diff --git a/hosts/pi4/default.nix b/hosts/pi4/default.nix index 5a0a120..16d3a71 100644 --- a/hosts/pi4/default.nix +++ b/hosts/pi4/default.nix @@ -1,14 +1,16 @@ { lib, + config, systemConfig, ... }: { - imports = [ - (lib.custom.relativeToRoot "shared/modules/nix-helper.nix") - (lib.custom.relativeToRoot "shared/modules/nixos.nix") - (lib.custom.relativeToRoot "shared/modules/shell.nix") + imports = with lib.custom; [ + (relativeToRoot "shared/modules/nix-helper.nix") + (relativeToRoot "shared/modules/nixos.nix") + (relativeToRoot "shared/modules/shell.nix") + (relativeToRoot "shared/modules/security/sops.nix") ./boot.nix ./development.nix ./hardware.nix @@ -22,7 +24,7 @@ mutableUsers = false; users.${systemConfig.user.name} = { isNormalUser = true; - password = systemConfig.user.password; + hashedPasswordFile = config.sops.secrets.password.path; extraGroups = [ "wheel" ]; }; }; diff --git a/justfile b/justfile index 647a944..24b9f13 100644 --- a/justfile +++ b/justfile @@ -18,6 +18,12 @@ test *FLAGS: just fmt nh os test . {{FLAGS}} +# Add new configuration to bootloader, but don't activate it now +boot *FLAGS: + git add . + just fmt + nh os test . {{FLAGS}} + # Switch to new config and add to bootloader switch *FLAGS: git add . diff --git a/shared/secrets/secrets.yaml b/shared/secrets/secrets.yaml index b56d68e..277b432 100644 --- a/shared/secrets/secrets.yaml +++ b/shared/secrets/secrets.yaml @@ -1,4 +1,4 @@ -password: ENC[AES256_GCM,data:tEiGH0G57H9yfRr3t9MyPEw3UvKPXJcCQ3xd0Baiz2yzIlFdPAMWl3TUjmGgEolaU2HznIv3DXAtlqQt8mXCMJKE8XD20VTOjw==,iv:OZYO/Ps9JakbvLqJ6QaUQ6YcJRasM0GRSQzs/mhg3eg=,tag:UjzK0vJPHj8UEgDMAlBjZw==,type:str] +password: ENC[AES256_GCM,data:9sqcjpl3e+Fu6vDeoSViQ+z+AMpaL/zvdDNRsIs3APJytzvOktj4njJ4Ciign+fuehLv1jnCt4QeLh4W5bz4QOlo5VQweX2v/w==,iv:p4no6Vza6ma14Aeg6cRfJg2bbj2EeKd0MueepZCsILI=,tag:MKHDXT8G+cy4kC7r/UQVHg==,type:str] sops: kms: [] gcp_kms: [] 
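Review bot: The new `hashedPasswordFile = config.sops.secrets.password.path;` line is read while users are created during activation, and with `mutableUsers = false` a file that is missing at that point can leave the account without a usable password. sops-nix only decrypts a secret early enough for this when it is declared with `neededForUsers = true`; `shared/modules/security/sops.nix` is not part of this diff, so confirm it contains `sops.secrets.password.neededForUsers = true;`. The decrypted value also has to be a crypt(3) hash (for example `mkpasswd` output) rather than the plaintext, which cannot be checked from the ciphertext change in `shared/secrets/secrets.yaml`. Because the removed `password = systemConfig.user.password;` put the plaintext into the world-readable Nix store, the password itself should be rotated if that has not already happened. The `users` attribute set this line sits in starts before the hunk.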
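Review bot: The new `boot` recipe ends with `nh os test . {{FLAGS}}`, which is the `test` recipe's command and contradicts its own comment "Add new configuration to bootloader, but don't activate it now". `nh os test` activates the configuration immediately without making it the boot default, so a change meant to wait for a reboot (such as the password-source change in this commit) goes live at once and is not persisted. The last line of the recipe should be `nh os boot . {{FLAGS}}`.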
@@ -8,14 +8,23 @@ sops: - recipient: age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReCtVUlRYV0hXL1RDa2ta - dDVlRU1FazI1cjA1OGJxNUZ6TGVkWFI2SGxVCm9VdUliTk1CeWRGN3pvOU5ZcGNZ - dGxNMlFRUlcyR1NKNVVscDFPbHRUWjAKLS0tIDhhQjhPWnZXdVZkd1owT0pWQ2dH - aENIaVM4cm1ZWDVOcEFYZEFjTDc1OUkKpRq6R6PYR9lPdX79Kaw+7R3OYLZLVrYh - seVS5wbrjShY2MZGKAOc0mUt5pCDBddt43gGAmI152451l70LZiN7A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TDlyZ1lYajRRMksyTFRO + NmNYcUdxVDdzTmdZajhKRDRJSzR1ZnFUaFFZClUwS0w0MlhNUDZBWDdDM28zUUlr + VFZvcWMrRTNVMVlrVnZDelZjV3piMjgKLS0tIFVlbG9Xai9hQVJ5NmZsdVR2dkJR + VUhNbDFUU0JjUHNKVXVJZVBJNThQaWsKyaVuPD89mvnK+6t4buocuXW7SBgO1NH9 + CwnxdMNadQ5ZAATuBJTiL1IhDfusc6rtDl8DyrQxFv7R/0i/hFVERQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-16T22:29:18Z" - mac: ENC[AES256_GCM,data:e+OAwJgpRLaCh64dQPOtI7ZmH9NflmyO37HmQFCWEjn65VB0tGfodmmKzzf8D+e7dZLQCO2RA86atSN3GdiB5JSJ7LGJg0XYMDBPi4Kc9iOSgxvnzeZd0YL52aD9qRHx4H5GDPSTHd0ZdqGj1c6DUVaHLxwd3uFh3FzS7nkAlfQ=,iv:r2tIu9xSrT0xv5vJV4OlDj0ogs9LZggucjY1KrI48Fk=,tag:oUavEzaMczLx47ZB6XE8+w==,type:str] + - recipient: age1xlnprpvshv93eerthxzg6cahklsfc4efh8dd6u8dte9u6cl0u5qsz48qlt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bkhSTEpMcUNBQmhQNmdS + dENxbGJtUGxpZFhoR3B6WG1oM2VSOW1qcURJCjhlbUNaaktDV1RTTy9tbGlYYXdH + Q3c1WUNXRWJSU3QxbDVJTXEwZ3RSVncKLS0tIFpvRkpMWUFwTHJlaTlFK3g2aVgr + YlYvRkxWcmM2bUs1Q1p1RWZHS0EyV3cKH0PSG9KxIRbTr0bCJt9+e2a9c8ATPpYU + c8ncCckCCv/zmGvyRE/v7DYWN0tUutbMULle5AC7MqVdREP7zMMlXA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-18T13:14:40Z" + mac: ENC[AES256_GCM,data:ydUPxCQFAwVKf9iKnvaEcwH49w8rdK9GqqFosoErzqGFJTax7vFAFhwHgM8j4dpJhM5VM1N27Hke4h7ksO1w2XABMJyQi+f1wgiier3qiEeWE+3CeE18+nXnnHjXqrCLHCoKUUtEdK8rosOfaEXBFTs5Ihwz22UklvG5Ero0ls0=,iv:H89DPDlr/P+eEI+BgmxNY/LKgh8xtS7cfPnAFlwL1wE=,tag:TXtiza9PAPt6q4+wssHIjg==,type:str] pgp: [] unencrypted_suffix: 
_unencrypted version: 3.9.4