Enable sops-nix.

This commit is contained in:
Joseph Hanson 2024-04-29 09:22:17 -05:00
parent f16e385288
commit 67e83e764c
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
3 changed files with 68 additions and 2 deletions

12
.sops.yaml Normal file

@ -0,0 +1,12 @@
keys:
- users:
- &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
- hosts:
- &telperion age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg
creation_rules:
- path_regex: secrets.yaml$
key_groups:
- age:
- *jahanson
- *telperion
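Review bot: The creation rule's `path_regex: secrets.yaml$` has an unescaped dot and no leading anchor, so it also matches names such as `mysecrets.yaml` and any path ending in `secretsXyaml`; `path_regex: secrets\.yaml$` (or `^secrets\.yaml$`, if sops matches against the path relative to this file — verify) pins it to the one file this commit encrypts. Placing both age recipients in a single key group means either the user key or the host key alone can decrypt, which is what the sops-nix host configuration in this commit relies on, but nothing on this page records that the `telperion` recipient is derived from the host's SSH key; a comment above that line along the lines of "age public key derived from telperion's /etc/ssh/ssh_host_ed25519_key; a host-key rotation or reinstall requires re-encrypting secrets.yaml with sops updatekeys" would keep that dependency visible. Indentation is not shown on the rendered page, so the nesting of `key_groups` under the rule cannot be checked here.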


@ -1,7 +1,28 @@
{ pkgs, ... }: { inputs, pkgs, ... }:
{ {
imports = [ ../cachix.nix ]; imports = [
../cachix.nix
inputs.sops-nix.nixosModules.sops
];
sops = {
defaultSopsFile = ../secrets.yaml;
validateSopsFiles = false;
age = {
# Derives sops private key from host ssh private key and places it at /var/lib/sops-nix/key.txt.
sshKeyPath = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
# # Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
# secrets = {
# rndc_keys = {};
# };
};
# Bootloader. # Bootloader.
boot = { boot = {
loader = { loader = {
@ -161,6 +182,7 @@
# nix tools # nix tools
nvd nvd
nix-inspect
]; ];
# my traceroute # my traceroute
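Review bot: The comment above `sshKeyPath` in the new `sops.age` block says the key derived from the host SSH key is placed at /var/lib/sops-nix/key.txt, but as far as I can tell the two settings are independent in sops-nix: identities listed in `sshKeyPath` are converted at activation time, while `generateKey = true` writes a separately generated age identity to `keyFile`, and that generated identity is not a recipient in the `.sops.yaml` added by this commit, so it cannot decrypt anything. Either drop `keyFile` and `generateKey` and rely on the host key alone, or correct the comment to `# Decrypt with the age identity derived from the host ssh key; keyFile holds an additional, generated identity that must be added as a recipient to be useful.` and add its public key to `.sops.yaml`. `validateSopsFiles = false;` also disables the evaluation-time check that `../secrets.yaml` is a well-formed sops file; since the file lives inside the flake, that check could stay enabled unless there is a reason to skip it. The enclosing attribute set starts and ends outside the hunk, and the file's path is not shown on this page.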

32
secrets.yaml Normal file

@ -0,0 +1,32 @@
rndc_keys:
main: ENC[AES256_GCM,data:ohxkgif+L3sinvm8lJXrcFIdabkO/VgH8i/Ewca5XAI9QP+2LQudDQ5V2xwEQAjy0MCDzqNdwhQwKGGotr8KshxBJZZZ4sy7ZF57FJzIM+ySUb6n5faKz9PpGFFxu8pNhQkthjEF,iv:SpUGmPT2mBOIDWzBZTAk7Mr86OakbW4CPP7hY3DLJUw=,tag:3xaQxRSZrXSgg3x/hu+Y/Q==,type:str]
externaldns: ENC[AES256_GCM,data:eMLZ9+vfkdtH2nxgZMB0FyCHc7+94lXLLfsyTvRVRCMKA+SKnzHQ1ep2pTGHRe8z9qdE9fzXNQAx8VyqxvQroadqFx8OA8yyfP5+A/a3GMQ3o+/dF9Nh8ysoLEZYvLk/qQYRSA0o/K39,iv:9wv4ySiQKWu4j7528aKdsX5XM/U+3BC05d/EgzK3gws=,tag:5XhYhSGETKP/exE2Zd6raA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNzRsKytjQ25NN2xsU0hI
MWZuRTZjRWNibnhnWkJsYklScmt5UFl2T2pBCnU4L2ZWVnRMclJaN2QyWHQwMVF2
Z1hTZUEwMXAwamxRWXgyQ0VQMUY3UVkKLS0tIHVVUXljMzh1MEExTURPSkFoV09u
MFB0VDhVUmxCc2JBaTlLV1BVTGJhVkEK2DtRNL6KBkBS23ywub66hpUcRn/Jea6k
+oXXU8kcQ30WqSupI6kUUK0Dd+at0vrV1tV/IkvfW0Qs5OzjgtPo5w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoT3RINjA2SUVsT21EWFpm
a2V2YytIMktRbSsrNkhlOGI4c2dRS2ZpakFZCmFTNGs5aXA4SW1PQnhSSHlQM0hL
cFZvZzlXdGtXbjg2WDNDYytqQkpwYmsKLS0tIFAyUEkrVXJEYkhSNktQR2pQOWFz
SHZmN3JDL1ExVHZ5K2txM2h6MzRKWE0KbS3kO9teIcRDY4hnb54LgWzcRQu7aGGf
TjnTJzqKqmRRMLOs5be6wbrxBiRe9p5nCN/WJ9nqhr7rfNNMUiZePw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-29T13:34:02Z"
mac: ENC[AES256_GCM,data:mrsov4+aHrhdtbZAwGoSSYpRNzzOHlSasGerHmS3tkY3CNskFCpgKNsdGMRsPJdO5JQmccFIRM5FOjdhxA2df+o64HJBWqVR41GzSAczz6m8jcRonsezC/53z684sLttRozR2mLVqU13dnUTNi+IfynJU8FsdwqgUhT6Kb7IvSI=,iv:bTgYT5nczrVmpF6cSLFipvr+5vu00yAi0JkJkBLYQdQ=,tag:qQcqON806EmFy4rpla0NOA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1