schmittlauch/nixconfigs
2
0
Fork 0
Code Issues 2 Pull requests Releases Wiki Activity

sops: first secret integration (nix-settings)

Browse source
This commit is contained in:
Trolli Schmittlauch 2026-04-06 00:14:48 +02:00
parent e8e402e9b7
commit 8914fa79ed
10 changed files with 86 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -6,7 +6,12 @@ keys:
- &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe - &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
creation_rules: creation_rules:
# per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope # per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
- path_regex: hosts/framenix/secrets/[^/]+\.(yaml|json|env|ini)$ - path_regex: hosts/framenix/secrets\.(yaml|json|env|ini)$
key_groups:
- age:
- *admins
- *machine_framenix
- path_regex: common/secrets\.(yaml|json|env|ini)$
key_groups: key_groups:
- age: - age:
- *admins - *admins

1
common/default.nix
View file

@ -18,6 +18,7 @@ in
./guest.nix ./guest.nix
./audio-sharing.nix ./audio-sharing.nix
./angrr.nix ./angrr.nix
./sops.nix
]; ];
services.davfs2.enable = true; services.davfs2.enable = true;

18
common/nix-settings.nix
View file

@ -18,6 +18,22 @@ in
}; };
nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry; nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
}; };
sops = {
secrets."nix/access-tokens" = {
owner = "root";
group = "users";
mode = "0440";
sopsFile = ./secrets.yaml;
};
templates.nix-secrets = {
content = ''
access-tokens = ${config.sops.placeholder."nix/access-tokens"}
'';
owner = "root";
group = "users";
mode = "0440";
};
};
nix.settings = builtins.mapAttrs (_: lib.mkDefault) { nix.settings = builtins.mapAttrs (_: lib.mkDefault) {
# keep around all inputs necessary for offline-rebuilding the system # keep around all inputs necessary for offline-rebuilding the system
keep-outputs = true; keep-outputs = true;
@ -35,6 +51,6 @@ in
# TODO: manage access token with sops instead of manual deployment # TODO: manage access token with sops instead of manual deployment
# permissions: needs to be readable by the user invoking nix and root (for nix daemon) # permissions: needs to be readable by the user invoking nix and root (for nix daemon)
nix.extraOptions = '' nix.extraOptions = ''
!include /etc/nix/secrets.conf !include ${config.sops.templates.nix-secrets.path}
''; '';
} }

26
common/secrets.yaml Normal file
View file

@ -0,0 +1,26 @@
nix:
access-tokens: ENC[AES256_GCM,data:0e58ZzTN81E/2BWphnGKRp8wM8CBOyC5JG2frU6pQ2a10DOwJBJiuv91H3IfHNq+YadNswQZhouQTczhIXlEIW3uADELSBhEiC/L8z9+zrgc4KyRLsMskipuCC3H,iv:DKnJmMs88QA4L9ozvYku4QGottrZVG3UFbw90XNzF0c=,tag:RoKuFIv/tJ/+ZF5aNzkpIQ==,type:str]
sops:
age:
- recipient: age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VmtBVGRNNTRuekxad24v
TmhpVm5BV2wwMkJVclNYd0RkcldtdHhQZlQ4CkVXeDRicStxdk9NdWZoWXRjUWdE
Q2ZibEpVMzR5MFMyalZqVklEajJtejQKLS0tIHhYczc2eFhuVVlQNGE1eTBuUURz
MEI3c2xoSmFneDNiMU40L2QwWC8zWGcKKpI1peaS0IVWxD/q52zDTbIBMkvsGSCy
3PbuFXZ0ksPpC3nVwTYI4g79X54dECLHQ5bIf4mefREX6wlP+EzdtQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bmtiREFLNmdmdVNOOXNm
YW5XbWJaMHJYMExMZlNEMHJjSlRXUWJ1bmhFCmNBT25odmtGS3oxRFB1U1V6MXo0
WWVHRk5oTi9DZ0t1c21WcnpSNjd2SmsKLS0tIGphQlFoSWFMVXJObmRLejR0QU54
S2orZUZqT1g4eGhEMXJQUHp0UDdhSTgK7w+ht6QrXN8fqgIgU/JCkrZW42JhfRp9
WSnwD5pLJduGVbxVlTRw2+EXFEglDp1WL11UTRj3K9Q3sCH3tH+p2Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-05T22:12:29Z"
mac: ENC[AES256_GCM,data:5do9aK676jnIpaOldsL72W68BLKlWISBeeVglRCVtvYq/gmcmLAIESJli6XIRAURJmX7O61VnBDr5uGmH3jV0cb7s8zd6mxnWJOsnPIiKMNFiDg57W72R4iNsdeYINu6Y9HFfkXcI6HkP2eHdpzsVmmDvT7WuGS0Q6HgpbAbygM=,iv:DPdmA8LuSTNNsV0OTShi2pifhxpbITRbZAKYszDrFIU=,tag:fsOFaubD+LWG1pja6ttYYg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1

