sops: first secret integration (nix-settings)

2026-04-06 00:14:48 +02:00 · 2026-04-06 00:14:48 +02:00 · 8914fa79ed
commit 8914fa79ed
parent e8e402e9b7
10 changed files with 86 additions and 5 deletions
--- a/common/default.nix
+++ b/common/default.nix
@ -18,6 +18,7 @@ in
    ./guest.nix
    ./audio-sharing.nix
    ./angrr.nix
+    ./sops.nix
  ];

  services.davfs2.enable = true;
--- a/common/nix-settings.nix
+++ b/common/nix-settings.nix
@ -18,6 +18,22 @@ in
    };
    nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
  };
+  sops = {
+    secrets."nix/access-tokens" = {
+      owner = "root";
+      group = "users";
+      mode = "0440";
+      sopsFile = ./secrets.yaml;
+    };
+    templates.nix-secrets = {
+      content = ''
+        access-tokens = ${config.sops.placeholder."nix/access-tokens"}
+      '';
+      owner = "root";
+      group = "users";
+      mode = "0440";
+    };
+  };
  nix.settings = builtins.mapAttrs (_: lib.mkDefault) {
    # keep around all inputs necessary for offline-rebuilding the system
    keep-outputs = true;
@ -35,6 +51,6 @@ in
  # TODO: manage access token with sops instead of manual deployment
  # permissions: needs to be readable by the user invoking nix and root (for nix daemon)
  nix.extraOptions = ''
-    !include /etc/nix/secrets.conf
+    !include ${config.sops.templates.nix-secrets.path}
  '';
 }
--- a/common/secrets.yaml
+++ b/common/secrets.yaml
@ -0,0 +1,26 @@
+nix:
+    access-tokens: ENC[AES256_GCM,data:0e58ZzTN81E/2BWphnGKRp8wM8CBOyC5JG2frU6pQ2a10DOwJBJiuv91H3IfHNq+YadNswQZhouQTczhIXlEIW3uADELSBhEiC/L8z9+zrgc4KyRLsMskipuCC3H,iv:DKnJmMs88QA4L9ozvYku4QGottrZVG3UFbw90XNzF0c=,tag:RoKuFIv/tJ/+ZF5aNzkpIQ==,type:str]
+sops:
+    age:
+        - recipient: age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VmtBVGRNNTRuekxad24v
+            TmhpVm5BV2wwMkJVclNYd0RkcldtdHhQZlQ4CkVXeDRicStxdk9NdWZoWXRjUWdE
+            Q2ZibEpVMzR5MFMyalZqVklEajJtejQKLS0tIHhYczc2eFhuVVlQNGE1eTBuUURz
+            MEI3c2xoSmFneDNiMU40L2QwWC8zWGcKKpI1peaS0IVWxD/q52zDTbIBMkvsGSCy
+            3PbuFXZ0ksPpC3nVwTYI4g79X54dECLHQ5bIf4mefREX6wlP+EzdtQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bmtiREFLNmdmdVNOOXNm
+            YW5XbWJaMHJYMExMZlNEMHJjSlRXUWJ1bmhFCmNBT25odmtGS3oxRFB1U1V6MXo0
+            WWVHRk5oTi9DZ0t1c21WcnpSNjd2SmsKLS0tIGphQlFoSWFMVXJObmRLejR0QU54
+            S2orZUZqT1g4eGhEMXJQUHp0UDdhSTgK7w+ht6QrXN8fqgIgU/JCkrZW42JhfRp9
+            WSnwD5pLJduGVbxVlTRw2+EXFEglDp1WL11UTRj3K9Q3sCH3tH+p2Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-05T22:12:29Z"
+    mac: ENC[AES256_GCM,data:5do9aK676jnIpaOldsL72W68BLKlWISBeeVglRCVtvYq/gmcmLAIESJli6XIRAURJmX7O61VnBDr5uGmH3jV0cb7s8zd6mxnWJOsnPIiKMNFiDg57W72R4iNsdeYINu6Y9HFfkXcI6HkP2eHdpzsVmmDvT7WuGS0Q6HgpbAbygM=,iv:DPdmA8LuSTNNsV0OTShi2pifhxpbITRbZAKYszDrFIU=,tag:fsOFaubD+LWG1pja6ttYYg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1
--- a/common/sops.nix
+++ b/common/sops.nix
@ -0,0 +1,11 @@
+{ lib, config, ... }:
+let
+  inputs = config.inputInjection.flake-inputs;
+in
+{
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = lib.mkDefault toString (./. + "/hosts/${config.networking.hostname}/secrets.ini");
+    defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
+  };
+}