sops-nix: basic key setup
This commit is contained in:
parent
4b712b6b67
commit
32822bcc3a
3 changed files with 42 additions and 0 deletions
14
.sops.yaml
Normal file
14
.sops.yaml
Normal file
|
|
@ -0,0 +1,14 @@
|
||||||
|
# XXX: missing: macbook, thinknix?, at some point mobile
|
||||||
|
keys:
|
||||||
|
- &admins age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
|
||||||
|
# Generate AGE keys from SSH keys with:
|
||||||
|
# nix-shell -p ssh-to-age --run 'ssh some.example.com /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
|
||||||
|
- &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
|
||||||
|
creation_rules:
|
||||||
|
# per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
|
||||||
|
- path_regex: hosts/framenix/secrets/[^/]+\.(yaml|json|env|ini)$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *admins
|
||||||
|
- *machine_framenix
|
||||||
|
|
||||||
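Review bot: The key-generation recipe in the `# nix-shell -p ssh-to-age --run '...'` comment does not work as written: `ssh some.example.com /etc/ssh/ssh_host_ed25519_key.pub` asks the remote host to execute the public-key file as a command rather than print it, so the pipe into ssh-to-age receives nothing. Either read the file explicitly, `ssh some.example.com cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age`, or use the keyscan form, `ssh-keyscan -t ed25519 some.example.com | ssh-to-age`, which needs no shell on the host. Two smaller points on the same file: `path_regex` is not anchored at the start, and sops matches the expression anywhere in the path, so prefixing it with `^` makes it unambiguous that only the top-level `hosts/framenix/secrets/` directory is meant. And because both keys sit in a single `age` group, the hosts listed as missing in the first comment will need `sops updatekeys` run on every existing secrets file once they are added to the rules, which is worth noting next to that TODO.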
21
flake.lock
generated
21
flake.lock
generated
|
|
@ -439,6 +439,7 @@
|
||||||
"nixos-unstable": "nixos-unstable",
|
"nixos-unstable": "nixos-unstable",
|
||||||
"nixpkgs": "nixpkgs_2",
|
"nixpkgs": "nixpkgs_2",
|
||||||
"nur": "nur",
|
"nur": "nur",
|
||||||
|
"sops-nix": "sops-nix",
|
||||||
"treefmt-nix": "treefmt-nix_3",
|
"treefmt-nix": "treefmt-nix_3",
|
||||||
"utils": "utils"
|
"utils": "utils"
|
||||||
}
|
}
|
||||||
|
|
@ -464,6 +465,26 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"sops-nix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1775188331,
|
||||||
|
"narHash": "sha256-/0BoSi0Dg0ON7IW0oscM12WSPBaMSCn36XTt0lHZoy8=",
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"rev": "8f093d0d2f08f37317778bd94db5951d6cce6c46",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"systems": {
|
"systems": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1681028828,
|
"lastModified": 1681028828,
|
||||||
|
|
|
||||||
|
|
@ -29,6 +29,10 @@
|
||||||
flake = false;
|
flake = false;
|
||||||
url = "git+ssh://gitea@git.orlives.de:2342/schmittlauch/home-manager_secrets.git";
|
url = "git+ssh://gitea@git.orlives.de:2342/schmittlauch/home-manager_secrets.git";
|
||||||
};
|
};
|
||||||
|
sops-nix = {
|
||||||
|
url = "github:Mic92/sops-nix";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
nix-direnv = {
|
nix-direnv = {
|
||||||
url = "github:nix-community/nix-direnv";
|
url = "github:nix-community/nix-direnv";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
@ -51,6 +55,7 @@
|
||||||
treefmt-nix,
|
treefmt-nix,
|
||||||
nix-darwin,
|
nix-darwin,
|
||||||
angrr,
|
angrr,
|
||||||
|
sops-nix,
|
||||||
...
|
...
|
||||||
}@inputs:
|
}@inputs:
|
||||||
let
|
let
|
||||||
|
|
@ -81,6 +86,7 @@
|
||||||
};
|
};
|
||||||
defaultModules = system: [
|
defaultModules = system: [
|
||||||
inputInjection
|
inputInjection
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
|
|
||||||
# for some reason, `imports`-ing the home-manager module via inputInjection
|
# for some reason, `imports`-ing the home-manager module via inputInjection
|
||||||
# from a sub-module causes infinite recursion, so importing it here instead
|
# from a sub-module causes infinite recursion, so importing it here instead
|
||||||
|
|
@ -99,6 +105,7 @@
|
||||||
modules = [
|
modules = [
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
sops-nix.homeManagerModules.sops
|
||||||
./home/common.nix
|
./home/common.nix
|
||||||
./home/${confName}.nix
|
./home/${confName}.nix
|
||||||
];
|
];
|
||||||
|
|
|
||||||