diff --git a/nix/flake.lock b/nix/flake.lock
index 9d1fa68..4d34658 100644
--- a/nix/flake.lock
+++ b/nix/flake.lock
@@ -98,7 +98,28 @@
 "home-manager": "home-manager",
 "nix-darwin": "nix-darwin",
 "nixos-wsl": "nixos-wsl",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1770145881,
+ "narHash": "sha256-ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 }
 },
diff --git a/nix/flake.nix b/nix/flake.nix
index 038de7e..329fa34 100644
--- a/nix/flake.nix
+++ b/nix/flake.nix
@@ -18,9 +18,14 @@
 url = "github:LnL7/nix-darwin";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
- outputs = { self, nixpkgs, nixos-wsl, home-manager, nix-darwin, ... }@inputs:
+ outputs = { self, nixpkgs, nixos-wsl, home-manager, nix-darwin, sops-nix, ... }@inputs:
 let
 linuxSystem = "x86_64-linux";
 linuxAarchSystem = "aarch64-linux";
@@ -38,7 +43,7 @@
 # Work WSL
 work = nixpkgs.lib.nixosSystem {
 system = linuxSystem;
- specialArgs = { inherit self; };
+ specialArgs = { inherit self inputs; };
 modules = [
 nixos-wsl.nixosModules.wsl
 ./hosts/work/nixos/configuration.nix
@@ -46,6 +51,7 @@
 {
 home-manager.useGlobalPkgs = true;
 home-manager.useUserPackages = true;
+ home-manager.extraSpecialArgs = { inherit self inputs; };
 home-manager.users.pan = import ./hosts/work/nixos/home.nix;
 }
 ];
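Review bot: The `sops-nix` name added to the `outputs` argument pattern in the `@@ -18,9 +18,14 @@` hunk is not referenced by any visible hunk; the new modules reach the input through the `inputs` set that is now passed via `specialArgs` and `extraSpecialArgs`. If nothing else in flake.nix uses the bare binding, dropping it keeps the pattern to the inputs the function actually destructures: `outputs = { self, nixpkgs, nixos-wsl, home-manager, nix-darwin, ... }@inputs:`. The `outputs` body starts in this hunk and continues well past the hunks shown here.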
@@ -54,13 +60,14 @@
 # Home
 home = nixpkgs.lib.nixosSystem {
 system = linuxAarchSystem;
- specialArgs = { inherit self; };
+ specialArgs = { inherit self inputs; };
 modules = [
 ./hosts/home/nixos/configuration.nix
 home-manager.nixosModules.home-manager
 {
 home-manager.useGlobalPkgs = true;
 home-manager.useUserPackages = true;
+ home-manager.extraSpecialArgs = { inherit self inputs; };
 home-manager.users.martin = import ./hosts/home/nixos/home.nix;
 }
 ];
@@ -70,7 +77,7 @@
 # --- Darwin Systems (Mac) ---
 darwinConfigurations."Martins-MacBook-Pro" = nix-darwin.lib.darwinSystem {
 system = darwinSystem;
- specialArgs = { inherit self; };
+ specialArgs = { inherit self inputs; };
 modules = [ ./hosts/home/darwin/configuration.nix ];
 };
@@ -78,11 +85,13 @@
 homeConfigurations = {
 "pan@work" = home-manager.lib.homeManagerConfiguration {
 pkgs = pkgsLinux;
+ extraSpecialArgs = { inherit self inputs; };
 modules = [ ./hosts/work/nix/home.nix ];
 };
 "martin@mac" = home-manager.lib.homeManagerConfiguration {
 pkgs = pkgsDarwin;
+ extraSpecialArgs = { inherit self inputs; };
 modules = [ ./hosts/home/nix/home.nix ];
 };
 };
diff --git a/nix/modules/home/common.nix b/nix/modules/home/common.nix
index d05c36e..4ef3475 100644
--- a/nix/modules/home/common.nix
+++ b/nix/modules/home/common.nix
@@ -2,6 +2,7 @@
 {
 imports = [
+ ./secrets.nix
 ./sh.nix
 ./tmux.nix
 ./git.nix
@@ -18,6 +19,10 @@
 yaml-language-server
 marksman
 dockerfile-language-server
+
+ # Secrets management
+ sops
+ age
 ];
 news.display = "silent";
diff --git a/nix/modules/home/secrets.nix b/nix/modules/home/secrets.nix
new file mode 100644
index 0000000..6cc4675
--- /dev/null
+++ b/nix/modules/home/secrets.nix
@@ -0,0 +1,17 @@
+{ inputs, config, ... }:
+
+{
+ imports = [
+ inputs.sops-nix.homeManagerModules.sops
+ ];
+
+ sops = {
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
+
+ age = {
+ # This is the default location for the age key
+ keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+ };
+ };
+}
diff --git a/nix/modules/nixos/common.nix b/nix/modules/nixos/common.nix
index bee8b77..f436d01 100644
--- a/nix/modules/nixos/common.nix
+++ b/nix/modules/nixos/common.nix
@@ -1,6 +1,10 @@
 { config, pkgs, lib, ... }:
 {
+ imports = [
+ ./secrets.nix
+ ];
+
 time.timeZone = "Europe/Berlin";
 i18n.defaultLocale = "en_US.UTF-8";
diff --git a/nix/modules/nixos/secrets.nix b/nix/modules/nixos/secrets.nix
new file mode 100644
index 0000000..7340574
--- /dev/null
+++ b/nix/modules/nixos/secrets.nix
@@ -0,0 +1,21 @@
+{ inputs, config, ... }:
+
+{
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ sops = {
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
+
+ age = {
+ # This will automatically import the SSH keys as age keys
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ # This is where the age key for sops-nix is stored
+ keyFile = "/var/lib/sops-nix/key.txt";
+ # This will generate a new age key from the SSH key if it doesn't exist
+ generateKey = true;
+ };
+ };
+}
diff --git a/nix/secrets/.sops.yaml b/nix/secrets/.sops.yaml
new file mode 100644
index 0000000..95fb7d6
--- /dev/null
+++ b/nix/secrets/.sops.yaml
@@ -0,0 +1,8 @@
+keys:
+ - &macbook age1hmgy68ukugduef75ev72jnpu77ff3lajadpf7u0zv3ex4nt7f5qs5nxx2l
+
+creation_rules:
+ - path_regex: secrets\.yaml$
+ key_groups:
+ - age:
+ - *macbook
diff --git a/nix/secrets/secrets.yaml b/nix/secrets/secrets.yaml
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/nix/secrets/secrets.yaml
@@ -0,0 +1 @@
+
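Review bot: `sops.age.keyFile` in the new home-manager module points at a path that nothing in this commit creates, so the module only works once `keys.txt` has been provisioned on each machine by hand, and the comment above it does not say so. I would extend that comment to state that the key is generated out of band (for example with `age-keygen`) and is never committed, and derive the path from the XDG option rather than hard-coding `.config`: `keyFile = "${config.xdg.configHome}/sops/age/keys.txt";`. Since `secrets.yaml` is added empty in this same commit, any `sops.secrets.*` entry added later will presumably fail until that file has actually been encrypted with sops for the recipients in `.sops.yaml`.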
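Review bot: The NixOS module derives each host's age identity from `/etc/ssh/ssh_host_ed25519_key`, but `.sops.yaml` in the same commit lists only the `&macbook` recipient, so the `work` and `home` hosts will not be able to decrypt anything encrypted under this rule set; each host's age public key (obtainable with `ssh-to-age` from the host's public SSH key) needs to be added to `keys:` and to the `creation_rules` `age:` group, followed by `sops updatekeys` on `secrets.yaml`. The `work` host is built with `nixos-wsl`; if `services.openssh` is not enabled there, the ed25519 host key may not exist at activation and `generateKey = true` would fail — worth confirming against the host configuration, which is outside this diff. I would also replace the three comments with one that states the actual flow: `# The age key is derived from the host's ed25519 SSH key at activation and cached in keyFile; the matching age public key must be listed as a recipient in secrets/.sops.yaml`.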