sops-nix for bw secrets

2025-01-01 13:18:25 -05:00 · 2025-01-01 13:18:25 -05:00 · 4f4d38ed1e
commit 4f4d38ed1e
parent 8e4e9c16fa
5 changed files with 81 additions and 6 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &emenel_eddie age10k8v6pfm3p7cmsgn6wu5ufpcquqgpvqh76l23xf326et55dacc0qlr8fe8
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+      - age:
+          - *emenel_eddie
--- a/flake.lock
+++ b/flake.lock
@ -205,6 +205,7 @@
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
+        "sops-nix": "sops-nix",
        "wezterm": "wezterm"
      }
    },
@ -229,6 +230,26 @@
        "type": "github"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1735468296,
+        "narHash": "sha256-ZjUjbvS06jf4fElOF4ve8EHjbpbRVHHypStoY8HGzk8=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "bcb8b65aa596866eb7e5c3e1a6cccbf5d1560b27",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -30,6 +30,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    # nix-ld.url = "github:Mic92/nix-ld";
    # nix-ld.inputs.nixpkgs.follows = "nixpkgs";

@ -37,7 +42,7 @@
    # affinity-nix.inputs.nixpkgs.follows = "nixpkgs";
  };

-  outputs = {nixpkgs, nixpkgs-unstable, wezterm, home-manager, nix-flatpak, kmonad, musnix, self, ... } @ inputs:
+  outputs = {nixpkgs, home-manager, sops-nix, nix-flatpak, kmonad, musnix, self, ... } @ inputs:
    let
      inherit (self) outputs;
      # Supported systems for your flake packages, shell, etc.
@ -66,6 +71,7 @@
            inherit inputs outputs;
          };
          modules = [
+            sops-nix.nixosModules.sops
            nix-flatpak.nixosModules.nix-flatpak
            kmonad.nixosModules.default
            musnix.nixosModules.musnix
@ -84,6 +90,7 @@

          modules = [
            nix-flatpak.homeManagerModules.nix-flatpak
+            sops-nix.homeManagerModules.sops
            ./home/home.nix
          ];
        };
--- a/home/home.nix
+++ b/home/home.nix
@ -1,4 +1,4 @@
-{ nix-flatpak, lib, pkgs, inputs, outputs, ... }:
+{ nix-flatpak, lib, config, pkgs, inputs, outputs, ... }:
 {

  nixpkgs = {
@ -68,6 +68,9 @@
      alsa-oss
      powertop

+      age
+      sops
+
      nix-du

      usbutils
@ -369,8 +372,8 @@
      WINEFSYNC = 1;
      PKG_CONFIG_PATH = "/home/emenel/.nix-profile/lib/pkgconfig:/home/emenel/.nix-profile/lib64/pkgconfig:/home/emenal/.nix-profile/share/pkgconfig";
      GI_TYPELIB_PATH = "/run/current-system/sw/lib/girepository-1.0";
-      BW_CLIENTID = "***REMOVED***";
-      BW_CLIENTSECRET = "***REMOVED***";
+      BW_CLIENTID = "$(cat ${config.sops.defaultSymlinkPath}/bw_client_id)";
+      BW_CLIENTSECRET = "$(cat ${config.sops.defaultSymlinkPath}/bw_api_key)";
      NIXOS_OZONE_WL = "1";
    };

@ -381,6 +384,22 @@
    enable = true;
  };

+  sops = {
+    age.keyFile = "/home/emenel/.config/sops/age/keys.txt"; # must have no password!
+
+    defaultSopsFile = ./secrets.yaml;
+    defaultSymlinkPath = "/run/user/1000/secrets";
+    defaultSecretsMountPoint = "/run/user/1000/secrets.d";
+
+    secrets.bw_client_id = {
+      path = "${config.sops.defaultSymlinkPath}/bw_client_id";
+    };
+
+    secrets.bw_api_key = {
+      path = "${config.sops.defaultSymlinkPath}/bw_api_key";
+    };
+  };
+
  programs = {
    home-manager.enable = true;
    direnv = {
@ -393,6 +412,7 @@
        "ls" = "eza";
        ".j" = "just -g";
        "em" = "emacsclient -n -r";
+        "mkdir" = "mkdir -pv";
      };
      plugins = [
        {
@ -620,8 +640,6 @@
    };
  };

-  # Service to start
-
  # moving files!
  home.file.".npmrc".source = ../dotfiles/dot_npmrc;
  # xdg.configFile."kmonad".source = ../dotfiles/dot_config/kmonad;
--- a/home/secrets.yaml
+++ b/home/secrets.yaml
@ -0,0 +1,22 @@
+bw_client_id: ENC[AES256_GCM,data:7ssBRUFfYW7CNsDwntS6S+2p68DpSaivUFAXY1GaTUuxOc81QzEdqtY=,iv:8CaYkM/mv1tqunhQZ/YdNQS64d9PEjSKelI5S7pVZWU=,tag:WO006QqK0oyiG4zN+SglmQ==,type:str]
+bw_api_key: ENC[AES256_GCM,data:Dwb++djM0lrkkmfVDNq46uhMxjbj1grmDwykk2v4,iv:JPy6fOwaMAL31tk/yU6n9CMKhXV1WrGNV9dgOVIdbS4=,tag:v/IIZ9qCaCoimrxdNRsrWw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age10k8v6pfm3p7cmsgn6wu5ufpcquqgpvqh76l23xf326et55dacc0qlr8fe8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxM0J2TnF5ZHNETnNrWTlj
+            SEViczZqOHRuNThhUHF0bllVZTNnZDdtWnhVCnZxTkVGczRRTzlDUDF2TmtjUVMw
+            QVV2cTYxS1d5QXU3aUNyajZWelUyQmcKLS0tIG1oYjU3M0pBL2lBUmN1cFoyTXdB
+            RTk5RGdrZ3dGaXJIait5VG45bTFpQVkKFvq2714fyXnUlQ2ovZGVl55Wq9m/uvpC
+            Q7k9SEOdSMNqioG5TR7yhGS+cCbcO+zV7WXxKB+mpwUmhkc13H0w5A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-01T18:01:40Z"
+    mac: ENC[AES256_GCM,data:hvRBNR5zYgAYbXYkGmijFRrl9dS98RqxMUIeMbI4KFopw61vLVG4sR2aIKD5UAVGNKb4tyv+PfW17VD1grGZXuSJbrks3ic0sbHVr4G3xh2w++/koiD3V+Mh0H1j3aEBX1UD13ThUpzPuwgSG5KUlp/naOQ8I63GNJL+LzgpK74=,iv:gQndjsTvVpD6EAgwwuEAfO1GiWmZsF05+ZpDGGmRtd8=,tag:hb/UEz7DQXH9obzm0OKnyQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2