lelgenio/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests Projects 2 Releases Packages Wiki Activity Actions

secrets: add sops

Browse source
This commit is contained in:
Leonardo Eugênio 2025-03-05 14:53:07 -03:00
parent 9fd65b02ba
commit 553ea251fa
9 changed files with 176 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

18
.sops.yaml Normal file
View file

@ -0,0 +1,18 @@
keys:
- &lelgenio-gpg 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
- &lelgenio-ssh ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15
- &monolith-ssh age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw
- &phantom-ssh age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *lelgenio-gpg
age:
- *lelgenio-ssh
- *monolith-ssh
- path_regex: secrets/phantom/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *phantom-ssh

21
flake.lock generated
View file

@ -722,6 +722,7 @@
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"plymouth-themes": "plymouth-themes", "plymouth-themes": "plymouth-themes",
"ranger-icons": "ranger-icons", "ranger-icons": "ranger-icons",
"sops-nix": "sops-nix",
"tlauncher": "tlauncher", "tlauncher": "tlauncher",
"tomater": "tomater", "tomater": "tomater",
"treefmt-nix": "treefmt-nix", "treefmt-nix": "treefmt-nix",
@ -775,6 +776,26 @@
"type": "github" "type": "github"
} }
}, },
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1741043164,
"narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "3f2412536eeece783f0d0ad3861417f347219f4d",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,

7
flake.nix
View file

@ -26,6 +26,11 @@
inputs.home-manager.follows = "home-manager"; inputs.home-manager.follows = "home-manager";
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-mailserver = { nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -96,10 +101,12 @@
{ nixpkgs.pkgs = pkgs; } { nixpkgs.pkgs = pkgs; }
./system/configuration.nix ./system/configuration.nix
./system/secrets.nix ./system/secrets.nix
./system/sops.nix
./system/greetd.nix ./system/greetd.nix
{ login-manager.greetd.enable = desktop == "sway"; } { login-manager.greetd.enable = desktop == "sway"; }
inputs.agenix.nixosModules.default inputs.agenix.nixosModules.default
inputs.sops-nix.nixosModules.default
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
( (

13
hosts/phantom/default.nix
View file

@ -2,12 +2,16 @@
config, config,
pkgs, pkgs,
inputs, inputs,
lib,
... ...
}: }:
{ {
imports = [ imports = [
inputs.vpsadminos.nixosConfigurations.container inputs.vpsadminos.nixosConfigurations.container
inputs.agenix.nixosModules.default inputs.agenix.nixosModules.default
inputs.sops-nix.nixosModules.default
../../system/sops.nix
../../system/nix.nix ../../system/nix.nix
./hardware-config.nix ./hardware-config.nix
./mastodon.nix ./mastodon.nix
@ -57,6 +61,15 @@
identityPaths = [ "/root/.ssh/id_rsa" ]; identityPaths = [ "/root/.ssh/id_rsa" ];
}; };
sops = {
secrets.hello = { };
defaultSopsFile = lib.mkForce ../../secrets/phantom/default.yaml;
};
environment.etc."teste-sops" = {
text = config.sops.secrets.hello.path;
};
virtualisation.docker = { virtualisation.docker = {
enable = true; enable = true;
daemon.settings = { daemon.settings = {

