[shared] Sops nix for user passwords

This commit is contained in:
Martin Berg Alstad 2025-04-17 00:31:19 +02:00
parent 8244fe8927
commit 01e5fb42d3
Signed by: martials
GPG Key ID: 706F53DD087A91DE
9 changed files with 93 additions and 7 deletions

2
.gitattributes vendored

@ -1 +1 @@
shared/secrets/* filter=git-crypt diff=git-crypt shared/secrets/weather-api-key filter=git-crypt diff=git-crypt
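Review bot: Narrowing the git-crypt pattern from `shared/secrets/*` to the single file `shared/secrets/weather-api-key` means any file later dropped into shared/secrets/ other than the sops-managed secrets.yaml is committed in plaintext, where the old wildcard caught it by default. Which of the two lines is the new one is not marked on this page, but the sops file added in this commit must not pass through the git-crypt filter, so the narrowing is presumably the new side. Keeping the wildcard and carving out only the sops file preserves the fail-safe default: `shared/secrets/* filter=git-crypt diff=git-crypt` followed by `shared/secrets/secrets.yaml !filter !diff`. Note that the .sops.yaml creation rule in this commit likewise matches only secrets.yaml, so a new plaintext file in that directory would be caught by neither tool.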

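--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+  - &primary age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w
+creation_rules:
+  - path_regex: shared/secrets/secrets.yaml$
+    key_groups:
+      - age:
+          - *primary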
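Review bot: The creation rule's `path_regex: shared/secrets/secrets.yaml$` is anchored only at the end and leaves the dot unescaped, so it also matches a path like `other/shared/secrets/secretsXyaml`; `path_regex: ^shared/secrets/secrets\.yaml$` pins it to the intended file. Only one age recipient is listed, and per the sops.nix hunk its private key is the user's `~/.config/sops/age/keys.txt`, so losing that home directory leaves the committed secrets undecryptable with no fallback. Adding a second recipient — an offline backup key or the target host's ssh host key converted with ssh-to-age — to `keys:` and to the rule's `age:` list, then running `sops updatekeys shared/secrets/secrets.yaml`, gives both the host and a recovery path access.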

21
flake.lock generated

@ -509,10 +509,31 @@
"nixpkgs-stable": "nixpkgs-stable", "nixpkgs-stable": "nixpkgs-stable",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nixvim": "nixvim", "nixvim": "nixvim",
"sops-nix": "sops-nix",
"spicetify-nix": "spicetify-nix", "spicetify-nix": "spicetify-nix",
"zen-browser": "zen-browser" "zen-browser": "zen-browser"
} }
}, },
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1744669848,
"narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=",
"owner": "mic92",
"repo": "sops-nix",
"rev": "61154300d945f0b147b30d24ddcafa159148026a",
"type": "github"
},
"original": {
"owner": "mic92",
"repo": "sops-nix",
"type": "github"
}
},
"spicetify-nix": { "spicetify-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [


@ -23,10 +23,10 @@
# ========= Utilities ========= # ========= Utilities =========
# #
# Secrets management # Secrets management
# sops-nix = { sops-nix = {
# url = "github:mic92/sops-nix"; url = "github:mic92/sops-nix";
# inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
# }; };
# Catppuccin theming # Catppuccin theming
catppuccin = { catppuccin = {
url = "github:catppuccin/nix"; url = "github:catppuccin/nix";


@ -44,3 +44,19 @@ unlock:
# Connect to tailnet or sign-in if not registered # Connect to tailnet or sign-in if not registered
start-tailscale: start-tailscale:
tailscale up --login-server https://vpn.martials.no tailscale up --login-server https://vpn.martials.no
# Generate a new age key from an existing ssh key (without passphrase)
@generate-age-from-ssh:
nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
# Get a public age key from an existing age private key
@get-public-age-key:
nix shell nixpkgs#age -c age-keygen -y ~/.config/sops/age/keys.txt
# Edit the SOPS secrets file
@edit-secrets:
nix run nixpkgs#sops -- shared/secrets/secrets.yaml
# Hash a string using the mkpasswd command
hash PASS:
echo "{{PASS}}" | mkpasswd -s
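Review bot: The `hash PASS:` recipe takes the password as a command-line argument, so it lands in the shell history and in the argv of `just` and of the `sh -c` it spawns by default, and `{{PASS}}` is interpolated unquoted into the recipe text, so a password containing `"`, `$` or backticks is mangled or expanded by the shell; because the recipe lacks the `@` prefix, just also echoes the command line, password included, before running it. Letting mkpasswd prompt avoids all of this: `@hash:` / `mkpasswd -m sha-512` (the prompt reads with echo disabled). Separately, `generate-age-from-ssh` redirects into `~/.config/sops/age/keys.txt` under the user's default umask and silently overwrites any existing key, which would strand secrets encrypted to the old one; creating the directory with `mkdir -p -m 700`, refusing to clobber (`set -o noclobber` or a `[ ! -e ... ]` check) and a `chmod 600` on the result would be the conservative shape.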


@ -1,5 +1,6 @@
{ {
imports = [ imports = [
./sops.nix
./yubikey.nix ./yubikey.nix
]; ];


@ -0,0 +1,20 @@
{
inputs,
lib,
systemConfig,
...
}:
{
imports = [
inputs.sops-nix.nixosModules.sops
];
sops = {
defaultSopsFile = lib.custom.relativeToRoot "shared/secrets/secrets.yaml";
defaultSopsFormat = "yaml";
age.keyFile = "/home/${systemConfig.user.name}/.config/sops/age/keys.txt";
secrets.password.neededForUsers = true;
};
}
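Review bot: `age.keyFile` points at `/home/${user}/.config/sops/age/keys.txt`, so the key that decrypts the system's secrets — including, with `neededForUsers = true`, the user's own login hash — is a file the unprivileged user owns and can read, and it presumably has to be present (with /home mounted) during early activation on every host that imports this shared module, including a fresh install where that home directory does not exist yet. The justfile in this commit derives it from a passphrase-less `~/.ssh/id_ed25519`, so compromise of that ssh key also yields every secret in secrets.yaml. The usual sops-nix shape is a root-only host key: `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` (or `age.keyFile = "/var/lib/sops-nix/key.txt"; age.generateKey = true;`), with that host's age public key added as a recipient in .sops.yaml, keeping the per-user key only for editing. Whether openssh host keys exist on these systems is not visible here, and `lib.custom.relativeToRoot` is a project helper I cannot check.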


@ -1,11 +1,11 @@
{ systemConfig, ... }: { config, systemConfig, ... }:
let let
username = systemConfig.user.name; username = systemConfig.user.name;
in in
{ {
# Define a user without a password, TODO pass in user.password
users.users.${username} = { users.users.${username} = {
isNormalUser = true; isNormalUser = true;
hashedPasswordFile = config.sops.secrets.password.path;
description = username; description = username;
extraGroups = [ extraGroups = [
"networkmanager" "networkmanager"
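Review bot: `hashedPasswordFile` manages the password declaratively only when `users.mutableUsers` is false; with the NixOS default of true the declared hash is applied when the user is first created and existing passwords are left untouched, so rotating the hash in secrets.yaml would silently do nothing on already-deployed hosts. If the intent is declarative password management, add `users.mutableUsers = false;` alongside it (the option is not visible in this hunk, so it may already be set elsewhere). The `users.users.${username}` attribute set continues past the end of the hunk.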


@ -0,0 +1,21 @@
password: ENC[AES256_GCM,data:tEiGH0G57H9yfRr3t9MyPEw3UvKPXJcCQ3xd0Baiz2yzIlFdPAMWl3TUjmGgEolaU2HznIv3DXAtlqQt8mXCMJKE8XD20VTOjw==,iv:OZYO/Ps9JakbvLqJ6QaUQ6YcJRasM0GRSQzs/mhg3eg=,tag:UjzK0vJPHj8UEgDMAlBjZw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReCtVUlRYV0hXL1RDa2ta
dDVlRU1FazI1cjA1OGJxNUZ6TGVkWFI2SGxVCm9VdUliTk1CeWRGN3pvOU5ZcGNZ
dGxNMlFRUlcyR1NKNVVscDFPbHRUWjAKLS0tIDhhQjhPWnZXdVZkd1owT0pWQ2dH
aENIaVM4cm1ZWDVOcEFYZEFjTDc1OUkKpRq6R6PYR9lPdX79Kaw+7R3OYLZLVrYh
seVS5wbrjShY2MZGKAOc0mUt5pCDBddt43gGAmI152451l70LZiN7A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-16T22:29:18Z"
mac: ENC[AES256_GCM,data:e+OAwJgpRLaCh64dQPOtI7ZmH9NflmyO37HmQFCWEjn65VB0tGfodmmKzzf8D+e7dZLQCO2RA86atSN3GdiB5JSJ7LGJg0XYMDBPi4Kc9iOSgxvnzeZd0YL52aD9qRHx4H5GDPSTHd0ZdqGj1c6DUVaHLxwd3uFh3FzS7nkAlfQ=,iv:r2tIu9xSrT0xv5vJV4OlDj0ogs9LZggucjY1KrI48Fk=,tag:oUavEzaMczLx47ZB6XE8+w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4