add sops

2024-11-03 18:36:00 -06:00 · 2024-11-03 18:36:00 -06:00 · 1a4f484b1d
commit 1a4f484b1d
parent 77f3cef4df
14 changed files with 159 additions and 43 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
 keys:
  - &rayandrew age10jr6vyrtppdtjzfudw36j22lf9pl2lu8rgekrr6t4egruz7dcsvqrhd4u3
 creation_rules:
  - path_regex: src/hosts/secrets.json$
    key_groups:
    - age:
      - *rayandrew
--- a/README.md
+++ b/README.md
@ -12,6 +12,5 @@ sudo nixos-install --root /mnt --flake .#pickwick
 ## References
- https://github.com/iynaix/dotfiles/blob/13c2fcec880d292726f52be1075277d521caf3a7/nixos/zfs.nix
+- https://github.com/iynaix/dotfiles (HUGE THANKS, MIT LICENSE)
 - https://github.com/iynaix/dotfiles/blob/13c2fcec880d292726f52be1075277d521caf3a7/nixos/impermanence.nix#L69 
 - https://github.com/maydayv7/dotfiles
--- a/flake.lock
+++ b/flake.lock
@ -356,6 +356,22 @@
        "type": "github"
      }
    },
    "nixpkgs-stable_3": {
      "locked": {
        "lastModified": 1730602179,
        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "plasma-manager": {
      "inputs": {
        "home-manager": [
@ -390,10 +406,32 @@
        "nixpkgs": "nixpkgs",
        "nixpkgs-stable": "nixpkgs-stable_2",
        "plasma-manager": "plasma-manager",
        "sops-nix": "sops-nix",
        "stylix": "stylix",
        "treefmt-nix": "treefmt-nix"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": "nixpkgs-stable_3"
      },
      "locked": {
        "lastModified": 1730605784,
        "narHash": "sha256-1NveNAMLHbxOg0BpBMSVuZ2yW2PpDnZLbZ25wV50PMc=",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "e9b5eef9b51cdf966c76143e13a9476725b2f760",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "stylix": {
      "inputs": {
        "base16": "base16",
--- a/flake.nix
+++ b/flake.nix
@ -21,6 +21,8 @@
    treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
    git-hooks.url = "github:cachix/git-hooks.nix";
    git-hooks.inputs.nixpkgs.follows = "nixpkgs";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs =
@ -116,10 +118,11 @@
            nativeBuildInputs = [
              treefmtEval.${system}.config.build.wrapper
            ];
-            packages = [
+            packages = with pkgs; [
-              pkgs.sops
+              sops
-              pkgs.ssh-to-age
+              age
-              pkgs.nixfmt-rfc-style
+              ssh-to-age
              nixfmt-rfc-style
            ];
            DIRENV_LOG_FORMAT = "";
          };
--- a/src/home/default.nix
+++ b/src/home/default.nix
@ -10,10 +10,8 @@
    ./emacs.nix
    ./impermanence.nix
    ./gui
    ./latex.nix
    ./shell
    ./ssh.nix
    ./vim.nix
    ./wm
  ];
@ -25,38 +23,7 @@
      stateVersion = "24.11";
      username = user;
      homeDirectory = "/home/${user}";
-      activation = {
+      activation = { };
        # linkDesktopApplications = {
        #   after = ["writeBoundary" "createXdgUserDirectories"];
        #   before = [];
        #   data = ''
        #     rm -rf ${config.home.homeDirectory}/.local/share/applications/home-manager
        #     rm -rf ${config.home.homeDirectory}/.icons/nix-icons
        #     mkdir -p ${config.home.homeDirectory}/.local/share/applications/home-manager
        #     mkdir -p ${config.home.homeDirectory}/.icons
        #     ln -sf ${config.home.homeDirectory}/.nix-profile/share/icons ${config.home.homeDirectory}/.icons/nix-icons
        #     # Check if the cached desktop files list exists
        #     if [ -f ${config.home.homeDirectory}/.cache/current_desktop_files.txt ]; then
        #       current_files=$(cat ${config.home.homeDirectory}/.cache/current_desktop_files.txt)
        #     else
        #       current_files=""
        #     fi
        #     # Symlink new desktop entries
        #     ${pkgs.bash}/bin/bash -c <
        #     for desktop_file in "${config.home.homeDirectory}/.nix-profile/share/applications/*.desktop"; do
        #       if ! echo "$current_files" | grep -q "$(basename $desktop_file)"; then
        #         echo $desktop_file
        #         ln -sf "$desktop_file" ${config.home.homeDirectory}/.local/share/applications/home-manager/$(basename $desktop_file)
        #       fi
        #     done
        #     # Update desktop database
        #     ${pkgs.desktop-file-utils}/bin/update-desktop-database ${config.home.homeDirectory}/.local/share/applications
        #   '';
        # };
      };
    };
    programs.home-manager.enable = true;
--- a/src/home/shell/custom.sh
+++ b/src/home/shell/custom.sh
@ -4,7 +4,7 @@ export PATH="$HOME/.bin:$PATH"
