diff --git a/.envrc b/.envrc
deleted file mode 100644
index 20db47e..0000000
--- a/.envrc
+++ /dev/null
@@ -1 +0,0 @@
-use flake . --impure --allow-dirty --no-write-lock-file
diff --git a/.sops.yaml b/.sops.yaml
deleted file mode 100644
index 5477595..0000000
--- a/.sops.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# XXX: missing: macbook, thinknix?, at some point mobile
-keys:
- - &admins age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
- # Generate AGE keys from SSH keys with:
- # nix-shell -p ssh-to-age --run 'ssh some.example.com /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
- - &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
-creation_rules:
- # per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
- - path_regex: hosts/framenix/secrets\.(yaml|json|env|ini)$
- key_groups:
- - age:
- - *admins
- - *machine_framenix
- - path_regex: common/secrets\.(yaml|json|env|ini)$
- key_groups:
- - age:
- - *admins
- - *machine_framenix
-
diff --git a/common/default.nix b/common/default.nix
index 69fc017..29608ca 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -18,7 +18,6 @@ in
 ./guest.nix
 ./audio-sharing.nix
 ./angrr.nix
- ./sops.nix
 ];
 services.davfs2.enable = true;
diff --git a/common/nix-settings.nix b/common/nix-settings.nix
index 1cd0aed..6199694 100644
--- a/common/nix-settings.nix
+++ b/common/nix-settings.nix
@@ -18,22 +18,6 @@ in
 };
 nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
 };
- sops = {
- secrets."nix/access-tokens" = {
- owner = "root";
- group = "users";
- mode = "0440";
- sopsFile = ./secrets.yaml;
- };
- templates.nix-secrets = {
- content = ''
- access-tokens = ${config.sops.placeholder."nix/access-tokens"}
- '';
- owner = "root";
- group = "users";
- mode = "0440";
- };
- };
 nix.settings = builtins.mapAttrs (_: lib.mkDefault) {
 # keep around all inputs necessary for offline-rebuilding the system
 keep-outputs = true;
@@ -51,6 +35,6 @@ in
 # TODO: manage access token with sops instead of manual deployment
 # permissions: needs to be readable by the user invoking nix and root (for nix daemon)
 nix.extraOptions = ''
- !include ${config.sops.templates.nix-secrets.path}
+ !include /etc/nix/secrets.conf
 '';
 }
diff --git a/common/secrets.yaml b/common/secrets.yaml
deleted file mode 100644
index 6a9fc8c..0000000
--- a/common/secrets.yaml
+++ /dev/null
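Review bot: `!include /etc/nix/secrets.conf` in the second hunk is the optional form of include — Nix skips a missing file without error — so on a host where the file was never hand-deployed the daemon silently runs with no access-tokens and the only symptom is likely GitHub rate limiting or a failing fetch of a private input. The sops template this replaces also pinned the rendered file to root:users 0440, and nothing in the new code declares or checks that, so an over-permissive `/etc/nix/secrets.conf` would expose the token beyond the root-plus-`users` audience the comment above describes. I would record the contract next to the include, e.g. `# /etc/nix/secrets.conf is deployed by hand as root:users 0440; '!include' silently ignores a missing file`, and switch to the plain `include` form if the token is required rather than optional, so a missing file fails loudly. The ciphertext of the old token stays in git history (common/secrets.yaml), so if the same token is reused in the plaintext file, rotating it is worth considering should any age key holder change.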
@@ -1,26 +0,0 @@ -nix: - access-tokens: ENC[AES256_GCM,data:0e58ZzTN81E/2BWphnGKRp8wM8CBOyC5JG2frU6pQ2a10DOwJBJiuv91H3IfHNq+YadNswQZhouQTczhIXlEIW3uADELSBhEiC/L8z9+zrgc4KyRLsMskipuCC3H,iv:DKnJmMs88QA4L9ozvYku4QGottrZVG3UFbw90XNzF0c=,tag:RoKuFIv/tJ/+ZF5aNzkpIQ==,type:str] -sops: - age: - - recipient: age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VmtBVGRNNTRuekxad24v - TmhpVm5BV2wwMkJVclNYd0RkcldtdHhQZlQ4CkVXeDRicStxdk9NdWZoWXRjUWdE - Q2ZibEpVMzR5MFMyalZqVklEajJtejQKLS0tIHhYczc2eFhuVVlQNGE1eTBuUURz - MEI3c2xoSmFneDNiMU40L2QwWC8zWGcKKpI1peaS0IVWxD/q52zDTbIBMkvsGSCy - 3PbuFXZ0ksPpC3nVwTYI4g79X54dECLHQ5bIf4mefREX6wlP+EzdtQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bmtiREFLNmdmdVNOOXNm - YW5XbWJaMHJYMExMZlNEMHJjSlRXUWJ1bmhFCmNBT25odmtGS3oxRFB1U1V6MXo0 - WWVHRk5oTi9DZ0t1c21WcnpSNjd2SmsKLS0tIGphQlFoSWFMVXJObmRLejR0QU54 - S2orZUZqT1g4eGhEMXJQUHp0UDdhSTgK7w+ht6QrXN8fqgIgU/JCkrZW42JhfRp9 - WSnwD5pLJduGVbxVlTRw2+EXFEglDp1WL11UTRj3K9Q3sCH3tH+p2Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-05T22:12:29Z" - mac: ENC[AES256_GCM,data:5do9aK676jnIpaOldsL72W68BLKlWISBeeVglRCVtvYq/gmcmLAIESJli6XIRAURJmX7O61VnBDr5uGmH3jV0cb7s8zd6mxnWJOsnPIiKMNFiDg57W72R4iNsdeYINu6Y9HFfkXcI6HkP2eHdpzsVmmDvT7WuGS0Q6HgpbAbygM=,iv:DPdmA8LuSTNNsV0OTShi2pifhxpbITRbZAKYszDrFIU=,tag:fsOFaubD+LWG1pja6ttYYg==,type:str] - unencrypted_suffix: _unencrypted - version: 3.12.1 diff --git a/common/sops.nix b/common/sops.nix deleted file mode 100644 index 68e5d5b..0000000 --- a/common/sops.nix +++ /dev/null 
@@ -1,11 +0,0 @@ -{ lib, config, ... }: -let - inputs = config.inputInjection.flake-inputs; -in -{ - sops = { - age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = lib.mkDefault toString (./. + "/hosts/${config.networking.hostname}/secrets.ini"); - defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice - }; -} diff --git a/darwin/configuration.nix b/darwin/configuration.nix index 8d08b1a..3ee831b 100644 --- a/darwin/configuration.nix +++ b/darwin/configuration.nix @@ -8,7 +8,6 @@ in imports = [ ../common/nix-settings.nix ../common/angrr.nix - ./sops.nix ]; nix = { enable = true; diff --git a/darwin/sops.nix b/darwin/sops.nix deleted file mode 100644 index a819347..0000000 --- a/darwin/sops.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: -{ - sops = { - age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = lib.mkDefault ./secrets.yaml; - defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice - }; -} diff --git a/flake.lock b/flake.lock index 6876b2f..200348c 100644 --- a/flake.lock +++ b/flake.lock @@ -11,11 +11,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1775232685, - "narHash": "sha256-+kVivleQqI6HdFeVWVukEPvPec/SN74l+j/Tw9OBaSw=", + "lastModified": 1774628296, + "narHash": "sha256-wZaNf8KbaiNWHUGKRe1LzXllMNcsTl7DkdLGd4Uczy0=", "owner": "linyinfeng", "repo": "angrr", - "rev": "e1b066a0dbdd6ed3208dd5405e7d6cde91b7e20d", + "rev": "bc5852e4d7fcd9ffe2d1562f8a7030b81e0679d9", "type": "github" }, "original": { 
@@ -79,11 +79,11 @@ ] }, "locked": { - "lastModified": 1775087534, - "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=", + "lastModified": 1772408722, + "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b", + "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", "type": "github" }, "original": { @@ -184,11 +184,11 @@ ] }, "locked": { - "lastModified": 1775425411, - "narHash": "sha256-KY6HsebJHEe5nHOWP7ur09mb0drGxYSzE3rQxy62rJo=", + "lastModified": 1774875830, + "narHash": "sha256-WPYlTmZvVa9dWlAziFkVjBdv1Z6giNIq40O1DxsBmiI=", "owner": "nix-community", "repo": "home-manager", - "rev": "0d02ec1d0a05f88ef9e74b516842900c41f0f2fe", + "rev": "7afd8cebb99e25a64a745765920e663478eb8830", "type": "github" }, "original": { @@ -246,11 +246,11 @@ ] }, "locked": { - "lastModified": 1775037210, - "narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=", + "lastModified": 1773000227, + "narHash": "sha256-zm3ftUQw0MPumYi91HovoGhgyZBlM4o3Zy0LhPNwzXE=", "owner": "nix-darwin", "repo": "nix-darwin", - "rev": "06648f4902343228ce2de79f291dd5a58ee12146", + "rev": "da529ac9e46f25ed5616fd634079a5f3c579135f", "type": "github" }, "original": { @@ -304,11 +304,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1775203647, - "narHash": "sha256-6MWaMLXK9QMndI94CIxeiPafi3wuO+imCtK9tfhsZdw=", + "lastModified": 1774933469, + "narHash": "sha256-OrnCQeUO2bqaWUl0lkDWyGWjKsOhtCyd7JSfTedQNUE=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "80afbd13eea0b7c4ac188de949e1711b31c2b5f0", + "rev": "f4c4c2c0c923d7811ac2a63ccc154767e4195337", "type": "github" }, "original": { 
@@ -320,11 +320,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1775036866, - "narHash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=", + "lastModified": 1774709303, + "narHash": "sha256-D3Q07BbIA2KnTcSXIqqu9P586uWxN74zNoCH3h2ESHg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6201e203d09599479a3b3450ed24fa81537ebc4e", + "rev": "8110df5ad7abf5d4c0f6fb0f8f978390e77f9685", "type": "github" }, "original": { @@ -352,11 +352,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1775002709, - "narHash": "sha256-d3Yx83vSrN+2z/loBh4mJpyRqr9aAJqlke4TkpFmRJA=", + "lastModified": 1774799055, + "narHash": "sha256-Tsq9BCz0q47ej1uFF39m4tuhcwru/ls6vCCJzutEpaw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bcd464ccd2a1a7cd09aa2f8d4ffba83b761b1d0e", + "rev": "107cba9eb4a8d8c9f8e9e61266d78d340867913a", "type": "github" }, "original": { @@ -368,11 +368,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1775036866, - "narHash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=", + "lastModified": 1774386573, + "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6201e203d09599479a3b3450ed24fa81537ebc4e", + "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9", "type": "github" }, "original": { @@ -388,11 +388,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1775426378, - "narHash": "sha256-ouGowK2BaU09TDryipQxRzOSRcBYxwpIeYbk4vfO96c=", + "lastModified": 1774540439, + "narHash": "sha256-zVYoM58GjEh07Oa56zRygHaqp+Fm83PK8C77p84l5uA=", "owner": "nix-community", "repo": "NUR", - "rev": "09b0001e733b3c28458ca676b1db5d345fbf9820", + "rev": "95ed6efd2ba5aefb62f522c71ef3276b18a8b5a0", "type": "github" }, "original": { @@ -439,7 +439,6 @@ "nixos-unstable": "nixos-unstable", "nixpkgs": "nixpkgs_2", "nur": "nur", - "sops-nix": "sops-nix", "treefmt-nix": "treefmt-nix_3", "utils": "utils" } 
@@ -465,26 +464,6 @@ "type": "github" } }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1775188331, - "narHash": "sha256-/0BoSi0Dg0ON7IW0oscM12WSPBaMSCn36XTt0lHZoy8=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "8f093d0d2f08f37317778bd94db5951d6cce6c46", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, "systems": { "locked": { "lastModified": 1681028828, @@ -508,11 +487,11 @@ ] }, "locked": { - "lastModified": 1775125835, - "narHash": "sha256-2qYcPgzFhnQWchHo0SlqLHrXpux5i6ay6UHA+v2iH4U=", + "lastModified": 1773297127, + "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "75925962939880974e3ab417879daffcba36c4a3", + "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 5ad6638..84dbbcf 100644 --- a/flake.nix +++ b/flake.nix @@ -29,10 +29,6 @@ flake = false; url = "git+ssh://gitea@git.orlives.de:2342/schmittlauch/home-manager_secrets.git"; }; - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; nix-direnv = { url = "github:nix-community/nix-direnv"; inputs.nixpkgs.follows = "nixpkgs"; @@ -55,7 +51,6 @@ treefmt-nix, nix-darwin, angrr, - sops-nix, ... }@inputs: let @@ -90,7 +85,6 @@ # for some reason, `imports`-ing the home-manager module via inputInjection # from a sub-module causes infinite recursion, so importing it here instead home-manager.nixosModules.home-manager - inputs.sops-nix.nixosModules.sops ]; mkSystem = system: extraModules: @@ -107,7 +101,6 @@ imports = [ ./home/common.nix ./home/${confName}.nix - inputs.sops-nix.homeManagerModules.sops ]; # extends the home config home.username = user; @@ -148,7 +141,7 @@ ./darwin/configuration.nix inputInjection inputs.angrr.darwinModules.angrr - inputs.sops-nix.darwinModules.sops + ]; }; homeConfigurations = { 
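Review bot: In the last flake.nix hunk (`@@ -148,7 +141,7 @@`) the removed `inputs.sops-nix.darwinModules.sops` is replaced by an empty `+` line, leaving a stray blank line inside the darwin module list right before `];`. Dropping the line outright, so the list reads `inputs.angrr.darwinModules.angrr` followed directly by `];`, keeps this hunk consistent with the other hunks in this file, which remove the sops-nix entries without leaving a gap. The enclosing attribute set starts outside the hunk.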
@@ -175,13 +168,7 @@
 treefmtEval = treefmt-nix.lib.evalModule pkgs_unstable treefmtConf;
 in
 {
- devShells.default = pkgs.mkShell {
- packages = with pkgs; [
- sops
- ssh-to-age
- age
- ];
- };
+ devShells.default = pkgs.mkShell { buildInputs = [ ]; };
 formatter = treefmtEval.config.build.wrapper;
 checks.formatting = treefmtEval.config.build.check self;
 # expose nixpkgs with overlay; TODO: figure out role of config
diff --git a/home/common.nix b/home/common.nix
index bf19896..d53b3ec 100644
--- a/home/common.nix
+++ b/home/common.nix
@@ -13,7 +13,6 @@
 ./modules/captive-browser.nix
 ./modules/ensureDirs.nix
 ./modules/ssh.nix
- ./modules/sops.nix
 ];
 home.homeDirectory = if pkgs.stdenv.isDarwin then "/Users/${config.home.username}" else "/home/${config.home.username}";
diff --git a/home/modules/sops.nix b/home/modules/sops.nix
deleted file mode 100644
index 0e18ffe..0000000
--- a/home/modules/sops.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ inputs, ... }:
-{
- sops = {
- age.keyFile = "/home/user/.age-key.txt"; # must have no password!
- # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
- };
-}
diff --git a/home/modules/ssh.nix b/home/modules/ssh.nix
index bdefa24..36c44b0 100644
--- a/home/modules/ssh.nix
+++ b/home/modules/ssh.nix
@@ -93,7 +93,7 @@ in
 tag: tagDef:
 let
 dependency = if tagDef.after != null then lib.hm.dag.entryAfter tagDef.after else lib.id;
- escapeOpensshConfig = builtins.replaceStrings [ "%" ] [ "%%" ];
+ escapeOpensshConfig = builtins.replaceStrings ["%"] ["%%"];
 in
 lib.nameValuePair "tagged-${tag}" {
 match = ''tagged="${tag}"'';
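Review bot: `devShells.default = pkgs.mkShell { buildInputs = [ ]; }` in the first flake.nix hunk declares an empty `buildInputs`, which has no effect; `pkgs.mkShell { }` expresses the same empty shell. If the attribute is kept as a placeholder for tools that will return, `packages = [ ];` is what the removed code used, so staying with it keeps the file consistent with its own history. Either way the shell no longer provides `sops`, `ssh-to-age` or `age`, so a short comment such as `# intentionally empty: secret tooling went away with sops-nix` would spare the next reader a search through history.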