feat(nixos): add user password secrets to sops
This commit adds the user password secrets to sops. It leverages the `userListToAttrs` lib function.
This commit is contained in:
parent
f53a6c6c99
commit
033755b4bb
2 changed files with 24 additions and 2 deletions
|
|
@ -1,7 +1,7 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
cfg = config.flake;
|
||||
inherit (cfg.lib.modules) forAllUsers';
|
||||
inherit (cfg.lib.modules) userListToAttrs forAllUsers';
|
||||
inherit (lib.lists) optional;
|
||||
in
|
||||
{
|
||||
|
|
@ -19,13 +19,17 @@ in
|
|||
mutableUsers = false;
|
||||
groups.users.gid = 100;
|
||||
users = forAllUsers' (
|
||||
_: value: {
|
||||
name: value: {
|
||||
isNormalUser = true;
|
||||
hashedPasswordFile = config.sops.secrets."${name}/hashedPassword".path;
|
||||
extraGroups = optional (value.primary or false) "wheel";
|
||||
openssh.authorizedKeys.keys = [ value.pubkey ];
|
||||
}
|
||||
);
|
||||
};
|
||||
sops.secrets = userListToAttrs (name: {
|
||||
"${name}/hashedPassword".neededForUsers = true;
|
||||
});
|
||||
home-manager.users = forAllUsers' (
|
||||
name: _: {
|
||||
home.username = name;
|
||||
|
|
|
|||
18
secrets/secrets.yaml
Normal file
18
secrets/secrets.yaml
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
rafiq:
|
||||
password: ENC[AES256_GCM,data:8KAfatz+YSaNozd5VGo=,iv:LNRxt47iBKSWzMZuBHSxv/qDZ2h6JiTIPps7OK/o7uU=,tag:oiSfLyRVswb/wxSTE69QMA==,type:str]
|
||||
hashedPassword: ENC[AES256_GCM,data:NogYQ3kR1TseC79HIXARrXhIncCnvxzf9zMF2QrUyTmojTffPXRGtMdjNpfMEFj5dkKfZujBL/QTIpPFFTm1py7Dreg5/9VSKQ==,iv:IwfZsrsJbLYG1ELte6aBHUtff6hIQu9rHT5tSvILIGQ=,tag:oav3paDcUY+cl4FJlZa90A==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVd09tYkhKUkVjNTBRdld6
|
||||
a1RkUnZqdnRqMlFTSGgwUFVCZlRhL0tLTnpVCjNXVjZldzNUOE9DQ0ZGejhWakY2
|
||||
TmRIZnpobE0ydDhNSDdJQUp2U3pSTzgKLS0tIDkxU3Fxa2lMUkhZY0g1Wm02T2ZE
|
||||
UkQwOWZtVXVPSGJiRk1qRHVHYkN2cDgKLiYiA0q5se/oHfGRqvHLn3gRRDfmefEZ
|
||||
z2U2N1Tjt0QgCfYOOXVfPV9F36a7PpabFva5ElSazawHgvI+Bot6og==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-07-07T08:56:26Z"
|
||||
mac: ENC[AES256_GCM,data:2uGjIMxRgk7uWToQC4MrHpHFAt4bI7sEhaHvPU6Ae3bvRVH/TdJxZtikSPe95LEwReOuBmPajbcM580/d3Jt6VbA7nZzj1JduVscrRkSAFCzZp9Ti/mbOGITPJa6xWSGwVF1wSN3BnHXYIHDcKeSGtUdP7L7nBZr1KXPkok4NCo=,iv:+ELIes7lzb8M6CvOemAcyoq7Rx7L6NkNmHwntJN/RSc=,tag:ubyxO6VllH9cQK3VbvxiGg==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
||||
Loading…
Add table
Add a link
Reference in a new issue