Sops, add user secret management

Julia Lange 2024-11-07 14:58:37 -08:00
parent 5c256edcb3
commit 5186992f88
Signed by: Julia
SSH key fingerprint: SHA256:KI8YxpkPRbnDRkXPgCuQCVz181++Vy7NAvmQj8alOhM
3 changed files with 24 additions and 32 deletions


@ -4,8 +4,10 @@
# for a more complex example. # for a more complex example.
keys: keys:
- &onizuka age1ey3wr2wnkgny3dfgvnyrf0cptwzr7s5x464p2y9ya58lpay8lfrsds3y68 - &onizuka age1ey3wr2wnkgny3dfgvnyrf0cptwzr7s5x464p2y9ya58lpay8lfrsds3y68
- &jibril age1n8936ux6ushjyz3kuumdrz63jcwsvz7qkfj66rrkgk8d78wl2dssgev4tm
creation_rules: creation_rules:
- path_regex: secrets.yaml$ - path_regex: systems/[^/]+/secrets\.yaml$
key_groups: key_groups:
- age: - age:
- *onizuka - *onizuka
- *jibril
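Review bot: Adding `*jibril` to the creation rule at the end of the hunk does not re-encrypt files that already exist; every file matching `systems/[^/]+/secrets\.yaml$` needs `sops updatekeys <file>` run and the result committed before the new recipient can decrypt it, because `creation_rules` are only consulted when a file is created or re-keyed. Both recipients sit in a single `age:` list of one key group, so either key alone decrypts every secret; if jibril is a host key that is the usual sops-nix layout, but it deserves a comment above `key_groups:` such as `# one key group: any listed key decrypts; use separate key_groups for a Shamir threshold`. The new `path_regex` appears unanchored at the start, so a path such as `vendor/systems/foo/secrets.yaml` would match as well — prefixing it with `^` would pin the rule to the top-level `systems/` tree if that is the intent.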


@ -1,18 +1,32 @@
{ inputs, config, pkgs, lib, ... }: { inputs, config, pkgs, lib, ... }:
let rootPath = ./.; in
{ {
options = { options.sops-nix = let
sops-nix.enable = lib.mkEnableOption "Enables nix-sops for secret management"; externalPath = lib.mkOptionType {
name = "externalPath";
check = x: !lib.path.hasStorePathPrefix (/. + x);
merge = lib.mergeEqualOption;
};
in {
enable = lib.mkEnableOption "Enables nix-sops for secret management";
keyFile = lib.mkOption {
description = "A key file to unlock your secrets file";
type = lib.types.nullOr externalPath;
};
sopsFile = lib.mkOption {
description = "The path to your secrets file";
type = lib.types.path;
};
secrets = lib.mkOption { default = {}; };
}; };
imports = [ inputs.sops-nix.nixosModules.sops ]; imports = [ inputs.sops-nix.nixosModules.sops ];
config = lib.mkIf config.sops-nix.enable { config = lib.mkIf config.sops-nix.enable {
sops = { sops = {
defaultSopsFile = rootPath + "secrets.yaml"; defaultSopsFile = config.sops-nix.sopsFile;
defaultSopsFormat = "yaml"; age.keyFile = config.sops-nix.keyFile;
age.keyFile = "/home/" + config.user.name + ".config/sops/age/keys.txt"; secrets = config.sops-nix.secrets;
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
sops sops


@ -1,24 +0,0 @@
services:
spotify:
username: ENC[AES256_GCM,data:xyhcpSN4v9k294Vtxd+6RIicsd/QbWBr3Qk=,iv:fhKAo9sti/CFRQijzvAoWAAfSETVYTjvRsdUeTVj5rU=,tag:jggBE9ZKHiDerI0Fm+n12w==,type:str]
password: ENC[AES256_GCM,data:fmx/1zTF/Xc32tpjnq1pp7jzpIM=,iv:kwAzuhAcw3+v9Ilfh1GrdqmINR0w0F6nkjJJXjABcmI=,tag:Yyutz0EmQQ6n/UYgHLpYWA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ey3wr2wnkgny3dfgvnyrf0cptwzr7s5x464p2y9ya58lpay8lfrsds3y68
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHM1REVU9wTVhxWHo3UW0x
WnNmanFmbXVCVGJwcmdZVzFJaTBxRnJzcEJZClFJdjB1QkpxS1QySVUzbGJySWY5
QURScWI5UTFzN1NVdkVZeG9WUkdnWWcKLS0tIGgrNEFpWi9idTQrZWNrZXMzcFZI
RUljSSs5L1JCampTOXdmY1IzYjNzeFEK2WC5HivIt77z0+yopZnmlUWYJCwn/eI+
V4UIgITsmTjN2c6df5Pc4nb7jWC7XsMq7VL1nG+uo39QQPRW/FaZYQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-06T02:39:34Z"
mac: ENC[AES256_GCM,data:QAFXEXOm0Mi0GOJU4EG8JC9BizTGdbDjYfGlBAe6uhJAcMAO47vRwPADx7bWxSrAZ6kQRy+3OCBjin0YSADRHHmXOPXhqPzpFTeG3T19hLRG79W7R1UoRVm/PhajOimEj4urbZqdHC8mqtU0XngB/zlfRkfbT053J87TsvAlmwI=,iv:HMEhCmnXCEANA4s1L1nmnckHRIjWKxS3D9gbLcNTnmE=,tag:Chbl2JTKVqs8t91BTlX9QQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1