diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..d65f997
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &admin age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin
diff --git a/flake.lock b/flake.lock
index 4f1be5f..1196979 100644
--- a/flake.lock
+++ b/flake.lock
@@ -151,7 +151,8 @@
 "impermanence": "impermanence",
 "nix-index-database": "nix-index-database",
 "nixpkgs": "nixpkgs",
- "snowfall-lib": "snowfall-lib"
+ "snowfall-lib": "snowfall-lib",
+ "sops-nix": "sops-nix"
 }
 },
 "snowfall-lib": {
@@ -176,6 +177,26 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1746485181,
+ "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index 90f9dde..74e0d56 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,6 +10,8 @@
 home-manager.inputs.nixpkgs.follows = "nixpkgs";
 nix-index-database.url = "github:nix-community/nix-index-database";
 nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs = inputs:
@@ -20,6 +22,7 @@
 systems.modules.nixos = with inputs; [
 disko.nixosModules.disko
 impermanence.nixosModules.impermanence
+ sops-nix.nixosModules.sops
 ];
 homes.modules = with inputs; [
 impermanence.homeManagerModules.impermanence
diff --git a/homes/x86_64-linux/rafiq/default.nix b/homes/x86_64-linux/rafiq/default.nix
index 61bac0e..4df8036 100644
--- a/homes/x86_64-linux/rafiq/default.nix
+++ b/homes/x86_64-linux/rafiq/default.nix
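Review bot: The only recipient in `creation_rules` is the `&admin` age key, so both editing and host-side decryption hinge on that single key; the host module added in this same change (`modules/nixos/system/secrets.nix`) decrypts with `/persist/home/rafiq/.ssh/id_ed25519`, and nothing in the diff shows that this SSH key and `age12l33…` are the same key pair, so the mapping (for example via `ssh-to-age`) is worth confirming before a boot depends on it. Consider a second entry in the `age:` list for a per-host recipient (the host's `ssh_host_ed25519_key` converted with `ssh-to-age`), so that an admin-key rotation or loss does not lock the host out and a host can be re-keyed on its own. After any recipient change, `sops updatekeys secrets/secrets.yaml` must be run, because the committed `secrets/secrets.yaml` carries its own recipient list and the `.sops.yaml` rule only applies to newly created files. The `path_regex` is unanchored, so it also matches any nested `…/secrets/*.yaml`; `^secrets/[^/]+\.(yaml|json|env|ini)$` restricts it to the top-level directory.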
@@ -9,6 +9,7 @@
 home.persistence."/persist/home/rafiq" = {
 directories = [
 ".ssh"
+ ".config/sops/age"
 "repos"
 ];
 allowOther = true;
diff --git a/modules/nixos/system/default.nix b/modules/nixos/system/default.nix
index be676e6..4794286 100644
--- a/modules/nixos/system/default.nix
+++ b/modules/nixos/system/default.nix
@@ -5,6 +5,7 @@
 ./users.nix
 ./localisation.nix
 ./nix-config.nix
+ ./secrets.nix
 ];
 options.system = {
diff --git a/modules/nixos/system/secrets.nix b/modules/nixos/system/secrets.nix
new file mode 100644
index 0000000..f45a750
--- /dev/null
+++ b/modules/nixos/system/secrets.nix
@@ -0,0 +1,10 @@
+{ config, lib, ... }:
+{
+ sops = {
+ defaultSopsFile = lib.snowfall.fs.get-file "secrets/secrets.yaml";
+ age.sshKeyPaths = ["/persist/home/rafiq/.ssh/id_ed25519"];
+ secrets ={
+ "rafiq/hashedPassword".neededForUsers = true;
+ };
+ };
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..f80aae1
--- /dev/null
+++ b/secrets/secrets.yaml
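Review bot: `age.sshKeyPaths` points the host's decryption at a user's login key, `/persist/home/rafiq/.ssh/id_ed25519`, so sops-nix (running as root during activation) reads that private key and the host's ability to decrypt every secret is tied to one user's SSH credential rather than to a host identity. sops-nix's default derives the age identity from the host's `ssh_host_ed25519_key`; using that (persisted under impermanence as well) and keeping the user key as an editing-only recipient in `.sops.yaml` separates the two roles. Because `"rafiq/hashedPassword".neededForUsers = true` makes the secret decrypt in the early users activation step, `/persist` must already be mounted at that point (`neededForBoot` on the impermanence mount), which this diff does not show. `config` is bound in the module arguments but unused in this file, and nothing in the hunk consumes the decrypted secret (e.g. `users.users.rafiq.hashedPasswordFile = config.sops.secrets."rafiq/hashedPassword".path;`), so presumably that wiring lives in `users.nix`; if it does not, the secret is decrypted but never used. Minor style: `secrets ={` should read `secrets = {`.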
@@ -0,0 +1,17 @@
+rafiq:
+ hashedPassword: ENC[AES256_GCM,data:SzzSPg5Ze4H+fVl6ZvAULO9FDfRehusmP6uldT4Ok2/9ZeOp9r4LgjKajoiw2A1DWD1zQ1GQwMCHKpeZjCC4rBUNWW5DMcBUJA==,iv:KktKuqr0JNhjeJIlIgkoAv6mP2dQlfQrXiIOASLPkbw=,tag:g9LarkT6EjDrH+dXSjMwPg==,type:str]
+sops:
+ age:
+ - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUDN6TFlTVHdlWCsrWkFn
+ R1X9UjVLVk1NQzJRRE9NbDZlRVVJUjVvbmlnCk93NFhSRS9vbDUzNVd6Q3RuTEtZ
+ cFZvY0JML2tDSUZIbkcyVWVWWVFMY0UKLS0tIDlCbmxhUThUaHRGNkgySEp2QTB1
+ WXFKbjNMWDF0LzNyekJJMGFva2diemcKQTc8ODuK6IWqRhulHiCF92aU+3p23riY
+ M94Nzh+VT6QTFOgb3J7bBJMLhRH/fkQb6L6ia2n9QrVXFyYYMJ0oBw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-05-18T14:48:00Z"
+ mac: ENC[AES256_GCM,data:ZXqR1G5h1airqlLPi/yyRgVycqk8aMEBKihOqTXpeKIXev5upA5P5+I4ZQtVXTtSkwzIiRRhkzQfGnASjEGWezNRoPZffjIbMn7RkssyUcz+lFKinec1ZZJxc51lOGP22gP/qrcGjmtqDgVDfWsjTtaZjlr3qmL5e6MK7RbhO5g=,iv:kGRvTNcPjsxvsP3EXVpnsQunCXXpYirAFsMEnVx0kR4=,tag:JVHIlhRW2x50M0gGgXy3oQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2