Add secret handling
23
nix/flake.lock
generated
23
nix/flake.lock
generated
@@ -98,7 +98,28 @@
|
||||
"home-manager": "home-manager",
|
||||
"nix-darwin": "nix-darwin",
|
||||
"nixos-wsl": "nixos-wsl",
|
||||
"nixpkgs": "nixpkgs"
|
||||
"nixpkgs": "nixpkgs",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1770145881,
|
||||
"narHash": "sha256-ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
@@ -18,9 +18,14 @@
|
||||
url = "github:LnL7/nix-darwin";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
sops-nix = {
|
||||
url = "github:Mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, nixos-wsl, home-manager, nix-darwin, ... }@inputs:
|
||||
outputs = { self, nixpkgs, nixos-wsl, home-manager, nix-darwin, sops-nix, ... }@inputs:
|
||||
let
|
||||
linuxSystem = "x86_64-linux";
|
||||
linuxAarchSystem = "aarch64-linux";
|
||||
@@ -38,7 +43,7 @@
|
||||
# Work WSL
|
||||
work = nixpkgs.lib.nixosSystem {
|
||||
system = linuxSystem;
|
||||
specialArgs = { inherit self; };
|
||||
specialArgs = { inherit self inputs; };
|
||||
modules = [
|
||||
nixos-wsl.nixosModules.wsl
|
||||
./hosts/work/nixos/configuration.nix
|
||||
@@ -46,6 +51,7 @@
|
||||
{
|
||||
home-manager.useGlobalPkgs = true;
|
||||
home-manager.useUserPackages = true;
|
||||
home-manager.extraSpecialArgs = { inherit self inputs; };
|
||||
home-manager.users.pan = import ./hosts/work/nixos/home.nix;
|
||||
}
|
||||
];
|
||||
@@ -54,13 +60,14 @@
|
||||
# Home
|
||||
home = nixpkgs.lib.nixosSystem {
|
||||
system = linuxAarchSystem;
|
||||
specialArgs = { inherit self; };
|
||||
specialArgs = { inherit self inputs; };
|
||||
modules = [
|
||||
./hosts/home/nixos/configuration.nix
|
||||
home-manager.nixosModules.home-manager
|
||||
{
|
||||
home-manager.useGlobalPkgs = true;
|
||||
home-manager.useUserPackages = true;
|
||||
home-manager.extraSpecialArgs = { inherit self inputs; };
|
||||
home-manager.users.martin = import ./hosts/home/nixos/home.nix;
|
||||
}
|
||||
];
|
||||
@@ -70,7 +77,7 @@
|
||||
# --- Darwin Systems (Mac) ---
|
||||
darwinConfigurations."Martins-MacBook-Pro" = nix-darwin.lib.darwinSystem {
|
||||
system = darwinSystem;
|
||||
specialArgs = { inherit self; };
|
||||
specialArgs = { inherit self inputs; };
|
||||
modules = [ ./hosts/home/darwin/configuration.nix ];
|
||||
};
|
||||
|
||||
@@ -78,11 +85,13 @@
|
||||
homeConfigurations = {
|
||||
"pan@work" = home-manager.lib.homeManagerConfiguration {
|
||||
pkgs = pkgsLinux;
|
||||
extraSpecialArgs = { inherit self inputs; };
|
||||
modules = [ ./hosts/work/nix/home.nix ];
|
||||
};
|
||||
|
||||
"martin@mac" = home-manager.lib.homeManagerConfiguration {
|
||||
pkgs = pkgsDarwin;
|
||||
extraSpecialArgs = { inherit self inputs; };
|
||||
modules = [ ./hosts/home/nix/home.nix ];
|
||||
};
|
||||
};
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
|
||||
{
|
||||
imports = [
|
||||
./secrets.nix
|
||||
./sh.nix
|
||||
./tmux.nix
|
||||
./git.nix
|
||||
@@ -18,6 +19,10 @@
|
||||
yaml-language-server
|
||||
marksman
|
||||
dockerfile-language-server
|
||||
|
||||
# Secrets management
|
||||
sops
|
||||
age
|
||||
];
|
||||
|
||||
news.display = "silent";
|
||||
|
||||
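--- /dev/null
+++ b/nix/modules/home/secrets.nix
@@ -0,0 +1,17 @@
+{ inputs, config, ... }:
+
+{
+imports = [
+inputs.sops-nix.homeManagerModules.sops
+];
+
+sops = {
+defaultSopsFile = ../../secrets/secrets.yaml;
+defaultSopsFormat = "yaml";
+
+age = {
+# This is the default location for the age key
+keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+};
+};
+}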
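Review bot: The comment on `keyFile` says this is the default location, but nothing in this module creates the key; it has to be generated out-of-band, kept at mode 0600, and its public half is what the `macbook` recipient in nix/secrets/.sops.yaml refers to, which is worth stating where the next person looks. I would replace the comment with `# Private age identity; created out-of-band with age-keygen and never committed. Its public key is the 'macbook' recipient in nix/secrets/.sops.yaml.` Also note that `defaultSopsFile` is a path literal, so secrets.yaml is copied into the world-readable Nix store at build time; that is only safe because the file is sops-encrypted, so plaintext must never be committed there.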
@@ -1,6 +1,10 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./secrets.nix
|
||||
];
|
||||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
|
||||
|
||||
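--- /dev/null
+++ b/nix/modules/nixos/secrets.nix
@@ -0,0 +1,21 @@
+{ inputs, config, ... }:
+
+{
+imports = [
+inputs.sops-nix.nixosModules.sops
+];
+
+sops = {
+defaultSopsFile = ../../secrets/secrets.yaml;
+defaultSopsFormat = "yaml";
+
+age = {
+# This will automatically import the SSH keys as age keys
+sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+# This is where the age key for sops-nix is stored
+keyFile = "/var/lib/sops-nix/key.txt";
+# This will generate a new age key from the SSH key if it doesn't exist
+generateKey = true;
+};
+};
+}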
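Review bot: The comment above `generateKey = true` is misleading: as I read sops-nix, `generateKey` runs `age-keygen` to create a fresh random identity at `keyFile` when it is absent; it is not derived from the SSH host key, which is converted separately via `sshKeyPaths`. So these hosts end up with two unrelated identities, and neither of them is a recipient in nix/secrets/.sops.yaml (only `macbook` is), which means activation will fail to decrypt anything until `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub` is added there and the file is re-keyed. Either drop `keyFile`/`generateKey` and rely on the host key alone, or fix the comment to `# generateKey creates a fresh random age key here if none exists; it is NOT derived from the SSH host key above and must be backed up separately`. On the WSL host this also presumes the ed25519 host key exists, which needs sshd to have been enabled at least once; worth confirming.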
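--- /dev/null
+++ b/nix/secrets/.sops.yaml
@@ -0,0 +1,8 @@
+keys:
+- &macbook age1hmgy68ukugduef75ev72jnpu77ff3lajadpf7u0zv3ex4nt7f5qs5nxx2l
+
+creation_rules:
+- path_regex: secrets\.yaml$
+key_groups:
+- age:
+- *macbook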
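Review bot: The only recipient under `key_groups` is `macbook`, yet the NixOS hosts in this commit are set up to decrypt with their SSH host keys, so secrets.yaml cannot be read on any of them as written. Add one `&host` anchor per NixOS machine from `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub`, list them in the same `age:` list as `*macbook`, and run `sops updatekeys nix/secrets/secrets.yaml` after each change. Keep all recipients in that single group: extra entries under `key_groups` are Shamir shares and would require one key from every group to decrypt, which is presumably not intended here. A single recipient also means losing the macbook key loses every secret, so a second admin or backup recipient is a cheap safeguard.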
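--- /dev/null
+++ b/nix/secrets/secrets.yaml
@@ -0,0 +1 @@
+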
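Review bot: This file is committed as a single empty line, which is not a sops document (no `sops:` metadata block with the recipient list), so the first `sops.secrets.<name>` that references it will fail to decrypt at activation. Create it with `sops nix/secrets/secrets.yaml` so that even an initially empty set of keys is written in encrypted form for the recipients in .sops.yaml, and only ever commit that encrypted output. Until then it is safer to leave the file out of the repository than to ship a placeholder that looks like a secrets store.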