From ed2a7f94cfd61c160ed0197b166f7391f530d72d Mon Sep 17 00:00:00 2001 From: Julia Lange Date: Sun, 7 Apr 2024 00:33:49 -0700 Subject: [PATCH] Add sops-nix for secret management --- .sops.yaml | 11 +++ flake.lock | 112 ++++++++++----------------- flake.nix | 1 + modules/secrets/sops-nix/default.nix | 11 +++ secrets.yaml | 24 ++++++ 5 files changed, 86 insertions(+), 73 deletions(-) create mode 100644 .sops.yaml create mode 100644 modules/secrets/sops-nix/default.nix create mode 100644 secrets.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..530c11f --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,11 @@ +# This example uses YAML anchors which allows reuse of multiple keys +# without having to repeat yourself. +# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml +# for a more complex example. +keys: + - &onizuka age1ey3wr2wnkgny3dfgvnyrf0cptwzr7s5x464p2y9ya58lpay8lfrsds3y68 +creation_rules: + - path_regex: secrets.yaml$ + key_groups: + - age: + - *onizuka diff --git a/flake.lock b/flake.lock index f283cae..54d6c12 100644 --- a/flake.lock +++ b/flake.lock @@ -8,11 +8,11 @@ ] }, "locked": { - "lastModified": 1710342492, - "narHash": "sha256-vEE+z5Tm0xWRAJo6xBai88kojzfROfHJ1a5dkNWoGRA=", + "lastModified": 1712185015, + "narHash": "sha256-mL3VSJRkyDJbMh/QqUeOhGOsEOTS7Jw9Tqw4fM+VjB4=", "owner": "ezKEa", "repo": "aagl-gtk-on-nix", - "rev": "c0943e683baedeb19498562497aec35701b1fe02", + "rev": "1dbb1c233a249e8cbc03907e965bd2a48d880262", "type": "github" }, "original": { @@ -39,7 +39,10 @@ }, "hyprcursor": { "inputs": { - "hyprlang": "hyprlang", + "hyprlang": [ + "hyprland", + "hyprlang" + ], "nixpkgs": [ "hyprland", "nixpkgs" 
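Review bot: The creation rule in .sops.yaml lists a single age recipient (`&onizuka`), so the only holder able to decrypt secrets.yaml is whatever has that one private key, and the NixOS host itself is given no key of its own; losing that key file makes every secret unrecoverable, and (judging from the `age.keyFile` path elsewhere in this patch) it appears to be a user's key rather than a machine key. Add at least one more recipient: the target host's age key derived from its SSH host key (`ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub`) so the machine can decrypt independently of a user account, plus an offline backup key, e.g. `- &host age1...` under `keys:` and `- *host` under the `age:` list, then re-wrap with `sops updatekeys secrets.yaml`. The header comments are copied verbatim from the sops-nix template ("This example uses YAML anchors ...") and should be replaced by a line stating what `onizuka` is and where its private key is kept, since that is what the next person rotating keys needs to know.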
@@ -50,11 +53,11 @@ ] }, "locked": { - "lastModified": 1710257359, - "narHash": "sha256-43re5pzE/cswFAgw92/ugsB3+d5ufDaCcLtl9ztKfBo=", + "lastModified": 1712339458, + "narHash": "sha256-j8pv3tL2EFLGuvFoO64dHWD8YzNvD77hRb4EEx5ADgE=", "owner": "hyprwm", "repo": "hyprcursor", - "rev": "1761f6cefd77f4fcd2039d930c88d6716ddc4974", + "rev": "981b6617822dadc40246a6c70194d02dfc12e4c6", "type": "github" }, "original": { @@ -67,18 +70,18 @@ "inputs": { "hyprcursor": "hyprcursor", "hyprland-protocols": "hyprland-protocols", - "hyprlang": "hyprlang_2", + "hyprlang": "hyprlang", "nixpkgs": "nixpkgs", - "systems": "systems_2", + "systems": "systems", "wlroots": "wlroots", "xdph": "xdph" }, "locked": { - "lastModified": 1711070930, - "narHash": "sha256-jKOAO/NlfaTC/OcZkPoT87gsfVqt/+Ye+KcaIv6e2mU=", + "lastModified": 1712457111, + "narHash": "sha256-hTRMWHl49SYfui2W3qCq790MHnX8JTBfYQcxgwjbQ0g=", "owner": "hyprwm", "repo": "Hyprland", - "rev": "9bad62b85f179ad2c95c6e7f734768ef060a604b", + "rev": "f2a848cbcc41f29fb62ee67aef95136ae1a650da", "type": "github" }, "original": { @@ -113,29 +116,6 @@ } }, "hyprlang": { - "inputs": { - "nixpkgs": [ - "hyprland", - "hyprcursor", - "nixpkgs" - ], - "systems": "systems" - }, - "locked": { - "lastModified": 1709914708, - "narHash": "sha256-bR4o3mynoTa1Wi4ZTjbnsZ6iqVcPGriXp56bZh5UFTk=", - "owner": "hyprwm", - "repo": "hyprlang", - "rev": "a685493fdbeec01ca8ccdf1f3655c044a8ce2fe2", - "type": "github" - }, - "original": { - "owner": "hyprwm", - "repo": "hyprlang", - "type": "github" - } - }, - "hyprlang_2": { "inputs": { "nixpkgs": [ "hyprland", 
@@ -147,11 +127,11 @@ ] }, "locked": { - "lastModified": 1709914708, - "narHash": "sha256-bR4o3mynoTa1Wi4ZTjbnsZ6iqVcPGriXp56bZh5UFTk=", + "lastModified": 1711671891, + "narHash": "sha256-C/Wwsy/RLxHP1axFFl+AnwJRWfd8gxDKKoa8nt8Qk3c=", "owner": "hyprwm", "repo": "hyprlang", - "rev": "a685493fdbeec01ca8ccdf1f3655c044a8ce2fe2", + "rev": "c1402612146ba06606ebf64963a02bc1efe11e74", "type": "github" }, "original": { @@ -162,11 +142,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1710272261, - "narHash": "sha256-g0bDwXFmTE7uGDOs9HcJsfLFhH7fOsASbAuOzDC+fhQ=", + "lastModified": 1712163089, + "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0ad13a6833440b8e238947e47bea7f11071dc2b2", + "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5", "type": "github" }, "original": { @@ -178,11 +158,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1710951922, - "narHash": "sha256-FOOBJ3DQenLpTNdxMHR2CpGZmYuctb92gF0lpiirZ30=", + "lastModified": 1712310679, + "narHash": "sha256-XgC/a/giEeNkhme/AV1ToipoZ/IVm1MV2ntiK4Tm+pw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f091af045dff8347d66d186a62d42aceff159456", + "rev": "72da83d9515b43550436891f538ff41d68eecc7f", "type": "github" }, "original": { @@ -193,11 +173,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1710628718, - "narHash": "sha256-y+l3eH53UlENaYa1lmnCBHusZb1kxBEFd2/c7lDsGpw=", + "lastModified": 1712437997, + "narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6dc11d9859d6a18ab0c5e5829a5b8e4810658de3", + "rev": "e38d7cb66ea4f7a0eb6681920615dfcc30fc2920", "type": "github" }, "original": { 
@@ -209,11 +189,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1710806803, - "narHash": "sha256-qrxvLS888pNJFwJdK+hf1wpRCSQcqA6W5+Ox202NDa0=", + "lastModified": 1712163089, + "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b06025f1533a1e07b6db3e75151caa155d1c7eb3", + "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5", "type": "github" }, "original": { @@ -224,11 +204,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1710534455, - "narHash": "sha256-huQT4Xs0y4EeFKn2BTBVYgEwJSv8SDlm82uWgMnCMmI=", + "lastModified": 1712420723, + "narHash": "sha256-VnG0Eu394Ga2FCe8Q66m6OEQF8iAqjDYsjmtl+N2omk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9af9c1c87ed3e3ed271934cb896e0cdd33dae212", + "rev": "9e7f26f82acb057498335362905fde6fea4ca50a", "type": "github" }, "original": { @@ -253,16 +233,17 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1710644594, - "narHash": "sha256-RquCuzxfy4Nr8DPbdp3D/AsbYep21JgQzG8aMH9jJ4A=", + "lastModified": 1712458908, + "narHash": "sha256-DMgBS+jNHDg8z3g9GkwqL8xTKXCRQ/0FGsAyrniVonc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "83b68a0e8c94b72cdd0a6e547a14ca7eb1c03616", + "rev": "39191e8e6265b106c9a2ba0cfd3a4dafe98a31c6", "type": "github" }, "original": { - "id": "sops-nix", - "type": "indirect" + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } }, "systems": { @@ -280,21 +261,6 @@ "type": "github" } }, - "systems_2": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, "wlroots": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 6996e97..bd59e11 100644 --- a/flake.nix +++ b/flake.nix 
@@ -7,6 +7,7 @@ url = "github:ezKEa/aagl-gtk-on-nix"; inputs.nixpkgs.follows = "nixpkgs-stable"; }; + sops-nix.url = "github:Mic92/sops-nix"; }; outputs = { self, nixpkgs, hyprland, aagl, sops-nix, ... }@inputs: diff --git a/modules/secrets/sops-nix/default.nix b/modules/secrets/sops-nix/default.nix new file mode 100644 index 0000000..2c26d07 --- /dev/null +++ b/modules/secrets/sops-nix/default.nix @@ -0,0 +1,11 @@ +{ inputs, pkgs, lib, ... }: +let rootPath = ./.; in +{ + imports = [ inputs.sops-nix.nixosModules.sops ]; + + sops = { + defaultSopsFile = rootPath + "secrets.yaml"; + defaultSopsFormat = "yaml"; + age.keyFile = "/home/pan/.config/sops/age/keys.txt"; + }; +} diff --git a/secrets.yaml b/secrets.yaml new file mode 100644 index 0000000..0c3098f --- /dev/null +++ b/secrets.yaml 
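Review bot: The new `sops-nix.url` input carries no `inputs.nixpkgs.follows`, unlike the `aagl` input two lines above it, so sops-nix keeps evaluating against its own nixpkgs pins (the lock in this patch shows it pulling a separate `nixpkgs-stable_2`), which means a second nixpkgs tree to track for security fixes and a possible version mismatch between the module's sops/age tooling and the system's. Prefer the same form as the neighbouring input: `sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };` (or `"nixpkgs-stable"`, whichever the host is built from). The enclosing `inputs = { ... }` attrset starts before this hunk.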
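Review bot: `defaultSopsFile = rootPath + "secrets.yaml"` with `rootPath = ./.` does not point at the file this commit adds: Nix path + string concatenation appends the string verbatim with no separator, so it evaluates to `.../modules/secrets/sops-nixsecrets.yaml`, while the `secrets.yaml` in the diffstat lives at the repository root, not in this module's directory; evaluation should fail with a path-does-not-exist error, and if a file ever appears under that odd name it would be the one decrypted. Use a path literal naming the real location, `defaultSopsFile = ../../../secrets.yaml;`, and drop the `rootPath` binding. Second, `age.keyFile = "/home/pan/.config/sops/age/keys.txt"` makes a regular user's home directory hold the host's only decryption key: the sops-nix activation step runs as root during boot, so decryption fails whenever `/home` is not yet mounted or that path is missing, and the user `pan` (and any process running as that user) can decrypt every system secret, which defeats the root-only `/run/secrets` boundary the module is meant to provide. The documented pattern is a root-owned key outside any home, `age.keyFile = "/var/lib/sops-nix/key.txt"; age.generateKey = true;`, or deriving from the SSH host key with `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, with the matching public key added as a recipient in .sops.yaml. `pkgs` and `lib` in the argument set are unused and can be dropped.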
@@ -0,0 +1,24 @@ +services: + spotify: + username: ENC[AES256_GCM,data:xyhcpSN4v9k294Vtxd+6RIicsd/QbWBr3Qk=,iv:fhKAo9sti/CFRQijzvAoWAAfSETVYTjvRsdUeTVj5rU=,tag:jggBE9ZKHiDerI0Fm+n12w==,type:str] + password: ENC[AES256_GCM,data:fmx/1zTF/Xc32tpjnq1pp7jzpIM=,iv:kwAzuhAcw3+v9Ilfh1GrdqmINR0w0F6nkjJJXjABcmI=,tag:Yyutz0EmQQ6n/UYgHLpYWA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ey3wr2wnkgny3dfgvnyrf0cptwzr7s5x464p2y9ya58lpay8lfrsds3y68 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHM1REVU9wTVhxWHo3UW0x + WnNmanFmbXVCVGJwcmdZVzFJaTBxRnJzcEJZClFJdjB1QkpxS1QySVUzbGJySWY5 + QURScWI5UTFzN1NVdkVZeG9WUkdnWWcKLS0tIGgrNEFpWi9idTQrZWNrZXMzcFZI + RUljSSs5L1JCampTOXdmY1IzYjNzeFEK2WC5HivIt77z0+yopZnmlUWYJCwn/eI+ + V4UIgITsmTjN2c6df5Pc4nb7jWC7XsMq7VL1nG+uo39QQPRW/FaZYQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-06T02:39:34Z" + mac: ENC[AES256_GCM,data:QAFXEXOm0Mi0GOJU4EG8JC9BizTGdbDjYfGlBAe6uhJAcMAO47vRwPADx7bWxSrAZ6kQRy+3OCBjin0YSADRHHmXOPXhqPzpFTeG3T19hLRG79W7R1UoRVm/PhajOimEj4urbZqdHC8mqtU0XngB/zlfRkfbT053J87TsvAlmwI=,iv:HMEhCmnXCEANA4s1L1nmnckHRIjWKxS3D9gbLcNTnmE=,tag:Chbl2JTKVqs8t91BTlX9QQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1
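Review bot: sops encrypts only the values, so the key names `services.spotify.username` and `services.spotify.password` stay in cleartext in the committed file and tell anyone with read access to the repository exactly which account's credentials are stored here; if that is not acceptable, nest them under non-descriptive names or keep one file per service with an opaque filename. The file is encrypted to the single recipient `age1ey3w...` matching `.sops.yaml`, and the AES-GCM tags plus the encrypted `mac` field mean any edit to the committed ciphertext is rejected on decrypt, so committing it is sound as long as the private key never lands in the repository. Nothing in this patch declares a `sops.secrets` entry consuming these values, so they are not yet materialised anywhere; when one is added, set `owner`/`mode` explicitly rather than relying on the root-only default if a user session is meant to read them. Note that `unencrypted_suffix: _unencrypted` means any key later added with that suffix is committed in plaintext by design, which is worth a one-line comment in .sops.yaml or the module so nobody is surprised.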