From c952e6df1e8f581ad6227d8a7e927550ca2df702 Mon Sep 17 00:00:00 2001
From: Mohammad Rafiq
Date: Thu, 20 Mar 2025 20:36:35 +0800
Subject: [PATCH] feat(sops): add cwp jira secret and url to sops as environment variables for rafiq

---
 secrets/secrets.yaml | 6 ++++--
 systems/modules/common.nix | 22 ++++++++++++++++++----
 systems/modules/sops.nix | 7 +++++--
 3 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 49bb976..a49a096 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -1,4 +1,6 @@
 hashed_password_rafiq: ENC[AES256_GCM,data:mdlOGpXDDm7HZQU9gi7+IL/UQxDgjD76LO3LYR1zQPNq6JFBHkNrPDZ0cUedHfkFwxXmr5VSdVfNSqSArq4v7bNuD8FfW/K43w==,iv:4FPbEWDc1XIeFqYPaK07zDwQqgGSrVTGRAcaIYzXQsg=,tag:MRN+0a0uELXBSyx9RDQA7A==,type:str]
+cwp_jira_access_key: ENC[AES256_GCM,data:iGH1xqToAM72n8sZbTsrgL5azgRGWiwq4g7YSJcyhscZLAOW10nX9PHrQ9w=,iv:xR9zqg8vE2O7VuWvYYJSC9F3w2M1VY4JiD+4yxJA+4Q=,tag:DxhqjH/CjsJgZ/8d2Z/Ltg==,type:str]
+cwp_jira_link: ENC[AES256_GCM,data:7sNEkUd1AoUA8H1pWtiB24/cJP7cC98Uk1XDrfnf17jv,iv:QlsCBybTegL4lokNhD5vRyoxQJVVskZ52gQJZWoz974=,tag:0oAYSqNvyF6qqZw4gF0Jgg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -23,8 +25,8 @@ sops:
 ZGlJMjlST1B2a1g4Uit5QkRhdFhHblUKHBDYMHxA8ZzGpII+tHLjuU1KoyQHRQr0
 D1j1VPmee1DMLt29/wEjAlY1iLrXSxmCD3Ua+MosexDJnTtBQxs8tA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-03-17T13:38:02Z"
- mac: ENC[AES256_GCM,data:gyjlmW3HBITwcZNE1Bk98V18AUCLJo/2xRwV3NvW5SvfK9vJEp7msw4860L79fZHIu4qnOhYhwUcTOqvFLs0W5kKcphw/8wPa6qPFmuby9OQnJGX35UZO4oxKrdrfFiWTKoLQ48Uk5Tnj7YZxkN5umSbACQWdcSSvflyj1Pt2m4=,iv:smcrFEtJv/hXmf96wQUlCwmU8cMaG1Zr0+azxFxw3KY=,tag:OJkE9VBp0U3zRHhgBEn1Kg==,type:str]
+ lastmodified: "2025-03-20T12:33:27Z"
+ mac: ENC[AES256_GCM,data:hiN4Ew6ZVBg4hxbqx1EAwGXSLR1YyArjJCK3yruAjFhw4id4Q992wzqVBmyCQRF7jZ7d0ZjPQOXynMY8Hbx2IMZcmEM/hcP0A5ZhRbI1j98TujIbRHK0Qz5PG71/DoZF7jl6E/UNDFjW4pdVd/wxnBOpIAJ7fWOw7Hkzi2Mkess=,iv:nM0Q+T0FETBEWkJRH+BRFxFX5g0gf1BSaDJNIGbF+zE=,tag:KpJiAFbybAnqoCuW59M2YQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.4
diff --git a/systems/modules/common.nix b/systems/modules/common.nix
index b65a438..ee3efa2 100644
--- a/systems/modules/common.nix
+++ b/systems/modules/common.nix
@@ -2,7 +2,8 @@
 pkgs,
 config,
 ...
-}: {
+}:
+{
 imports = [
 ./networking.nix
 ./shell.nix
@@ -15,21 +16,34 @@
 isNormalUser = true;
 description = "rafiq";
 hashedPasswordFile = config.sops.secrets.hashed_password_rafiq.path;
- extraGroups = ["networkmanager" "wheel"];
+ extraGroups = [
+ "networkmanager"
+ "wheel"
+ ];
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv8HqazE294YdyGaXK6q2EniDlTpGaUL071kk9+W0GJ rafiq@nemesis"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbZfOYt6zydLyO4f9JAsxb1i6kHAjYzqa0SOqef6MKM rafiq@orpheus"
 ];
 };
+ environment.sessionVariables.CWP_JIRA_ACCESS_KEY_FILE =
+ config.sops.secrets.cwp_jira_access_key.path;
+ environment.sessionVariables.CWP_JIRA_LINK_FILE = config.sops.secrets.cwp_jira_link.path;
+
 security.sudo.wheelNeedsPassword = false;
 # Enable basic fonts for reasonable Unicode coverage
 fonts.enableDefaultPackages = true;
 nixpkgs.config.allowUnfree = true;
- nix.settings.experimental-features = ["nix-command" "flakes"];
- nix.settings.trusted-users = ["root" "@wheel"];
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ nix.settings.trusted-users = [
+ "root"
+ "@wheel"
+ ];
 environment.systemPackages = with pkgs; [
 git
diff --git a/systems/modules/sops.nix b/systems/modules/sops.nix
index 66dd2bb..6caf200 100644
--- a/systems/modules/sops.nix
+++ b/systems/modules/sops.nix
@@ -1,5 +1,6 @@
-{inputs, ...}: {
- imports = [inputs.sops-nix.nixosModules.sops];
+{ inputs, ... }:
+{
+ imports = [ inputs.sops-nix.nixosModules.sops ];
 sops = {
 defaultSopsFile = ../../secrets/secrets.yaml;
 age.sshKeyPaths = [
@@ -10,6 +11,8 @@
 hashed_password_rafiq = {
 neededForUsers = true;
 };
+ cwp_jira_access_key = { };
+ cwp_jira_link = { };
 };
 };
 }
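Review bot: `cwp_jira_access_key = { };` and `cwp_jira_link = { };` in the sops.nix hunk take sops-nix's defaults, which leave the decrypted files owned by root and readable only by root, while the common.nix hunk publishes their paths to every login session through `environment.sessionVariables`, so a non-root `rafiq` session gets `CWP_JIRA_ACCESS_KEY_FILE` set but cannot open the file it names. If rafiq's tooling is meant to read these, give the secret an owner instead of relaxing its mode: `cwp_jira_access_key = { owner = "rafiq"; };` and `cwp_jira_link = { owner = "rafiq"; };`, which keeps the file readable by that one user only. `environment.sessionVariables` is system-wide, so the two variable names (not the contents) appear in every user's environment; if other accounts exist on these hosts, a user-scoped setting would match the "for rafiq" intent in the subject more precisely. A one-line comment next to the `sessionVariables` lines saying the value is a path to a root-owned sops file, not the secret itself, would also spare the next reader a wrong assumption. The enclosing module attribute sets of common.nix and sops.nix both begin before these hunks.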