diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..be0b15c --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,12 @@ +keys: + - &lelgenio 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B + - &lelgenio-age ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15 + - &monolith ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHESKhLPhvJIFW5S8rXweS2i6c13sk6h1Oo6SSJwEsNr root@monolith +creation_rules: + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *lelgenio + - age: + - *lelgenio-age + - *monolith diff --git a/flake.lock b/flake.lock index 573ab5e..cabf4cf 100644 --- a/flake.lock +++ b/flake.lock @@ -722,6 +722,7 @@ "nixpkgs-unstable": "nixpkgs-unstable", "plymouth-themes": "plymouth-themes", "ranger-icons": "ranger-icons", + "sops-nix": "sops-nix", "tlauncher": "tlauncher", "tomater": "tomater", "treefmt-nix": "treefmt-nix", @@ -775,6 +776,26 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1741043164, + "narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "3f2412536eeece783f0d0ad3861417f347219f4d", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 636724e..300e233 100644 --- a/flake.nix +++ b/flake.nix @@ -26,6 +26,11 @@ inputs.home-manager.follows = "home-manager"; }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nixos-mailserver = { url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; inputs.nixpkgs.follows = "nixpkgs"; @@ -100,6 +105,7 @@ { login-manager.greetd.enable = desktop == "sway"; } inputs.agenix.nixosModules.default + inputs.sops-nix.nixosModules.default inputs.home-manager.nixosModules.home-manager inputs.disko.nixosModules.disko ( diff --git a/overlays/default.nix b/overlays/default.nix index 8886897..598d4e2 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -47,6 +47,8 @@ rec { demoji = inputs.demoji.packages.${prev.system}.default; tlauncher = inputs.tlauncher.packages.${prev.system}.tlauncher; wl-crosshair = inputs.wl-crosshair.packages.${prev.system}.default; + + sops = final.sops-master; } ); diff --git a/pkgs/default.nix b/pkgs/default.nix index b702886..4e2fea6 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -11,4 +11,6 @@ rec { factorio-headless = pkgs.callPackage ./factorio-headless { inherit (pkgs.unstable) factorio-headless; }; + + sops-master = pkgs.callPackage ./sops/package.nix { }; } diff --git a/pkgs/sops/bash_autocomplete b/pkgs/sops/bash_autocomplete new file mode 100644 index 0000000..ab3da32 --- /dev/null +++ b/pkgs/sops/bash_autocomplete @@ -0,0 +1,19 @@ +#!/usr/bin/env bash +# based on https://github.com/urfave/cli/blob/v2.3.0/autocomplete/bash_autocomplete + +_cli_bash_autocomplete() { + if [[ "${COMP_WORDS[0]}" != "source" ]]; then + local cur opts + COMPREPLY=() + cur="${COMP_WORDS[COMP_CWORD]}" + if [[ "$cur" == "-"* ]]; then + opts=$("${COMP_WORDS[@]:0:$COMP_CWORD}" "${cur}" --generate-bash-completion) + else + opts=$("${COMP_WORDS[@]:0:$COMP_CWORD}" --generate-bash-completion) + fi + IFS=$'\n' read -d '' -ra COMPREPLY < <(compgen -W "${opts}" -- "${cur}") + return 0 + fi +} + +complete -o bashdefault -o default -o nospace -F _cli_bash_autocomplete sops diff --git a/pkgs/sops/package.nix b/pkgs/sops/package.nix new file mode 100644 index 0000000..622afdf --- /dev/null +++ b/pkgs/sops/package.nix @@ -0,0 +1,60 @@ +{ + lib, + buildGo123Module, + fetchFromGitHub, + installShellFiles, + versionCheckHook, + nix-update-script, +}: + +buildGo123Module rec { + pname = "sops"; + version = "3.9.4-unstable"; + + src = fetchFromGitHub { + owner = "getsops"; + repo = "sops"; + rev = "024b94f67afa967ed758ae17433d7da600e87599"; + hash = "sha256-rNO9+gIxxH4sYoemFbOD8HaKWL48VnbdCOKvQ0FoTgI="; + }; + + vendorHash = "sha256-wdsPuUpYHEBkZ80d7L3iXIbBsnK4to0zDUOOlvOtde4="; + + postPatch = '' + substituteInPlace go.mod \ + --replace-fail "go 1.22" "go 1.23.0" + ''; + + subPackages = [ "cmd/sops" ]; + + ldflags = [ + "-s" + "-w" + "-X github.com/getsops/sops/v3/version.Version=${version}" + ]; + + nativeBuildInputs = [ installShellFiles ]; + + postInstall = '' + installShellCompletion --cmd sops --bash ${./bash_autocomplete} + installShellCompletion --cmd sops --zsh ${./zsh_autocomplete} + ''; + + nativeInstallCheckInputs = [ versionCheckHook ]; + versionCheckProgramArg = "--version"; + doInstallCheck = true; + + passthru.updateScript = nix-update-script { }; + + meta = { + homepage = "https://getsops.io/"; + description = "Simple and flexible tool for managing secrets"; + changelog = "https://github.com/getsops/sops/blob/v${version}/CHANGELOG.rst"; + mainProgram = "sops"; + maintainers = with lib.maintainers; [ + Scrumplex + mic92 + ]; + license = lib.licenses.mpl20; + }; +} diff --git a/pkgs/sops/zsh_autocomplete b/pkgs/sops/zsh_autocomplete new file mode 100644 index 0000000..1569af6 --- /dev/null +++ b/pkgs/sops/zsh_autocomplete @@ -0,0 +1,25 @@ +#compdef sops + +## based on https://github.com/urfave/cli/blob/v2.3.0/autocomplete/zsh_autocomplete + +_cli_zsh_autocomplete() { + + local -a opts + local cur + cur=${words[-1]} + if [[ "$cur" == "-"* ]]; then + opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} ${cur} --generate-bash-completion)}") + else + opts=("${(@f)$(_CLI_ZSH_AUTOCOMPLETE_HACK=1 ${words[@]:0:#words[@]-1} --generate-bash-completion)}") + fi + + if [[ "${opts[1]}" != "" ]]; then + _describe 'values' opts + else + _files + fi + + return +} + +compdef _cli_zsh_autocomplete sops diff --git a/secrets/test.yaml b/secrets/test.yaml new file mode 100644 index 0000000..d3e232d --- /dev/null +++ b/secrets/test.yaml @@ -0,0 +1,72 @@ +hello: ENC[AES256_GCM,data:InrQC1cwHNYwCshr2RYZTRbeNWSHNr0Z319xqxQMZRf3BjAwtJ3FZ0y120P7dQ==,iv:/M6Hi3C29GySJO0XD9jnJuSbW0uwZ3DkD981leAoDFA=,tag:4fG3hrA4JWlCXEC4HCoVOA==,type:str] +example_key: ENC[AES256_GCM,data:rS8hhFYHFG5HuF052A==,iv:Ec1wMtt6Z2VMgI2pH3j17cwVtpxWOPHm+nhhbstwhto=,tag:iustehiDFbzNYsrSQt020A==,type:str] +#ENC[AES256_GCM,data:zMrmQNws4x9Tk4JV7tze4A==,iv:glvnI1ZxdSFWzDypM74uPbucyEbCyVmrKiGlUjuygXw=,tag:evh2xI6hWKQLDlrJIcviog==,type:comment] +example_array: + - ENC[AES256_GCM,data:H6pL++V+9HBdboEOeeU=,iv:ZduKwwgZfdhli5aMIbJu/WUi5qdvZhENcV9G6A3ukG0=,tag:5YRywD1SensTM0hsg6qeDQ==,type:str] + - ENC[AES256_GCM,data:/GRa1ZYqGj4x+cbmQSo=,iv:bj9WussUEMyF61grr1AXeGyumyPO2pjXdEWdlMuBQGk=,tag:3PtjHeEUJApdiVjcQCAuHQ==,type:str] +example_number: ENC[AES256_GCM,data:j+7tF6HOYjEUfg==,iv:VDQPA+Ium+S9voKiQPNQ+HxayM0bRf6txSX7zsED+6Y=,tag:RyP8MlNKpJTiFq4yki3IHA==,type:float] +example_booleans: + - ENC[AES256_GCM,data:vsYeAQ==,iv:MIUmFU7UJdkixIKCb0CCMAzhJ5uvkEZZlWHhleoZIEA=,tag:jMpWcJSwJv+yzkBB2/uvmg==,type:bool] + - ENC[AES256_GCM,data:0aq01xA=,iv:wF7WwrDVFG0hful9S5284olMTKlS+RnNnySAsw5UZp8=,tag:KqD1Quq0i0xeRiCMEC9yTQ==,type:bool] +sops: + shamir_threshold: 2 + key_groups: + - pgp: + - created_at: "2025-03-05T17:47:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMAzy6JxafzLr5AQgAl3m6zci5ipAkoy6mJKHCs8lq7s+wyvZ2tuHmUarbGxUP + Jg98Btnr4VTMdy116TeuRte+upGIN3bJLBSEYPGodpKkHhmFmInSmR2gXQCEvxAP + 2JQQLceYVTyHqtlxrgyRKQwMJQd4J44TZ0WUTUEOH5M2x+tnTrdG0cWug+unKr9G + omomiO3PQF5ImGKwdsPfyEK2/80j0Zu2+wBzbPuPIiBgHhk+SfUc/iLzUH6UupdQ + DYPGWwbFXptVLt/sqeZ1jQAivtFlu+NlcF2/Qd5vXZ636oKWSth9degTdYX4RKfW + osXzWAlvftUE/ZY6bQ14sV0Ug8/Y35BCrInh+I2ZENJSAUouvWfmsrqWsoXn9Kcp + 3UCfpQnlPmcK0I5pzROL8sE4n5/BpTEYx2iZe0bbY7xSnGC5N5VEP/s/OODLMpaQ + RnQUAsNJrQ9Iely+OS2K7jo7HA== + =5CNC + -----END PGP MESSAGE----- + fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B + hc_vault: [] + age: [] + - hc_vault: [] + age: + - recipient: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1yc2EgQnd3eEhnCmtodG9TZ0ph + MjM0dnVMa2c4L0wvRXJmSkRYVFpYYnloYktBamw4VXR6anRBaHJxckR2MXNqdXB0 + QnJleGdFVjEKQkdlanc3T0YvWWJiMVFVTm9sNmM5RXUvVjhyLytqeHJ6eVJPZ3Vw + VDdYaUJlSmlMZFVCQmd3MmhROWdJSXlNeApHN3c2dUwwNDVBUURTREo3b2hpRG9K + azZTYXhFbGtzYmZURTM2WVA2NUREOHdwZFZncWF2TXhsK0hJNWNYeFVBCmtiTWtv + aStUcW1IVDVIb2ZxQ0E2U29Jd1ZXc1NHMEg5aVpMSHJDVU5KQk15N1lZVkJNdWpS + ZzZVNlFVSWg2bHMKMXRnU3o2RnV5blVlL0ZlYlFIeHp4aXFUTjBpSUIyeERDNmZI + a1h3c1RjOUdZOXhNaU5ueVhKaGFCZFpZMm9mcApCNEZwUTk5dEc5NTlXei9ZZ1A4 + WVc5ckt3YldXb3dCSzBjK3UySVhRNmlRVlVSNVlsSlppVThPVXBHN0JlT3F0CjA0 + THVDZ1hqcmROODlNWjB0aGxPM1J0MzYxQnd5ejJlUnppZ1JQOUR5ckY0VXZTSkND + dzd3S3JYdngzeEx3djUKb2xJRXVBd0lVbEZ5MEdQN2FEaloxc05zYTYrMWJpVmU4 + OHRlc0ZpNVJoWDJkOGErYVFrZlpmZS9wZUIvWU1mLwoKLS0tIHNqUFZCQ3RqVjIw + WTVxR21vUjdxWWdDa3F6QmRvQUdQTEllcTdpdGlKZHcKeFppXJ/3fVylNSYT3utw + 5MErQHe5ATw0kWH1Sq6dmuRuCNRTFIrozk+wWvZCEehRZoP7Fr9yieTtWlRsgL6J + O5k= + -----END AGE ENCRYPTED FILE----- + - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHESKhLPhvJIFW5S8rXweS2i6c13sk6h1Oo6SSJwEsNr root@monolith + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFl3cDFOZyBidkUr + dDNqem5qNS9UUUNMSEl2M3JIcU5MYzgzdG5HQTZoMUZMc1liNTBZCm9veDZ6MlQv + Rm5NbzljWG1kRlRIV09iaVl2c2JPUGpqT1Y1YkNSZHRjQWsKLS0tIENDVXl3cTVs + MGtReUpHTDBqNTBpM09FWU1ETHJzTlJHa1UyUXk3bTIrRFUK7zV5PlkcUpgQCWqm + DVpUxUzh6tNWSwOqFsCKSXwxRdVPTZwHiO8+fpYKyk5gNA1WyhgkJl34qvcyh2rN + ZqPElPc= + -----END AGE ENCRYPTED FILE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2025-03-05T16:50:53Z" + mac: ENC[AES256_GCM,data:Q0oAUxQb29WCm6HBhR2RTfNUA3upKHFYEiVOGftGd9MUMRGW4WP9jLgFZ9NQah1hIpdJWv9nNKNaJslpA5LmrYOIFMLCORbk8hJC+/Mg8HZa+mRARUGvGOebNC7p10rgsAIloaOK8/eFteENMcIhDqFBfWlqX+yoXJb5XsaHx4U=,iv:Tf8yIqyLA1wDx/dXj6KhU4eG6CLsrAaZjEVIm8uFZpo=,tag:hxJgbyMQ6cWboIs/40C7Xg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/system/secrets.nix b/system/secrets.nix index fdf14e8..81c2876 100644 --- a/system/secrets.nix +++ b/system/secrets.nix @@ -1,5 +1,22 @@ -{ pkgs, ... }: +{ pkgs, config, ... }: { + environment.systemPackages = with pkgs; [ + sops-master + gnupg + ]; + + sops = { + package = pkgs.sops-master; + + defaultSopsFile = ../secrets/test.yaml; + + secrets.hello = { }; + }; + + environment.etc."teste-sops" = { + text = config.sops.secrets.hello.path; + }; + age = { identityPaths = [ "/root/.ssh/id_rsa" ]; secrets.lelgenio-cachix.file = ../secrets/lelgenio-cachix.age;