homelab
/
config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add sops-nix

main
kalle 2024-12-26 19:41:49 +01:00
parent 1da714d2b7
commit 01f88e9051
5 changed files with 73 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.sops.yaml Normal file
View File

@ -0,0 +1,9 @@
keys:
- &kalle_laptop age1y86zket4wccf9kfp65gmlcsf0a9drjux7r3zlcfqqdkh99dfnyeqts8jra
- &vm_base age1w8flykazkwxewcxpe2mn50cawn857ylcdp4r7vp459p3q7cx9uasap4stz
creation_rules:
- key_groups:
- age:
- *kalle_laptop
- *vm_base

23
flake.lock
View File

@ -34,7 +34,28 @@
"root": {
"inputs": {
"impermanence": "impermanence",
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1734546875,
"narHash": "sha256-6OvJbqQ6qPpNw3CA+W8Myo5aaLhIJY/nNFDk3zMXLfM=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "ed091321f4dd88afc28b5b4456e0a15bd8374b4d",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
}
},

4
flake.nix
View File

@ -4,6 +4,10 @@
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
impermanence.url = "github:nix-community/impermanence";
# Sops-nix, a secrets manager
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs =

33
secrets/nix-test.yaml Normal file
View File

@ -0,0 +1,33 @@
traefik:
acmeEmail: ENC[AES256_GCM,data:aM2AQADo5s0c1b//UWPXNPlKMXNRRnPFDbM=,iv:RP7Tn8s1nYKJf0B0KO0BQkI4tnz/zUK8KqzQqeNiyZk=,tag:g4+lwK4miUdxOwLHQcUZhg==,type:str]
CLOUDFLARE_EMAIL: ENC[AES256_GCM,data:YHQ00Qh0t7owvFE/PXu8o4a8ry1P92/CVA==,iv:z982jUAm8W4Du/5dLopQZE0p5eWi4Ls7TYsiiwUlqvg=,tag:bek2eQ4duYBH8F2LG+Tr+g==,type:str]
CLOUDFLARE_DNS_API_TOKEN: ENC[AES256_GCM,data:zyTpv1AGA9GzfGfFyxqO40NKZt8LlHU1YT9kvXPZYAGUc5wE3GVxzg==,iv:W7u5gEeYNkCGO3D0Y+XBZ4PCI081QsNK10ThHKbV68M=,tag:7onKfU+mVz3euCbFrX1mdg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1y86zket4wccf9kfp65gmlcsf0a9drjux7r3zlcfqqdkh99dfnyeqts8jra
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSmIyL2JwZXhJaE13SlJW
NXg3Nzg3bjlUOHp4blVBdmFJZmRjUkREa0RnCmhZQTJlaER4KzZHeHc2dkVXQ3RU
OFd1c2REMkR0YlVJL2lOcENNM01Ka1EKLS0tIGJFdzFpN2VqdEVQV1ZnQXVwa1Vs
enpRZVQ1dVphQmtETlY1UDdleXVRdDAKmUzn+98cPWbKXgsCKHeQzkVysj2eOIx6
UTT6+MPOskud/PPrCV9SmBsfwxZ5NJvbkYPtmRHOWr3UgJ7gOSD0ZQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w8flykazkwxewcxpe2mn50cawn857ylcdp4r7vp459p3q7cx9uasap4stz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMHllWTBWd2h0c29TT2pF
NTNmM2puSG9USUtVU0drNnFmVUxaYXJES2lrCmY1d2hLR2VCVXgrb3k2Z2RJVXBY
dUhOMjJ4elhLaUZqK1BNQzh0Z3YvYTAKLS0tICtFSFBsN2FoRURwQVNGNUNRdnAy
SitKZlhUek9SM2xuRmc1dEh3N0xJak0K1HrF4CcZhq2DBjiRj8eTRBe1FHas9yep
vzEBYsnjsJ3uCtcLCqVu0CApBr6oLXPiwgRouAmRIzBUQfiXtWoEbQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-26T18:39:38Z"
mac: ENC[AES256_GCM,data:2dr8o3njYlYVHiFItM4MrlHfpiw7AurdedXm614MbMiX6b5bkAoIuSJHWjjwmBsQY52yTUwl5GS0oLztRGOZ9OsxiwvGRoxNG5lAPK83t4pralaWvLKVn7CCClU6fyYnUwqPEfw/YFSxlm00iBPz54zRQNvIigrZhhAM3lHswaM=,iv:sgvpiOwz183/GewbTFsW3EV8bHX7p/13b32sDPxRcMw=,tag:ZHHv4fAOT/lPZg/n9rnMvA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2

6
utils.nix
View File

@ -19,12 +19,16 @@
};
modules = [
inputs.impermanence.nixosModules.impermanence
# inputs.sops-nix.nixosModules.sops
inputs.sops-nix.nixosModules.sops
./systems/base/configuration.nix
(
{ ... }:
{
sops.defaultSopsFile = ./secrets + "/${hostConfig.hostname}.yaml";
# Disable automatic pgp key generation based on ssh keys
sops.gnupg.sshKeyPaths = [ ];
networking.hostName = hostConfig.hostname;
system.stateVersion = hostConfig.stateVersion;
}