
No commits in common. "22ced0b1e36dbee38377be04bfc4b0a8dba6c48a" and "5366a47e77bbeb3af5c1465e9335d56b47644e98" have entirely different histories.

3 changed files with 8 additions and 35 deletions


@ -1,9 +1,8 @@
# XXX: missing: macbook, thinknix?, at some point mobile
keys:
- &admins age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
- &workmac age1fft2ynhazjwtjmxsvt37qervtekktdln2968gjp4vcp5sp3jeg5segkz3x #workmac
# Generate AGE keys from SSH keys with:
# nix-shell -p ssh-to-age --run 'ssh some.example.com cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# nix-shell -p ssh-to-age --run 'ssh some.example.com /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
- &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
creation_rules:
# per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
@ -16,6 +15,5 @@ creation_rules:
key_groups:
- age:
- *admins
- *workmac
- *machine_framenix
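Review bot: Dropping `*workmac` from the `age:` key group in the second hunk (the 16,6→15,5 counts admit exactly one deletion, and that reference is the likely one) does not revoke that identity's access to anything already encrypted: every secrets file keeps a data-key copy wrapped for each recipient that was in the rule when it was last saved, so the files matched by this rule need `sops updatekeys` afterwards, and if the workmac key may have been exposed the data key itself should be rotated with `sops -r`, since re-wrapping leaves earlier copies of the file readable. If, consistently with that, the line deleted in the first hunk is the `&workmac` anchor, then both `nix-shell -p ssh-to-age` comment lines survive on the new side, and the one without `cat` would have ssh try to execute the public-key file instead of printing it; keep only `# nix-shell -p ssh-to-age --run 'ssh some.example.com cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'`. The `creation_rules:` list that the second hunk belongs to starts before it.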


@ -6,7 +6,7 @@
}:
{
sops = {
age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt";
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = lib.mkDefault ./secrets.yaml;
defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
};
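Review bot: Whichever side of the `age.keyFile = "/Users/os/Library/Application Support/sops/age/keys.txt"` / `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` pair is the new one (the page has dropped the markers; the 6,7→6,7 counts only say one line replaced the other), the keyFile form hard-codes a single user's home directory into what reads as a host-level sops module, so the host's ability to decrypt rests on a file that user can edit or delete and the path is wrong for any other account. If the keyFile variant is what lands, derive the path from the configured user rather than the literal `os` and make sure the key file and its directory are owner-only (0600/0700); the sshKeyPaths form ties decryption to the root-owned host key that already exists. The attribute set enclosing `sops = { ... };` opens and closes outside the hunk.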


@ -1,32 +1,7 @@
{ inputs, ... }:
{
inputs,
config,
lib,
pkgs,
...
}:
let
homeKeys =
if pkgs.stdenv.isDarwin then
"/Users/${config.home.username}/Library/Application Support/sops/age/keys.txt"
else
"/home/${config.home.username}/.config/sops/age/keys.txt";
in
lib.mkMerge [
{
home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700";
sops = {
age.keyFile = "/home/user/.age-key.txt"; # must have no password!
# deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
};
}
# linux machines: assumption: there is an OpenSSH server of which we are able to use the hostkey, like at the NixOS module. The `keyDir` is only used for the private admin key.
(lib.mkIf pkgs.stdenv.isLinux {
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
})
# darwin: no SSH server, no hostkey => let's use the `keyDir` key both for encryption and decrpytion
(lib.mkIf pkgs.stdenv.isDarwin {
sops.age.keyFile = homeKeys;
})
]
sops = {
age.keyFile = "/home/user/.age-key.txt"; # must have no password!
# deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
};
}
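Review bot: The short form that the 1,32→1,7 counts indicate is the new side (`{ inputs, ... }:` plus the `sops = { age.keyFile = "/home/user/.age-key.txt"; ... };` block) pins the age identity to a literal `/home/user` path and drops the `home.ensureDirs ... mode = "0700"` guard the removed body had, so a key that the comment says must be unencrypted sits at a fixed, well-known location with whatever permissions the user happened to give it, and on any account other than `user` decryption silently fails; the Darwin/Linux path distinction is lost as well. Keeping the path derived from the user covers both platforms without the removed `if pkgs.stdenv.isDarwin` branch: take `{ config, ... }:`, set `age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";`, and retain `home.ensureDirs."${builtins.dirOf config.sops.age.keyFile}".mode = "0700";`. `inputs` is no longer referenced in the new body and can be removed from the argument pattern.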