sops: fix config for darwin
This commit is contained in:
parent
281ca7ed03
commit
76d79356c3
3 changed files with 36 additions and 9 deletions
|
|
@ -21,7 +21,6 @@ in
|
||||||
sops = {
|
sops = {
|
||||||
secrets."nix/access-tokens" = {
|
secrets."nix/access-tokens" = {
|
||||||
owner = "root";
|
owner = "root";
|
||||||
group = "users";
|
|
||||||
mode = "0440";
|
mode = "0440";
|
||||||
sopsFile = ./secrets.yaml;
|
sopsFile = ./secrets.yaml;
|
||||||
};
|
};
|
||||||
|
|
@ -30,7 +29,8 @@ in
|
||||||
access-tokens = ${config.sops.placeholder."nix/access-tokens"}
|
access-tokens = ${config.sops.placeholder."nix/access-tokens"}
|
||||||
'';
|
'';
|
||||||
owner = "root";
|
owner = "root";
|
||||||
group = "users";
|
# secret needs to be readable by users (nix client) as well as nix-daemon (running as root)
|
||||||
|
group = if pkgs.stdenv.isDarwin then "localaccounts" else "users";
|
||||||
mode = "0440";
|
mode = "0440";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
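Review bot: The second hunk makes the rendered access-tokens template readable by every member of the `users` group (`localaccounts` on darwin, i.e. every local account), so any process running as any local user can read the Nix access token; that is the stated intent, but the comment should say so explicitly so the token is provisioned with minimal scope, e.g. `# readable by every local account: provision a read-only, minimally scoped token`. In the first hunk, dropping `group = "users"` leaves the raw secret at the module's default group, and with `mode = "0440"` it is now tighter than the template that is built from it; a one-line comment such as `# only the rendered template below needs to be user-readable` would keep the two from being "reconciled" later. `pkgs.stdenv.isDarwin` requires `pkgs` in the module's argument set, which lies above the hunk and cannot be checked here.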
@ -6,7 +6,9 @@
|
||||||
}:
|
}:
|
||||||
{
|
{
|
||||||
sops = {
|
sops = {
|
||||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
|
||||||
|
age.sshKeyPaths = lib.mkForce [ ]; # no host keys
|
||||||
|
gnupg.sshKeyPaths = lib.mkForce [ ]; # no host keys
|
||||||
defaultSopsFile = lib.mkDefault ./secrets.yaml;
|
defaultSopsFile = lib.mkDefault ./secrets.yaml;
|
||||||
defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
|
defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
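Review bot: `age.keyFile` now hard-codes `/Users/os/Library/Application Support/sops/age/keys.txt`, a key inside one user's home directory, as the host-level decryption key, and the home-manager module derives the same path from `config.home.username`, so host secrets and that user's secrets are presumably decrypted with one user-owned key; if this is deliberate for a single-user machine, a comment should say so, e.g. `# single-user machine: host secrets share the user's age key, so they are only as protected as that account`. The two `lib.mkForce [ ]` lines need `lib` in the module's argument set, which ends at the `}:` at the top of the hunk and cannot be checked here. The `# no host keys` comments explain the empty lists but not the `mkForce`; stating which imported module sets these paths at normal priority would make the override's reason visible.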
@ -1,7 +1,32 @@
|
||||||
{ inputs, ... }:
|
|
||||||
{
|
{
|
||||||
sops = {
|
inputs,
|
||||||
age.keyFile = "/home/user/.age-key.txt"; # must have no password!
|
config,
|
||||||
# deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
|
lib,
|
||||||
};
|
pkgs,
|
||||||
}
|
...
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
homeKeys =
|
||||||
|
if pkgs.stdenv.isDarwin then
|
||||||
|
"/Users/${config.home.username}/Library/Application Support/sops/age/keys.txt"
|
||||||
|
else
|
||||||
|
"/home/${config.home.username}/.config/sops/age/keys.txt";
|
||||||
|
in
|
||||||
|
lib.mkMerge [
|
||||||
|
{
|
||||||
|
home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700";
|
||||||
|
sops = {
|
||||||
|
age.keyFile = "/home/user/.age-key.txt"; # must have no password!
|
||||||
|
# deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
|
||||||
|
};
|
||||||
|
}
|
||||||
|
# linux machines: assumption: there is an OpenSSH server of which we are able to use the hostkey, like at the NixOS module. The `keyDir` is only used for the private admin key.
|
||||||
|
(lib.mkIf pkgs.stdenv.isLinux {
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
})
|
||||||
|
|
||||||
|
# darwin: no SSH server, no hostkey => let's use the `keyDir` key both for encryption and decrpytion
|
||||||
|
(lib.mkIf pkgs.stdenv.isDarwin {
|
||||||
|
sops.age.keyFile = homeKeys;
|
||||||
|
})
|
||||||
|
]
|
||||||
|
|
|
||||||
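Review bot: On darwin `sops.age.keyFile` is now defined twice at the same priority — `age.keyFile = "/home/user/.age-key.txt"` inside the base attrset and `sops.age.keyFile = homeKeys` in the `lib.mkIf pkgs.stdenv.isDarwin` block — and unless this option's type merges differing values, evaluation fails with conflicting definitions. The simpler shape is to set `sops.age.keyFile = homeKeys;` once in the base block and drop the darwin block; on Linux that also places the key in the `.config/sops/age` directory that `home.ensureDirs` already creates with mode `0700`, instead of the literal `/home/user/.age-key.txt` which ignores `config.home.username`. The Linux branch of `homeKeys` assumes a `/home/<user>` layout; `"${config.home.homeDirectory}/.config/sops/age/keys.txt"` says the same thing without that assumption. Whether `home.ensureDirs` is an option this repository defines cannot be seen from here, and the darwin comment misspells "decryption".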