NullCube/permafrost
1
0
Fork 0
forked from Zynh0722/permafrost
Code Pull requests Activity

sops: user password

Browse source
This commit is contained in:
Zynh Ludwig 2024-12-27 20:57:05 -08:00
parent 250f354067
commit 9bcc20b2d0
7 changed files with 97 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
.sops.yaml Normal file
View file

@ -0,0 +1,11 @@
keys:
users:
- &ravenshade age1zgd7qpj7vc4gjtetttqgp32aw75fmnjrw6ax2x2meul2w4jclytszvutdd
hosts:
- &permafrost age1scqfsfa4mqs033gt546fxyt6aa8a0ksngqs53lr9h0tt98hl4f9svwmrzj
creation_rules:
- path_regex: secrets.yaml$
key_groups:
- age:
- *ravenshade
- *permafrost

23
flake.lock
View file

@ -138,7 +138,8 @@
"inputs": { "inputs": {
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nyazoom": "nyazoom" "nyazoom": "nyazoom",
"sops-nix": "sops-nix"
} }
}, },
"rust-overlay": { "rust-overlay": {
@ -162,6 +163,26 @@
"type": "github" "type": "github"
} }
}, },
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1734546875,
"narHash": "sha256-6OvJbqQ6qPpNw3CA+W8Myo5aaLhIJY/nNFDk3zMXLfM=",
"owner": "mic92",
"repo": "sops-nix",
"rev": "ed091321f4dd88afc28b5b4456e0a15bd8374b4d",
"type": "github"
},
"original": {
"owner": "mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,

1
flake.nix
View file

@ -3,6 +3,7 @@
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
sops-nix = { url = "github:mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";

10
hosts/permafrost/configuration.nix
View file

@ -15,21 +15,11 @@
auto-optimise-store = true; auto-optimise-store = true;
experimental-features = [ "nix-command" "flakes" ]; experimental-features = [ "nix-command" "flakes" ];
trusted-users = [
"ravenshade"
];
}; };
# Enable networking # Enable networking
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
# Define a user account. Don't forget to set a password with passwd.
users.users.ravenshade = {
isNormalUser = true;
description = "Zynh Ludwig";
extraGroups = [ "networkmanager" "wheel" ];
};
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

16
modules/sops.nix Normal file
View file

@ -0,0 +1,16 @@
{ inputs, ... }:
{
imports = [
inputs.sops-nix.nixosModules.sops
];
sops = {
defaultSopsFile = ../secrets.yaml;
age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
};
}

16
modules/users.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, ... }:
{
nix.settings.trusted-users = [ "ravenshade" ];
# users sops setup
sops.secrets."passwords/ravenshade".neededForUsers = true;
users.mutableUsers = false;
users.users.ravenshade = {
isNormalUser = true;
description = "Zynh Ludwig";
hashedPasswordFile = config.sops.secrets."passwords/ravenshade".path;
extraGroups = [ "networkmanager" "wheel" ];
};
}

31
secrets.yaml Normal file
View file

@ -0,0 +1,31 @@
passwords:
ravenshade: ENC[AES256_GCM,data:zWSMfn1NhvjJ41w8gh8rWHAGhhfx/m19CDT+V8opc/ToDqSC83ajHJ7g9wo5UFuTfVqd3hhw0+CLAINp/QFf10790UPZmiTqrQ==,iv:WYfg7XG1J68IxAaG5HA/9hXaAo3DPdArozUm0WQNtR0=,tag:jfgcLT1/cDxW5AgIbksIgA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1zgd7qpj7vc4gjtetttqgp32aw75fmnjrw6ax2x2meul2w4jclytszvutdd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WkhTajAvUFFiYlEvc1Zw
T2ZwUkwzdk83QkxVWERPalRBNWVuYVNpR2kwCk9oYVlrdlNrTzhNejdncVRodlRq
QzhsRHczY3ZTVHpmcHFiYkUvODhsZWcKLS0tIEtYbXJpbm4wekgyeVBvZWRTc2Jr
cGN4QUg4ZTFoT1RBMFBiS0QyWExpaTQKaEmohDZCYh1Rbf+e6g1FT9qyOdBVKYmO
eFVaLIcRFonu7nBhiiR+wfLPx8MNz8bJqugfGuMVPFs8BCFzeROJpw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1scqfsfa4mqs033gt546fxyt6aa8a0ksngqs53lr9h0tt98hl4f9svwmrzj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJbHpGY2pGRjltQWdsWDdp
Q1E1OVh4K3dxNmdPM3RlNVREVGRzckZRRlNvCnBrTWhLcTBoclRINUd4UEFuMUhO
eHZBRng5UVE4SFdSbVo2dnRScHJ6SVkKLS0tIENMUmJ3aFEzNXpoSWpzai9KUGFj
dUk3UkE4dEFTTlNqTmNMbkh2M0ZWSTgKBKhzo5inQL8LXWyiD7ZqjfXZpZFPWgM8
b4urS/bu1qvX12Nu4IYls/xLV6Tca5DJ5+cXfYMec4TcydlUVcxJLw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-28T05:25:33Z"
mac: ENC[AES256_GCM,data:8fnd7hhq3QplMCIL82VyHaWykHxoOzgovB8ij6B2B1f7C+h20PcaFlEZHWCb15L/kU6Hc3aL2rfkLR6DYAJnWRrTBLPyNHo0CvnUDTqVB0BU2asY27hPnAJZ2zBt6qdkk5enGf3qgKjQI+1HwftALhIstsiyiem8u/f4OX3HE0s=,iv:VU2SKF28hX4BXEFBhjZMiO+ZaNN7z5mVBviuzIc0vMA=,tag:5hJ/zR4r2BCVjQ7ZEM8V4g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2