Sops, add user secret management

2024-11-07 14:58:37 -08:00 · 2024-11-07 14:58:37 -08:00 · 5186992f88
commit 5186992f88
parent 5c256edcb3
3 changed files with 24 additions and 32 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -4,8 +4,10 @@
 # for a more complex example.
 keys:
  - &onizuka age1ey3wr2wnkgny3dfgvnyrf0cptwzr7s5x464p2y9ya58lpay8lfrsds3y68
+  - &jibril age1n8936ux6ushjyz3kuumdrz63jcwsvz7qkfj66rrkgk8d78wl2dssgev4tm
 creation_rules:
-  - path_regex: secrets.yaml$
+  - path_regex: systems/[^/]+/secrets\.yaml$
    key_groups:
    - age:
      - *onizuka
+      - *jibril
--- a/nixosModules/services/sops-nix/default.nix
+++ b/nixosModules/services/sops-nix/default.nix
@ -1,18 +1,32 @@
 { inputs, config, pkgs, lib, ... }:
-let rootPath = ./.; in
+
 {
-  options = {
-    sops-nix.enable = lib.mkEnableOption "Enables nix-sops for secret management";
+  options.sops-nix = let
+    externalPath = lib.mkOptionType {
+      name = "externalPath";
+      check = x: !lib.path.hasStorePathPrefix (/. + x);
+      merge = lib.mergeEqualOption;
+    };
+  in {
+    enable = lib.mkEnableOption "Enables nix-sops for secret management";
+    keyFile = lib.mkOption {
+      description = "A key file to unlock your secrets file";
+      type = lib.types.nullOr externalPath;
+    };
+    sopsFile = lib.mkOption {
+      description = "The path to your secrets file";
+      type = lib.types.path;
+    };
+    secrets = lib.mkOption { default = {}; };
  };

  imports =  [ inputs.sops-nix.nixosModules.sops ];

  config = lib.mkIf config.sops-nix.enable {
-
    sops = {
-      defaultSopsFile = rootPath + "secrets.yaml";
-      defaultSopsFormat = "yaml";
-      age.keyFile = "/home/" + config.user.name + ".config/sops/age/keys.txt";
+      defaultSopsFile = config.sops-nix.sopsFile;
+      age.keyFile = config.sops-nix.keyFile;
+      secrets = config.sops-nix.secrets;
    };
    environment.systemPackages = with pkgs; [
      sops
--- a/secrets.yaml
+++ b/secrets.yaml
@ -1,24 +0,0 @@
-services:
-    spotify:
-        username: ENC[AES256_GCM,data:xyhcpSN4v9k294Vtxd+6RIicsd/QbWBr3Qk=,iv:fhKAo9sti/CFRQijzvAoWAAfSETVYTjvRsdUeTVj5rU=,tag:jggBE9ZKHiDerI0Fm+n12w==,type:str]
-        password: ENC[AES256_GCM,data:fmx/1zTF/Xc32tpjnq1pp7jzpIM=,iv:kwAzuhAcw3+v9Ilfh1GrdqmINR0w0F6nkjJJXjABcmI=,tag:Yyutz0EmQQ6n/UYgHLpYWA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1ey3wr2wnkgny3dfgvnyrf0cptwzr7s5x464p2y9ya58lpay8lfrsds3y68
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHM1REVU9wTVhxWHo3UW0x
-            WnNmanFmbXVCVGJwcmdZVzFJaTBxRnJzcEJZClFJdjB1QkpxS1QySVUzbGJySWY5
-            QURScWI5UTFzN1NVdkVZeG9WUkdnWWcKLS0tIGgrNEFpWi9idTQrZWNrZXMzcFZI
-            RUljSSs5L1JCampTOXdmY1IzYjNzeFEK2WC5HivIt77z0+yopZnmlUWYJCwn/eI+
-            V4UIgITsmTjN2c6df5Pc4nb7jWC7XsMq7VL1nG+uo39QQPRW/FaZYQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-06T02:39:34Z"
-    mac: ENC[AES256_GCM,data:QAFXEXOm0Mi0GOJU4EG8JC9BizTGdbDjYfGlBAe6uhJAcMAO47vRwPADx7bWxSrAZ6kQRy+3OCBjin0YSADRHHmXOPXhqPzpFTeG3T19hLRG79W7R1UoRVm/PhajOimEj4urbZqdHC8mqtU0XngB/zlfRkfbT053J87TsvAlmwI=,iv:HMEhCmnXCEANA4s1L1nmnckHRIjWKxS3D9gbLcNTnmE=,tag:Chbl2JTKVqs8t91BTlX9QQ==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1