rayandrew/nix-v0
rayandrew/nix-v0
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add sops

Browse source
This commit is contained in:
Ray Andrew 2024-11-03 18:36:00 -06:00
parent 77f3cef4df
commit 1a4f484b1d
14 changed files with 159 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml Normal file
View file

@ -0,0 +1,7 @@
keys:
- &rayandrew age10jr6vyrtppdtjzfudw36j22lf9pl2lu8rgekrr6t4egruz7dcsvqrhd4u3
creation_rules:
- path_regex: src/hosts/secrets.json$
key_groups:
- age:
- *rayandrew

3
README.md
View file

@ -12,6 +12,5 @@ sudo nixos-install --root /mnt --flake .#pickwick
## References
- https://github.com/iynaix/dotfiles/blob/13c2fcec880d292726f52be1075277d521caf3a7/nixos/zfs.nix
- https://github.com/iynaix/dotfiles/blob/13c2fcec880d292726f52be1075277d521caf3a7/nixos/impermanence.nix#L69
- https://github.com/iynaix/dotfiles (HUGE THANKS, MIT LICENSE)
- https://github.com/maydayv7/dotfiles

38
flake.lock
View file

@ -356,6 +356,22 @@
"type": "github"
}
},
"nixpkgs-stable_3": {
"locked": {
"lastModified": 1730602179,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"plasma-manager": {
"inputs": {
"home-manager": [
@ -390,10 +406,32 @@
"nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable_2",
"plasma-manager": "plasma-manager",
"sops-nix": "sops-nix",
"stylix": "stylix",
"treefmt-nix": "treefmt-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_3"
},
"locked": {
"lastModified": 1730605784,
"narHash": "sha256-1NveNAMLHbxOg0BpBMSVuZ2yW2PpDnZLbZ25wV50PMc=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "e9b5eef9b51cdf966c76143e13a9476725b2f760",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"stylix": {
"inputs": {
"base16": "base16",

11
flake.nix
View file

@ -21,6 +21,8 @@
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
git-hooks.url = "github:cachix/git-hooks.nix";
git-hooks.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs =
@ -116,10 +118,11 @@
nativeBuildInputs = [
treefmtEval.${system}.config.build.wrapper
];
packages = [
pkgs.sops
pkgs.ssh-to-age
pkgs.nixfmt-rfc-style
packages = with pkgs; [
sops
age
ssh-to-age
nixfmt-rfc-style
];
DIRENV_LOG_FORMAT = "";
};

35
src/home/default.nix
View file

@ -10,10 +10,8 @@
./emacs.nix
./impermanence.nix
./gui
./latex.nix
./shell
./ssh.nix
./vim.nix
./wm
];
@ -25,38 +23,7 @@
stateVersion = "24.11";
username = user;
homeDirectory = "/home/${user}";
activation = {
# linkDesktopApplications = {
# after = ["writeBoundary" "createXdgUserDirectories"];
# before = [];
# data = ''
# rm -rf ${config.home.homeDirectory}/.local/share/applications/home-manager
# rm -rf ${config.home.homeDirectory}/.icons/nix-icons
# mkdir -p ${config.home.homeDirectory}/.local/share/applications/home-manager
# mkdir -p ${config.home.homeDirectory}/.icons
# ln -sf ${config.home.homeDirectory}/.nix-profile/share/icons ${config.home.homeDirectory}/.icons/nix-icons
# # Check if the cached desktop files list exists
# if [ -f ${config.home.homeDirectory}/.cache/current_desktop_files.txt ]; then
# current_files=$(cat ${config.home.homeDirectory}/.cache/current_desktop_files.txt)
# else
# current_files=""
# fi
# # Symlink new desktop entries
# ${pkgs.bash}/bin/bash -c <
# for desktop_file in "${config.home.homeDirectory}/.nix-profile/share/applications/*.desktop"; do
# if ! echo "$current_files" | grep -q "$(basename $desktop_file)"; then
# echo $desktop_file
# ln -sf "$desktop_file" ${config.home.homeDirectory}/.local/share/applications/home-manager/$(basename $desktop_file)
# fi
# done
# # Update desktop database
# ${pkgs.desktop-file-utils}/bin/update-desktop-database ${config.home.homeDirectory}/.local/share/applications
# '';
# };
};
activation = { };
};
programs.home-manager.enable = true;

2
src/home/shell/custom.sh
View file

@ -4,7 +4,7 @@ export PATH="$HOME/.bin:$PATH"
export PATH="$HOME/bin:$PATH"
export PATH="$HOME/.local/bin:$PATH"
export EDITOR="nvim"
export EDITOR="vim"
# export EDITOR="emacs -nw"
export ZINIT_INSTALL_BINARY=0