 export PATH="$HOME/bin:$PATH"
 export PATH="$HOME/.local/bin:$PATH"
-export EDITOR="nvim"
+export EDITOR="vim"
 # export EDITOR="emacs -nw"
 export ZINIT_INSTALL_BINARY=0
--- a/src/home/shell/default.nix
+++ b/src/home/shell/default.nix
@ -9,11 +9,13 @@
    ./bash.nix
    ./direnv.nix
    ./git.nix
    ./latex.nix
    ./lazygit.nix
    ./nix.nix
    ./ripgrep.nix
    ./shell.nix
    ./tmux
    ./vim.nix
    ./zoxide.nix
  ];
--- a/src/home/shell/latex.nix
+++ b/src/home/shell/latex.nix
--- a/src/home/shell/vim.nix
+++ b/src/home/shell/vim.nix
--- a/src/home/wm/common-i3.nix
+++ b/src/home/wm/common-i3.nix
@ -154,8 +154,8 @@ in
      "${modifier}+Shift+p" = "floating toggle";
      "${modifier}+p" = "focus mode_toggle";
      "${modifier}+f" = "fullscreen toggle";
-      "${modifier}+Shift+v" = "split h";
+      "${modifier}+Shift+v" = "split v";
-      "${modifier}+v" = "split v";
+      "${modifier}+v" = "split h";
      "${modifier}+Shift+h" = "move left";
      "${modifier}+Shift+j" = "move down";
--- a/src/hosts/default.nix
+++ b/src/hosts/default.nix
@ -59,6 +59,7 @@ let
        inputs.home-manager.nixosModules.home-manager
        inputs.impermanence.nixosModules.impermanence
        inputs.stylix.nixosModules.stylix
        inputs.sops-nix.nixosModules.sops
      ];
    };
 in
--- a/src/hosts/secrets.json
+++ b/src/hosts/secrets.json
@ -0,0 +1,19 @@
 {
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age10jr6vyrtppdtjzfudw36j22lf9pl2lu8rgekrr6t4egruz7dcsvqrhd4u3",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMZkczUjQ3b2NEV29WRTNZ\nSnlLdUlsUFdsWmZmU2gxVEgzWFlqNzlBNDE4CnlWazBQSFRReHZWT1lDYm0yWng2\nUEtjcDlvcS9QWEFDYU4yWkxOTmttMmsKLS0tIDVmcUV3ejg2MktWMFNBR25EdHVU\ndXdNMHBEYURNbFBHeDhVY2h2MnVTVk0KEg0MtRZR2dyb/4yuOC09DwxuVu1nca9H\naO8ZILRosqAkWL6qyuxnvlZHFOmLVibwMUnpAtesBHMXhxBiFyslMw==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2024-11-04T00:18:04Z",
 		"mac": "ENC[AES256_GCM,data:f6JwS7xYvqLMHd+mjuYpK2k+WMtXXK5ePuKrsjsMtjLpHR4YnQm4tFmhlvGtVHXkgn9WT7+qq8HUfMaDKvU3AZ9fkio3DCAPQFQZpIUHApvTTb8MgS4XBl2ST1/HPBnGS40IRL3Nx0NvUtxCUadv1+sE+9fz0repcQ4OkGpcvno=,iv:bfFCUlkY9oOaIueZLA8llmp6U3NUdRGsVqwNSmjM36g=,tag:ShzJ79NtDo14dh5TygYQsw==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.1"
 	}
 }
--- a/src/nixos/default.nix
+++ b/src/nixos/default.nix
@ -19,6 +19,7 @@
    ./pipewire.nix
    ./stylix.nix
    ./touchpad.nix
    ./sops.nix
    ./users.nix
    ./xdg-portal.nix
    ./wm
--- a/src/nixos/sops.nix
+++ b/src/nixos/sops.nix
@ -0,0 +1,79 @@
 {
  config,
  lib,
  pkgs,
  user,
  ...
 }:
 let
  homeDir = config.hm.home.homeDirectory;
 in
 {
  options.custom = with lib; {
    sops.enable = mkEnableOption "sops" // {
      default = true;
    };
  };
  config = lib.mkIf config.custom.sops.enable {
    sops = {
      # to edit secrets file, run "sops hosts/secrets.json"
      defaultSopsFile = ../hosts/secrets.json;
      # use full path to persist as the secrets activation script runs at the start
      # of stage 2 boot before impermanence
      gnupg.sshKeyPaths = [ ];
      age = {
        sshKeyPaths = [ "/persist${homeDir}/.ssh/id_ed25519" ];
        keyFile = "/persist${homeDir}/.config/sops/age/keys.txt";
        # This will generate a new key if the key specified above does not exist
        generateKey = false;
      };
    };
    users.users.${user}.extraGroups = [ config.users.groups.keys.name ];
    # script to bootstrap a new install
    custom.shell.packages = {
      install-remote-secrets = {
        runtimeInputs = [ pkgs.rsync ];
        text =
          let
            persistHome = "/persist${homeDir}";
            copy = src: ''rsync -aP --mkpath "${persistHome}/${src}" "$user@$remote:$target/${src}"'';
          in
          ''
            read -rp "Enter ip of remote host: " remote
            target="/mnt${persistHome}"
            while true; do
                read -rp "Use /mnt? [y/n] " yn
                case $yn in
                  [Yy]*)
                    echo "y";
                    target="/mnt${persistHome}"
                    break;;
                  [Nn]*)
                    echo "n";
                    target="${persistHome}"
                    break;;
                  *)
                    echo "Please answer yes or no.";;
                esac
            done
            read -rp "Enter user on remote host: [nixos] " user
            user=''${user:-nixos}
            ${copy ".ssh/"}
            ${copy ".config/sops/age/"}
          '';
      };
    };
    custom.persist.home = {
      directories = [ ".config/sops" ];
    };
  };
 }