feat(sops): add sops-nix and set rafiq password with it

Mohammad Rafiq 2025-03-17 21:44:09 +08:00
parent 99b8255fd1
commit 26ba53fee3
No known key found for this signature in database
6 changed files with 103 additions and 6 deletions

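--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+- &rafiq-master-pub age1hzqnqfztm8azzr7k6m5zunw60fhupk6jfev7hv93gy6l5stltvtqg34u40
+- &rafiq-nemesis-pub age15k23tac497yn9hnwvral66nd5hqtkengeck0fwlcdzm7gtqznafqxacsr3
+creation_rules:
+- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *rafiq-master-pub
+- *rafiq-nemesis-pub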
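Review bot: The only recipients in the creation rule are two personal age keys, so every machine that has to decrypt `secrets/secrets.yaml` during activation must hold one of rafiq's private keys; there is no per-host recipient. The conventional sops-nix layout adds each deploying host's SSH host key as its own recipient (`ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub` prints the `age1…` string) under `keys:` and in the `age:` list, keeping the personal keys for editing only. After adding a recipient, run `sops updatekeys secrets/secrets.yaml` so the existing file is re-encrypted to the new key set; otherwise the rule change has no effect on already-encrypted files.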

flake.lock generated

@ -916,6 +916,22 @@
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1741865919,
"narHash": "sha256-4thdbnP6dlbdq+qZWTsm4ffAwoS8Tiq1YResB+RP6WE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "573c650e8a14b2faa0041645ab18aed7e60f0c9a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_6": {
"locked": {
"lastModified": 1741851582,
"narHash": "sha256-cPfs8qMccim2RBgtKGF+x9IBCduRvd/N5F4nYpU0TVE=",
@ -931,7 +947,7 @@
"type": "github"
}
},
"nixpkgs_6": {
"nixpkgs_7": {
"locked": {
"lastModified": 1741513245,
"narHash": "sha256-7rTAMNTY1xoBwz0h7ZMtEcd8LELk9R5TzBPoHuhNSCk=",
@ -947,7 +963,7 @@
"type": "github"
}
},
"nixpkgs_7": {
"nixpkgs_8": {
"locked": {
"lastModified": 1737003892,
"narHash": "sha256-RCzJE9wKByLCXmRBp+z8LK9EgdW+K+W/DXnJS4S/NVo=",
@ -1103,6 +1119,7 @@
"nixpkgs": "nixpkgs_3",
"nixvim": "nixvim",
"nvf": "nvf",
"sops-nix": "sops-nix",
"spicetify-nix": "spicetify-nix",
"stylix": "stylix",
"yazi": "yazi"
@ -1151,9 +1168,27 @@
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1742209060,
"narHash": "sha256-47/1bOPBGhmAegF06nxLN15d/MClCAkk8s/+WOhJJAM=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "b33837ae3cfa012b65810891bebbee71fa4c0658",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"spicetify-nix": {
"inputs": {
"nixpkgs": "nixpkgs_5",
"nixpkgs": "nixpkgs_6",
"systems": "systems_5"
},
"locked": {
@ -1182,7 +1217,7 @@
"git-hooks": "git-hooks",
"gnome-shell": "gnome-shell",
"home-manager": "home-manager_2",
"nixpkgs": "nixpkgs_6",
"nixpkgs": "nixpkgs_7",
"nur": "nur",
"systems": "systems_6",
"tinted-foot": "tinted-foot",
@ -1479,7 +1514,7 @@
"yazi": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_7",
"nixpkgs": "nixpkgs_8",
"rust-overlay": "rust-overlay_2"
},
"locked": {


@ -56,5 +56,6 @@
nixd.url = "github:nix-community/nixd";
stylix.url = "github:danth/stylix";
spicetify-nix.url = "github:Gerg-L/spicetify-nix";
sops-nix.url = "github:Mic92/sops-nix";
};
}
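Review bot: The new `sops-nix.url` input has no `follows`, so the lockfile in this commit pins a second nixpkgs for it (the `sops-nix` entry maps its `nixpkgs` to a separate `nixpkgs_5`), meaning the `sops` tooling is built from a different nixpkgs revision than the rest of the system and one more package tree has to be fetched and audited. Since the flake already has a top-level `nixpkgs` input, add `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` next to the URL line and re-lock; this file is presumably `flake.nix`, its header is not visible in this view.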

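--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -0,0 +1,30 @@
+hashed_password_rafiq: ENC[AES256_GCM,data:mdlOGpXDDm7HZQU9gi7+IL/UQxDgjD76LO3LYR1zQPNq6JFBHkNrPDZ0cUedHfkFwxXmr5VSdVfNSqSArq4v7bNuD8FfW/K43w==,iv:4FPbEWDc1XIeFqYPaK07zDwQqgGSrVTGRAcaIYzXQsg=,tag:MRN+0a0uELXBSyx9RDQA7A==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1hzqnqfztm8azzr7k6m5zunw60fhupk6jfev7hv93gy6l5stltvtqg34u40
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBubm5wMlgraUFkMm1majUy
+eWFiK2h2Z0trbEswVWd6R3JzZ0pwMndnUjJrCi9meTJrdE5NL1dpN3ZlYVBUOVZt
+Vmx5OWVUMDJnelRZNDJnMGRmUXNldmsKLS0tIGdrM2ptRmxhSitvdWttMHdKNVNl
+NDNYcmRFdnFua3EveXpvbEVKOWM1Nm8K+Z/Tk5S55IfVxe6AbOS1ZcX+zILDEX1h
+6osABT9rpPfGtycdteYuThO2zHVyRoWx+QYLknAlUsQrFdJt05kqmg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age15k23tac497yn9hnwvral66nd5hqtkengeck0fwlcdzm7gtqznafqxacsr3
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5d25Pb1NuN0tvcWJZOTlT
+a2J4WDV2aEZkRHhzWXNVWS9melE1cFhFaURFCjBEbUE0akJMckpQcEMycFl5WTVT
+dkk1NjcxQmJSakhLZG9ucVNqSW93ZFUKLS0tIGsySnVURGRhVm15OElrWkVYcDBj
+ZGlJMjlST1B2a1g4Uit5QkRhdFhHblUKHBDYMHxA8ZzGpII+tHLjuU1KoyQHRQr0
+D1j1VPmee1DMLt29/wEjAlY1iLrXSxmCD3Ua+MosexDJnTtBQxs8tA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-03-17T13:38:02Z"
+mac: ENC[AES256_GCM,data:gyjlmW3HBITwcZNE1Bk98V18AUCLJo/2xRwV3NvW5SvfK9vJEp7msw4860L79fZHIu4qnOhYhwUcTOqvFLs0W5kKcphw/8wPa6qPFmuby9OQnJGX35UZO4oxKrdrfFiWTKoLQ48Uk5Tnj7YZxkN5umSbACQWdcSSvflyj1Pt2m4=,iv:smcrFEtJv/hXmf96wQUlCwmU8cMaG1Zr0+azxFxw3KY=,tag:OJkE9VBp0U3zRHhgBEn1Kg==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.4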


@ -1,13 +1,20 @@
{pkgs, ...}: {
{
pkgs,
config,
...
}: {
imports = [
./networking.nix
./shell.nix
./stylix.nix
./sops.nix
];
users.mutableUsers = false; # Always reset users on system activation
users.users.rafiq = {
isNormalUser = true;
description = "rafiq";
hashedPasswordFile = config.sops.secrets.hashed_password_rafiq.path;
extraGroups = ["networkmanager" "wheel"];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv8HqazE294YdyGaXK6q2EniDlTpGaUL071kk9+W0GJ rafiq@nemesis"

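--- a/systems/modules/sops.nix
+++ b/systems/modules/sops.nix
@@ -0,0 +1,15 @@
+{inputs, ...}: {
+imports = [inputs.sops-nix.nixosModules.sops];
+sops = {
+defaultSopsFile = ../../secrets/secrets.yaml;
+age.sshKeyPaths = [
+"/home/rafiq/.ssh/id_ed25519"
+"/home/rafiq/.ssh/rafiq-master"
+];
+secrets = {
+hashed_password_rafiq = {
+neededForUsers = true;
+};
+};
+};
+}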
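Review bot: `age.sshKeyPaths` points sops-nix at private keys under `/home/rafiq`, while the only secret it decrypts is marked `neededForUsers = true`, which as I understand sops-nix runs early in activation, before users are created and independently of whether `/home` is populated or mounted yet. If `/home/rafiq/.ssh/id_ed25519` is unreadable at that point (fresh install, `/home` on a separate or not-yet-mounted volume, or the key simply not present on a new machine), decryption fails and, with `users.mutableUsers = false` set in the user config, the account comes up with no usable password; the `authorizedKeys` entry there would be the only way in. It also makes the host's ability to decrypt depend on a user-owned file that the user can rotate or delete, rather than on a root-only host identity, and overriding the option drops sops-nix's default of using the host SSH keys. The usual pattern is `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` (or simply removing the override) with that host key's age recipient added to `.sops.yaml`, keeping the personal keys for editing on the workstation only.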