diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..6f4035c
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &rafiq-master-pub age1hzqnqfztm8azzr7k6m5zunw60fhupk6jfev7hv93gy6l5stltvtqg34u40
+ - &rafiq-nemesis-pub age15k23tac497yn9hnwvral66nd5hqtkengeck0fwlcdzm7gtqznafqxacsr3
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *rafiq-master-pub
+ - *rafiq-nemesis-pub
diff --git a/flake.lock b/flake.lock
index 21e58e9..54e94c5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -916,6 +916,22 @@ } }, "nixpkgs_5": { + "locked": { + "lastModified": 1741865919, + "narHash": "sha256-4thdbnP6dlbdq+qZWTsm4ffAwoS8Tiq1YResB+RP6WE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "573c650e8a14b2faa0041645ab18aed7e60f0c9a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1741851582, "narHash": "sha256-cPfs8qMccim2RBgtKGF+x9IBCduRvd/N5F4nYpU0TVE=",
@@ -931,7 +947,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1741513245, "narHash": "sha256-7rTAMNTY1xoBwz0h7ZMtEcd8LELk9R5TzBPoHuhNSCk=",
@@ -947,7 +963,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1737003892, "narHash": "sha256-RCzJE9wKByLCXmRBp+z8LK9EgdW+K+W/DXnJS4S/NVo=",
@@ -1103,6 +1119,7 @@ "nixpkgs": "nixpkgs_3", "nixvim": "nixvim", "nvf": "nvf", + "sops-nix": "sops-nix", "spicetify-nix": "spicetify-nix", "stylix": "stylix", "yazi": "yazi"
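Review bot: The two age recipients under `keys` are identified only by their YAML anchor names, so nothing in the repository records which private key each one was derived from; add a comment above each, e.g. `# rafiq-master-pub: age recipient of the SSH key at /home/rafiq/.ssh/rafiq-master (see systems/modules/sops.nix) — confirm`, so the file can be re-keyed correctly when one of them is rotated. Separately, sops applies `path_regex` as an unanchored search, so any path that merely contains `secrets/` is covered by this rule; if only the top-level directory is intended, anchor it: `path_regex: ^secrets/[^/]+\.(yaml|json|env|ini)$`.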
@@ -1151,9 +1168,27 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1742209060, + "narHash": "sha256-47/1bOPBGhmAegF06nxLN15d/MClCAkk8s/+WOhJJAM=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "b33837ae3cfa012b65810891bebbee71fa4c0658", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "spicetify-nix": { "inputs": { - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_6", "systems": "systems_5" }, "locked": {
@@ -1182,7 +1217,7 @@ "git-hooks": "git-hooks", "gnome-shell": "gnome-shell", "home-manager": "home-manager_2", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_7", "nur": "nur", "systems": "systems_6", "tinted-foot": "tinted-foot",
@@ -1479,7 +1514,7 @@ "yazi": { "inputs": { "flake-utils": "flake-utils_4", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_8", "rust-overlay": "rust-overlay_2" }, "locked": {
diff --git a/flake.nix b/flake.nix
index 661be42..ec9aa09 100644
--- a/flake.nix
+++ b/flake.nix
@@ -56,5 +56,6 @@
 nixd.url = "github:nix-community/nixd";
 stylix.url = "github:danth/stylix";
 spicetify-nix.url = "github:Gerg-L/spicetify-nix";
+ sops-nix.url = "github:Mic92/sops-nix";
 };
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..49bb976
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,30 @@ +hashed_password_rafiq: ENC[AES256_GCM,data:mdlOGpXDDm7HZQU9gi7+IL/UQxDgjD76LO3LYR1zQPNq6JFBHkNrPDZ0cUedHfkFwxXmr5VSdVfNSqSArq4v7bNuD8FfW/K43w==,iv:4FPbEWDc1XIeFqYPaK07zDwQqgGSrVTGRAcaIYzXQsg=,tag:MRN+0a0uELXBSyx9RDQA7A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hzqnqfztm8azzr7k6m5zunw60fhupk6jfev7hv93gy6l5stltvtqg34u40 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBubm5wMlgraUFkMm1majUy + eWFiK2h2Z0trbEswVWd6R3JzZ0pwMndnUjJrCi9meTJrdE5NL1dpN3ZlYVBUOVZt + Vmx5OWVUMDJnelRZNDJnMGRmUXNldmsKLS0tIGdrM2ptRmxhSitvdWttMHdKNVNl + NDNYcmRFdnFua3EveXpvbEVKOWM1Nm8K+Z/Tk5S55IfVxe6AbOS1ZcX+zILDEX1h + 6osABT9rpPfGtycdteYuThO2zHVyRoWx+QYLknAlUsQrFdJt05kqmg== + -----END AGE ENCRYPTED FILE----- + - recipient: age15k23tac497yn9hnwvral66nd5hqtkengeck0fwlcdzm7gtqznafqxacsr3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5d25Pb1NuN0tvcWJZOTlT + a2J4WDV2aEZkRHhzWXNVWS9melE1cFhFaURFCjBEbUE0akJMckpQcEMycFl5WTVT + dkk1NjcxQmJSakhLZG9ucVNqSW93ZFUKLS0tIGsySnVURGRhVm15OElrWkVYcDBj + ZGlJMjlST1B2a1g4Uit5QkRhdFhHblUKHBDYMHxA8ZzGpII+tHLjuU1KoyQHRQr0 + D1j1VPmee1DMLt29/wEjAlY1iLrXSxmCD3Ua+MosexDJnTtBQxs8tA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-17T13:38:02Z" + mac: ENC[AES256_GCM,data:gyjlmW3HBITwcZNE1Bk98V18AUCLJo/2xRwV3NvW5SvfK9vJEp7msw4860L79fZHIu4qnOhYhwUcTOqvFLs0W5kKcphw/8wPa6qPFmuby9OQnJGX35UZO4oxKrdrfFiWTKoLQ48Uk5Tnj7YZxkN5umSbACQWdcSSvflyj1Pt2m4=,iv:smcrFEtJv/hXmf96wQUlCwmU8cMaG1Zr0+azxFxw3KY=,tag:OJkE9VBp0U3zRHhgBEn1Kg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/systems/modules/common.nix b/systems/modules/common.nix index 41d38e9..b65a438 100644 --- a/systems/modules/common.nix +++ b/systems/modules/common.nix 
@@ -1,13 +1,20 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ config,
+ ...
+}: {
 imports = [
 ./networking.nix
 ./shell.nix
 ./stylix.nix
+ ./sops.nix
 ];
+ users.mutableUsers = false; # Always reset users on system activation
 users.users.rafiq = {
 isNormalUser = true;
 description = "rafiq";
+ hashedPasswordFile = config.sops.secrets.hashed_password_rafiq.path;
 extraGroups = ["networkmanager" "wheel"];
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv8HqazE294YdyGaXK6q2EniDlTpGaUL071kk9+W0GJ rafiq@nemesis"
diff --git a/systems/modules/sops.nix b/systems/modules/sops.nix
new file mode 100644
index 0000000..66dd2bb
--- /dev/null
+++ b/systems/modules/sops.nix
@@ -0,0 +1,15 @@
+{inputs, ...}: {
+ imports = [inputs.sops-nix.nixosModules.sops];
+ sops = {
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ age.sshKeyPaths = [
+ "/home/rafiq/.ssh/id_ed25519"
+ "/home/rafiq/.ssh/rafiq-master"
+ ];
+ secrets = {
+ hashed_password_rafiq = {
+ neededForUsers = true;
+ };
+ };
+ };
+}
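Review bot: With `users.mutableUsers = false` the only credential for `rafiq` is `hashedPasswordFile`, which is resolved from the sops secret at activation; if that secret cannot be decrypted on a host (key listed in `age.sshKeyPaths` missing or unreadable), the account is presumably left without a usable password and only the listed SSH public key still grants access, which is worth stating next to the line. The comment on `mutableUsers` reads as if it merely resets users; suggest `# Declarative users only: passwords and group changes made outside Nix are discarded on activation`, and above `hashedPasswordFile` add `# Decrypted by sops-nix before user creation (neededForUsers = true in sops.nix)`. The `users.users.rafiq` attribute set continues past the end of the hunk.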
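Review bot: `age.sshKeyPaths` points at private keys inside `/home/rafiq/.ssh`, so decrypting `hashed_password_rafiq` — marked `neededForUsers`, i.e. done early in activation before users are created — depends on that home directory being present and readable at that point and on those keys being unencrypted (activation is non-interactive); I cannot tell from the diff whether either holds on a fresh install. sops-nix's default is the host's ed25519 key when OpenSSH is enabled, which avoids both concerns: `age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];`, after adding that host key's age recipient to `.sops.yaml` and re-encrypting `secrets/secrets.yaml` (`sops updatekeys`). Either way, document the choice with a comment above the list, e.g. `# Private keys used to decrypt secrets.yaml; their age recipients must be listed in .sops.yaml`.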