fix: Fix sops

2025-05-05 10:43:13 -04:00 · 2025-05-05 10:43:13 -04:00 · 70a5b89528
commit 70a5b89528
parent 1c1d6054b0
7 changed files with 34 additions and 11 deletions
--- a/system/impermanence.nix
+++ b/system/impermanence.nix
@ -1,6 +1,7 @@
 {lib, ...}: {
  fileSystems."/persist".neededForBoot = true;
  fileSystems."/nix".neededForBoot = true;
+
  boot.initrd.postDeviceCommands = lib.mkAfter ''
    mkdir /btrfs_tmp
    mount /dev/root_vg/root /btrfs_tmp
@ -25,12 +26,14 @@
    btrfs subvolume create /btrfs_tmp/root
    umount /btrfs_tmp
  '';
+
  environment.persistence."/persist" = {
    enable = true;
    hideMounts = true;
    directories = [
      "/var/log"
      "/var/lib/nixos"
+      "/var/lib/docker"
      "/var/lib/systemd/coredump"
      "/etc/nixos"
      "/etc/NetworkManager"
@ -39,7 +42,7 @@
      "/etc/machine-id"
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
-      #"/var/lib/sops-nix/key.txt"
+      "/var/lib/sops-nix/key.txt"
    ];
  };
 }
--- a/system/sops.nix
+++ b/system/sops.nix
@ -1,12 +1,21 @@
-{inputs, ...}: {
+{inputs, ...}; let
+  secretspath = builtins.toString inputs.nix-secrets;
+in
+{
  imports = [
    inputs.sops-nix.nixosModules.sops
  ];

-  sops.defaultSopsFile = "${../secrets/secrets.yaml}";
-  sops.validateSopsFiles = false;
-  sops.defaultSopsFormat = "yaml";
-  sops.age.keyFile = "/persist/var/lib/sops-nix/key.txt";
-  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
-  sops.age.generateKey = true;
+  sops = {
+    defaultSopsFile = "${secretspath}/secrets.yaml";
+    age = {
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = false;
+    };
+    secrets = {
+      tera_passwd = {
+        neededForUsers = true;
+      };
+    };
+  };
 }