fix: Fix sops

Tera << 8 2025-05-05 10:43:13 -04:00
parent 1c1d6054b0
commit 70a5b89528
Signed by: imterah
GPG key ID: 8FA7DD57BA6CEA37
7 changed files with 34 additions and 11 deletions

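--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+- &primkey age199lxhl3xjuf0xxgskxa3kdz89atnt6689g0pqr6kup4kvqe49vmsq63t35
+creation_rules:
+- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *primkey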
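Review bot: The only recipient is the single age key bound to `&primkey`, so whatever decrypts on a host has to hold that same private key; a compromised host then yields the key for every secret in the repository rather than just its own. Adding one recipient per host (typically the host's ssh ed25519 key converted with ssh-to-age) and listing it next to `*primkey` in the `age:` group keeps the personal key off the machines. Also, `path_regex: secrets/[^/]+\.(yaml|json|env|ini)$` only matches files under `secrets/` in this repository, while the sops module elsewhere in this commit reads `secrets.yaml` from the root of the separate `nix-secrets` input; unless that repository carries its own `.sops.yaml`, this rule will not apply to it.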

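--- /dev/null
+++ b/data/id_user.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSbHYeYqUlBQKZywVto5FqpIEosRvssnAsDKnL8nUa4 greysoh@pine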


@ -13,6 +13,10 @@
url = "github:viperML/nh"; url = "github:viperML/nh";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
nix-secrets = {
url = "git+https://git.terah.dev/imterah/sops?shallow=1&ref=main";
flake = false;
};
}; };
outputs = { outputs = {
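Review bot: The `nix-secrets` input is copied into /nix/store like any other flake input, and the store is world-readable on the host, so nothing in that repository may be committed unencrypted; a comment on the input would make that contract explicit: `# sops-encrypted secrets only: the checkout lands in the world-readable Nix store`. Pinning `ref=main` without a `rev` is acceptable only because `flake.lock` records the exact revision, and `shallow=1` does not change that. The file path is not shown on this page, and the enclosing `inputs` set begins before the hunk.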


@ -16,14 +16,13 @@
../../system/i18n.nix ../../system/i18n.nix
]; ];
sops.secrets.tera-password.neededForUsers = true;
users.mutableUsers = false; users.mutableUsers = false;
users.users.tera = { users.users.tera = {
uid = 1000; uid = 1000;
description = "Tera"; description = "Tera";
home = "/home/tera"; home = "/home/tera";
hashedPasswordFile = config.sops.secrets.tera-password.path; hashedPasswordFile = config.sops.secrets.tera_password.path;
isNormalUser = true; isNormalUser = true;
createHome = true; createHome = true;
shell = pkgs.bash; shell = pkgs.bash;
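Review bot: The new side of the `hashedPasswordFile` line references `config.sops.secrets.tera_password.path`, but the secret declared in the sops module in this same commit is named `tera_passwd`; unless `tera_password` is declared elsewhere, evaluation fails on a missing attribute, and the `neededForUsers = true` removed from this file is only set on `tera_passwd`. Use one name in both places, e.g. `hashedPasswordFile = config.sops.secrets.tera_passwd.path;`. The file path is not shown on this page, and the `users.users.tera` set continues past the end of the hunk.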

@ -1 +1 @@
Subproject commit ed485bba5151879e9b598fd18e6970624b0d21e5 Subproject commit c07d110d71e32ff5fabf0219bc9cadab47d3d2a7


@ -1,6 +1,7 @@
{lib, ...}: { {lib, ...}: {
fileSystems."/persist".neededForBoot = true; fileSystems."/persist".neededForBoot = true;
fileSystems."/nix".neededForBoot = true; fileSystems."/nix".neededForBoot = true;
boot.initrd.postDeviceCommands = lib.mkAfter '' boot.initrd.postDeviceCommands = lib.mkAfter ''
mkdir /btrfs_tmp mkdir /btrfs_tmp
mount /dev/root_vg/root /btrfs_tmp mount /dev/root_vg/root /btrfs_tmp
@ -25,12 +26,14 @@
btrfs subvolume create /btrfs_tmp/root btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp umount /btrfs_tmp
''; '';
environment.persistence."/persist" = { environment.persistence."/persist" = {
enable = true; enable = true;
hideMounts = true; hideMounts = true;
directories = [ directories = [
"/var/log" "/var/log"
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/docker"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/nixos" "/etc/nixos"
"/etc/NetworkManager" "/etc/NetworkManager"
@ -39,7 +42,7 @@
"/etc/machine-id" "/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub" "/etc/ssh/ssh_host_ed25519_key.pub"
#"/var/lib/sops-nix/key.txt" "/var/lib/sops-nix/key.txt"
]; ];
}; };
} }
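Review bot: Persisting `/var/lib/sops-nix/key.txt` through impermanence instead of pointing `sops.age.keyFile` at `/persist/...` makes the key's availability depend on impermanence's bind mount being in place before sops-nix decrypts its `neededForUsers` secret, which happens early in activation; if the mount comes later on a fresh boot, the user password cannot be decrypted and login breaks. Verify this on a clean boot, or keep `keyFile` pointing directly at the path under `/persist` as the previous configuration did. A comment beside the entry would also help, since the host never generates this file: `# age private key, root of trust for every sops secret: 0600 root, provisioned out of band (generateKey = false)`. The file path is not shown on this page, and the `environment.persistence."/persist"` set extends beyond the hunk.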


@ -1,12 +1,21 @@
{inputs, ...}: { {inputs, ...}; let
secretspath = builtins.toString inputs.nix-secrets;
in
{
imports = [ imports = [
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
]; ];
sops.defaultSopsFile = "${../secrets/secrets.yaml}"; sops = {
sops.validateSopsFiles = false; defaultSopsFile = "${secretspath}/secrets.yaml";
sops.defaultSopsFormat = "yaml"; age = {
sops.age.keyFile = "/persist/var/lib/sops-nix/key.txt"; keyFile = "/var/lib/sops-nix/key.txt";
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; generateKey = false;
sops.age.generateKey = true; };
secrets = {
tera_passwd = {
neededForUsers = true;
};
};
};
} }
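Review bot: The new first line reads `{inputs, ...}; let`, which is not valid Nix: the argument pattern must be followed by `:` (`{inputs, ...}: let`), so if that is the committed text rather than a rendering artifact the whole module fails to parse. With `generateKey = false` the age key at `/var/lib/sops-nix/key.txt` has to be placed on the host out of band before the first activation, and `secretspath` resolves to a world-readable /nix/store path, so `secrets.yaml` in the `nix-secrets` input must be fully sops-encrypted. A short header comment would capture both: `# Secrets come from the nix-secrets flake input (copied into the world-readable store, so the file must stay encrypted); the host decrypts with a pre-provisioned age key that is never generated here.`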