better secrets management

This commit is contained in:
Cy Pokhrel 2024-11-23 21:41:28 -05:00
parent 3c6d6f8686
commit b15432bd15
No known key found for this signature in database
GPG key ID: 1200FBE36C2ADE2E
5 changed files with 64 additions and 3 deletions

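--- a/nix/.sops.yaml
+++ b/nix/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+- &primary age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
+creation_rules:
+- path_regex: secrets/secrets.yaml$
+key_groups:
+- age:
+- *primary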
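Review bot: The only creation rule encrypts to a single recipient, `&primary`, which on the configuration side is the host key read from `/root/.config/sops/age/keys.txt`; if that key file is lost or the host is reinstalled, `secrets/secrets.yaml` can neither be decrypted nor re-keyed, and every edit of the file requires that host's private key. Add an operator or backup recipient and include it in the same group, e.g. `- &admin age1<ADMIN-PUBLIC-KEY>` under `keys:` and `- *admin` next to `- *primary`, then run `sops updatekeys` on the secrets file so the existing ciphertext gains the new recipient. With two recipients the file stays editable from a workstation without ever copying the host's key off the machine.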


@ -6,6 +6,11 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
sops.defaultSopsFile = ./secrets/secrets.yaml;
sops.defaultSopsFormat = "yaml";
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
sops.secrets."borg/yt" = { };
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
@ -98,6 +103,7 @@
wgnord wgnord
wireguard-tools wireguard-tools
traceroute traceroute
sops
]; ];
system.stateVersion = "24.05"; system.stateVersion = "24.05";
@ -151,7 +157,7 @@
repo = "de3911@de3911.rsync.net:borg/yt"; repo = "de3911@de3911.rsync.net:borg/yt";
encryption = { encryption = {
mode = "repokey-blake2"; mode = "repokey-blake2";
passCommand = "cat /root/keys/borg_yt"; passCommand = "cat /run/keys/borg_yt";
}; };
environment = { environment = {
BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519"; BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
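Review bot: The new `passCommand = "cat /run/keys/borg_yt";` in the third hunk does not point at the file sops-nix will create: `sops.secrets."borg/yt" = { };` sets no `path`, and sops-nix's default location for a secret named `borg/yt` is `/run/secrets/borg/yt`, so the backup job would fail on its first run with a missing passphrase file (unless a path override exists outside this hunk, which I cannot see). Tie the two declarations together instead of hard-coding the path, `passCommand = "cat ${config.sops.secrets."borg/yt".path}";`, which needs `config` in the module's argument list (the module header is outside the hunk), or set `sops.secrets."borg/yt".path = "/run/keys/borg_yt";` explicitly next to the secret declaration. The secret defaults to root-owned with mode 0400, so please also confirm the borg job runs as root, and remove the old plaintext `/root/keys/borg_yt` once the migration is verified. The enclosing borgbackup job attribute set starts before this hunk.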

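--- a/nix/flake.lock
+++ b/nix/flake.lock
@@ -17,7 +17,28 @@
 },
 "root": {
 "inputs": {
-"nixpkgs": "nixpkgs"
+"nixpkgs": "nixpkgs",
+"sops-nix": "sops-nix"
+}
+},
+"sops-nix": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1732186149,
+"narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=",
+"owner": "Mic92",
+"repo": "sops-nix",
+"rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699",
+"type": "github"
+},
+"original": {
+"owner": "Mic92",
+"repo": "sops-nix",
+"type": "github"
 }
 }
 },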


@ -3,9 +3,13 @@
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-unstable"; nixpkgs.url = "nixpkgs/nixos-unstable";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs }: outputs = { self, nixpkgs, sops-nix }:
let let
lib = nixpkgs.lib; lib = nixpkgs.lib;
in { in {
@ -14,6 +18,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./configuration.nix ./configuration.nix
sops-nix.nixosModules.sops
]; ];
}; };
}; };

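--- a/nix/secrets/secrets.yaml
+++ b/nix/secrets/secrets.yaml
@@ -0,0 +1,22 @@
+borg:
+yt: ENC[AES256_GCM,data:CGcdcA9LnDDlTYJwsT25uY9h70yJtKhxgA==,iv:F25VTezkd4RQd7BZ3DD39hPiPj+Z3H01IgPhCGUQ5aM=,tag:mxLPXR/ffBXkByk1R1PYvQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUmhsRDljYWJLS2tzUC90
+a1oxZGZBUy9LaFpJeTF2MmZWQnl1NU0vQkc0CklnTGszaHRCRW5GYUU1OU9NVjVH
+SW02OWVXNDNSMTFyV2NUU2xTV1dlTGMKLS0tIGpKT3lQd3I0T0xEMWo2ekd1MmM3
+a1MwYjB0Tm03bzJnWTdoZ01KbXBPUkUKUr6hOsdZDJK6bFyEnBf4Vkms8EJsIvZY
+ML481g9d9Vlm5x7X74nUcWemFSzttSdWEM3Y/IOHpXDbvC/Tbw+z7Q==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-11-24T02:00:55Z"
+mac: ENC[AES256_GCM,data:d8CY4QNU0O2pqTsNZgikJpCkm/jGgvu0lyBfmKoYmlQpHHIeWag9cT3n5/8UKnrcdgiLzCu26j0D6RiqolvpS/qtTz953kjSXiu3mclk9uuRurvzxxA31IacuiOeDRiln7dephRXxzzYvNiq5HtyAIEBxoIni5BCLFepBtGhB8U=,iv:b7Z6jFuXdhHJSuz6mJtB0f1hfo41UcNsXi+XwWUR10M=,tag:2Bdv9m4eoWZAt5Q/Fmf6Rw==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.1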