2
src/home/shell/default.nix
View file

@ -9,11 +9,13 @@
./bash.nix
./direnv.nix
./git.nix
./latex.nix
./lazygit.nix
./nix.nix
./ripgrep.nix
./shell.nix
./tmux
./vim.nix
./zoxide.nix
];

0
src/home/latex.nix → src/home/shell/latex.nix
View file

0
src/home/vim.nix → src/home/shell/vim.nix
View file

4
src/home/wm/common-i3.nix
View file

@ -154,8 +154,8 @@ in
"${modifier}+Shift+p" = "floating toggle";
"${modifier}+p" = "focus mode_toggle";
"${modifier}+f" = "fullscreen toggle";
"${modifier}+Shift+v" = "split h";
"${modifier}+v" = "split v";
"${modifier}+Shift+v" = "split v";
"${modifier}+v" = "split h";
"${modifier}+Shift+h" = "move left";
"${modifier}+Shift+j" = "move down";

1
src/hosts/default.nix
View file

@ -59,6 +59,7 @@ let
inputs.home-manager.nixosModules.home-manager
inputs.impermanence.nixosModules.impermanence
inputs.stylix.nixosModules.stylix
inputs.sops-nix.nixosModules.sops
];
};
in

19
src/hosts/secrets.json Normal file
View file

@ -0,0 +1,19 @@
{
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age10jr6vyrtppdtjzfudw36j22lf9pl2lu8rgekrr6t4egruz7dcsvqrhd4u3",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMZkczUjQ3b2NEV29WRTNZ\nSnlLdUlsUFdsWmZmU2gxVEgzWFlqNzlBNDE4CnlWazBQSFRReHZWT1lDYm0yWng2\nUEtjcDlvcS9QWEFDYU4yWkxOTmttMmsKLS0tIDVmcUV3ejg2MktWMFNBR25EdHVU\ndXdNMHBEYURNbFBHeDhVY2h2MnVTVk0KEg0MtRZR2dyb/4yuOC09DwxuVu1nca9H\naO8ZILRosqAkWL6qyuxnvlZHFOmLVibwMUnpAtesBHMXhxBiFyslMw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-11-04T00:18:04Z",
"mac": "ENC[AES256_GCM,data:f6JwS7xYvqLMHd+mjuYpK2k+WMtXXK5ePuKrsjsMtjLpHR4YnQm4tFmhlvGtVHXkgn9WT7+qq8HUfMaDKvU3AZ9fkio3DCAPQFQZpIUHApvTTb8MgS4XBl2ST1/HPBnGS40IRL3Nx0NvUtxCUadv1+sE+9fz0repcQ4OkGpcvno=,iv:bfFCUlkY9oOaIueZLA8llmp6U3NUdRGsVqwNSmjM36g=,tag:ShzJ79NtDo14dh5TygYQsw==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.1"
}
}

1
src/nixos/default.nix
View file

@ -19,6 +19,7 @@
./pipewire.nix
./stylix.nix
./touchpad.nix
./sops.nix
./users.nix
./xdg-portal.nix
./wm

79
src/nixos/sops.nix Normal file
View file

@ -0,0 +1,79 @@
{
config,
lib,
pkgs,
user,
...
}:
let
homeDir = config.hm.home.homeDirectory;
in
{
options.custom = with lib; {
sops.enable = mkEnableOption "sops" // {
default = true;
};
};
config = lib.mkIf config.custom.sops.enable {
sops = {
# to edit secrets file, run "sops hosts/secrets.json"
defaultSopsFile = ../hosts/secrets.json;
# use full path to persist as the secrets activation script runs at the start
# of stage 2 boot before impermanence
gnupg.sshKeyPaths = [ ];
age = {
sshKeyPaths = [ "/persist${homeDir}/.ssh/id_ed25519" ];
keyFile = "/persist${homeDir}/.config/sops/age/keys.txt";
# This will generate a new key if the key specified above does not exist
generateKey = false;
};
};
users.users.${user}.extraGroups = [ config.users.groups.keys.name ];
# script to bootstrap a new install
custom.shell.packages = {
install-remote-secrets = {
runtimeInputs = [ pkgs.rsync ];
text =
let
persistHome = "/persist${homeDir}";
copy = src: ''rsync -aP --mkpath "${persistHome}/${src}" "$user@$remote:$target/${src}"'';
in
''
read -rp "Enter ip of remote host: " remote
target="/mnt${persistHome}"
while true; do
read -rp "Use /mnt? [y/n] " yn
case $yn in
[Yy]*)
echo "y";
target="/mnt${persistHome}"
break;;
[Nn]*)
echo "n";
target="${persistHome}"
break;;
*)
echo "Please answer yes or no.";;
esac
done
read -rp "Enter user on remote host: [nixos] " user
user=''${user:-nixos}
${copy ".ssh/"}
${copy ".config/sops/age/"}
'';
};
};
custom.persist.home = {
directories = [ ".config/sops" ];
};
};
}