fix: Fix more installation errors and potential security flaws

2025-05-05 16:28:37 -04:00 · 2025-05-05 16:28:37 -04:00 · dd929d89d3
commit dd929d89d3
parent 86c41180b8
6 changed files with 29 additions and 15 deletions
--- a/system/impermanence.nix
+++ b/system/impermanence.nix
@ -35,6 +35,7 @@
      "/var/lib/nixos"
      "/var/lib/docker"
      "/var/lib/systemd/coredump"
+      "/var/lib/sops-nix"
      "/etc/nixos"
      "/etc/NetworkManager"
    ];
@ -42,7 +43,6 @@
      "/etc/machine-id"
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
-      "/var/lib/sops-nix/key.txt"
    ];
  };
 }
--- a/system/sops.nix
+++ b/system/sops.nix
@ -1,4 +1,4 @@
-{inputs, ...}; let
+{inputs, ...}: let
  secretspath = builtins.toString inputs.nix-secrets;
 in
 {
@ -9,11 +9,14 @@ in
  sops = {
    defaultSopsFile = "${secretspath}/secrets.yaml";
    age = {
+      # I'd prefer different OpenSSH keys for different hosts so I'm not 100% screwed if one of my devices get compromised.
+      # Therefore, we set a custom path for the sops key.
+      sshKeyPaths = ["/var/lib/sops-nix/ssh_host_ed25519_key"];
      keyFile = "/var/lib/sops-nix/key.txt";
      generateKey = false;
    };
    secrets = {
-      tera_passwd = {
+      tera_password = {
        neededForUsers = true;
      };
    };