martin/dot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add secret handling

Browse Source
This commit is contained in:
Martin Pander
2026-02-07 15:55:01 +01:00
parent a9c5e2398d
commit 61bb1578e0
8 changed files with 91 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
nix/flake.lock generated
View File

@@ -98,7 +98,28 @@
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nixos-wsl": "nixos-wsl", "nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1770145881,
"narHash": "sha256-ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
} }
}, },

17
nix/flake.nix
View File

@@ -18,9 +18,14 @@
url = "github:LnL7/nix-darwin"; url = "github:LnL7/nix-darwin";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, nixos-wsl, home-manager, nix-darwin, ... }@inputs: outputs = { self, nixpkgs, nixos-wsl, home-manager, nix-darwin, sops-nix, ... }@inputs:
let let
linuxSystem = "x86_64-linux"; linuxSystem = "x86_64-linux";
linuxAarchSystem = "aarch64-linux"; linuxAarchSystem = "aarch64-linux";
@@ -38,7 +43,7 @@
# Work WSL # Work WSL
work = nixpkgs.lib.nixosSystem { work = nixpkgs.lib.nixosSystem {
system = linuxSystem; system = linuxSystem;
specialArgs = { inherit self; }; specialArgs = { inherit self inputs; };
modules = [ modules = [
nixos-wsl.nixosModules.wsl nixos-wsl.nixosModules.wsl
./hosts/work/nixos/configuration.nix ./hosts/work/nixos/configuration.nix
@@ -46,6 +51,7 @@
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = { inherit self inputs; };
home-manager.users.pan = import ./hosts/work/nixos/home.nix; home-manager.users.pan = import ./hosts/work/nixos/home.nix;
} }
]; ];
@@ -54,13 +60,14 @@
# Home # Home
home = nixpkgs.lib.nixosSystem { home = nixpkgs.lib.nixosSystem {
system = linuxAarchSystem; system = linuxAarchSystem;
specialArgs = { inherit self; }; specialArgs = { inherit self inputs; };
modules = [ modules = [
./hosts/home/nixos/configuration.nix ./hosts/home/nixos/configuration.nix
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = { inherit self inputs; };
home-manager.users.martin = import ./hosts/home/nixos/home.nix; home-manager.users.martin = import ./hosts/home/nixos/home.nix;
} }
]; ];
@@ -70,7 +77,7 @@
# --- Darwin Systems (Mac) --- # --- Darwin Systems (Mac) ---
darwinConfigurations."Martins-MacBook-Pro" = nix-darwin.lib.darwinSystem { darwinConfigurations."Martins-MacBook-Pro" = nix-darwin.lib.darwinSystem {
system = darwinSystem; system = darwinSystem;
specialArgs = { inherit self; }; specialArgs = { inherit self inputs; };
modules = [ ./hosts/home/darwin/configuration.nix ]; modules = [ ./hosts/home/darwin/configuration.nix ];
}; };
@@ -78,11 +85,13 @@
homeConfigurations = { homeConfigurations = {
"pan@work" = home-manager.lib.homeManagerConfiguration { "pan@work" = home-manager.lib.homeManagerConfiguration {
pkgs = pkgsLinux; pkgs = pkgsLinux;
extraSpecialArgs = { inherit self inputs; };
modules = [ ./hosts/work/nix/home.nix ]; modules = [ ./hosts/work/nix/home.nix ];
}; };
"martin@mac" = home-manager.lib.homeManagerConfiguration { "martin@mac" = home-manager.lib.homeManagerConfiguration {
pkgs = pkgsDarwin; pkgs = pkgsDarwin;
extraSpecialArgs = { inherit self inputs; };
modules = [ ./hosts/home/nix/home.nix ]; modules = [ ./hosts/home/nix/home.nix ];
}; };
}; };

5
nix/modules/home/common.nix
View File

@@ -2,6 +2,7 @@
{ {
imports = [ imports = [
./secrets.nix
./sh.nix ./sh.nix
./tmux.nix ./tmux.nix
./git.nix ./git.nix
@@ -18,6 +19,10 @@
yaml-language-server yaml-language-server
marksman marksman
dockerfile-language-server dockerfile-language-server
# Secrets management
sops
age
]; ];
news.display = "silent"; news.display = "silent";

17
nix/modules/home/secrets.nix Normal file
View File

@@ -0,0 +1,17 @@
{ inputs, config, ... }:
{
imports = [
inputs.sops-nix.homeManagerModules.sops
];
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
defaultSopsFormat = "yaml";
age = {
# This is the default location for the age key
keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
};
};
}

4
nix/modules/nixos/common.nix
View File

@@ -1,6 +1,10 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports = [
./secrets.nix
];
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";

21
nix/modules/nixos/secrets.nix Normal file
View File

@@ -0,0 +1,21 @@
{ inputs, config, ... }:
{
imports = [
inputs.sops-nix.nixosModules.sops
];
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
defaultSopsFormat = "yaml";
age = {
# This will automatically import the SSH keys as age keys
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# This is where the age key for sops-nix is stored
keyFile = "/var/lib/sops-nix/key.txt";
# This will generate a new age key from the SSH key if it doesn't exist
generateKey = true;
};
};
}

8
nix/secrets/.sops.yaml Normal file
View File

@@ -0,0 +1,8 @@
keys:
- &macbook age1hmgy68ukugduef75ev72jnpu77ff3lajadpf7u0zv3ex4nt7f5qs5nxx2l
creation_rules:
- path_regex: secrets\.yaml$
key_groups:
- age:
- *macbook

1
nix/secrets/secrets.yaml Normal file
View File

@@ -0,0 +1 @@