From 85f2cee212751f6b57665dddb14adb2620cddac3 Mon Sep 17 00:00:00 2001
From: Mohammad Rafiq
Date: Mon, 7 Jul 2025 16:55:37 +0800
Subject: [PATCH] feat(nixos): add sops module for secrets

Adds .sops.yaml file and sops module to nixos to manage secrets.
---
 .sops.yaml | 7 ++++++
 nix/modules/secrets.nix | 52 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 .sops.yaml
 create mode 100644 nix/modules/secrets.nix

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..835dd06
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &rafiq age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
+creation_rules:
+ - path_regex: \.(yaml)$
+ key_groups:
+ - age:
+ - *rafiq
diff --git a/nix/modules/secrets.nix b/nix/modules/secrets.nix
new file mode 100644
index 0000000..5d76562
--- /dev/null
+++ b/nix/modules/secrets.nix
@@ -0,0 +1,52 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+let
+ cfg = config.flake;
+ inherit (builtins) readFile;
+ inherit (lib.meta) getExe;
+ inherit (lib.strings) trim;
+ inherit (cfg.admin) username pubkey;
+in
+{
+ flake.modules.nixos.default =
+ { config, ... }:
+ {
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+ config.sops = {
+ defaultSopsFile = "${cfg.root}/secrets/secrets.yaml";
+ age.sshKeyPaths = [
+ "/persist${config.users.defaultUserHome}/${username}/.ssh/id_ed25519"
+ ];
+ };
+ };
+ perSystem =
+ { pkgs, ... }:
+ {
+ files.files = [
+ {
+ path_ = ".sops.yaml";
+ drv =
+ pkgs.writeText ".sops.yaml" # yaml
+ ''
+ keys:
+ - &${username} ${trim (
+ readFile "${
+ pkgs.runCommand "" { } ''
+ mkdir $out; echo ${pubkey} | ${getExe pkgs.ssh-to-age} > $out/agepubkey
+ ''
+ }/agepubkey"
+ )}
+ creation_rules:
+ - path_regex: \.(yaml)$
+ key_groups:
+ - age:
+ - *${username}
+ '';
+ }
+ ];
+ };
+}
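Review bot: The creation rule `path_regex: \.(yaml)$` matches every YAML file under the repository root, not only the `secrets/secrets.yaml` that `nix/modules/secrets.nix` points sops at, so invoking sops on any unrelated YAML would silently encrypt it to this recipient; scoping it, e.g. `- path_regex: ^secrets/.*\.yaml$`, keeps the rule to the directory that actually holds secrets. This committed file also duplicates the `.sops.yaml` that the `perSystem` block in `secrets.nix` generates from `cfg.admin.pubkey`, so the two copies can drift when the admin key changes; a leading `# Generated from nix/modules/secrets.nix — do not edit by hand` comment, or keeping only the generated copy, would make the source of truth clear.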
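Review bot: `age.sshKeyPaths` makes the admin user's personal key `/persist${config.users.defaultUserHome}/${username}/.ssh/id_ed25519` the host's only decryption identity, so that key has to be present under `/persist` during activation (sops-nix decrypts as root at activation time), as far as I know has to be passphrase-less for ssh-to-age to read it, and its compromise exposes every secret on the host; the usual split is to decrypt with the host key, `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, and list the user key in `.sops.yaml` only for editing. `pkgs.runCommand "" { }` passes an empty derivation name, which I would expect Nix to reject when it forms the store path — give it a name such as `"ssh-to-age-pubkey"`. Inside that build script `echo ${pubkey}` is unquoted shell, so a key comment containing metacharacters would break the build or alter the output; `echo ${lib.escapeShellArg pubkey}` is the safer form. The `readFile` of a `runCommand` output is import-from-derivation, which means plain evaluation of this flake now triggers a build; a one-line comment above `drv` noting that would save the next reader a surprise.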