30
secrets/phantom/default.yaml Normal file
View file

@ -0,0 +1,30 @@
hello: ENC[AES256_GCM,data:UJAAdOL7wzQ1LduTyW+XK2NtXyw/u/Yz28Bmd7OoBe41FVLKwVfvdI1nAwYuNQ==,iv:7kPT2HF5T498bUJ9hUlz5Ez/jn1g7YIUVbJOTW/CHhQ=,tag:KJhJPg8AStyW4roEbEUJ2g==,type:str]
example_key: ENC[AES256_GCM,data:DcLN+C1BQ6WZg5fRiA==,iv:JC3GTWn4a4RekAHdOQB3YV5+eGa4cUK1JjyTPe8eNHY=,tag:W9CV4rsgHuXyqpWpUxlIQg==,type:str]
#ENC[AES256_GCM,data:RjdYJNz6qGfbsU/AiBeLlQ==,iv:LjRzSjBXp44cGSqUUfRDNLC9cW4Vd7lfsqDWINt31VA=,tag:NzVm1h9CVKE2XXt300aR/g==,type:comment]
example_array:
- ENC[AES256_GCM,data:K9j/t8MDibYO8Frhu1M=,iv:YnrxRnJJwTH6DJC6Bv/d1NUnX2ZPFwsjoji7L1Z+d7s=,tag:Dm7xCUlnjKdXHCuk8lwY8w==,type:str]
- ENC[AES256_GCM,data:0g6ACJzEHBtukwQYYTY=,iv:xLBJWfOYkX7Y28N01CX2+d5QOr9VGAhInH6pa1hNSGE=,tag:tCkCigo4yhi6YKVMe3Z3lQ==,type:str]
example_number: ENC[AES256_GCM,data:R+/m/QVBH9/3DA==,iv:FumBUj97ICrRQmyh5fg8Gu9Lba9oITD1pdsr1I/PCf0=,tag:hguw1gpPI3w64fG1WLnJqA==,type:float]
example_booleans:
- ENC[AES256_GCM,data:VvI5ag==,iv:koMzyWcua75sK19vuk65oywCD61lMyH3xUwue8LTqy4=,tag:2ym1M0FTwevLm7wefTUWAw==,type:bool]
- ENC[AES256_GCM,data:lFEC/S8=,iv:cJWbnmseP/AqJzyORM+VI5y7rK8axVeh7EXoLP7mT/Q=,tag:BaS5HyecokdLCq+LzQxGkg==,type:bool]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxQkRWWmYweUNpcDRNbzRW
NnQ4R3JPK0oydm9iL0owS0d6Nm92eTFJZldFCnZpUVUvWi9FYTBDSGNvUUJRZHNz
QStPT0hCc08xUmh4dEdJdmVPRm01V2cKLS0tIEZPMmNKdGUvNnVWYXZNTHA3SkE3
ZTNJbW9EWktPb2M5TVBNekUrZXVoUFkKLEsQVYVp7fTBRDA7RO8Kjpc5MUPb5U7I
WKZtNhsMZsP+SLgZWBF1PpvcjlDlNA2Z+Hqsrw6vsq6DYpnxToxfZQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-05T22:27:18Z"
mac: ENC[AES256_GCM,data:WSopSnWZ+uOllywd7difaZtJcfxkL7eIf9Kr3GajZKO0+rP6pEHIS+5AbXZy6oKRlCLUPecY/WXFvk3//akpvvXHbf6Jp4fQ/YSuTcYKRQupbDBpOXSlc33QyRl6oEyiMOjxMxa2N2tmq8dmA0NbF9wSDMa5a4eNDoiL5T/sUZ8=,iv:QqbVRApzFF6q24rk8KfKuthj656nEczD9Si4INj+N9A=,tag:tMRNYo+u/jIQ6iX3KqKJdA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4-unstable