11
common/sops.nix Normal file
View file

@ -0,0 +1,11 @@
{ lib, config, ... }:
let
inputs = config.inputInjection.flake-inputs;
in
{
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = lib.mkDefault toString (./. + "/hosts/${config.networking.hostname}/secrets.ini");
defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
};
}

1
darwin/configuration.nix
View file

@ -8,6 +8,7 @@ in
imports = [ imports = [
../common/nix-settings.nix ../common/nix-settings.nix
../common/angrr.nix ../common/angrr.nix
./sops.nix
]; ];
nix = { nix = {
enable = true; enable = true;

13
darwin/sops.nix Normal file
View file

@ -0,0 +1,13 @@
{
lib,
config,
pkgs,
...
}:
{
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = lib.mkDefault ./secrets.yaml;
defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
};
}

6
flake.nix
View file

@ -86,11 +86,11 @@
}; };
defaultModules = system: [ defaultModules = system: [
inputInjection inputInjection
sops-nix.nixosModules.sops
# for some reason, `imports`-ing the home-manager module via inputInjection # for some reason, `imports`-ing the home-manager module via inputInjection
# from a sub-module causes infinite recursion, so importing it here instead # from a sub-module causes infinite recursion, so importing it here instead
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
inputs.sops-nix.nixosModules.sops
]; ];
mkSystem = mkSystem =
system: extraModules: system: extraModules:
@ -105,9 +105,9 @@
modules = [ modules = [
{ {
imports = [ imports = [
sops-nix.homeManagerModules.sops
./home/common.nix ./home/common.nix
./home/${confName}.nix ./home/${confName}.nix
inputs.sops-nix.homeManagerModules.sops
]; ];
# extends the home config # extends the home config
home.username = user; home.username = user;
@ -148,7 +148,7 @@
./darwin/configuration.nix ./darwin/configuration.nix
inputInjection inputInjection
inputs.angrr.darwinModules.angrr inputs.angrr.darwinModules.angrr
inputs.sops-nix.darwinModules.sops
]; ];
}; };
homeConfigurations = { homeConfigurations = {

1
home/common.nix
View file

@ -13,6 +13,7 @@
./modules/captive-browser.nix ./modules/captive-browser.nix
./modules/ensureDirs.nix ./modules/ensureDirs.nix
./modules/ssh.nix ./modules/ssh.nix
./modules/sops.nix
]; ];
home.homeDirectory = home.homeDirectory =
if pkgs.stdenv.isDarwin then "/Users/${config.home.username}" else "/home/${config.home.username}"; if pkgs.stdenv.isDarwin then "/Users/${config.home.username}" else "/home/${config.home.username}";

7
home/modules/sops.nix Normal file
View file

@ -0,0 +1,7 @@
{ inputs, ... }:
{
sops = {
age.keyFile = "/home/user/.age-key.txt"; # must have no password!
# deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
};
}