wip
parent
35d687500b
commit
a46a304ae1
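--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,12 @@
+keys:
+  - &lelgenio 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
+  - &lelgenio-age ssh-rsa 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 lelgenio@i15
+  - &monolith ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHESKhLPhvJIFW5S8rXweS2i6c13sk6h1Oo6SSJwEsNr root@monolith
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - pgp:
+          - *lelgenio
+      - age:
+          - *lelgenio-age
+          - *monolith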
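Review bot: The creation rule declares two key groups (pgp and age) without a `shamir_threshold`, and sops then defaults to requiring every group — secrets/test.yaml in this same commit carries `shamir_threshold: 2` — so the `root@monolith` host key on its own cannot decrypt and sops-nix on that host will presumably fail at activation unless the PGP key is present there too. If any one listed key is meant to suffice, add `shamir_threshold: 1` under the creation rule (or put all recipients in a single key group) and re-run `sops updatekeys` on the existing secrets file. The `ssh-rsa` recipient line is redacted in this view, so its content could not be checked.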
21
flake.lock
21
flake.lock
@ -722,6 +722,7 @@
"nixpkgs-unstable": "nixpkgs-unstable",
"plymouth-themes": "plymouth-themes",
"ranger-icons": "ranger-icons",
"sops-nix": "sops-nix",
"tlauncher": "tlauncher",
"tomater": "tomater",
"treefmt-nix": "treefmt-nix",
@ -775,6 +776,26 @@
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1741043164,
"narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "3f2412536eeece783f0d0ad3861417f347219f4d",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@ -26,6 +26,11 @@
inputs.home-manager.follows = "home-manager";
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
inputs.nixpkgs.follows = "nixpkgs";
@ -100,6 +105,7 @@
{ login-manager.greetd.enable = desktop == "sway"; }
inputs.agenix.nixosModules.default
inputs.sops-nix.nixosModules.default
inputs.home-manager.nixosModules.home-manager
inputs.disko.nixosModules.disko
(
@ -47,6 +47,8 @@ rec {
demoji = inputs.demoji.packages.${prev.system}.default;
tlauncher = inputs.tlauncher.packages.${prev.system}.tlauncher;
wl-crosshair = inputs.wl-crosshair.packages.${prev.system}.default;
sops = final.sops-master;
}
);
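Review bot: `sops = final.sops-master;` swaps the snapshot build in for `pkgs.sops` for every consumer of this overlay, while the host config in the same commit already selects it explicitly with `sops.package = pkgs.sops-master;`, so one of the two is redundant and the global override silently changes the version every other module or dev shell receives. If the snapshot is only needed by sops-nix, keep `sops.package` and drop this line; if it is meant to be global, a comment above it naming the reason (and when it can be reverted to the nixpkgs build) would help the next reader. The enclosing `rec { … }` attribute set starts outside the hunk.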
@ -11,4 +11,6 @@ rec {
factorio-headless = pkgs.callPackage ./factorio-headless {
inherit (pkgs.unstable) factorio-headless;
};
sops-master = pkgs.callPackage ./sops/package.nix { };
}
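--- /dev/null
+++ b/pkgs/sops/bash_autocomplete
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# based on https://github.com/urfave/cli/blob/v2.3.0/autocomplete/bash_autocomplete
+
+_cli_bash_autocomplete() {
+  if [[ "${COMP_WORDS[0]}" != "source" ]]; then
+    local cur opts
+    COMPREPLY=()
+    cur="${COMP_WORDS[COMP_CWORD]}"
+    if [[ "$cur" == "-"* ]]; then
+      opts=$("${COMP_WORDS[@]:0:$COMP_CWORD}" "${cur}" --generate-bash-completion)
+    else
+      opts=$("${COMP_WORDS[@]:0:$COMP_CWORD}" --generate-bash-completion)
+    fi
+    IFS=$'\n' read -d '' -ra COMPREPLY < <(compgen -W "${opts}" -- "${cur}")
+    return 0
+  fi
+}
+
+complete -o bashdefault -o default -o nospace -F _cli_bash_autocomplete sops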
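--- /dev/null
+++ b/pkgs/sops/package.nix
@@ -0,0 +1,60 @@
+{
+  lib,
+  buildGo123Module,
+  fetchFromGitHub,
+  installShellFiles,
+  versionCheckHook,
+  nix-update-script,
+}:
+
+buildGo123Module rec {
+  pname = "sops";
+  version = "3.9.4-unstable";
+
+  src = fetchFromGitHub {
+    owner = "getsops";
+    repo = "sops";
+    rev = "024b94f67afa967ed758ae17433d7da600e87599";
+    hash = "sha256-rNO9+gIxxH4sYoemFbOD8HaKWL48VnbdCOKvQ0FoTgI=";
+  };
+
+  vendorHash = "sha256-wdsPuUpYHEBkZ80d7L3iXIbBsnK4to0zDUOOlvOtde4=";
+
+  postPatch = ''
+    substituteInPlace go.mod \
+      --replace-fail "go 1.22" "go 1.23.0"
+  '';
+
+  subPackages = [ "cmd/sops" ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X github.com/getsops/sops/v3/version.Version=${version}"
+  ];
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  postInstall = ''
+    installShellCompletion --cmd sops --bash ${./bash_autocomplete}
+    installShellCompletion --cmd sops --zsh ${./zsh_autocomplete}
+  '';
+
+  nativeInstallCheckInputs = [ versionCheckHook ];
+  versionCheckProgramArg = "--version";
+  doInstallCheck = true;
+
+  passthru.updateScript = nix-update-script { };
+
+  meta = {
+    homepage = "https://getsops.io/";
+    description = "Simple and flexible tool for managing secrets";
+    changelog = "https://github.com/getsops/sops/blob/v${version}/CHANGELOG.rst";
+    mainProgram = "sops";
+    maintainers = with lib.maintainers; [
+      Scrumplex
+      mic92
+    ];
+    license = lib.licenses.mpl20;
+  };
+}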
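Review bot: `meta.changelog` interpolates `version` into `blob/v3.9.4-unstable/CHANGELOG.rst`, a tag that does not exist upstream, so the link is dead for this pinned commit; point it at the pinned revision instead, `changelog = "https://github.com/getsops/sops/blob/${src.rev}/CHANGELOG.rst";`, and consider the nixpkgs convention of dating unstable versions (`3.9.4-unstable-YYYY-MM-DD`) so the `--version` check and `nix-update-script` reflect which snapshot is built. A header comment stating why a master snapshot is carried instead of `pkgs.sops` (presumably a feature missing from the 3.9.4 release — confirm) would tell the next maintainer when this expression can be dropped. Reproducibility is not affected: `src.hash` and `vendorHash` pin both the source and the Go module set.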
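--- /dev/null
+++ b/pkgs/sops/zsh_autocomplete
@@ -0,0 +1,25 @@
+#compdef sops
+
+## based on https://github.com/urfave/cli/blob/v2.3.0/autocomplete/zsh_autocomplete
+
+_cli_zsh_autocomplete() {
+
+  local -a opts
+  local cur
+  cur=${words[-1]}
+  if [[ "$cur" == "-"* ]]; then
+    opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} ${cur} --generate-bash-completion)}")
+  else
+    opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} --generate-bash-completion)}")
+  fi
+
+  if [[ "${opts[1]}" != "" ]]; then
+    _describe 'values' opts
+  else
+    _files
+  fi
+
+  return
+}
+
+compdef _cli_zsh_autocomplete sops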
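--- /dev/null
+++ b/secrets/test.yaml
@@ -0,0 +1,72 @@
+hello: ENC[AES256_GCM,data:InrQC1cwHNYwCshr2RYZTRbeNWSHNr0Z319xqxQMZRf3BjAwtJ3FZ0y120P7dQ==,iv:/M6Hi3C29GySJO0XD9jnJuSbW0uwZ3DkD981leAoDFA=,tag:4fG3hrA4JWlCXEC4HCoVOA==,type:str]
+example_key: ENC[AES256_GCM,data:rS8hhFYHFG5HuF052A==,iv:Ec1wMtt6Z2VMgI2pH3j17cwVtpxWOPHm+nhhbstwhto=,tag:iustehiDFbzNYsrSQt020A==,type:str]
+#ENC[AES256_GCM,data:zMrmQNws4x9Tk4JV7tze4A==,iv:glvnI1ZxdSFWzDypM74uPbucyEbCyVmrKiGlUjuygXw=,tag:evh2xI6hWKQLDlrJIcviog==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:H6pL++V+9HBdboEOeeU=,iv:ZduKwwgZfdhli5aMIbJu/WUi5qdvZhENcV9G6A3ukG0=,tag:5YRywD1SensTM0hsg6qeDQ==,type:str]
+    - ENC[AES256_GCM,data:/GRa1ZYqGj4x+cbmQSo=,iv:bj9WussUEMyF61grr1AXeGyumyPO2pjXdEWdlMuBQGk=,tag:3PtjHeEUJApdiVjcQCAuHQ==,type:str]
+example_number: ENC[AES256_GCM,data:j+7tF6HOYjEUfg==,iv:VDQPA+Ium+S9voKiQPNQ+HxayM0bRf6txSX7zsED+6Y=,tag:RyP8MlNKpJTiFq4yki3IHA==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:vsYeAQ==,iv:MIUmFU7UJdkixIKCb0CCMAzhJ5uvkEZZlWHhleoZIEA=,tag:jMpWcJSwJv+yzkBB2/uvmg==,type:bool]
+    - ENC[AES256_GCM,data:0aq01xA=,iv:wF7WwrDVFG0hful9S5284olMTKlS+RnNnySAsw5UZp8=,tag:KqD1Quq0i0xeRiCMEC9yTQ==,type:bool]
+sops:
+    shamir_threshold: 2
+    key_groups:
+        - pgp:
+              - created_at: "2025-03-05T17:47:53Z"
+                enc: |-
+                    -----BEGIN PGP MESSAGE-----
+
+                    hQEMAzy6JxafzLr5AQgAl3m6zci5ipAkoy6mJKHCs8lq7s+wyvZ2tuHmUarbGxUP
+                    Jg98Btnr4VTMdy116TeuRte+upGIN3bJLBSEYPGodpKkHhmFmInSmR2gXQCEvxAP
+                    2JQQLceYVTyHqtlxrgyRKQwMJQd4J44TZ0WUTUEOH5M2x+tnTrdG0cWug+unKr9G
+                    omomiO3PQF5ImGKwdsPfyEK2/80j0Zu2+wBzbPuPIiBgHhk+SfUc/iLzUH6UupdQ
+                    DYPGWwbFXptVLt/sqeZ1jQAivtFlu+NlcF2/Qd5vXZ636oKWSth9degTdYX4RKfW
+                    osXzWAlvftUE/ZY6bQ14sV0Ug8/Y35BCrInh+I2ZENJSAUouvWfmsrqWsoXn9Kcp
+                    3UCfpQnlPmcK0I5pzROL8sE4n5/BpTEYx2iZe0bbY7xSnGC5N5VEP/s/OODLMpaQ
+                    RnQUAsNJrQ9Iely+OS2K7jo7HA==
+                    =5CNC
+                    -----END PGP MESSAGE-----
+                fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
+          hc_vault: []
+          age: []
+        - hc_vault: []
+          age:
+              - recipient: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15
+                enc: |
+                    -----BEGIN AGE ENCRYPTED FILE-----
+                    YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1yc2EgQnd3eEhnCmtodG9TZ0ph
+                    MjM0dnVMa2c4L0wvRXJmSkRYVFpYYnloYktBamw4VXR6anRBaHJxckR2MXNqdXB0
+                    QnJleGdFVjEKQkdlanc3T0YvWWJiMVFVTm9sNmM5RXUvVjhyLytqeHJ6eVJPZ3Vw
+                    VDdYaUJlSmlMZFVCQmd3MmhROWdJSXlNeApHN3c2dUwwNDVBUURTREo3b2hpRG9K
+                    azZTYXhFbGtzYmZURTM2WVA2NUREOHdwZFZncWF2TXhsK0hJNWNYeFVBCmtiTWtv
+                    aStUcW1IVDVIb2ZxQ0E2U29Jd1ZXc1NHMEg5aVpMSHJDVU5KQk15N1lZVkJNdWpS
+                    ZzZVNlFVSWg2bHMKMXRnU3o2RnV5blVlL0ZlYlFIeHp4aXFUTjBpSUIyeERDNmZI
+                    a1h3c1RjOUdZOXhNaU5ueVhKaGFCZFpZMm9mcApCNEZwUTk5dEc5NTlXei9ZZ1A4
+                    WVc5ckt3YldXb3dCSzBjK3UySVhRNmlRVlVSNVlsSlppVThPVXBHN0JlT3F0CjA0
+                    THVDZ1hqcmROODlNWjB0aGxPM1J0MzYxQnd5ejJlUnppZ1JQOUR5ckY0VXZTSkND
+                    dzd3S3JYdngzeEx3djUKb2xJRXVBd0lVbEZ5MEdQN2FEaloxc05zYTYrMWJpVmU4
+                    OHRlc0ZpNVJoWDJkOGErYVFrZlpmZS9wZUIvWU1mLwoKLS0tIHNqUFZCQ3RqVjIw
+                    WTVxR21vUjdxWWdDa3F6QmRvQUdQTEllcTdpdGlKZHcKeFppXJ/3fVylNSYT3utw
+                    5MErQHe5ATw0kWH1Sq6dmuRuCNRTFIrozk+wWvZCEehRZoP7Fr9yieTtWlRsgL6J
+                    O5k=
+                    -----END AGE ENCRYPTED FILE-----
+              - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHESKhLPhvJIFW5S8rXweS2i6c13sk6h1Oo6SSJwEsNr root@monolith
+                enc: |
+                    -----BEGIN AGE ENCRYPTED FILE-----
+                    YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFl3cDFOZyBidkUr
+                    dDNqem5qNS9UUUNMSEl2M3JIcU5MYzgzdG5HQTZoMUZMc1liNTBZCm9veDZ6MlQv
+                    Rm5NbzljWG1kRlRIV09iaVl2c2JPUGpqT1Y1YkNSZHRjQWsKLS0tIENDVXl3cTVs
+                    MGtReUpHTDBqNTBpM09FWU1ETHJzTlJHa1UyUXk3bTIrRFUK7zV5PlkcUpgQCWqm
+                    DVpUxUzh6tNWSwOqFsCKSXwxRdVPTZwHiO8+fpYKyk5gNA1WyhgkJl34qvcyh2rN
+                    ZqPElPc=
+                    -----END AGE ENCRYPTED FILE-----
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2025-03-05T16:50:53Z"
+    mac: ENC[AES256_GCM,data:Q0oAUxQb29WCm6HBhR2RTfNUA3upKHFYEiVOGftGd9MUMRGW4WP9jLgFZ9NQah1hIpdJWv9nNKNaJslpA5LmrYOIFMLCORbk8hJC+/Mg8HZa+mRARUGvGOebNC7p10rgsAIloaOK8/eFteENMcIhDqFBfWlqX+yoXJb5XsaHx4U=,iv:Tf8yIqyLA1wDx/dXj6KhU4eG6CLsrAaZjEVIm8uFZpo=,tag:hxJgbyMQ6cWboIs/40C7Xg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4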
@ -1,5 +1,22 @@
{ pkgs, ... }:
{ pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
sops-master
gnupg
];
sops = {
package = pkgs.sops-master;
defaultSopsFile = ../secrets/test.yaml;
secrets.hello = { };
};
environment.etc."teste-sops" = {
text = config.sops.secrets.hello.path;
};
age = {
identityPaths = [ "/root/.ssh/id_rsa" ];
secrets.lelgenio-cachix.file = ../secrets/lelgenio-cachix.age;
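Review bot: `environment.etc."teste-sops" = { text = config.sops.secrets.hello.path; }` looks like a leftover smoke test for `secrets.hello`; it publishes only the secret's path, not its content, but it is world-readable under /etc and should be removed before this leaves WIP. Separately, the only decryption identity configured here is agenix's `age.identityPaths = [ "/root/.ssh/id_rsa" ]`, which sops-nix does not consult — it defaults to the host's ssh ed25519 keys via `sops.age.sshKeyPaths` — so confirm that monolith's ssh host key is the `root@monolith` recipient listed in .sops.yaml, or set `sops.age.sshKeyPaths` / `sops.age.keyFile` explicitly. Running agenix and sops-nix side by side during the migration is fine, but a comment on the `sops = { … }` block saying which one is the target state would help. The enclosing module body continues outside the hunk.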