65
secrets/test.yaml Normal file
View file

@ -0,0 +1,65 @@
hello: ENC[AES256_GCM,data:ADXdQUkrnh9lDrsHyInYsPBo21u/mIAH47KhGQsxuz5OshT6CoK+89CILEi9tQ==,iv:b/rnM77z69+pVO3kxQZxI2YzTCRiBwwO5fhcwCB2/CI=,tag:A0FOXIfgIkJawV3QhlJPWQ==,type:str]
example_key: ENC[AES256_GCM,data:gXXl6hhdYNLC1Grmyw==,iv:miSL7Wdewd5zs4A86/r8OW6gK+PGZJ+gaqZRHHxvZos=,tag:Ty+IaoXdMSEThNPRjwhqTA==,type:str]
#ENC[AES256_GCM,data:FLhydTaiOqLRFk+ZrgGx9Q==,iv:TqhX2ylJKFQjdOpmwCER1+gRe4iR+I0hkVkNnYH4ESo=,tag:1BSk9TKqTma4MVUMswwmog==,type:comment]
example_array:
- ENC[AES256_GCM,data:1sIEL3xGDAygUKoodBA=,iv:1DumVv8vDvhT/K0jXM1vHdrFTE7dIxqqjS8CIpWdnc8=,tag:WSs+3a816zVOaGCTElxgFQ==,type:str]
- ENC[AES256_GCM,data:tFi1czQnVgX/nlWrJrs=,iv:isH65ldilVe3EjsKNP/dOKgtWZtHQPw364fPHBI+LEw=,tag:Ka5ywriFptKg3+lIHPEIyA==,type:str]
example_number: ENC[AES256_GCM,data:sxSM8a9oAp+u6g==,iv:KRLfIxZuBsnK+QE4mqm3pyhJmE7Fsd4ykJA++KrOnEQ=,tag:F5EkVUzw06ulr5jZvlTJdg==,type:float]
example_booleans:
- ENC[AES256_GCM,data:PDts2Q==,iv:qtfKg5gmUw2aERJe3gfT15Pk7mWocXwKdJhAzSic1o0=,tag:gn1sWsgt9ihYF8bHAkAQwQ==,type:bool]
- ENC[AES256_GCM,data:o9as7T0=,iv:YXyTB2X9PmTsOd37+BAp2xnT/+Yzyajcn5y1GE1O5rE=,tag:hyXA43jpyAbgH2hg1ivloQ==,type:bool]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1yc2EgQnd3eEhnCm4zQnZFV2hJ
cFR0Z0hGeFlQd1Rtb2dDUDRJOVc3dmtWT3FIa2xOV0hRREE4LzVKQ01FTHd6M3kz
M0JLeEtXTXoKZkhnMTNETnZVc2tEbU84NWlGWk5YaUg5NjJDdk9yb01QMTVCOHlh
SDE3c0c0dUV3bXQ4MjAxYWJjYUFscmlORwplOFZLc1JzUzdjU0lCZGUyQWl4b3d0
L3hmekNSUUZia2FOR0k3TWcyQm9xZytCakFpSGRidEJUZHQzaC9sVlppCmJBSnl0
VW9Tb2hRME9MdmFlcUw5Z3MyV0k3V1FKQTNQZ3M0UTRLK0FvL3NOUTZ3RDBQY0M5
UHdnLzU3VkFCME0KWTV4c29NbmIvLzl3WXJvMkhnT1gwTTBRNzV3RVVnRTdiMkpn
WmVWanB5VFpnTmhQMWRibXc4VGdhblAwWkQ1WQo0YnFjcnpnYTZITnVueTlZYzhW
OGs3MmlPcmhtaWZoU3h1T3FkbmpoMFFUN0UwQ1FDTGs5L1hGUHdJbmU5Q3haCjJG
bXAyd1lycGhELzY4ZWR2cEtmcWt4NnhXcjIyREw3cTR5d3ZoQlZySlg4Z2lwRmQ1
cEF1VGthTkV0ekg4M2UKZS9aN0IxazdjUWhUMnBFSmYrOEdYQWdocWtQcFhtYlpN
M3FyTDdMSmpESncydnFFd3lTcE1FMEg5a1ZoTXVIRgoKLS0tIEsvb090WDRBZFdV
dFRUUms3S0J2b201OExwTy9DZERhZVlqVEdtaThkTE0KFT1RB8s+hEOJk7XGjSak
34qTDcoBnaF0jPZ5Z0HsUx84G4Nu5teRVeHgVKyC7Iv7Gi9TkYtsdgM+q/3rdSvn
aA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5eVFsWHZZYkNrdjNraW5q
OTdmbWF6Tm02elk3NGt0TGQ3ZUoxaHp3VGdBCnVqSDRIMlRSOXdTSER2U0tDcjR1
Tk5FcURQOW90bENWL2Nyck1CU3RBR1UKLS0tIFRZZzlNNWRtUkJmVzBHWTA3L21K
VCsyS0x4Rk83eC9UTHJvM1NJZG9DbTQKbGp6n/45qGA3rgmdxUJQKZdA1zen5kfZ
pXnExsrIhfPDx0oE2jIWGW0N8cizkCJA4k7ROGu56GqIqga9h55VTw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-05T21:02:24Z"
mac: ENC[AES256_GCM,data:QfyrJrLERhs14KnuBJ0eCEUqKIBwhmQHROflBAArGlPmyVZU6KLvvOOANv+PJWk9Kt9yPU9Avwt6/e2q0jq9u2OUrvxHbqF4SWvkwhvSoSD3EOe27NGPjDLkVHOdszObo/fT8xglvc6LY8NqL9dXnUoLl58IrY7SE18F7EjrYuE=,iv:rjonQvZQjsr0oC5p3pjh1FAH/7B8SnHpAQ/qFxxfhQs=,tag:/DgHviNrSIzLyjj6ndwY0w==,type:str]
pgp:
- created_at: "2025-03-05T21:28:21Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMAzy6JxafzLr5AQf/aiSW1yeJJ3VLiJ6I+vafWPVe702+6IstICKNdTz4AFgo
2yUkY/alpgkcH1ybAiRQK0lOs63NBL51Pe2XsKAWXTlHVgFU0B6e+7YoDuwPWnTP
dyTASd+++EAbf0l7bIVQbx28Ib5F5DZyB1VMhhGAZXQqURJGQpLrSqzaoMFPGodg
V7whjtOaEmtFKNhNeRIdrnTW2raeKO0J3mQ5nawCekeIHnx22NxCIbhBMsKpF8EH
3SZSCNiGrrfbLZFHcM/P5N5qEPc53r9Zvpxcwc8NayIS3kUPwLqKmvhCbRW3WOr0
2fc8TQgHTWEYSRSYIVw5vPHWs4+3T4cjdGb0atJ4rtJeAUnGlwchAvxLfFFG096r
SDdiJBBZ03r31EJqnplNwwitKyR4jj+HaM/CNmtSFo7c99iA91A7C1PBri+NpuCK
Fr0JVEom4Fm9WY7BMPduiLN77XLB0aaYN7zu7pwdYA==
=4URT
-----END PGP MESSAGE-----
fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
unencrypted_suffix: _unencrypted
version: 3.9.4

10
system/configuration.nix
View file

@ -1,7 +1,7 @@
# Edit this configuration file to define what should be installed on # Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ pkgs, ... }: { pkgs, config, ... }:
{ {
imports = [ imports = [
./android.nix ./android.nix
@ -29,6 +29,14 @@
zramSwap.enable = true; zramSwap.enable = true;
sops = {
secrets.hello = { };
};
environment.etc."teste-sops" = {
text = config.sops.secrets.hello.path;
};
# Enable touchpad support (enabled default in most desktopManager). # Enable touchpad support (enabled default in most desktopManager).
services.libinput.enable = true; services.libinput.enable = true;

2
system/secrets.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }: { pkgs, config, ... }:
{ {
age = { age = {
identityPaths = [ "/root/.ssh/id_rsa" ]; identityPaths = [ "/root/.ssh/id_rsa" ];

12
system/sops.nix Normal file
View file

@ -0,0 +1,12 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
sops-master
gnupg
];
sops = {
defaultSopsFile = ../secrets/test.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
}