From 6cb20d396c1718285fe8953f5111d7417e88e98b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Thu, 6 Mar 2025 09:28:25 -0300 Subject: [PATCH] wip --- .sops.yaml | 18 ++++-- flake.nix | 1 + hosts/phantom/default.nix | 13 ++++ overlays/default.nix | 2 - secrets/phantom/default.yaml | 30 +++++++++ secrets/test.yaml | 119 +++++++++++++++++------------------ system/configuration.nix | 10 ++- system/secrets.nix | 17 ----- system/sops.nix | 12 ++++ 9 files changed, 133 insertions(+), 89 deletions(-) create mode 100644 secrets/phantom/default.yaml create mode 100644 system/sops.nix diff --git a/.sops.yaml b/.sops.yaml index be0b15c..699e3c1 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,12 +1,18 @@ keys: - - &lelgenio 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B - - &lelgenio-age ssh-rsa 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 lelgenio@i15 - - &monolith ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHESKhLPhvJIFW5S8rXweS2i6c13sk6h1Oo6SSJwEsNr root@monolith + - &lelgenio-gpg 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B + - &lelgenio-ssh ssh-rsa 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 lelgenio@i15 + - &monolith-ssh age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw + - &phantom-ssh age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y + creation_rules: - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: - - *lelgenio + - *lelgenio-gpg + age: + - *lelgenio-ssh + - *monolith-ssh + - path_regex: secrets/phantom/[^/]+\.(yaml|json|env|ini)$ + key_groups: - age: - - *lelgenio-age - - *monolith + - *phantom-ssh diff --git a/flake.nix b/flake.nix index 300e233..90ef37e 100644 --- a/flake.nix +++ b/flake.nix @@ -101,6 +101,7 @@ { nixpkgs.pkgs = pkgs; } ./system/configuration.nix ./system/secrets.nix + ./system/sops.nix ./system/greetd.nix { login-manager.greetd.enable = desktop == "sway"; } diff --git a/hosts/phantom/default.nix b/hosts/phantom/default.nix index 45c27d7..9111434 100644 
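Review bot: The new `secrets/phantom/[^/]+\.(yaml|json|env|ini)$` rule lists `*phantom-ssh` as its only recipient, and secrets/phantom/default.yaml in this commit is accordingly encrypted with `pgp: []` and a single age stanza. Unless phantom's private key is also held somewhere else, those files cannot be edited or re-keyed from a workstation, and a lost or rebuilt host makes them unrecoverable. Adding `pgp: [ *lelgenio-gpg ]` beside `age:` in that key group keeps an operator path while still excluding monolith. The `-ssh` suffix on `&monolith-ssh` and `&phantom-ssh` is also misleading now that they hold `age1…` recipients rather than SSH public keys; a `-age` suffix, or a comment such as `# age recipient for the host's SSH ed25519 key` if that is where they come from, would say what they are.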
--- a/hosts/phantom/default.nix +++ b/hosts/phantom/default.nix @@ -2,12 +2,16 @@ config, pkgs, inputs, + lib, ... }: { imports = [ inputs.vpsadminos.nixosConfigurations.container inputs.agenix.nixosModules.default + inputs.sops-nix.nixosModules.default + + ../../system/sops.nix ../../system/nix.nix ./hardware-config.nix ./mastodon.nix @@ -57,6 +61,15 @@ identityPaths = [ "/root/.ssh/id_rsa" ]; }; + sops = { + secrets.hello = { }; + defaultSopsFile = lib.mkForce ../../secrets/phantom/default.yaml; + }; + + environment.etc."teste-sops" = { + text = config.sops.secrets.hello.path; + }; + virtualisation.docker = { enable = true; daemon.settings = { diff --git a/overlays/default.nix b/overlays/default.nix index 598d4e2..8886897 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -47,8 +47,6 @@ rec { demoji = inputs.demoji.packages.${prev.system}.default; tlauncher = inputs.tlauncher.packages.${prev.system}.tlauncher; wl-crosshair = inputs.wl-crosshair.packages.${prev.system}.default; - - sops = final.sops-master; } ); diff --git a/secrets/phantom/default.yaml b/secrets/phantom/default.yaml new file mode 100644 index 0000000..a299b34 --- /dev/null +++ b/secrets/phantom/default.yaml 
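Review bot: The `sops.secrets.hello` / `environment.etc."teste-sops"` pair added in the second hunk reads as test scaffolding, on a host that also imports `./mastodon.nix`, and nothing marks it as temporary; the same pair is added to system/configuration.nix. As written it is harmless, because `text` holds only `config.sops.secrets.hello.path`. But `environment.etc` text is written to the world-readable Nix store, so a comment like `# smoke test only: writes the secret's runtime path, never its contents` would keep the block from being copied as a pattern for real secrets. The enclosing attribute set starts and ends outside the hunk.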
@@ -0,0 +1,30 @@ +hello: ENC[AES256_GCM,data:UJAAdOL7wzQ1LduTyW+XK2NtXyw/u/Yz28Bmd7OoBe41FVLKwVfvdI1nAwYuNQ==,iv:7kPT2HF5T498bUJ9hUlz5Ez/jn1g7YIUVbJOTW/CHhQ=,tag:KJhJPg8AStyW4roEbEUJ2g==,type:str] +example_key: ENC[AES256_GCM,data:DcLN+C1BQ6WZg5fRiA==,iv:JC3GTWn4a4RekAHdOQB3YV5+eGa4cUK1JjyTPe8eNHY=,tag:W9CV4rsgHuXyqpWpUxlIQg==,type:str] +#ENC[AES256_GCM,data:RjdYJNz6qGfbsU/AiBeLlQ==,iv:LjRzSjBXp44cGSqUUfRDNLC9cW4Vd7lfsqDWINt31VA=,tag:NzVm1h9CVKE2XXt300aR/g==,type:comment] +example_array: + - ENC[AES256_GCM,data:K9j/t8MDibYO8Frhu1M=,iv:YnrxRnJJwTH6DJC6Bv/d1NUnX2ZPFwsjoji7L1Z+d7s=,tag:Dm7xCUlnjKdXHCuk8lwY8w==,type:str] + - ENC[AES256_GCM,data:0g6ACJzEHBtukwQYYTY=,iv:xLBJWfOYkX7Y28N01CX2+d5QOr9VGAhInH6pa1hNSGE=,tag:tCkCigo4yhi6YKVMe3Z3lQ==,type:str] +example_number: ENC[AES256_GCM,data:R+/m/QVBH9/3DA==,iv:FumBUj97ICrRQmyh5fg8Gu9Lba9oITD1pdsr1I/PCf0=,tag:hguw1gpPI3w64fG1WLnJqA==,type:float] +example_booleans: + - ENC[AES256_GCM,data:VvI5ag==,iv:koMzyWcua75sK19vuk65oywCD61lMyH3xUwue8LTqy4=,tag:2ym1M0FTwevLm7wefTUWAw==,type:bool] + - ENC[AES256_GCM,data:lFEC/S8=,iv:cJWbnmseP/AqJzyORM+VI5y7rK8axVeh7EXoLP7mT/Q=,tag:BaS5HyecokdLCq+LzQxGkg==,type:bool] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxQkRWWmYweUNpcDRNbzRW + NnQ4R3JPK0oydm9iL0owS0d6Nm92eTFJZldFCnZpUVUvWi9FYTBDSGNvUUJRZHNz + QStPT0hCc08xUmh4dEdJdmVPRm01V2cKLS0tIEZPMmNKdGUvNnVWYXZNTHA3SkE3 + ZTNJbW9EWktPb2M5TVBNekUrZXVoUFkKLEsQVYVp7fTBRDA7RO8Kjpc5MUPb5U7I + WKZtNhsMZsP+SLgZWBF1PpvcjlDlNA2Z+Hqsrw6vsq6DYpnxToxfZQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-05T22:27:18Z" + mac: 
ENC[AES256_GCM,data:WSopSnWZ+uOllywd7difaZtJcfxkL7eIf9Kr3GajZKO0+rP6pEHIS+5AbXZy6oKRlCLUPecY/WXFvk3//akpvvXHbf6Jp4fQ/YSuTcYKRQupbDBpOXSlc33QyRl6oEyiMOjxMxa2N2tmq8dmA0NbF9wSDMa5a4eNDoiL5T/sUZ8=,iv:QqbVRApzFF6q24rk8KfKuthj656nEczD9Si4INj+N9A=,tag:tMRNYo+u/jIQ6iX3KqKJdA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4-unstable diff --git a/secrets/test.yaml b/secrets/test.yaml index d3e232d..a2a8ee9 100644 --- a/secrets/test.yaml +++ b/secrets/test.yaml 
@@ -1,72 +1,65 @@ -hello: ENC[AES256_GCM,data:InrQC1cwHNYwCshr2RYZTRbeNWSHNr0Z319xqxQMZRf3BjAwtJ3FZ0y120P7dQ==,iv:/M6Hi3C29GySJO0XD9jnJuSbW0uwZ3DkD981leAoDFA=,tag:4fG3hrA4JWlCXEC4HCoVOA==,type:str] -example_key: ENC[AES256_GCM,data:rS8hhFYHFG5HuF052A==,iv:Ec1wMtt6Z2VMgI2pH3j17cwVtpxWOPHm+nhhbstwhto=,tag:iustehiDFbzNYsrSQt020A==,type:str] -#ENC[AES256_GCM,data:zMrmQNws4x9Tk4JV7tze4A==,iv:glvnI1ZxdSFWzDypM74uPbucyEbCyVmrKiGlUjuygXw=,tag:evh2xI6hWKQLDlrJIcviog==,type:comment] +hello: ENC[AES256_GCM,data:ADXdQUkrnh9lDrsHyInYsPBo21u/mIAH47KhGQsxuz5OshT6CoK+89CILEi9tQ==,iv:b/rnM77z69+pVO3kxQZxI2YzTCRiBwwO5fhcwCB2/CI=,tag:A0FOXIfgIkJawV3QhlJPWQ==,type:str] +example_key: ENC[AES256_GCM,data:gXXl6hhdYNLC1Grmyw==,iv:miSL7Wdewd5zs4A86/r8OW6gK+PGZJ+gaqZRHHxvZos=,tag:Ty+IaoXdMSEThNPRjwhqTA==,type:str] +#ENC[AES256_GCM,data:FLhydTaiOqLRFk+ZrgGx9Q==,iv:TqhX2ylJKFQjdOpmwCER1+gRe4iR+I0hkVkNnYH4ESo=,tag:1BSk9TKqTma4MVUMswwmog==,type:comment] example_array: - - ENC[AES256_GCM,data:H6pL++V+9HBdboEOeeU=,iv:ZduKwwgZfdhli5aMIbJu/WUi5qdvZhENcV9G6A3ukG0=,tag:5YRywD1SensTM0hsg6qeDQ==,type:str] - - ENC[AES256_GCM,data:/GRa1ZYqGj4x+cbmQSo=,iv:bj9WussUEMyF61grr1AXeGyumyPO2pjXdEWdlMuBQGk=,tag:3PtjHeEUJApdiVjcQCAuHQ==,type:str] -example_number: ENC[AES256_GCM,data:j+7tF6HOYjEUfg==,iv:VDQPA+Ium+S9voKiQPNQ+HxayM0bRf6txSX7zsED+6Y=,tag:RyP8MlNKpJTiFq4yki3IHA==,type:float] + - ENC[AES256_GCM,data:1sIEL3xGDAygUKoodBA=,iv:1DumVv8vDvhT/K0jXM1vHdrFTE7dIxqqjS8CIpWdnc8=,tag:WSs+3a816zVOaGCTElxgFQ==,type:str] + - ENC[AES256_GCM,data:tFi1czQnVgX/nlWrJrs=,iv:isH65ldilVe3EjsKNP/dOKgtWZtHQPw364fPHBI+LEw=,tag:Ka5ywriFptKg3+lIHPEIyA==,type:str] +example_number: ENC[AES256_GCM,data:sxSM8a9oAp+u6g==,iv:KRLfIxZuBsnK+QE4mqm3pyhJmE7Fsd4ykJA++KrOnEQ=,tag:F5EkVUzw06ulr5jZvlTJdg==,type:float] example_booleans: - - ENC[AES256_GCM,data:vsYeAQ==,iv:MIUmFU7UJdkixIKCb0CCMAzhJ5uvkEZZlWHhleoZIEA=,tag:jMpWcJSwJv+yzkBB2/uvmg==,type:bool] - - 
ENC[AES256_GCM,data:0aq01xA=,iv:wF7WwrDVFG0hful9S5284olMTKlS+RnNnySAsw5UZp8=,tag:KqD1Quq0i0xeRiCMEC9yTQ==,type:bool] + - ENC[AES256_GCM,data:PDts2Q==,iv:qtfKg5gmUw2aERJe3gfT15Pk7mWocXwKdJhAzSic1o0=,tag:gn1sWsgt9ihYF8bHAkAQwQ==,type:bool] + - ENC[AES256_GCM,data:o9as7T0=,iv:YXyTB2X9PmTsOd37+BAp2xnT/+Yzyajcn5y1GE1O5rE=,tag:hyXA43jpyAbgH2hg1ivloQ==,type:bool] sops: - shamir_threshold: 2 - key_groups: - - pgp: - - created_at: "2025-03-05T17:47:53Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMAzy6JxafzLr5AQgAl3m6zci5ipAkoy6mJKHCs8lq7s+wyvZ2tuHmUarbGxUP - Jg98Btnr4VTMdy116TeuRte+upGIN3bJLBSEYPGodpKkHhmFmInSmR2gXQCEvxAP - 2JQQLceYVTyHqtlxrgyRKQwMJQd4J44TZ0WUTUEOH5M2x+tnTrdG0cWug+unKr9G - omomiO3PQF5ImGKwdsPfyEK2/80j0Zu2+wBzbPuPIiBgHhk+SfUc/iLzUH6UupdQ - DYPGWwbFXptVLt/sqeZ1jQAivtFlu+NlcF2/Qd5vXZ636oKWSth9degTdYX4RKfW - osXzWAlvftUE/ZY6bQ14sV0Ug8/Y35BCrInh+I2ZENJSAUouvWfmsrqWsoXn9Kcp - 3UCfpQnlPmcK0I5pzROL8sE4n5/BpTEYx2iZe0bbY7xSnGC5N5VEP/s/OODLMpaQ - RnQUAsNJrQ9Iely+OS2K7jo7HA== - =5CNC - -----END PGP MESSAGE----- - fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B - hc_vault: [] - age: [] - - hc_vault: [] - age: - - recipient: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1yc2EgQnd3eEhnCmtodG9TZ0ph - MjM0dnVMa2c4L0wvRXJmSkRYVFpYYnloYktBamw4VXR6anRBaHJxckR2MXNqdXB0 - QnJleGdFVjEKQkdlanc3T0YvWWJiMVFVTm9sNmM5RXUvVjhyLytqeHJ6eVJPZ3Vw - 
VDdYaUJlSmlMZFVCQmd3MmhROWdJSXlNeApHN3c2dUwwNDVBUURTREo3b2hpRG9K - azZTYXhFbGtzYmZURTM2WVA2NUREOHdwZFZncWF2TXhsK0hJNWNYeFVBCmtiTWtv - aStUcW1IVDVIb2ZxQ0E2U29Jd1ZXc1NHMEg5aVpMSHJDVU5KQk15N1lZVkJNdWpS - ZzZVNlFVSWg2bHMKMXRnU3o2RnV5blVlL0ZlYlFIeHp4aXFUTjBpSUIyeERDNmZI - a1h3c1RjOUdZOXhNaU5ueVhKaGFCZFpZMm9mcApCNEZwUTk5dEc5NTlXei9ZZ1A4 - WVc5ckt3YldXb3dCSzBjK3UySVhRNmlRVlVSNVlsSlppVThPVXBHN0JlT3F0CjA0 - THVDZ1hqcmROODlNWjB0aGxPM1J0MzYxQnd5ejJlUnppZ1JQOUR5ckY0VXZTSkND - dzd3S3JYdngzeEx3djUKb2xJRXVBd0lVbEZ5MEdQN2FEaloxc05zYTYrMWJpVmU4 - OHRlc0ZpNVJoWDJkOGErYVFrZlpmZS9wZUIvWU1mLwoKLS0tIHNqUFZCQ3RqVjIw - WTVxR21vUjdxWWdDa3F6QmRvQUdQTEllcTdpdGlKZHcKeFppXJ/3fVylNSYT3utw - 5MErQHe5ATw0kWH1Sq6dmuRuCNRTFIrozk+wWvZCEehRZoP7Fr9yieTtWlRsgL6J - O5k= - -----END AGE ENCRYPTED FILE----- - - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHESKhLPhvJIFW5S8rXweS2i6c13sk6h1Oo6SSJwEsNr root@monolith - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFl3cDFOZyBidkUr - dDNqem5qNS9UUUNMSEl2M3JIcU5MYzgzdG5HQTZoMUZMc1liNTBZCm9veDZ6MlQv - Rm5NbzljWG1kRlRIV09iaVl2c2JPUGpqT1Y1YkNSZHRjQWsKLS0tIENDVXl3cTVs - MGtReUpHTDBqNTBpM09FWU1ETHJzTlJHa1UyUXk3bTIrRFUK7zV5PlkcUpgQCWqm - DVpUxUzh6tNWSwOqFsCKSXwxRdVPTZwHiO8+fpYKyk5gNA1WyhgkJl34qvcyh2rN - ZqPElPc= - -----END AGE ENCRYPTED FILE----- + shamir_threshold: 1 kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] - age: [] - lastmodified: "2025-03-05T16:50:53Z" - mac: ENC[AES256_GCM,data:Q0oAUxQb29WCm6HBhR2RTfNUA3upKHFYEiVOGftGd9MUMRGW4WP9jLgFZ9NQah1hIpdJWv9nNKNaJslpA5LmrYOIFMLCORbk8hJC+/Mg8HZa+mRARUGvGOebNC7p10rgsAIloaOK8/eFteENMcIhDqFBfWlqX+yoXJb5XsaHx4U=,iv:Tf8yIqyLA1wDx/dXj6KhU4eG6CLsrAaZjEVIm8uFZpo=,tag:hxJgbyMQ6cWboIs/40C7Xg==,type:str] - pgp: [] + age: + - recipient: ssh-rsa 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 lelgenio@i15 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1yc2EgQnd3eEhnCm4zQnZFV2hJ + 
cFR0Z0hGeFlQd1Rtb2dDUDRJOVc3dmtWT3FIa2xOV0hRREE4LzVKQ01FTHd6M3kz + M0JLeEtXTXoKZkhnMTNETnZVc2tEbU84NWlGWk5YaUg5NjJDdk9yb01QMTVCOHlh + SDE3c0c0dUV3bXQ4MjAxYWJjYUFscmlORwplOFZLc1JzUzdjU0lCZGUyQWl4b3d0 + L3hmekNSUUZia2FOR0k3TWcyQm9xZytCakFpSGRidEJUZHQzaC9sVlppCmJBSnl0 + VW9Tb2hRME9MdmFlcUw5Z3MyV0k3V1FKQTNQZ3M0UTRLK0FvL3NOUTZ3RDBQY0M5 + UHdnLzU3VkFCME0KWTV4c29NbmIvLzl3WXJvMkhnT1gwTTBRNzV3RVVnRTdiMkpn + WmVWanB5VFpnTmhQMWRibXc4VGdhblAwWkQ1WQo0YnFjcnpnYTZITnVueTlZYzhW + OGs3MmlPcmhtaWZoU3h1T3FkbmpoMFFUN0UwQ1FDTGs5L1hGUHdJbmU5Q3haCjJG + bXAyd1lycGhELzY4ZWR2cEtmcWt4NnhXcjIyREw3cTR5d3ZoQlZySlg4Z2lwRmQ1 + cEF1VGthTkV0ekg4M2UKZS9aN0IxazdjUWhUMnBFSmYrOEdYQWdocWtQcFhtYlpN + M3FyTDdMSmpESncydnFFd3lTcE1FMEg5a1ZoTXVIRgoKLS0tIEsvb090WDRBZFdV + dFRUUms3S0J2b201OExwTy9DZERhZVlqVEdtaThkTE0KFT1RB8s+hEOJk7XGjSak + 34qTDcoBnaF0jPZ5Z0HsUx84G4Nu5teRVeHgVKyC7Iv7Gi9TkYtsdgM+q/3rdSvn + aA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5eVFsWHZZYkNrdjNraW5q + OTdmbWF6Tm02elk3NGt0TGQ3ZUoxaHp3VGdBCnVqSDRIMlRSOXdTSER2U0tDcjR1 + Tk5FcURQOW90bENWL2Nyck1CU3RBR1UKLS0tIFRZZzlNNWRtUkJmVzBHWTA3L21K + VCsyS0x4Rk83eC9UTHJvM1NJZG9DbTQKbGp6n/45qGA3rgmdxUJQKZdA1zen5kfZ + pXnExsrIhfPDx0oE2jIWGW0N8cizkCJA4k7ROGu56GqIqga9h55VTw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-05T21:02:24Z" + mac: ENC[AES256_GCM,data:QfyrJrLERhs14KnuBJ0eCEUqKIBwhmQHROflBAArGlPmyVZU6KLvvOOANv+PJWk9Kt9yPU9Avwt6/e2q0jq9u2OUrvxHbqF4SWvkwhvSoSD3EOe27NGPjDLkVHOdszObo/fT8xglvc6LY8NqL9dXnUoLl58IrY7SE18F7EjrYuE=,iv:rjonQvZQjsr0oC5p3pjh1FAH/7B8SnHpAQ/qFxxfhQs=,tag:/DgHviNrSIzLyjj6ndwY0w==,type:str] + pgp: + - created_at: "2025-03-05T21:28:21Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMAzy6JxafzLr5AQf/aiSW1yeJJ3VLiJ6I+vafWPVe702+6IstICKNdTz4AFgo + 2yUkY/alpgkcH1ybAiRQK0lOs63NBL51Pe2XsKAWXTlHVgFU0B6e+7YoDuwPWnTP + 
dyTASd+++EAbf0l7bIVQbx28Ib5F5DZyB1VMhhGAZXQqURJGQpLrSqzaoMFPGodg + V7whjtOaEmtFKNhNeRIdrnTW2raeKO0J3mQ5nawCekeIHnx22NxCIbhBMsKpF8EH + 3SZSCNiGrrfbLZFHcM/P5N5qEPc53r9Zvpxcwc8NayIS3kUPwLqKmvhCbRW3WOr0 + 2fc8TQgHTWEYSRSYIVw5vPHWs4+3T4cjdGb0atJ4rtJeAUnGlwchAvxLfFFG096r + SDdiJBBZ03r31EJqnplNwwitKyR4jj+HaM/CNmtSFo7c99iA91A7C1PBri+NpuCK + Fr0JVEom4Fm9WY7BMPduiLN77XLB0aaYN7zu7pwdYA== + =4URT + -----END PGP MESSAGE----- + fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B unencrypted_suffix: _unencrypted version: 3.9.4 diff --git a/system/configuration.nix b/system/configuration.nix index a227e36..11f327e 100644 --- a/system/configuration.nix +++ b/system/configuration.nix @@ -1,7 +1,7 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ pkgs, ... }: +{ pkgs, config, ... }: { imports = [ ./android.nix @@ -29,6 +29,14 @@ zramSwap.enable = true; + sops = { + secrets.hello = { }; + }; + + environment.etc."teste-sops" = { + text = config.sops.secrets.hello.path; + }; + # Enable touchpad support (enabled default in most desktopManager). services.libinput.enable = true; diff --git a/system/secrets.nix b/system/secrets.nix index 81c2876..588dfe4 100644 --- a/system/secrets.nix +++ b/system/secrets.nix @@ -1,22 +1,5 @@ { pkgs, config, ... }: { - environment.systemPackages = with pkgs; [ - sops-master - gnupg - ]; - - sops = { - package = pkgs.sops-master; - - defaultSopsFile = ../secrets/test.yaml; - - secrets.hello = { }; - }; - - environment.etc."teste-sops" = { - text = config.sops.secrets.hello.path; - }; - age = { identityPaths = [ "/root/.ssh/id_rsa" ]; secrets.lelgenio-cachix.file = ../secrets/lelgenio-cachix.age; diff --git a/system/sops.nix b/system/sops.nix new file mode 100644 index 0000000..673d1c1 --- /dev/null +++ b/system/sops.nix 
@@ -0,0 +1,12 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + sops-master + gnupg + ]; + + sops = { + defaultSopsFile = ../secrets/test.yaml; + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + }; +}
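Review bot: `defaultSopsFile = ../secrets/test.yaml;` is set at normal priority in a module that flake.nix now adds to the shared module list, so every host importing it points at a file that, per .sops.yaml, only lelgenio's keys and monolith's age recipient can decrypt. Any other host that declares a secret without its own override would presumably fail to decrypt at activation, and hosts/phantom/default.nix already needs `lib.mkForce` to get around it. Writing `defaultSopsFile = lib.mkDefault ../secrets/test.yaml;` (with `lib` added to the module arguments) lets hosts override with a plain assignment. A comment above `age.sshKeyPaths` such as `# host identity used for decryption; the matching age1… recipient lives in .sops.yaml` would record a link that is otherwise only implied by the anchor names.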