From 70a5b8952859841f8613ee8abdf41073129bdb23 Mon Sep 17 00:00:00 2001
From: imterah
Date: Mon, 5 May 2025 10:43:13 -0400
Subject: [PATCH] fix: Fix sops

---
 .sops.yaml | 7 +++++++
 data/id_user.pub | 1 +
 flake.nix | 4 ++++
 hosts/andromeda/configuration.nix | 3 +--
 secrets | 2 +-
 system/impermanence.nix | 5 ++++-
 system/sops.nix | 23 ++++++++++++++++-------
 7 files changed, 34 insertions(+), 11 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 data/id_user.pub

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..7d126d1
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primkey age199lxhl3xjuf0xxgskxa3kdz89atnt6689g0pqr6kup4kvqe49vmsq63t35
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *primkey
diff --git a/data/id_user.pub b/data/id_user.pub
new file mode 100644
index 0000000..b3f9aad
--- /dev/null
+++ b/data/id_user.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSbHYeYqUlBQKZywVto5FqpIEosRvssnAsDKnL8nUa4 greysoh@pine
diff --git a/flake.nix b/flake.nix
index a6270e9..8f5d282 100755
--- a/flake.nix
+++ b/flake.nix
@@ -13,6 +13,10 @@
 url = "github:viperML/nh";
 inputs.nixpkgs.follows = "nixpkgs-unstable";
 };
+ nix-secrets = {
+ url = "git+https://git.terah.dev/imterah/sops?shallow=1&ref=main";
+ flake = false;
+ };
 };
 outputs = {
diff --git a/hosts/andromeda/configuration.nix b/hosts/andromeda/configuration.nix
index 81df4a4..4dd31db 100755
--- a/hosts/andromeda/configuration.nix
+++ b/hosts/andromeda/configuration.nix
@@ -16,14 +16,13 @@
 ../../system/i18n.nix
 ];
- sops.secrets.tera-password.neededForUsers = true;
 users.mutableUsers = false;
 users.users.tera = {
 uid = 1000;
 description = "Tera";
 home = "/home/tera";
- hashedPasswordFile = config.sops.secrets.tera-password.path;
+ hashedPasswordFile = config.sops.secrets.tera_password.path;
 isNormalUser = true;
 createHome = true;
 shell = pkgs.bash;
diff --git a/secrets b/secrets
index ed485bb..c07d110 160000
--- a/secrets
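Review bot: The creation rule's `path_regex: secrets/[^/]+\.(yaml|json|env|ini)$` is not anchored at the start, so it also matches any nested path that merely contains `secrets/` (for example `foo/secrets/x.yaml`); anchor it as `path_regex: ^secrets/[^/]+\.(yaml|json|env|ini)$`. The rule has a single age recipient, so if that private key is lost nobody can re-encrypt or rotate these files; a short comment next to `&primkey` saying where the matching private key is held and how to add a second recipient would help the next person. Note that `system/sops.nix` in this same patch reads secrets from the separate `nix-secrets` input, so this file only governs what is edited under this repository's `secrets/` path — worth stating in the file as well.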
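Review bot: The new `nix-secrets` input tracks `ref=main` rather than a revision, so what it resolves to is pinned only by `flake.lock`, which this patch does not touch; if the lock update is in a separate commit that is fine, otherwise the next `nix flake update` silently pulls whatever `main` holds at that moment. Because the input is `flake = false`, the whole checkout is copied into `/nix/store`, which is world-readable on the host — acceptable for sops-encrypted files, but anything unencrypted in that repository becomes readable by every local user and every later generation keeps a copy. A comment on the input such as `# non-flake input: the entire repo lands in /nix/store, keep only sops-encrypted content there` would make that expectation explicit.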
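Review bot: `hashedPasswordFile = config.sops.secrets.tera_password.path;` refers to a secret named `tera_password`, but the `system/sops.nix` hunk in this same patch declares it as `tera_passwd`, so evaluation fails with a missing-attribute error. Use one name in both places, for example keep `tera_passwd` in sops.nix and change this line to `hashedPasswordFile = config.sops.secrets.tera_passwd.path;`. Dropping the per-host `neededForUsers = true` line is consistent with it now living in sops.nix, but with `users.mutableUsers = false` this secret is the only way into the `tera` account, so the name mismatch is a lockout, not a cosmetic slip. The enclosing `users.users.tera` attribute set continues outside the hunk.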
+++ b/secrets
@@ -1 +1 @@
-Subproject commit ed485bba5151879e9b598fd18e6970624b0d21e5
+Subproject commit c07d110d71e32ff5fabf0219bc9cadab47d3d2a7
diff --git a/system/impermanence.nix b/system/impermanence.nix
index 0ccda3f..320c5f2 100755
--- a/system/impermanence.nix
+++ b/system/impermanence.nix
@@ -1,6 +1,7 @@
 {lib, ...}: {
 fileSystems."/persist".neededForBoot = true;
 fileSystems."/nix".neededForBoot = true;
+
 boot.initrd.postDeviceCommands = lib.mkAfter ''
 mkdir /btrfs_tmp
 mount /dev/root_vg/root /btrfs_tmp
@@ -25,12 +26,14 @@
 btrfs subvolume create /btrfs_tmp/root
 umount /btrfs_tmp
 '';
+
 environment.persistence."/persist" = {
 enable = true;
 hideMounts = true;
 directories = [
 "/var/log"
 "/var/lib/nixos"
+ "/var/lib/docker"
 "/var/lib/systemd/coredump"
 "/etc/nixos"
 "/etc/NetworkManager"
@@ -39,7 +42,7 @@
 "/etc/machine-id"
 "/etc/ssh/ssh_host_ed25519_key"
 "/etc/ssh/ssh_host_ed25519_key.pub"
- #"/var/lib/sops-nix/key.txt"
+ "/var/lib/sops-nix/key.txt"
 ];
 };
 }
diff --git a/system/sops.nix b/system/sops.nix
index 773c596..40c2fab 100755
--- a/system/sops.nix
+++ b/system/sops.nix
@@ -1,12 +1,21 @@
-{inputs, ...}: {
+{inputs, ...}; let
+ secretspath = builtins.toString inputs.nix-secrets;
+in
+{
 imports = [
 inputs.sops-nix.nixosModules.sops
 ];
- sops.defaultSopsFile = "${../secrets/secrets.yaml}";
- sops.validateSopsFiles = false;
- sops.defaultSopsFormat = "yaml";
- sops.age.keyFile = "/persist/var/lib/sops-nix/key.txt";
- sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
- sops.age.generateKey = true;
+ sops = {
+ defaultSopsFile = "${secretspath}/secrets.yaml";
+ age = {
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = false;
+ };
+ secrets = {
+ tera_passwd = {
+ neededForUsers = true;
+ };
+ };
+ };
 }
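Review bot: `{inputs, ...}; let` is a Nix syntax error — a function pattern is followed by `:`, not `;` — so this module will not even parse; the line should read `{inputs, ...}: let`. The key file also moves from `/persist/var/lib/sops-nix/key.txt` to `/var/lib/sops-nix/key.txt`, which now depends on the file entry added in the `system/impermanence.nix` hunk; since the secret is `neededForUsers`, it is (as I understand sops-nix) decrypted early in activation, and if that persistence mount is not yet in place at that point decryption fails and, with `users.mutableUsers = false`, the `tera` account ends up without a password file. Pointing `keyFile` at the persisted path directly, as the removed line did, avoids that ordering dependency. With `generateKey = false` and `sshKeyPaths` dropped, the age private key matching the recipient in `.sops.yaml` must be provisioned by hand before first boot, so a comment such as `# age key is provisioned out of band; generateKey = false so a missing key fails loudly instead of being masked by a fresh one` would spare the next person a confusing boot.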