From 2e06ef806d99c1e1dc7e27f42570baaa88890985 Mon Sep 17 00:00:00 2001 From: FredzyW Date: Wed, 24 Apr 2024 14:52:47 +0200 Subject: [PATCH] Added sops support --- .sops.yaml | 11 +++++++ config/home.nix | 4 +++ flake.lock | 54 ++++++++++++++++++++++++++++++- flake.nix | 7 +++- maskiner/laptop/configuration.nix | 8 ++++- moduler/common/kitty.nix | 2 ++ moduler/common/spotifyd.nix | 3 +- secrets/fred.yaml | 29 +++++++++++++++++ 8 files changed, 114 insertions(+), 4 deletions(-) create mode 100644 .sops.yaml create mode 100644 secrets/fred.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..c61b9a3 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,11 @@ +keys: + - &admin_fred age1krwc99ct25lst4543jrcfdkfhufha7j6237a2r4zhf425d5e54wqcl20jr +creation_rules: + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: + - *admin_fred + - path_regex: secrets/fred/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: + - *admin_fred diff --git a/config/home.nix b/config/home.nix index a017cab..b3dd2f2 100644 --- a/config/home.nix +++ b/config/home.nix @@ -67,6 +67,8 @@ steam-run appimage-run bluez-tools + sops + age #Terminal git @@ -87,6 +89,7 @@ btop poppler_utils pandoc + ncspot #Desktop aerc @@ -108,6 +111,7 @@ audacity pdfarranger byzanz + freecad #Dev python3 diff --git a/flake.lock b/flake.lock index 6e05e90..d1e3391 100644 --- a/flake.lock +++ b/flake.lock @@ -92,6 +92,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1713638189, + "narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "74574c38577914733b4f7a775dd77d24245081dd", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1712439257, 
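Review bot: Both creation_rules encrypt only to the personal `admin_fred` age key, so the machine can decrypt `secrets/fred.yaml` during activation only if that private key is present on it and readable by root; nothing in the hunk ties a host identity to the file. The usual sops-nix layout also lists the host's SSH key, converted with `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub`, as a second recipient so the personal key can stay off the laptop: add it under `keys:` as `- &host_laptop <output of ssh-to-age>` and `- *host_laptop` next to `*admin_fred` in each `age:` list, then run `sops updatekeys secrets/fred.yaml`. The second rule for `secrets/fred/` has the same recipients as the first and matches a directory this commit does not create; it can be dropped until it is needed.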
@@ -124,12 +140,48 @@ "type": "github" } }, + "nixpkgs_3": { + "locked": { + "lastModified": 1713596654, + "narHash": "sha256-LJbHQQ5aX1LVth2ST+Kkse/DRzgxlVhTL1rxthvyhZc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fd16bb6d3bcca96039b11aa52038fafeb6e4f4be", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { "home-manager": "home-manager", "nix-gaming": "nix-gaming", "nixpkgs": "nixpkgs_2", - "nixpkgs-unstable": "nixpkgs-unstable" + "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_3", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1713892811, + "narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index ad4eb54..51b2897 100644 --- a/flake.nix +++ b/flake.nix @@ -10,6 +10,7 @@ home-manager.url = "github:nix-community/home-manager/release-23.11"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; nix-gaming.url = "github:fufexan/nix-gaming"; + sops-nix.url = "github:Mic92/sops-nix"; # TODO: Add any other flake you might need # hardware.url = "github:nixos/nixos-hardware"; @@ -20,6 +21,7 @@ nixpkgs, home-manager, nixpkgs-unstable, + sops-nix, ... } @ inputs: let inherit (self) outputs; @@ -39,7 +41,10 @@ inherit inputs outputs; myhostname = "laptop"; }; - modules = [./maskiner/laptop/configuration.nix]; + modules = [ + ./maskiner/laptop/configuration.nix + sops-nix.nixosModules.sops + ]; }; desktop = nixpkgs.lib.nixosSystem { specialArgs = { diff --git a/maskiner/laptop/configuration.nix b/maskiner/laptop/configuration.nix index aea13d9..83d48f9 100644 --- a/maskiner/laptop/configuration.nix 
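Review bot: `sops-nix.url` is declared without a `follows` for its nixpkgs inputs, unlike `home-manager` two lines above, and the flake.lock hunk in this same commit shows the result: sops-nix pulls its own `nixpkgs_3` and `nixpkgs-stable` trees into the lock. Add `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` (and `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";` if you would rather not carry a second tree at all) so one nixpkgs revision is evaluated and audited. The input is also unpinned, whereas `home-manager` tracks `release-23.11`; with no ref, every `nix flake update` moves sops-nix to the tip of its default branch, which is fine for a personal config but worth a conscious choice.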
+++ b/maskiner/laptop/configuration.nix @@ -16,9 +16,15 @@ ]; networking.hostName = myhostname; + sops.defaultSopsFile = ../../secrets/fred.yaml; + # This will automatically import SSH keys as age keys + sops.age.sshKeyPaths = [ "~/.ssh/id_ed" ]; + # This is using an age key that is expected to already be in the filesystem + sops.age.keyFile = "~/.config/sops/age/keys.txt"; + sops.secrets.spotify_password = {}; services.xserver.dpi = 140; - + services.spotifyd.settings.password = "${config.sops.secrets.spotify_password}"; # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion system.stateVersion = "23.11"; } diff --git a/moduler/common/kitty.nix b/moduler/common/kitty.nix index 2ae5eb3..d74f88e 100644 --- a/moduler/common/kitty.nix +++ b/moduler/common/kitty.nix @@ -7,7 +7,9 @@ size = 18; } else { name = "FiraCode Nerd Font"; + # size = 18; size = 24; + # size = 30; }; shellIntegration = { enableZshIntegration = true; diff --git a/moduler/common/spotifyd.nix b/moduler/common/spotifyd.nix index a49a4d9..63e2270 100644 --- a/moduler/common/spotifyd.nix +++ b/moduler/common/spotifyd.nix @@ -1,9 +1,10 @@ -{ pkgs, lib, myhostname, ... }: +{ pkgs, lib, myhostname, sops, ... }: { services.spotifyd = { enable = true; settings = { username = "fredzyw"; + password = sops.secrets.spotify_password; device_name = myhostname; }; }; diff --git a/secrets/fred.yaml b/secrets/fred.yaml new file mode 100644 index 0000000..dc6aeab --- /dev/null +++ b/secrets/fred.yaml 
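Review bot: `services.spotifyd.settings.password = "${config.sops.secrets.spotify_password}"` interpolates the secret's option attribute set, which Nix cannot coerce to a string, so the laptop configuration no longer evaluates; and even `.path` would be wrong here, because anything placed in `settings` is rendered into a config file in the world-readable /nix/store, which is exactly what sops is meant to avoid. spotifyd can read the password from a command via `password_cmd`, so hand it the decrypted file instead — the rewrite below uses systemd's `LoadCredential`, which works regardless of which user the unit runs as (the NixOS spotifyd unit uses a dynamic user, as far as I recall, so the default root-only `/run/secrets/spotify_password` would otherwise be unreadable to it). `sops.age.sshKeyPaths = [ "~/.ssh/id_ed" ]` and `sops.age.keyFile = "~/.config/sops/age/keys.txt"` are also broken: sops-nix decrypts as root during activation and does not expand `~`, so either give `keyFile` the absolute path of a key that is actually on the laptop or drop it and rely on the host SSH key, once that key's age recipient is in .sops.yaml. The same `password` key is also set in moduler/common/spotifyd.nix in this commit, which NixOS will reject as conflicting definitions; keep it in one module.
```nix
sops.defaultSopsFile = ../../secrets/fred.yaml;
# sops-nix decrypts as root at activation time and does not expand "~": absolute paths only.
# The host SSH key is the usual identity; its age recipient must be listed in .sops.yaml.
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.spotify_password = { };
# Give the unit the decrypted file as a systemd credential and let spotifyd read it
# through password_cmd, so the plaintext never reaches the store-resident config file.
# (plain `cat`: NixOS puts coreutils on every unit's default PATH)
systemd.services.spotifyd.serviceConfig.LoadCredential =
  "spotify_password:${config.sops.secrets.spotify_password.path}";
services.spotifyd.settings.password_cmd = "cat $CREDENTIALS_DIRECTORY/spotify_password";
# … unchanged: services.xserver.dpi, system.stateVersion …
```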
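Review bot: The new `sops` module argument has no visible provider: the laptop's `specialArgs` in flake.nix passes only `inputs`, `outputs` and `myhostname`, so NixOS will fail with a missing `sops` argument for this module, and even if it were wired up, `sops.secrets.spotify_password` is an option attribute set, not the password string spotifyd expects. The secret belongs in `config`, which every module already receives: `{ config, pkgs, lib, myhostname, ... }:` and, in place of the `password` line, `password_cmd = "cat ${config.sops.secrets.spotify_password.path}";` — a plaintext `password` under `settings` would be rendered into a world-readable file in /nix/store. That path is root-only by default, so the secret needs an `owner`/`group` matching the service user or should be passed to the unit with systemd `LoadCredential`; and since maskiner/laptop/configuration.nix sets the same settings key in this commit, one of the two definitions has to go or NixOS reports conflicting values.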
@@ -0,0 +1,29 @@
+spotify_password: ENC[AES256_GCM,data:pEi7c7mGnLqOHcHTL9EXhb4WeQ==,iv:CJMdvwzlN+50szCLpwsGu0IKTFlBhnP/cwDzegmfeEU=,tag:qgwF8asIpVZMhU7hPnCwHg==,type:str]
+#ENC[AES256_GCM,data:XbMoHRMRayasO8J+53f53A==,iv:psX/yl2AC/ciK1Bll0OundYdznCvvBs1/sXRfyKCOfs=,tag:w6uv0l1atSVO1gAUY+DTsw==,type:comment]
+example_array:
+ - ENC[AES256_GCM,data:VPMtdtIvst0Kh3mj5+I=,iv:MVaHOOXV7DVOgW+K3o2ZCN4q/qp5OQA3L2ncDwCUJRU=,tag:bRuhaHhkn5RL0An2QER8pA==,type:str]
+ - ENC[AES256_GCM,data:fABtevCFNDu5+tjLprU=,iv:80ar+fNbfdEFTqDMSPFpq2wLMj9AF+6+58gHYKGDEHo=,tag:syQshcDSoNC5l+AtKbs/lQ==,type:str]
+example_number: ENC[AES256_GCM,data:UPyoHsoNNqWn2Q==,iv:diubzEl3GLDcSulGW5Iof/75VxFppuL9w5SlnokA0xA=,tag:awKZHcA3MDP7Y6+HRVkprA==,type:float]
+example_booleans:
+ - ENC[AES256_GCM,data:U0wuUQ==,iv:VHzxjYVAdocWmnYBz4XlUfx+xNtfTwY+rYSg3izGpL8=,tag:EbbnkVkXCBlWRgJvkRT80A==,type:bool]
+ - ENC[AES256_GCM,data:UeaTW2k=,iv:zzjMtznD5QNt0dM5c5V9okXNgdCGS/JYdEoEinPSrtU=,tag:Y6IpzWov+vb074QpTmgB4A==,type:bool]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1krwc99ct25lst4543jrcfdkfhufha7j6237a2r4zhf425d5e54wqcl20jr
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPaFMweGJLQ0lyelhLNGMx
+ R3NaRGdjM3NNTUZzaVUxQmdKMUlPUnNRcm1zCnJxSWhmV2tJTzNjbW1ORC9zOVEw
+ cWtYalZTSzRDK1h2dTdoT0VTRCtKbG8KLS0tIEpHaUErRVlzUi9XL2pjZldNTEFQ
+ OTFhZVQ1bjA3bG81c1lKcHV0TzZabnMKzhPfi6kJnBB3EMXOvc7u3w4YNglKu1yH
+ 6dF41Pvh5MBVxOcw8zEQeqyvKNADzGU+WA36wMCppKCqETuBUqfLGw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-04-24T12:37:14Z"
+ mac: ENC[AES256_GCM,data:XWohlQpWst/O1+gb6SYRoljEZ3EuMOnyqHRzIaSHDuwh47DN/VT7UhwzUxTh2DyHn4hEY4WS5bFLNBaYZ7xTAIW0ANT4VkMntC31RgcvZdIKh3iQd1IxUPq5RkuUEvdvnw3JTUARAh3PT4p7/49jaHnSTc7XZLAzA+x0lhzGVBI=,iv:cvqprPHCq0xRt32k6aI97BJ6fZqWjTpK25r5beMplO8=,tag:YFKzTDUaVGb8fwnxoUDUOQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
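Review bot: `example_array`, `example_number`, `example_booleans` and the encrypted comment on the second line are the placeholder entries sops writes into a freshly created file, not secrets; they should be removed (`sops secrets/fred.yaml`, delete them, save) before this lands so the file only holds what the modules reference. The file is encrypted to exactly one age recipient, the same personal key as in .sops.yaml, so that key is a single point of failure for every secret in the repo; adding the host key or a backup key as a second recipient costs one `sops updatekeys` run. Remember that sops leaves key names and structure in cleartext by design, so the repo reveals that a `spotify_password` exists — fine here, but it is the reason not to use secret names that are themselves sensitive.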