emenel/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

sops-nix for bw secrets

Browse source
This commit is contained in:
Matt Nish-Lapidus 2025-01-01 13:18:25 -05:00
parent 8e4e9c16fa
commit 4f4d38ed1e
5 changed files with 81 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml Normal file
View file

@ -0,0 +1,7 @@
keys:
- &emenel_eddie age10k8v6pfm3p7cmsgn6wu5ufpcquqgpvqh76l23xf326et55dacc0qlr8fe8
creation_rules:
- path_regex: secrets.yaml$
key_groups:
- age:
- *emenel_eddie

21
flake.lock generated
View file

@ -205,6 +205,7 @@
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix",
"wezterm": "wezterm" "wezterm": "wezterm"
} }
}, },
@ -229,6 +230,26 @@
"type": "github" "type": "github"
} }
}, },
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1735468296,
"narHash": "sha256-ZjUjbvS06jf4fElOF4ve8EHjbpbRVHHypStoY8HGzk8=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "bcb8b65aa596866eb7e5c3e1a6cccbf5d1560b27",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,

9
flake.nix
View file

@ -30,6 +30,11 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
# nix-ld.url = "github:Mic92/nix-ld"; # nix-ld.url = "github:Mic92/nix-ld";
# nix-ld.inputs.nixpkgs.follows = "nixpkgs"; # nix-ld.inputs.nixpkgs.follows = "nixpkgs";
@ -37,7 +42,7 @@
# affinity-nix.inputs.nixpkgs.follows = "nixpkgs"; # affinity-nix.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = {nixpkgs, nixpkgs-unstable, wezterm, home-manager, nix-flatpak, kmonad, musnix, self, ... } @ inputs: outputs = {nixpkgs, home-manager, sops-nix, nix-flatpak, kmonad, musnix, self, ... } @ inputs:
let let
inherit (self) outputs; inherit (self) outputs;
# Supported systems for your flake packages, shell, etc. # Supported systems for your flake packages, shell, etc.
@ -66,6 +71,7 @@
inherit inputs outputs; inherit inputs outputs;
}; };
modules = [ modules = [
sops-nix.nixosModules.sops
nix-flatpak.nixosModules.nix-flatpak nix-flatpak.nixosModules.nix-flatpak
kmonad.nixosModules.default kmonad.nixosModules.default
musnix.nixosModules.musnix musnix.nixosModules.musnix
@ -84,6 +90,7 @@
modules = [ modules = [
nix-flatpak.homeManagerModules.nix-flatpak nix-flatpak.homeManagerModules.nix-flatpak
sops-nix.homeManagerModules.sops
./home/home.nix ./home/home.nix
]; ];
}; };

