From 4f4d38ed1ee61a6ccbd533f5272dfef15441081a Mon Sep 17 00:00:00 2001
From: Matt Nish-Lapidus
Date: Wed, 1 Jan 2025 13:18:25 -0500
Subject: [PATCH] sops-nix for bw secrets
---
 .sops.yaml | 7 +++++++
 flake.lock | 21 +++++++++++++++++++++
 flake.nix | 9 ++++++++-
 home/home.nix | 28 +++++++++++++++++++++++-----
 home/secrets.yaml | 22 ++++++++++++++++++++++
 5 files changed, 81 insertions(+), 6 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 home/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..0ec3027
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &emenel_eddie age10k8v6pfm3p7cmsgn6wu5ufpcquqgpvqh76l23xf326et55dacc0qlr8fe8
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - age:
+ - *emenel_eddie
diff --git a/flake.lock b/flake.lock
index dcf45fd..b08ced0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -205,6 +205,7 @@
 "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix", "wezterm": "wezterm" } },
@@ -229,6 +230,26 @@
 "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1735468296, + "narHash": "sha256-ZjUjbvS06jf4fElOF4ve8EHjbpbRVHHypStoY8HGzk8=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "bcb8b65aa596866eb7e5c3e1a6cccbf5d1560b27", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index ce35bdb..9c7e9a8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -30,6 +30,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 # nix-ld.url = "github:Mic92/nix-ld";
 # nix-ld.inputs.nixpkgs.follows = "nixpkgs";
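Review bot: The single `creation_rules` entry encrypts to exactly one age recipient, so if `keys.txt` on that machine is lost or the host is reinstalled, `home/secrets.yaml` can no longer be decrypted and every secret has to be re-entered; a second recipient held offline, e.g. `- &emenel_backup age1<placeholder>` under `keys:` and `- *emenel_backup` in the `age:` list, lets the backup key re-encrypt for a replacement recipient with `sops updatekeys`. `path_regex: secrets.yaml$` has an unescaped dot and no start anchor, so `secrets\.yaml$` (or `^home/secrets\.yaml$` if your sops version matches paths relative to this file) states the intent more precisely. With no `encrypted_regex` every value in the matched file is encrypted, which is the right default for a file holding API credentials.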
@@ -37,7 +42,7 @@
 # affinity-nix.inputs.nixpkgs.follows = "nixpkgs";
 };
- outputs = {nixpkgs, nixpkgs-unstable, wezterm, home-manager, nix-flatpak, kmonad, musnix, self, ... } @ inputs:
+ outputs = {nixpkgs, home-manager, sops-nix, nix-flatpak, kmonad, musnix, self, ... } @ inputs:
 let
 inherit (self) outputs;
 # Supported systems for your flake packages, shell, etc.
@@ -66,6 +71,7 @@
 inherit inputs outputs;
 };
 modules = [
+ sops-nix.nixosModules.sops
 nix-flatpak.nixosModules.nix-flatpak
 kmonad.nixosModules.default
 musnix.nixosModules.musnix
@@ -84,6 +90,7 @@
 modules = [
 nix-flatpak.homeManagerModules.nix-flatpak
+ sops-nix.homeManagerModules.sops
 ./home/home.nix
 ];
 };
diff --git a/home/home.nix b/home/home.nix
index 0c70e4d..ca7ecbe 100644
--- a/home/home.nix
+++ b/home/home.nix
@@ -1,4 +1,4 @@
-{ nix-flatpak, lib, pkgs, inputs, outputs, ... }:
+{ nix-flatpak, lib, config, pkgs, inputs, outputs, ... }:
 {
 nixpkgs = {
@@ -68,6 +68,9 @@
 alsa-oss powertop + age + sops + nix-du usbutils
@@ -369,8 +372,8 @@
 WINEFSYNC = 1;
 PKG_CONFIG_PATH = "/home/emenel/.nix-profile/lib/pkgconfig:/home/emenel/.nix-profile/lib64/pkgconfig:/home/emenal/.nix-profile/share/pkgconfig";
 GI_TYPELIB_PATH = "/run/current-system/sw/lib/girepository-1.0";
- BW_CLIENTID = "***REMOVED***";
- BW_CLIENTSECRET = "***REMOVED***";
+ BW_CLIENTID = "$(cat ${config.sops.defaultSymlinkPath}/bw_client_id)";
+ BW_CLIENTSECRET = "$(cat ${config.sops.defaultSymlinkPath}/bw_api_key)";
 NIXOS_OZONE_WL = "1";
 };
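Review bot: The new `outputs` pattern drops `nixpkgs-unstable` and `wezterm` from the destructured inputs while `flake.lock` still tracks both; if either is used as a bare name in the `let` body or module lists outside this hunk, evaluation fails with an undefined-variable error, whereas `inputs.nixpkgs-unstable` / `inputs.wezterm` keep working through the `@ inputs` binding. Either keep the two names in the pattern or check that the remaining references go through `inputs`. The body of `outputs` continues beyond the hunk, so this cannot be confirmed from the diff alone. `sops-nix.nixosModules.sops` in the @@ -66 hunk is also imported without any system-level `sops` options in this commit, which is harmless but presumably inert until configured.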
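Review bot: `BW_CLIENTID` and `BW_CLIENTSECRET` now carry a `$(cat …)` command substitution, which only resolves if the file this attribute set is rendered into (it looks like `home.sessionVariables`; its start is outside the hunk) is sourced by a POSIX shell or translated for fish, and only after the sops-nix user service has populated `/run/user/1000/secrets` — otherwise the value is silently an empty string, hard to tell apart from a bad credential. The larger issue is scope: once exported at login, both secrets sit in the environment of every process started from a shell that sources that file and are inherited by every child, a much wider exposure than the per-user file sops-nix places under `defaultSymlinkPath`. Since `bw login --apikey` reads these two variables, a small wrapper that sets them only for that invocation, e.g. `BW_CLIENTID="$(cat ${config.sops.secrets.bw_client_id.path})" BW_CLIENTSECRET="$(cat ${config.sops.secrets.bw_api_key.path})" bw login --apikey`, keeps them out of the session environment. Unrelated but visible in the context line: `PKG_CONFIG_PATH` spells the third entry `/home/emenal/...` while the other two use `emenel`.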
@@ -381,6 +384,22 @@
 enable = true;
 };
+ sops = {
+ age.keyFile = "/home/emenel/.config/sops/age/keys.txt"; # must have no password!
+
+ defaultSopsFile = ./secrets.yaml;
+ defaultSymlinkPath = "/run/user/1000/secrets";
+ defaultSecretsMountPoint = "/run/user/1000/secrets.d";
+
+ secrets.bw_client_id = {
+ path = "${config.sops.defaultSymlinkPath}/bw_client_id";
+ };
+
+ secrets.bw_api_key = {
+ path = "${config.sops.defaultSymlinkPath}/bw_api_key";
+ };
+ };
+
 programs = {
 home-manager.enable = true;
 direnv = {
@@ -393,6 +412,7 @@
 "ls" = "eza";
 ".j" = "just -g";
 "em" = "emacsclient -n -r";
+ "mkdir" = "mkdir -pv";
 };
 plugins = [
 {
@@ -620,8 +640,6 @@
 };
 };
- # Service to start
- # moving files!
 home.file.".npmrc".source = ../dotfiles/dot_npmrc;
 # xdg.configFile."kmonad".source = ../dotfiles/dot_config/kmonad;
diff --git a/home/secrets.yaml b/home/secrets.yaml
new file mode 100644
index 0000000..a07d52e
--- /dev/null
+++ b/home/secrets.yaml
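Review bot: `age.keyFile`, `defaultSymlinkPath` and `defaultSecretsMountPoint` hard-code `/home/emenel` and uid 1000 where Home Manager already knows the home directory, e.g. `age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";`; if the runtime paths are spelled out because the value is interpolated into session variables (where a `%r` placeholder would not expand), a comment saying so would stop the next reader from "fixing" it. The explicit `path = "${config.sops.defaultSymlinkPath}/…"` on both secrets appears to restate sops-nix's default location, so `secrets.bw_client_id = {};` and `secrets.bw_api_key = {};` should be equivalent — worth confirming against the module's option default. The secret is named `bw_api_key` but is exported as `BW_CLIENTSECRET` elsewhere in this file; naming it `bw_client_secret` would keep the two aligned. The `# must have no password!` comment is the right kind of note; extending it with the bootstrap step (the key file must exist before the first activation, and its recipient must be listed in `.sops.yaml`) would make a fresh-machine setup self-explanatory.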
@@ -0,0 +1,22 @@ +bw_client_id: ENC[AES256_GCM,data:7ssBRUFfYW7CNsDwntS6S+2p68DpSaivUFAXY1GaTUuxOc81QzEdqtY=,iv:8CaYkM/mv1tqunhQZ/YdNQS64d9PEjSKelI5S7pVZWU=,tag:WO006QqK0oyiG4zN+SglmQ==,type:str] +bw_api_key: ENC[AES256_GCM,data:Dwb++djM0lrkkmfVDNq46uhMxjbj1grmDwykk2v4,iv:JPy6fOwaMAL31tk/yU6n9CMKhXV1WrGNV9dgOVIdbS4=,tag:v/IIZ9qCaCoimrxdNRsrWw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10k8v6pfm3p7cmsgn6wu5ufpcquqgpvqh76l23xf326et55dacc0qlr8fe8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxM0J2TnF5ZHNETnNrWTlj + SEViczZqOHRuNThhUHF0bllVZTNnZDdtWnhVCnZxTkVGczRRTzlDUDF2TmtjUVMw + QVV2cTYxS1d5QXU3aUNyajZWelUyQmcKLS0tIG1oYjU3M0pBL2lBUmN1cFoyTXdB + RTk5RGdrZ3dGaXJIait5VG45bTFpQVkKFvq2714fyXnUlQ2ovZGVl55Wq9m/uvpC + Q7k9SEOdSMNqioG5TR7yhGS+cCbcO+zV7WXxKB+mpwUmhkc13H0w5A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-01T18:01:40Z" + mac: ENC[AES256_GCM,data:hvRBNR5zYgAYbXYkGmijFRrl9dS98RqxMUIeMbI4KFopw61vLVG4sR2aIKD5UAVGNKb4tyv+PfW17VD1grGZXuSJbrks3ic0sbHVr4G3xh2w++/koiD3V+Mh0H1j3aEBX1UD13ThUpzPuwgSG5KUlp/naOQ8I63GNJL+LzgpK74=,iv:gQndjsTvVpD6EAgwwuEAfO1GiWmZsF05+ZpDGGmRtd8=,tag:hb/UEz7DQXH9obzm0OKnyQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2