# "luna" = ; +# "terra" = ; +# "solis" = ; +# }; +# folders = { +# "Documents" = { +# path = "/home/horseman/Documents"; +# devices = [ "solis" "terra" "luna" ]; +# }: +# "Programming" = { +# path = "/home/horseman/Programming"; +# devices = [ "solis" "terra" "luna" ]; +# }; +# }; +# gui = { +# user = ; +# password = ; +# }; +# }; +# }; users.users = { horseman = { @@ -91,8 +108,8 @@ "ssh-rsa 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 horseman@terra" ]; extraGroups = [ - "wheel" - "networkmanager" + "wheel" + "networkmanager" ]; }; }; 
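Review bot: In the second hunk the commented `sops` block points `age.keyFile` at `/home/horseman/.config/sops/age/keys.txt` with `generateKey = true`; sops-nix decrypts during system activation as root, so the host's decryption key would live inside a user's home directory, subject to that user's directory permissions and backups, and a key generated per host would not match the single recipient listed in `.sops.yaml` and `secrets/secrets.yaml`, so other hosts would fail to decrypt. If this block is enabled, prefer a root-owned path such as `keyFile = "/var/lib/sops-nix/key.txt";` (the location used in sops-nix's documentation) or derive the key from the host SSH key, and add each host's public key as a recipient. `sshKeyPaths = [ "/etc/ssh/id_ed25519" ]` is also not the path NixOS generates host keys at — that is `/etc/ssh/ssh_host_ed25519_key` — so confirm which key this is meant to read. The first hunk's commented `inputs.sops-nix.nixosModules.sops` import duplicates the module already added per host in flake.nix and can be dropped; the enclosing attribute set starts and ends outside these hunks.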
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..5fc9eb4
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,27 @@
+syncthing:
+ #ENC[AES256_GCM,data:LJUC,iv:MlEcsaCuH7W/cj/JQhYAKJVwyQ+Uqk7I4/WFZeBpr04=,tag:hlEgSpdtXx1Twt+SIIckGg==,type:comment]
+ solis: null
+ #ENC[AES256_GCM,data:6MOB,iv:7Rmzh5LYM7wD+K6Idi2DLkyKSSm8/rgQtUWf8gPEMzQ=,tag:EmCkhFO7016xszMogrNUpg==,type:comment]
+ terra: null
+ #ENC[AES256_GCM,data:1EoT,iv:ytmfI03F4A4qMtk3l7HYGyng/NIWHho+Riq8Fj6vtCE=,tag:U/4qWsZYA+dU4dcJ7lkx5Q==,type:comment]
+ luna: null
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age167thunwadsswd0u37tajk85wy4x7sgw6sg3j2aspcax7essmge6qwen0uz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2S3hLRWQrSHBQdjNhbDV2
+ VmwrbUVsc0IwaDZKUndOTEMxN0kwWUtaYzJrCjJtNUdBMkhDVDB0akg2TTlqS1lF
+ NWJESlorR28rUGZHeEh6dFJYcEFsQnMKLS0tIFY3b0ZDSzM3SGVCZW9xcnJLc296
+ ckJwQ3EzU2JzdGhnWkNnRExRNlprM28KUHkZe8FvLOAt+UVqvgOxBQdApbEXQ44v
+ vXW8UtZuq7GjsP5qD2MK6oKs/ZDfe+PhqiWl4ONNHvpn8rmfbQDcRw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-24T19:11:16Z"
+ mac: ENC[AES256_GCM,data:UAz/pCKzV0HPFfus7tKafOLr1DWIBWWBVNDs6C43m+QdWpUHQ99jgK7yyq8YbAglGIfWB3AIlriQkcem9Wx3ExVh1BPKtCzwnfjFBEhzPws428JIzEOIZzrSk6tho2bvjaaOTQOWOERmbJhiL/e1pXdX+pln+kEtLdeq/9TDRK8=,iv:QtJPxvq9mGCu2Df5m+E+2+XD25so1cyDga/mdjBaH5c=,tag:TGllydw+4XGLIqnZ5QDxdg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
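Review bot: All three leaf values (`solis`, `terra`, `luna`) are `null` and appear in clear, so the file currently carries no secret; only the three comments and the `mac` are wrapped in `ENC[...]`. That is harmless in itself, but sops encrypts values rather than keys, so the structure — the host names under `syncthing` — stays readable in the repository for any future content as well. When real values are added, edit with `sops secrets/secrets.yaml` rather than a plain editor so each value receives its `ENC[...]` envelope and the `mac` is recomputed; a hand-edited value would fail MAC verification when the module decrypts at activation. The file is encrypted to the single recipient declared in `.sops.yaml`, so adding a recipient there must be followed by `sops updatekeys` here.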