28
home/home.nix
View file

@ -1,4 +1,4 @@
{ nix-flatpak, lib, pkgs, inputs, outputs, ... }: { nix-flatpak, lib, config, pkgs, inputs, outputs, ... }:
{ {
nixpkgs = { nixpkgs = {
@ -68,6 +68,9 @@
alsa-oss alsa-oss
powertop powertop
age
sops
nix-du nix-du
usbutils usbutils
@ -369,8 +372,8 @@
WINEFSYNC = 1; WINEFSYNC = 1;
PKG_CONFIG_PATH = "/home/emenel/.nix-profile/lib/pkgconfig:/home/emenel/.nix-profile/lib64/pkgconfig:/home/emenal/.nix-profile/share/pkgconfig"; PKG_CONFIG_PATH = "/home/emenel/.nix-profile/lib/pkgconfig:/home/emenel/.nix-profile/lib64/pkgconfig:/home/emenal/.nix-profile/share/pkgconfig";
GI_TYPELIB_PATH = "/run/current-system/sw/lib/girepository-1.0"; GI_TYPELIB_PATH = "/run/current-system/sw/lib/girepository-1.0";
BW_CLIENTID = "***REMOVED***"; BW_CLIENTID = "$(cat ${config.sops.defaultSymlinkPath}/bw_client_id)";
BW_CLIENTSECRET = "***REMOVED***"; BW_CLIENTSECRET = "$(cat ${config.sops.defaultSymlinkPath}/bw_api_key)";
NIXOS_OZONE_WL = "1"; NIXOS_OZONE_WL = "1";
}; };
@ -381,6 +384,22 @@
enable = true; enable = true;
}; };
sops = {
age.keyFile = "/home/emenel/.config/sops/age/keys.txt"; # must have no password!
defaultSopsFile = ./secrets.yaml;
defaultSymlinkPath = "/run/user/1000/secrets";
defaultSecretsMountPoint = "/run/user/1000/secrets.d";
secrets.bw_client_id = {
path = "${config.sops.defaultSymlinkPath}/bw_client_id";
};
secrets.bw_api_key = {
path = "${config.sops.defaultSymlinkPath}/bw_api_key";
};
};
programs = { programs = {
home-manager.enable = true; home-manager.enable = true;
direnv = { direnv = {
@ -393,6 +412,7 @@
"ls" = "eza"; "ls" = "eza";
".j" = "just -g"; ".j" = "just -g";
"em" = "emacsclient -n -r"; "em" = "emacsclient -n -r";
"mkdir" = "mkdir -pv";
}; };
plugins = [ plugins = [
{ {
@ -620,8 +640,6 @@
}; };
}; };
# Service to start
# moving files! # moving files!
home.file.".npmrc".source = ../dotfiles/dot_npmrc; home.file.".npmrc".source = ../dotfiles/dot_npmrc;
# xdg.configFile."kmonad".source = ../dotfiles/dot_config/kmonad; # xdg.configFile."kmonad".source = ../dotfiles/dot_config/kmonad;

22
home/secrets.yaml Normal file
View file

@ -0,0 +1,22 @@
bw_client_id: ENC[AES256_GCM,data:7ssBRUFfYW7CNsDwntS6S+2p68DpSaivUFAXY1GaTUuxOc81QzEdqtY=,iv:8CaYkM/mv1tqunhQZ/YdNQS64d9PEjSKelI5S7pVZWU=,tag:WO006QqK0oyiG4zN+SglmQ==,type:str]
bw_api_key: ENC[AES256_GCM,data:Dwb++djM0lrkkmfVDNq46uhMxjbj1grmDwykk2v4,iv:JPy6fOwaMAL31tk/yU6n9CMKhXV1WrGNV9dgOVIdbS4=,tag:v/IIZ9qCaCoimrxdNRsrWw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age10k8v6pfm3p7cmsgn6wu5ufpcquqgpvqh76l23xf326et55dacc0qlr8fe8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxM0J2TnF5ZHNETnNrWTlj
SEViczZqOHRuNThhUHF0bllVZTNnZDdtWnhVCnZxTkVGczRRTzlDUDF2TmtjUVMw
QVV2cTYxS1d5QXU3aUNyajZWelUyQmcKLS0tIG1oYjU3M0pBL2lBUmN1cFoyTXdB
RTk5RGdrZ3dGaXJIait5VG45bTFpQVkKFvq2714fyXnUlQ2ovZGVl55Wq9m/uvpC
Q7k9SEOdSMNqioG5TR7yhGS+cCbcO+zV7WXxKB+mpwUmhkc13H0w5A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-01T18:01:40Z"
mac: ENC[AES256_GCM,data:hvRBNR5zYgAYbXYkGmijFRrl9dS98RqxMUIeMbI4KFopw61vLVG4sR2aIKD5UAVGNKb4tyv+PfW17VD1grGZXuSJbrks3ic0sbHVr4G3xh2w++/koiD3V+Mh0H1j3aEBX1UD13ThUpzPuwgSG5KUlp/naOQ8I63GNJL+LzgpK74=,iv:gQndjsTvVpD6EAgwwuEAfO1GiWmZsF05+ZpDGGmRtd8=,tag:hb/UEz7DQXH9obzm0OKnyQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2